There are many risk management strategies, such as acceptance, avoidance, and mitigation. My favorite, however, is “management by ignorance.”
The term “risk management” may appear quite abstract — what does it even mean to manage risks? The concept of risk management becomes tangible when considering some of the famous risk management failures. Examples include the Columbia and Challenger shuttle disasters in the realm of space flights, but also the Great Recession, the WorldCom scandal, and others (see a more extended, non-exhaustive list here).
Risk management has, of course, been the subject of extensive study. The Project Management Institute (PMI) describes various useful risk management practices (see also A practical risk management approach). I have always found the discipline of risk management fascinating, maybe because we, as human beings, tend to despise risks. “Risk” and “failure” are two closely related concepts, and we usually don’t enjoy visualizing failures. Who would enjoy contemplating a possible disaster?
Learning from past failures, however, is essential to effective risk management. The somewhat worn-out phrase “Those who cannot remember the past are condemned to repeat it” is probably incorrectly attributed to Albert Einstein. Still, regardless of the origin, the phrase appears at least logical. Ignoring risks leads to failure, and thus it cannot be a rational approach to technical and commercial development. In other words, choosing to ignore well-known risks is a manifestation of organizational insanity.
Thus, recognizing that a risk merely exists is a step in the right direction. The next step is to analyze and to mitigate the risk.
But if risk negligence is such an irrational reaction, why is it so widespread? The answer probably lies in the concept of risk itself. The causation leads from the idea of risk to uncertainty to fear. Fear, of course, is the strongest emotion, common to nearly all life forms. We fear risks because they are associated with the most undesirable feeling of pain. In short: risks are perceived as painful. Thus, ignoring risks is a shortcut to avoiding pain. The decision to ignore risks brings immediate relief, deferring the pain at the cost of a long-term solution: effective risk mitigation.
It is often difficult to determine the boundary between an isolated, minor risk and a large-scale, collective failure. For instance, we all know that some small kids pee in public swimming pools. As outrageous as it is, it is typically a rare event, and nobody will even notice. However, if such incidents become frequent, the swimming pool manager should take various actions to prevent them from happening again. But what if the swimming pool manager perceives the problem as too embarrassing to address? The problem is ignored. It becomes taboo. The swimming pool soon turns into a dangerous, stinking cesspool full of nasty germs. Visitors to the swimming pool become sick. Soon, the department of health closes the facility for good.
Risk management by taboo?
This hypothetical example sounds ridiculous. And yet, some organizations still live by the principle of blissful negligence. My favorite real-life example describes the failure of a critical piece of network infrastructure. The entire organization of my client’s business depended on a high-availability international WAN connection. Connectivity failure would result in extraordinarily high penalties. Two different internet providers were hired, and two separate connections were set up to ensure connectivity redundancy. Unfortunately, switching from one provider to another — in the event of a network breakdown — was a manual activity. In such a case, an employee had to be present to switch between the networks in person.
As soon as I recognized this danger, I immediately escalated it to my client’s senior management. The responsible manager, however, complained bitterly about my interference. “Stop spreading FUD! There is no risk! Nothing of such kind has ever happened before!” He was stubborn and would refuse any further mitigation.
Whatever could go wrong?
Soon enough, the WAN connection collapsed. The responsible employee was not available at the moment of the network failure. The only technician was out of the office that day. No one was there to enter the room and to switch the network connection over. There was no short-term solution possible. It would take hours to drive to the office and to swap the network connections. The situation became critical.
Fortunately, after numerous attempts, we were able to locate the responsible technician. He drove quickly to the office and manually switched over to the other internet connection. As a result of this incident, a fully automatic switch-over capability was finally set up.
As a result of this incident (and others of that kind), I have become allergic to risk negligence. “Stop talking about it, or else it will happen” is one of the dumbest ideas I have heard of.
For an effective risk manager, taboos must be taboo. Risks and concerns must be heard. This is the duty of managers and the essence of leadership. Facing threats must be part of the culture. “The only fear is the fear itself” – this is the essence of charismatic leadership. Why not live by this principle, too?