Читать книгу The Failure of Risk Management - Douglas W. Hubbard - Страница 20

Long definition: The detailed examination of the components of risk, including the evaluation of the probabilities of various events and their ultimate consequences, with the ultimate goal of informing risk management efforts

Shorter definition: How you figure out what your risks are (so you can do something about it)

Note that some risk managers will make a distinction between risk analysis and risk assessment or may use them synonymously. If they are used separately, it is often because the identification of risk is considered separate from the analysis of those risks and together they comprise risk assessment. Personally, I find the analysis and identification of risks to be an iterative, back-and-forth process without a clear border between them. That is, we start with some identification of risk but on analyzing them, we identify more risks. So I may use the terms analysis and assessment a bit more interchangeably.

Now, obviously, if risk analysis methods were flawed, then the risk management would have to be misguided. If the initial analysis of risk is not based on meaningful measures, the risk mitigation methods are bound to address the wrong problems. If risk analysis is a failure, then the best case is that the risk management effort is simply a waste of time and money because decisions are ultimately unimproved. In the worst case, the erroneous conclusions lead the organization down a more dangerous path that it would probably not have otherwise taken. Just consider how flawed risk management may impact an organization or the public in the following situations.

 The approval and prioritization of investments and project portfolios in major US companies

 The level of protections needed for major security threats, including cybersecurity threats, for business and government

 The approval of government programs worth many billions of dollars

 The determination of when additional maintenance is required for old bridges or other infrastructure

 The evaluation of patient risks in health care

 The identification of supply chain risks due to pandemic viruses

 The decision to outsource pharmaceutical production overseas

Risks in any of these areas, and many more, could reveal themselves only after a major disaster in a business, government program, or even your personal life. Clearly, mismeasurement of these risks would lead to major problems—as has already happened in some cases.

The specific method used to assess these risks may have been sold as “formal and structured” and perhaps it was even claimed to be “proven.” Surveys of organizations even show a significant percentage of managers who will say the risk management program was “successful” (more on this to come). Perhaps success was claimed for the reason that it helped to “build consensus,” “communicate risks,” or “change the culture.”

Because the methods used did not actually measure these risks in a mathematically and scientifically sound manner, management doesn't even have the basis for determining whether a method works. Sometimes, management or vendors rely on surveys to assess the effectiveness of risk analysis, but they are almost always self-assessments by the surveyed organizations. They are not independent, objective measures of success in reducing risks.

I'm focusing on the analysis component of risk management because, as stated previously, risk management has to be informed in part by risk analysis. And then, how risks are mitigated is informed by the cost of those mitigations and the expected effect those mitigations will have on risks. In other words, even choosing mitigations involves another layer of risk analysis.

This, in no way, should be interpreted as a conflation of risk analysis with risk management. Yes, I will be addressing issues other than what is strictly the analysis of risk as the problem later in this book. But it should be clear that if this link is weak, then that's where the entire process fails. If risk analysis is broken, it is the first and most fundamental common mode failure of risk management.

And just as risk analysis is a subset of risk management, those are subsets of decision analysis in general decision-making. Risks are considered alongside opportunities when making decisions, and decision analysis is a quantitative treatment of that topic. Having risk management without being integrated into decision-making in general is like a store that sells only left-handed gloves.