I’ve been giving the practice and best approach of managing risks a lot of thought lately, and I’m seriously wondering whether or not we’re not trying to solve the wrong problem when trying to install risk management systems in the way we’ve been going about it in the past 20 years.
The wrong problem
Past and current thinking on risk management implementation goes something like this:
- There are risks out there;
- Some of these risks may impact my operations;
- But I don’t know which ones and what their relative importance is;
- So I need to find a way to identify them;
- And evaluate them and rank or prioritize them;
- In order for me to allow for best resource allocation to solve the issues;
- Or at least as many as my funds available for risk mitigation will allow.
And so we impose a risk identification framework on our organization. There is however, one problem. An organization is a complex structure of people which all have their own, very unique view of reality and the risks this reality entails. Hence, the exercise just became a lot more complicated.
Resistance is futile
As decree up on high, risk management will be implemented. So people go about it just like they go about implementing any other decreed new system. They go through the motions but don’t really “get” the system or its added value. Case in point: most human resource systems are, when considered from a technical point of view, very well thought out and could, if used correctly, really add some value. However, people just go through the motions and don’t really get all the value out of the systems. In addition, systems are used in error and timing or even content is not optimal for its intended purpose. In this way, assessments are not based on pre-discussed metrics or don’t find their way in time to the management table where they could have a significant impact on a promotion decision … Because systems are not used well, their added value does not come to the fore and we end up not using or supporting them to the best extent possible. And the systems die a slow death. It may be the same with risk management implementations. They are issue centric, but not user centric. And given that the real added value comes from making the user realize his or her real exposures, it may be that we’re really approaching this the wrong way.
The alternative: user centric risk management systems design
What a mouth full! But what it really comes down to is this: we need to make sure that the risk management systems we implement are usable from the user perspective instead of solely from the business perspective. This means that we need to assess how the user actually is confronted with risks and allow for obiquitous capture at that moment. This will be the subject of further posts, but I wanted to put the idea out there.