Norman Marks, in his blog post called "How will risk management change as we emerge from this crisis?", pointed out that "Even before the crisis, few on boards or in executive management believed their risk management programs were helping them run the organization for success. At best, it helped anticipate and avoid failure – which is hardly the same as achieving success. At worst, it was a cost center that helped comply with regulations." Here is my response.
Crises like that from the Coronavirus that we all face now just expose the total folly of the ‘risk management’ edifices organisations have built. Leaders are making decisions that in some cases, and often quickly in retrospect, either prove inspired or, mostly, highly defective. But the overall impression is that, despite the claims of the risk management fraternity (or whatever three letter acronym you like to label your particular brand of belief system with), it’s all very ‘hit or miss’!
From what I can see, no one is reaching for their ‘risk register’ or ‘risk appetite statement’ or ‘risk matrix’ (etc. etc.) to help them make a decision. Some decision-makers are clearly listening to others, thinking out assumptions and choosing between options so that they end up with a decision which they are sufficiently certain will lead to the outcomes they desire. However, many, including some of the most important ‘leaders’ in the world, are making decisions based simply on gut feel, ignoring the advice of others or the experiences elsewhere. They seem to lurch from crisis to crisis, with precious little monitoring taking place to see if decisions lead to the outcomes desired or whether the original basis for a particular decision still remains valid.
Some misguided politicians are still bandying around nonsense words like ‘risk’ and ‘risk management’ as though just uttering those phrases as part of their ‘spin’ will solve problems and pacify people. Fat chance!
In my real-world, practical experience over the last few weeks I’ve seen clear evidence that the distraction of ‘risk management’ has in some cases led to poor decisions or, mostly, just impeded the process of making a decision with sufficient certainty of outcomes. Similarly, most organisations’ Business Continuity Plans (another three letter acronym) have proved useless because they focused on specific events and not generally the organisation’s vulnerability and how that can be reduced, and how decision making can be enhanced when a disruption occurs. Mostly, they’ve been cast aside by decision makers as totally irrelevant!
At this time, mankind needs leaders (not politicians worried about getting elected) who are capable of making the best possible decisions – for the sake of us all. Even if people say this is ‘risk management’ they are simply deluding themselves.
If anything, this awful crisis just proves we have wasted years and $billions building ‘risk management’ edifices that have ended up like the Maginot Line in WW2: they have created a false sense of security, and exposed us all to the perils of inflexible strategies, poorly defined assumptions, insularity and blindness to wider context and ineffective monitoring.
Now that we are facing our biggest challenge in a generation, our various ‘risk management’ ‘frameworks’, ‘systems’ and ‘programs’, and all the paraphernalia that comes with them, manifestly are not only failing to respond but are actually impeding good decision making.
When we get through this, we must remember all this and never fall for a similar ‘con job’ again.