Risk Management Beyond Heat Maps

This is not another one of those articles which goes on criticizing how poorly heat maps with their rather deceiving elements of likelihood and impact perform in real situations. The argument has developed to a higher level to developing a tool which will make this transition into a new schema which performs better than "Risk = Impact X likelihood", something brings forward real rationality. Having said that, no!, I am also not interested with the confusing narrative of risk culture, precisely because this type of culture makes risk management an end process, which is not our objective, but rather quite the opposite the objective is to take risks.

Let us set aside the first contradiction of risk management, it is popularly argued that the term risk management is about taking risk as it includes concept of management, this is not how it is actually done. A typical process of risk in a sequence is identifying objectives, identifying risks to the objectives, measuring and ranking risks, developing risk treatment plans and monitoring performance. Risk taking is part of objectives process which I will try to explain in the rest of this article.

To formulate something meaningful I would start from explaining the purpose of risk management. We all can agree that risk management is not an end process, so what is it? Risk management is a process which serves objectives, without becoming an objective in itself, which means it should be applied in a way which makes use of it without becoming it. This is an important distinction which we must keep with us as we move forward with this line of argument.

If we deconstruct risk, we will see it’s an empty word, that is to say it’s without meaning, a useless determination without seeing it through a context. We must then determine this context within which risk exists, e.g. an industry, an organization, a business model, product etc.

But an important question emerges here; are the objectives already not calibrated for risks? Well actually they are, at a different level; the process of developing objectives is influenced by our behavior and in making choices we are already calibrating certain risks, this process gives out risk calibrated objectives. 

Determination of objectives can be understood in its transitory state, which means that another process exists before these objectives which shapes these, and while objectives in them self are an end, they are not an absolute goal but rather it’s a position which is aimed, this position which is a condition for further goals. In this determination, objectives become a transitory shape, which are shaped from a direction selected from multiple choices, in making which the subject is already assuming risks. The management of risks therefore should be those risks which are accepted.

As objectives are a transitory state, or positioning, this also create risks which are related to selected direction which already includes risks which are accepted through choice, this new position in itself influences the multiplicity of directions not just internally, but through external environment, which exists within the context.

If we schematize the above discussion, we will need to understand its elements. First of which is consequence, but not in a negative way, we should understand its reactionary sequence which would follow if an action is taken. In its negative form we would move back to the position we are trying to move away from, which is risk as an end process. Its second element is exposure, which gives meaning to consequence. Nassim Taleb in his book about fragility, the idea behind fragility is similar to exposure. Exposure in itself is not a risk, but actually how much exposure can you take without giving in to this force of exposure, which then breaks things down. This property is inherently internal, but it externalizes itself when faced with consequential antagonism.

Simply put, this schema is Risk = Consequences X Exposure

Consequence and exposure can be identified and measured meaningfully to determine risk; however, there is a fundamental problem here. As I discussed above risks are already taken/assumed when objectives are determined, or in other words, these risks are fundamental to these objectives. This can also be developed as, taking risks is same as setting objectives, and if objective setting is a transitory stage, which is to gain a certain position for further development, is another way of saying taking certain risks is necessary to gain an advantage. And while this development in just a constant inward turning into itself, it can be concluded that decisions, choices, objectives cannot be separated from risk.

Risk management operates within framework of developing objectives, decision making, choices, and the schema described above is at play simultaneously through the subject. This creates a contradiction to how we learn risk management, where objectives are a constant, a given, an unquestionable, immovable condition which we cannot challenge, but actually that type of management is not management at all, it’s only a meaningless task, with sophistry of probability and impact. Instead of creating risk managers, managers should learn about risk and become accountable for it. Risk management is not a sign off job when certain risk levels are breached, a sign off by the risk manager mends the damage, after all one who is hiding the risk is cleverer than the risk manager, and is assisted by abusing the concept of probability.