Risk management plan
One common approach to risk management is to create a risk management plan. The process of creating such a plan can be fun, as a whole bunch of subject matter experts meet together in a room for several hours and continuously ask themselves the question ‘what can go wrong?’
The next step is to categorise the risks, commonly in terms to the likelihood of such an event occurring and the magnitude of the consequences.
After the meeting, someone types up the results in a ‘risk register’. Fantastic, we now have a list of risks. Sometimes someone might take this a step further, and write up some details about how these various risks might be mitigated, and this is likely to be referred to as the ‘risk management plan’.
Why is this a problem?
There are at least two reasons this process tends to deliver sub-optimal results.
Consigned to the planning graveyard
Ahh, yes, file the ‘risk management plan’ right next to the ‘strategic plan’ from three years ago, that no one’s looked at since, and get them both out and repeat the process in another couple of years. That’s bound to work.
Black Swan events
Even a casual glance over recent history suggests human beings are good at making policies and laws and penalties to mitigate events that have already happened (especially in the very recent past), and bad at anticipating unknown risks that may occur in the future.
For example, we passed laws to tighten up control of customs checks, finance and oil wells immediately after September 11, the GFC, and the BP Gulf disaster. This is commonly known as ‘shutting the gate after the horse has bolted’.
The corollary to this is we did a very poor job of anticipating or taking any relevant action before these events occurred. So have all those laws prevented us from being blind-sided by another big, unexpected event?
This phenomenon is the subject of a fascinating book, called The Black Swan: the Impact of the Highly Improbable, by Nassim Nicholas Taleb, which will be the subject of another post, in due course.
What to do about it
Just because there will always be seemingly random, surprising, game-changing events lurking around the corner, this does not mean we can’t plan for the future. We just have to plan for the unexpected.
For example, when we plan our strategy, do we run ‘best case’, ‘worst case’, and ‘middle case’ scenarios? Make contingency plans. Adopt a strategy that’s flexible enough to work under a range of unexpected conditions. Or build more flexibility into the strategy.
Or, even better than trying to predict and plan for the future, why not be the future? Why not be the next black swan event? What better way to position yourself for the future than by redefining your business category?
Next instalment: Risk management vs risk avoidance