In 1976, Donald T. Campbell wrote “The more any quantitative social indicator…is used for social decision-making, the more subject it will be to corruption pressures and the more apt it will be to distort and corrupt the social processes it is intended to monitor.”
Against the backdrop of Campbell’s law, has it ever happened where you presented tables or charts to a risk committee and someone (believing they are clever) asks: “I counted 5 Red, 9 Orange and 6 Green risks in Asia but only 3 Red, 7 Orange and 10 Green risks in USA? Why do we have “more risk” in Asia?”
While you roll your eyes and wonder why someone so stupid is on the risk committee here is summary of what you should say:
Risks are not additive.
While a cashier can add the oranges we purchase in the grocery store one cannot add the Oranges in a risk report.
Every business unit has its own risk tolerances. In quantitative terms a Medium risk may be $100,000 in Vietnam, $500,000 in Hong Kong and $1,000,000 in Chicago, so adding risks is like adding apples to..well..you know.
What’s more, to add the risks is to assume that they were properly assessed in the first place. There isn’t a lot of science that went into assessing those 5 Red and 9 Orange risks so who’s to say that there aren’t 7 Red and 7 Orange risks and the business unit head didn’t game the risk assessment process? (See Campbell’s law above.)
Remember that we identify and assess risks so we can prioritize action plans that treat those risks; and doing something to mitigate 20 risks is better than doing nothing.
In a factory someplace, there are 20 workers whose job it is to continuously pass a ball to each other as quickly as possible. Watching this important work from a viewing area are 10 newly minted auditors selected from a Big 4 accounting firm. On this day, managers give each of the assembled auditors a pen and a notebook and explain that in order to satisfy a “regulatory requirement” they are to count how many times the ball gets passed during the day. The auditors with the correct answer will be promoted to Senior Associates by their firm; the rest will be fired and immediately hired by the factory as new ball-passing workers.
There are no issues for the first hour as the ball gets passed and counted by enthusiastic workers and auditors respectively. At around 10am the factory managers release a hungry zombie onto the floor whose job it is to make new zombies by biting the flesh off the ball-passers. Despite the hazard, the workers continue doing their important work while successfully passing the ball and evading zombie threats. The auditors continue counting passes from the safety of the gallery. No issues noted.
When the zombie has achieved its objectives it drags its prey to a corner of the factory where it dismembers the former ball-passer and feeds on its flesh. After several minutes, zombie-handlers remove the zombie and its “zombie offspring” and a new zombie is then introduced to factory floor. This process continues until 5pm when the remaining ball-passers go home and remaining zombies are returned to their quarters.
At 5:15, managers assemble the auditors in the board room (who are hungry and tired from a long day of counting). They are each given a special remittance form and an envelope and asked to write down the following: (a) the number of passes they recorded; (b) the number of zombies they witnessed; (c) their name, and; (d) the phone number for their next of kin. Auditors then place their sealed envelopes in a metal box and take their seats. While the auditors enjoy some refreshments, managers review the responses in nearby office.
When managers return at 5:30, the results are revealed. On this day, only one of the ten auditors recorded the correct number of balls passed but none answered the zombie question correctly. In fact, none of the auditors reported seeing any zombies during the day. (1)
It turns out the auditors were so focused on counting the passes that they didn’t notice the zombies or the gruesome disemboweling of workers. (During their post-mortem meetings with managers, two of the auditors stated they were puzzled by “pools of maroon blood” and “the mess on the floor” that seemed to suddenly appear at 5:00, but postulated that it must have always been that way.)
Day 2: Risk Managers and Zombies
The following day, one risk management practitioner was hired to count ball-passes. This time however, every time a zombie appeared, he hollered to the workers to stop passing the ball for a moment. The risk manager jumped down from the gallery and stabbed the zombie in the brain with his Sharpie. Upon returning to the gallery the workers were asked to resume their important work and counting continued. At the end of the day, the risk manager not only reported an accurate tally of ball passes and zombies but none of the workers were harmed. None of the zombies met their objectives.
Moral of the story
To anyone who thinks audit is risk management and auditors are risk managers remember that while auditors are busy counting their balls risk managers are on the lookout for zombies.
Image credit: Going Loud Studios
(1) There is a paragraph in Richard House’s book The Kills/Sutler that partially inspired this post, where he explains the reason why the auditors would not have noticed the zombies. It’s “because they’re too busy trying to get something right”.
Who wouldn’t want Ryan Callahan on their hockey team? The New York Rangers’ captain isn’t the biggest star in the NHL but ask General Managers and fans throughout the league and everyone would be happy to have him suit up.
That is until you find out that Callahan is presently negotiating a contract extension seeking 7-years, $42 million and then maybe you don’t want him that much. (“That bum isn’t worth seven million bucks!”)
Risk management decision-making is just like this. Tell any leader about a high organizational risk and they will behave the same way: “What! We cannot have a high risk. Mitigate it. Eliminate it. Make it go away. We don’t have risks here.”
That is until they find out that it is going to cost them $49 million to treat that risk and then they change their mind. (“That risk isn’t worth seven million bucks!”)
Getting a hockey player is like getting rid of a risk: It’s a really great idea until you have to pay for it.
Here’s a story about a watermain break in the Montreal borough of Pierrefonds, Quebec which left about fifty homes without water for a couple of days. The West Island Gazette writes:
Pierrefonds residents can expect two four-litre bottles of water per household will be delivered to their door by borough workers sometime before supper, Monday. Borough spokesperson Johanne Palladini explained the watermain break, which has left between 40 and 50 Fifth Avenue homes without water since Sunday morning, will only be fixed Monday night, sometime between 9 and 10 p.m.
While I agree delivering water to these families is a terrific humanitarian gesture, from a risk management perspective it’s a terrible idea.
Risk management is about preparing for events that are important but not urgent and most of the time people don’t recognize the value of identifying, assessing and managing risks until after an event (like this!) takes place. The upside of being left without water for two days is people saying “never again” then make preparations for the Next Time.
So when the government steps in to mitigate some of the pain caused by the broken watermain then that risk management lesson is not learned.
Once upon a time there were three little boys left unsupervised while on a field trip when one of them spotted a large crack in a window pane. So he tapped the glass once and nothing happened. Next, the second boy tried his luck and poked the glass as well. Tap tap tap. Again it did not break.
Now the third boy approached, looked around, saw that none of the teachers were watching and because his friends didn’t break the window he tapped lightly on the glass with his index finger. Nothing. So he poked harder. No change. Then again. Again. Another time. Ok again. Faster.
Finally the glass broke.
The funny thing is that I don’t believe the boys wanted to break the window. I submit all they wanted to do was tap repeatedly on the glass without the glass breaking. But if that’s the case how does anyone know when to stop tapping?
We use the process of risk management as a way to identify where all the cracked windows are in an organization. It also allows decision-makers to collectively decide what should be done (if anything, about these cracks). In some cases we replace the window pane immediately; we affix a warning sign; or assume anyone that sees the crack won’t touch it. But I think most people will just tap on the cracked window until it breaks and worry about it then.
Now risk management is not the panacea that will tell you when the window will break but you would be foolish if you knew about all your cracked windows and didn’t prepare for what might happen when one breaks.
Many people will agree that risk management is important. After we identify and assess a risk, it is treated appropriately and managed to an acceptable level. But is it possible to over-risk manage? Can the treatment become so onerous that people are encouraged to find workarounds thus rendering the controls useless? And if so, why does it happen?
As a result many foreign diplomats were insulted having to visit these prison-like facilities. What’s more it became more difficult for the American officials to do their jobs forcing them to devise “creative” solutions like meeting people in hotels (thus rendering the control useless).
Sometimes this happens when we assess a risk higher than it should be but I think the recent events in Benghazi support the assertion that the risk to American diplomats was correctly assessed: high impact and high likelihood. If so, why overdo it with the controls?
First, I submit that nobody bothered to ask the diplomats what their requirements were and how these prison/embassies would affect their work and lifestyle. But even if that information was solicited and considered it was likely ignored and usurped by the second reason which the former ambassador to Yemen explains in the article: “Nobody wants to take responsibility in case something happens, so nobody is willing to have a debate over what is reasonable security and what is excessive.”
So despite best efforts to keep US official safe, when one of them is blown up in a hotel at least a State Department official will be able to explain to Anderson Cooper that they built these fortresses and it’s not our fault the ambassador did not want to use it.
I’m off to Virginia Beach later this month so it seemed fitting that today’s post has a beach theme. This quote comes from Chapter 7 of Nathan Englander’s book “The Ministry of Special Cases” and you should remember these words whenever someone like me asks you to think about your organization’s risks.
“It’s like standing in the ocean and facing the beach. It’s up to you to know what’s behind you. There’s always another wave coming, building in force and crashing down.”