The Dark Ages of Risk Management
"Risk management used to be a science then it became an art, now it's just bullsh@t" writes Alexei Sidorenko [LINK] in his wonderful posting. I personally agree with him: Enterprise Risk Management is off the rails, and the focus at the moment seems to be on chasing fads rather than pragmatically assessing and responding to risk.
All this said, I don't believe risk management has entered the dark ages, well not quite yet. Mind you, the new SMA operational risk proposal from the Bank for International Settlements might prove me wrong when it comes to retrograding risk management into the dark ages.
Alexei didn't quite say any of this; it just felt as though we have entered the dark ages, given his chronological description of moving from a science to an art to, well, you know, something we don't really want. I can be nearly sure of that.
As it happens, quite the opposite is in play. If we were to look at the evolution of data technology, statistics, visualization of uncertainty and risk modelling, we are reaching a point of evolved convergence where these discrete disciplines are amalgamating to provide potentially extremely powerful tooling for risk managers (see fig 1). If we simply observe the growth of modelling functions in R-Project alone, notwithstanding the emergence of these free powerful statistical tools, we need to question:
"It's also been years since I last saw a scientist present at any risk management event sharing new ways or tools to quantify risks." ~ Alexei Sidorenko
Separately, if we were to look at the growth and acceptance of Enterprise Risk Management across the planet, just over the last eight years or so we have also seen a doubling in the number of firms moving into this management space. Where are all these Enterprise Risk Managers coming from? ...
Tragically I utterly agree with Alexei when it comes to the risk management community or the quality of it. ERM practitioners can be basket-cases at times and the TC-262 Committee under ISO 31000 seems to be loaded with politically motivated consultants on one hand and a dose of ignorance on the other.
Fig 1 : Advancements in Risk Management Technology | Various Sources
You can break this community down into some 'Pareto Bucket' of headaches much of the time, as shown in fig 2. Perhaps as much as 80% of those involved in this game appear to add more mayhem to it, and they do seem to chase strange unicorns, as Alexei puts it. Quite often they complicate their work without adding value, missing the basics, and there is a massive lack of coherent and critical thinking going on in this field of risk management.
Two public ERM debates I recently observed had me shaking my head in dismay and I will quote from one of these discussions ...
"Risk Managers confused with the term opportunity (seriously). Imagine facing stakeholders as risk managers & not being clear with the definitions & differences between an opportunity, a threat or a risk." ~ Martin Davies [LINK]
I am not saying that some opportunities don't come bundled with paradoxes or that they aren't difficult to access. However, we have to accept that if a risk manager doesn't know the difference between an opportunity and a threat, in their very own commercial setting that is, it would be fair to say they won't be able to add much management value to their respective organisations.
What's wrong here is not the only question we need to be asking, although it might be the first thought that comes to mind. We are much better off understanding not just what is wrong with Enterprise Risk Management but what we can do about this, at a commercial level that is and where it makes the greatest impact.
The value proposition under Enterprise Risk Management should be massive, surely? We have a risk management discipline that spans the entire enterprise; it is not trapped in a silo and, theoretically, it can affect the other risk management silos around it, if it is properly aligned of course.
Fig 2 : The ERM Population | Martin Davies
The problem with the world of ERM is not those chasing unicorns, although that is an unhelpful distraction; quite simply, the community of risk management is laden down with a huge amount of mediocrity. In one camp we have academically minded people churning out models, and in the other domain we are overloaded with ERM practitioners focusing on unicorns to keep up. The basics, well, that is all generally left undone, as Alexei states. Mind you, we must move beyond the basics before true commercial value can be unleashed from a sound enterprise risk management framework.
The most useful enterprise risk managers I seem to stumble across sit somewhere in the middle, somewhere between these very different worlds of models and madness. They are able to interpret business requirements into useful constructs that can be coherently assessed or quantified.
To become 'enabled', I believe risk managers can lift up their core skill set through knowledge acquisition, self-taught or otherwise. In this case ERM practitioners could do well to start their journey of learning in the domain of Financial Risk Modelling, data management, optimization, engineering, physics, forensic science or even epistemology, and you can throw in R-Project or analytics for good measure. That will bring the science back into risk management.
Why financial risk modelling or any of these other vocations, I hear you ask? Well, if you are going to measure risk in coherent and financial terms, you will improve the quality of your work by learning about those terms, and terms that are acquired from a field whose ideology sits squarely in the corner of critical logical thinking.
This evolution is going to take effort, and it's probably going to cost you time and money. I can also hear the excuses from camp mediocrity that risk management isn't all about numbers or models, or that we need to keep it simple, but it isn't anything but unicorns without a strong measurement layer.
Keep it simple is the most common sidestepping comment that is bestowed upon stakeholders. Please do of course follow an Occam's Razor approach [LINK] to risk assessment, but at the same time we need to stop talking about unicorns unless they translate into coherent models. If you want coherent models as an outcome, ERM practitioners will need to learn how to model or find someone capable of doing this work for them.