What’s the first step in a typical 12-step program? Admission of powerlessness, or a lack of control over a thing or a situation. Whether it’s an addiction or a compulsive behavior – to begin to take control, one has to understand and admit they have no control.
It’s the same with risk. We have to start with an understanding that we’re not in control (at least, not as much as we think). Acknowledging risks, understanding them, and managing them appropriately are critical to the survival of our organizations.
First, let’s agree on what risk is. ISO 31000 defines risk as “the effect of uncertainty on objectives.” We don’t like uncertainty. Change means uncertainty, which is why we resist change. But resisting change is loaded with risk, too.
What to do? Well, we can accept risk, avoid it, mitigate it, or transfer it.
When the cost of managing a risk is thought to outweigh the cost of avoiding it, the risk is said to be “acceptable”. The risk of flooding was considered acceptable many centuries ago. If you’re near a body of water, you risk occasional – and sometimes disastrous – flooding. However, transportation and energy are relatively easy and cheap. River bottom land is subject to flooding but that very activity makes soil fertile, which leads to healthy, plentiful crops more years than not. However, as we’ve moved away from being an agrarian society, we’ve been less inclined to accept flooding as a cost of doing business.
Sometimes, avoiding a certain hazard or avoiding exposure to it – like finding a safer alternative to a risky activity – is preferable. However, there are inherent risks – social, economical, environmental, etc. – in running any kind of business. There is no such thing as a risk-free environment: avoiding one risk usually means exposing oneself to another.
Risks seem to have a way of balancing out. For instance, if I move my business from the seashore to the drier highlands to avoid the risk of flooding, I then face the possibility of dehydration and/or starvation or, at the very least, resource shortages and higher prices when they are available.
If I choose to avoid certain investment risks by squirreling my wages away in my mattress, what happens to my “investment portfolio” when the mattress is suddenly infested with insects, bacteria, or mildew? What if a fire starts in the kitchen and spreads quickly to the rest of the house? (Once upon a time, I’d have suggested “investment banking” but now I’m not so sure.)
Now we’re getting more realistic about risk management. Mitigating risk means reducing one’s exposure – or the likelihood of exposure – to a given hazard. The risk of flooding, for instance, can be mitigated or lessened by the strategic use of dikes, levees, and/or flood walls. I can mitigate the risk of performing poorly on a certification exam by enrolling in a thorough exam prep course and keeping up with the coursework. Corrective and preventive action are excellent means of risk mitigation.
I habitually fill up when my car’s gas gauge is near the halfway mark, to mitigate the risk of running out of gas 20 miles from the nearest station when it’s sleeting. My spouse points out that nearly all automobiles have some kind of audiovisual indicator to let you know you’re within 50 miles of empty, but I have a very good reason not to let it go that far. (Thank you, Mrs. Granbury, for getting me into that habit.)
Transferring, or shifting, a risk to a party better equipped to handle it dates back thousands of years. Insuring shipments of goods against loss was practiced in China three millennia before the Roman Empire flourished, and health and life insurance has been traced back to Greece, six centuries before the common era (BCE).
Transferring risk is generally a safe bet for the insuror and the insured. We (the insured) are financially protected in case of catastrophic loss and the insuror generally makes more money than God knows what to do with, insuring them against the possibility of their own catastrophic loss.
At least, that was the case before Sandy.
* * * * * * *
Next post: How does your organization manage risk?