You are doing “Risk-Based” what? Do not be irresponsible!

Most western definitions of risk say something like “the chance of injury or loss.”

“Risk-Based” anything is problematic and irresponsible. Here is why:

Chance:

To understand chance, you have to understand the likelihood: the probability of something bad happening under a multitude of scenarios. You must also have a complete understanding, backed by significant data to establish variability and validate assumptions, of all related dependencies among components of a system that could generate cascading consequences.

Injury or Loss:

It is human nature to predict injury or loss based on underlying emotional factors, which can often play a bigger role than a rational analysis of the facts. For example, a person who feels anxious about the potential outcome of a risky choice may choose a safer option rather than a potentially more lucrative option. This can become a risk in itself. If your ultimate assessment of risk is based more on emotions than facts, you may attribute much more, or much less, risk to a situation than there is. And getting risk wrong is risky business. Not to mention the well-known and acknowledged optimism bias.

And there is groupthink, the phenomenon that happens when people come together in groups to make important decisions. In the context of risk management, groupthink further undermines our ability to be objective, since groups end up taking more risks than their members would individually.

Are you being irresponsible?

I challenge you to look at any disaster. All of them are the result of cascading consequences. Katrina was a major hurricane, yes, but it was the levee breach and the failure of the pumps designed to keep water out of the city of New Orleans that caused the catastrophe. 

Most companies have a pandemic plan among their continuity plans, but decision-makers probably rolled their eyes and said “this will never happen” and “is this necessary?” when called on to talk about these plans. As a result, during the Covid-19 pandemic, corporate responses were more crisis management than business continuity. This makes the risk of risk-based planning painfully clear.

What is happening with our response to the pandemic should be a lesson learned for all of us. We need to stop doing risk-based analysis and start doing consequence analysis during planning. We must include unknowns in the consequences and identify breaking points so that we can best manage our liabilities. 

We need to realize that we cannot fully understand or calculate risk: the biases are too many, including individual and group behavioral biases and corporate culture.

Consequence-Based Decision Making

Assume that the risk has materialized. Whilst with a risk-based approach you admit that risk is inevitable, the consequence-based approach disregards the likelihood of an event and therefore rejects the notion of risk. For example, a hacker would exploit the weakest link to progress their elevation of access. By pursuing a consequence-based approach, we assume that hackers are already inside the company and have privileged access.

Consequence-based decisions are made to eliminate the risk rather than reduce it to an acceptable level. This is a cultural shift for most organizations, but if done correctly, it will contribute to an overall resilient organization.


Adrian Owen Jones, CFRE

Partner at Success Labs - We Build Better Leaders, Better Teams, and Better Organizations | Gallup-Certified Strengths Coach | Certified Fundraising Executive | Keynote Speaker | Lifelong Learner

3 years

This is so helpful, thank you Andres! I love what you say about consequence-based decision making. This is the approach we recently took on our risk register and it was a valuable exercise!

Andrew Mason

Director at Logical Resilience Limited

3 years

I used a similar ‘consequence-based’ approach to risk, starting from the risk or event happening. I did not discard likelihood though, and used it in conjunction with the level of impact, producing a ‘net risk’ map. Helped build resilience, informed strategy, plans and exercise scenarios. #logicalresilience

Chris Green

Organizational Resilience | Business Continuity | Crisis Management | Enterprise Risk Management |

3 years

As unlikely as it seems, I am actually going to agree with Mark Armour about something - I make consequence-based decisions every time I drive a car: that does not eliminate the risk of being injured in an accident. My decisions may reduce the potential outcomes, but they are not 'eliminated'.

Mark Armour, cABCF

Changing how resilience, business continuity and organizational preparedness are practiced and perceived

3 years

Thank you Andres and well put. The only thing I would challenge is the statement “Consequence-based decisions are made to eliminate the risk rather than reducing it to an acceptable level.” As you state earlier in the article - this approach is based around the assumption that the risk has already materialized. I don’t believe that planning for a consequence eliminates the risk so much as it improves the outcome when risks occur.

Don Gleason

★ Action for outcomes, not outputs ★ Transformer & Team Enabler ★ Owns ?? Relationships ★ Interim / Fractional Executive ★ CIO-CTO-ITG-BTO-PMO ★ Adviser ★ Board Member ★ M&A Tech Due Diligence ★ BCP ★ Program Executive ★

3 years

Great points, Andres Calderon ... organization resilience doesn’t occur with happenstance, it happens through comprehensive continuity planning. Kudos, my friend!
