Risk: The Follow-Up

Yesterday, out of sheer frustration with the poor quality of popular discourse concerning corporate risk-taking, I wrote an article breaking down what so many commentators get entirely wrong about risk management. I also explained why anyone working client-side should treat advice provided by those without skin in the game with caution; even if they happen to be correct (unlikely, but for the sake of the argument), they are playing a completely different game with completely different rules.

The feedback, both public and private, was very good - and I am of course very flattered by that. However, a couple of points were raised that I found so interesting as to warrant elaboration.

The ISO objective problem

Dave Snowden noted that ISO 3001 was part of the problem given that it starts with objectives. Doug Garnett concurred, adding that standard practice such as that promoted by the framework is a serious problem in businesses around the world. As usual, both gentlemen are correct.

ISO is, per definition, standard practice; the acronym stands for the International Organization for Standardization. It is perhaps not entirely obvious that it would do, but the story goes that it is derived from the Greek word "isos" (meaning "equal"). To me, it appears more likely that the members could not agree on what language to use and therefore compromised (lest it be IOS in English, OIN in French, etc.), but that is speculation on my part.

I digress.

What makes objectives as standard practice problematic, then? In a word, context. Standard practice works in ordered and ergodic (repeatable) situations. In predictable manufacturing processes, for example, generalized rules and principles such as "wear a hardhat" can mitigate the downside risk involved in getting a wrench dropped on one's head. The issue is that most corporate situations, particularly in strategy and innovation, are not ordered but complex; practice is thus novel. To quote Dave's own award-winning piece A Leader's Framework for Decision Making (written together with Mary E. Boone for Harvard Business Review in 2007):

As in the other contexts, leaders face several challenges in the complex domain. Of primary concern is the temptation to fall back into traditional command-and-control management styles—to demand fail-safe business plans with defined outcomes. Leaders who don’t recognize that a complex domain requires a more experimental mode of management may become impatient when they don’t seem to be achieving the results they were aiming for. They may also find it difficult to tolerate failure, which is an essential aspect of experimental understanding. If they try to overcontrol the organization, they will preempt the opportunity for informative patterns to emerge. Leaders who try to impose order in a complex context will fail, but those who set the stage, step back a bit, allow patterns to emerge, and determine which ones are desirable will succeed.

A couple of things stand out against the backdrop of yesterday's post: defined outcomes (objectives), failing to recognize that one is dealing with complexity (systemic uncertainty), and trying to impose order (enforcing standard practice). And, again, I completely agree with his views. In complexity, the correct approach is to begin with a direction, not an objective, goal, or target. I have made the same argument many a time over the years.

My point was merely that a standard definition of the key technical term (risk) exists and, for better or worse, is widely used. As I noted via reference to my own article The language of marketing is so imprecise as to be almost meaningless (MarketingWeek, 2021), this is rarely the case. Thus, as flawed as the relevant definition may be, we at least have a baseline of sorts against which the even worse claims made by the uninformed may be contrasted.

Additionally, given that the key is not to be found in the objectives, but the uncertainty (which is why I barely mentioned the former but elaborated upon the latter), I thought it acceptable for the overall argument.

Fat tails, defensive decision-making and portfolio design

Ian Snape replied that while he enjoyed my post, he would like to see a bit more elaboration on "fat tails, how to create systems that don't overly reward defensive political decision making ... and the benefit of coupling risk [and] opportunity in portfolio design". All are, of course, rather large topics in and of themselves, but I will do my best to be (decently) concise.

Many real-world events, as?proven by Benoit Mandelbrot, display distribution patterns that are not?Gaussian?(shaped like a bell) but?Paretian?(shaped like a banana). The events with the highest frequency sit on the left side of the graph: the 20% that provide 80% of the impact per Pareto rule fame and subsequent management consultant misinterpretation. But then there is a long tail of events that also exist within the adjacent possible, most of which we are unable to foresee.

Historically, firms (whether via their strategy or risk management department) have dealt with the issue of the long tail of possible events through robustness. That is to say, they hone in on a few key aspects that they perceive themselves able to control, and imagine that as long as they do them well enough, the rest will become irrelevant (usually manifested in so-called strategic focus, heavy buyer fallacies, and so on). The modus operandi is so prevalent that it causes defensive decision-making - it is self-evidently not the best approach, but it is the most easily defensible.

The problem is that robustness inevitably leads to strategic drift (a gradual deterioration of relative competitiveness that results in a catastrophic loss of performance due to a failure to adapt to changes in the business environment; what David Woods would call decompensation). A superior approach is therefore to recognize that certain parts may be more or less stable at any moment in time, but that other parts may never be. For companies, this means that while there will be aspects of the business that they know rather well (their present core), it will nonetheless remain important to run coherent safe-to-fail experiments at the edges. In so doing, they may not only discover previously unknown opportunities and risks, but also create necessary resilience over time.

Here, the strategic exercise (much as Ian alluded to) is a balancing act. In investment firms, it is sometimes referred to as a Taleb's barbell - allocation of funds into both non-risk assets and high-risk assets with positive asymmetries (low investment, high upside) - though it may be worth emphasizing that experimentation does not have to be exclusively high-risk, high-reward. In complex contexts where there is input-output asymmetry, small actions that appear to have little groundbreaking potential when first taken may end up providing exponential growth; radical innovations and breakthrough events can emerge from entirely unexpected sources.

The larger point is that companies benefit from constant exposure to primarily safe activities and a few risky ones, so long as they may survive the latter failing. It is for this reason that the exposure ought to be constant and parallel, not temporary and linear (i.e., exposing the entire company to safe activities most of the time, but occasionally to huge risks that could bankrupt it). Safe-to-fail experiments are not about reducing frequency of downside but the impact thereof, which is why it is so important to consider them not merely individually but collectively. Or to put it differently, as I often do with clients, one must factor in both depth and breadth of cost. And to be clear, the same principle applies to portfolios of projects as well as portfolios of, say, companies.

The conundrum with the "always make big bets" crowd - to bring the conversation back to yesterday's starting point - is that their advice only is safe to fail for them, not their clients, and falls into the trap of linear experimentation. The proverbial barbell, to the extent that it exists at all, is thus entirely out of balance; the negative risk exposure is so strategically inane that it becomes unacceptable. The talking heads' fundamental lack of relevant knowledge practically ensures that most companies that heed their advice will be heading into very treacherous waters indeed. In a world of clickbait headlines and survivor biases, their words may appear alluring, but outside of it, they are revealed to be no more than a Siren's song.