Lord Voldemort would make an excellent risk manager because when he identifies a risk, he assesses it and treats it immediately. Here are a few of my reasons, but I welcome additional examples of his risk management in the comment field below.

1. When the young Voldemort (a.k.a. Tom Riddle) learns that he was born half-Muggle, he identifies this as a high-impact reputation risk. After all, you cannot go around hating Mudbloods when your dad was one. To manage this reputation risk he kills his father and grandparents.

2. A prophecy tells Voldemort that a boy born in July will become his enemy. He figures that this boy is either Harry Potter or Neville Longbottom. Voldemort performs the required risk assessment and determines Harry, a half-blood like himself, is the greater threat. Unfortunately for Voldemort, Harry’s mother was a better risk manager; seeing a threat to her boy, she threw herself in front of Voldemort’s killing curse, sacrificing herself to save her boy.

3. Finally, to protect himself from the greatest risk of all, death, Voldemort looked to Horcruxes. A Horcrux is a magical object used to store a piece of your soul. They are not easy to create. One requires knowledge of dark magic, the painful process of splitting one’s soul and murdering someone to make it work. Despite the excruciating pain involved, our Voldemort assessed the risk-return of making these Horcruxes and determined the pain and risk were reasonable. And he didn’t do this just once but seven times. Talk about building redundancy into your risk management plan.

In hindsight this was a smart move, for when he was trying to kill young Harry his physical body was destroyed; luckily, he had more souls in his various Horcruxes, which kept him alive until he could come back.

So what do you think? Risk Manager of the Year?

Sometimes in an effort to treat an issue, we generate a different risk or increase an existing one in the process. Many of us can relate to when the internal auditors come in, look at existing processes and weak controls and “strongly suggest” that management fix the problem. Quickly.

Management’s solution is often a series of manual processes and spreadsheet-generated reports plus workarounds that mitigate the initial risk (but more importantly close the outstanding audit point!) while creating countless more process waste and operational risks.

Here’s a real example from history, from the book At Home: A Short History of Private Life by Bill Bryson (Chapter VI – The Fuse Box).

“In 1939…Great Britain introduced stringent blackout regulations to thwart any murderous ambitions by the Luftwaffe. For three months it was illegal to show any light at night, however faint.”

According to the author, one could be arrested for smoking in a doorway or holding up a match to read a sign. Drivers drove stealth: not even lights on the dashboard. They had no idea where they were going or how fast they were driving. Cars drove down the middle of the road and collided with cars doing the same thing coming from the other direction. Similarly, pedestrians walked into “lampposts, trees and furniture”. People were dying and getting hurt all in an effort to not die or get hurt in a yuckier and different way.

In the book Bryson notes, “During the first four months of the war a total of 4133 people were killed on Britain’s roads” – double the deaths from a year earlier. Three quarters of these deaths were pedestrians. He explains that the Luftwaffe was killing hundreds of people a month without dropping a single bomb.

(Eventually some illumination was permitted and this craziness stopped.)

I guess the lesson to be learned is that we should think through our risk treatment strategies carefully while considering all downstream effects rather than implement some half-assed solution merely to check off a box on an audit report.

On the one-year anniversary of the death of Georgian luger Nodar Kumaritashvili at the greatest Winter Olympic Games of all time, emails have been released disclosing concerns about the luge track that claimed the life of the 21-year-old Georgian on the eve of the Games.

A year ago, I asked whether the risk management treatments which we implement were influenced by the emotion, timing and severity of the event. Are proactive treatments the same as those we take after someone dies? At the time it appeared as if the “stupid fast” corner where he died was an unidentified risk because organizers didn’t mitigate the risk until after the accident. However, emails written prior to the Games show that Olympic organizers were aware of the risks but chose to “Accept” the risk rather than “Mitigate” it.

If organizers had sat down to formally measure the impact and likelihood of this risk, their assessment would likely have reflected the comments made by Canadian gold medalist (in skeleton), Jon Montgomery, “As far as I am concerned, as far as a lot of my sliding compatriots are concerned, it is an absolutely freak accident that should, and probably will, never happen again.” Based on that quote, a fictional Olympic CRO would have placed the luge risk “bubble” in a corner: Impact = Catastrophic, and Likelihood = Unlikely.

Hindsight is a bitch. But it’s not fair to look back and say they should have treated the risk differently. Unfortunately, managers often don’t choose to treat a risk until after it becomes an event or, as in this situation, when someone dies.

I’ve said it before that I would rather know I have 100 risks which I am accepting or mitigating than think I have no risks at all and do nothing about them; having a risk management process is still better than the alternative. In the case of the Olympics, it appears that they knew the risk was there and chose to Accept it, which is slightly better than not knowing the risk was there at all, despite the outcome.

The Riskczar Philosophy on reputation risk is that it is a second order risk. This means the risk to your reputation or brand is not something that can be directly mitigated or insured against; it is harmed when some other “upstream” event occurs. You cannot actually prevent reputation risk, but you can prevent the events that cause it.

Let’s take a closer look at the Tylenol tampering crisis in 1982 when capsules were laced with potassium cyanide, killing seven people. The Tylenol brand was harmed and their market share dropped from 35% to 8% following the scare. Could this drop have been prevented?

Let’s imagine that in 1979, Johnson & Johnson, who manufactured the product, had conducted a risk assessment, identifying reputation risk as one of many risks. Let’s also assume that they had developed sophisticated models enabling them to quantify the financial loss of a catastrophic decline in market share like this. Having identified and assessed this risk, their next step would be to develop some action plans to mitigate, avoid, reduce, transfer or accept the risk of this drop in market share.

Well, how do you do it? Aside from buying millions of dollars of put options on your stock (which may not even be legal), I cannot think of any way of hedging the financial losses. When the brand is harmed, the public loses trust and they don’t buy your product any more.

Risks have causes and effects, so imagine a chain of events that looks like this:

Downstream cause x –> Downstream cause y –> Reputation is harmed –> Financial losses are suffered

Reputation damage has root causes as well as effects, so what you do is identify the root causes of the reputation risk and then develop action plans against those.

One technique comes from Six Sigma, called Five Whys, where we start with a question like: “What could cause financial losses?” then continue asking Why? (up to five times) to those responses until you determine the root causes. For example:

Tylenol loses market share and suffers financial losses (problem)
Why? Reputation is harmed (first why)
Why? Someone tampers with the bottle and with the pills (second why)
Why? There are no preventative or detective controls; and capsules can be pulled apart (third why)
Why? Design defects to box, bottle and pills (fourth why)

After completing this analysis, you can develop and implement action plans for the second, third and fourth whys which ultimately harm reputation and cause financial losses.

After the event, Tylenol stopped making capsules and began making caplets (preventative control); and they began using tamper-resistant packaging (detective controls) which we see today. J&J also did a fabulous job of damage control. They went public, recalled all products and saved their reputation. One might suggest their communication plan was also an effective control.

So remember, while you may not be able to protect your reputation (second order risk), you can do your best to treat the root causes.