Recently I had a discussion with a friend who is a colonel in the Army about the culture of risk among senior officers and, by extension, in management. The culture of risk is an important question for any organization.
To understand the culture of risk, we must first distinguish between two types of risks. Type One risk is where you do something that leads to an error or a bad result. It’s a reasonable assumption that the majority of our time in school and in higher education is designed to teach us how to reduce such risks.
Type Two risk is the opposite, it is the risk of not doing something that could be valuable. Of course, the two are linked: the more one reduces the risk of doing something, the more one increases the risk of not doing something valuable. The trick, unfortunately, is that we tend to focus more on the Type One than Type Two risks. On one level, this makes sense: after all, failure is very visible – a disaster, a lost war, a failed product launch, etc. In contrast, forfeited opportunity is invisible: we do not see what valuable things our caution has prevented us from doing, and no one is punished for not having invented something. Our education, liability laws and corporate governance structure push us towards a culture of Type One risk avoidance, i.e. to reduce the risk of failure (Sarbanes-Oxley anyone?). This obviously is a problem for innovation in the long term, but it doesn’t even reliably protect us. If it did nothing else, the financial crisis that began in 2008 has demonstrated that those institutions entrusted to manage risk failed to do so properly. In short, we focus on risk avoidance at the expense of opportunity creation, and we don’t avoid even risk very well!
Second, we must address the risk globally. In his book The Black Swan, Nassim Taleb showed that one of the fundamental errors of financiers was the assumption that their environment is governed by a so-called “normal distribution”, or bell curve. A real risk assessment, on the other hand, requires a complete understanding of an organization and its environment. One of the examples that Taleb offers is that of a Las Vegas casino. One would think that the very essence of running a casino is risk management, and that they would have a well-developed appreciation for risks of all types. Instead, Taleb relates a tale in which a tiger show, a hotel, a restaurant and of course the gaming tables all formed a magnificent business model. All went well for many years until one day the star tiger (raised by the trainer from an early age, who had given performances for ten years without any problems), attacked its trainer on stage and almost killed him. The casino naturally cancelled the show, its gaming revenues dropped dramatically, and the casino management thus realized that a key dimension of its business model lay outside its risk model. The casino saw itself as a gaming center offering a show, while the reverse was true: people came to see the show, took advantage of a cheap hotel room, and incidentally were lured into playing the tables. The enterprise risk was completely misjudged because the firm misunderstood the core of its identity.
Am I a part of your risk model?
Finally, it is important to distinguish between risk and uncertainty. This distinction was first made by Frank Knight, Nobel Prize winner in Economics, and author of the famous book Risk, Uncertainty and Profit. Knight distinguished between risk and uncertainty using concepts of probability. Risk characterizes a future with a known distribution or a distribution that can be estimated by the study of events over time. For instance, car insurers know how many 20-year old male drivers have accidents in Sweden each year. Uncertainty, on the other hand, characterizes a future whose distribution is not only unknown but objectively unknowable, even in theory. It particularly applies to entirely new, unexpected events, i.e. Taleb’s ‘black swans’. The probability of the collapse of the Euro, or of the invention of teleporation, can be imagined but cannot be computed in a meaningful way.
This means that for such entirely new phenomena, there is no historical data on which to extrapolate into the future. This novelty makes it difficult to rely on our knowledge, as such knowledge always relates to past experiences. Hence, “learning” cannot work. Like an Army officer, managers face normal, predictable risks in a lot of the their activities (routine tasks, repetition of events which, even if they differ, still belong to the same category of events, broadly known as the standard business environment). When uncertainty appears (combat against an hitherto unknown enemy, a disruption, “Black Swan”, etc.), an entirely different way of thinking must be adopted. Are we training our managers, civil or military, to manage risks? In my view, a little, but not very well – witness the failure of concepts such as Value At Risk, etc. Do we train them to manage uncertainty? Not at all, and this bodes ill for the future. It implies that they will do well in normal environments, but they will fail in uncertain ones or when faced with an intentionally novel adversary.
Develop a culture of uncertainty
More than a culture of risk, therefore, it is a true culture of uncertainty that we must help managers develop. In this area, we can learn much from entrepreneurs, because uncertainty is their daily lot. The first thing we must do (and that I do in my classes), is to show that uncertainty is not necessarily dangerous, it is also a source of opportunity. As noted by Peter Bernstein in his remarkable story of risk, uncertainty makes us free: it assures us that we are not prisoners of a future written in advance, or of a cyclical world where everything is only repetition. In the words of Gaston Berger, founder of the French futurology, “Tomorrow will not be like yesterday. It will be new and will depend on us. It is less to be discovered than invented.” This is the culture of uncertainty that we need to lay the foundations for. It is based on a creative design of actions and decision-making in the face of acknowledged uncertainty. The traditional paradigm of decision making is indeed that of choosing among a number of options. But in uncertainty, the role of the decision maker is not so much to choose among pre-existing options but to create these options. The paradigm of decisions under uncertainty becomes the creation of options and their implementation under uncertainty.
We educate managers mostly about how to choose among what is; in my vie, we should educate more to get them to design what could be.
More on the black swan here.
Silberzahn & Jones 
Phillipe, very interesting information. I specially value the difference you make between risk and uncertainty. I am a socio-cultural researcher and was wondering if you have evidence if this risk-uncertainty issue has any cultural foundation, as if…? Maybe something more present in the occidental world than in the oriental, or some countries more than others for some reason? And whether you think this point of view may aid in understanding the risk situation better?
Thanks, again very good article.
Hello
Thanks for your comment and your appreciation. This is a very interesting point. I haven’t explored the socio-cultural underpinnings of risk vs. uncertainty. This distinction comes, in part, from the entrepreneurship research and has been observed in different countries. Perhaps the need to calculate the odds is rather occidental, but again, this needs to be explored!
Best
Ph S.
Sorry but I tend to disagree with the notion that ‘”learning” cannot work” in case of uncertainty. Every uncertain event has something in common with others – our reaction on this as astonishment with different degree of it. The learning point here is to control emotions in order to take the maximum rational decision in uncertain environment.
Hello Alexander
Thank you for your comment. You raise an important point. Indeed, our ability to learn is linked to the degree to which the event is repeated. No learning can help to deal with an entirely event. But as you rightly point out, no event is entirely new, so there is always a degree of commonality. Hence, as Frank Knight observed, it is a problem of categorization. The key for a new event is to determine what is similar (to previous events), what is different, and what it all means. Then learning can help.
Thanks
Philippe thanks.
One of the most excellent examples which I have read about possibility to learn working with uncertainty was in McKinsey Quarterly interview with Head of group in Gov. for threats prevention. I will send to you reference as soon as I find it.
Philippe.
Please find the link for interview with US National Officer for warning.
https://www.mckinseyquarterly.com/Focused_on_foresight_An_interview_with_the_US_national_intelligence_officer_for_warning_2415
One of the learning point is that you have to be always ready for unknown. Readiness for me means preparedness.
Regards,
AK
Thanks for another excellent post. Your and Milo Jones’ work in getting the business community’s attention on managing uncertainty is a real service.
As you say, we’re obliged to help management develop a true culture of uncertainty. And yes, characteristics of successful entrepreneurs (culture creators and uncertainty warriors that they are) can be helpful in pointing the way.
In the case of successful, established companies, the job is more one of transforming than creating a culture. But their very success makes them highly resistant to such a transformation. Their existing culture permeates factors such as deep strategies, values, business processes, priorities, past hiring selection, etc. Backing out of this entrenchment and introducing significant change is only for the brave.
I hope that in future posts, you and Milo will lead us through a discussion of how we can best help brave managers navigate through the barriers to needed transformation.
How to assess the level of maturity of Risk Management in your company
By Horst Simon
All companies are practicing some level of risk management, either on a formal basis, with policies, processes and systems; or on an informal basis, without any risk management structure. Those who are not good at risk management or doing nothing about risk management will be exploited by those who are good at it, so it is time to do some “stock-taking” of your risk management capabilities.
To start this process an organisation first needs to get an accurate picture of the current level of risk culture maturity in the organisation. Various attempts have been made to do this and generally most revert to some kind of questionnaire or checklist approach linked to a scoring sheet that is eventually tabulated to quantify an overall score which is linked to a perceived level of maturity.
Although most inputs in any kind of maturity assessment are subjective, there is value in using a combination of approaches, but generally the outcome, due to human nature and perception, is always mid-point or average. These processes generally fail to identify specific weaknesses or action plans.
There is no standard definition for the different levels of maturity, but an interesting aspect is that most practitioners working on this use the concept of 5 different levels of maturity, this in itself also contributes to most consolidated assessment results ending up at mid-point.
The five levels of Risk Culture maturity have been defined as follows:
1. In a bad risk culture, people will NOT do the right things regardless of risk policies and controls
2. In a typical risk culture, people will do the right things when risk policies and controls are in place
3. In a good risk culture, people will do the right things even when risk policies and controls are not in place
4. In an effective risk culture every person will do something about the risks associated with his/her job on a daily basis
5. In the ultimate risk culture every person is a risk manager and will evaluate, control and optimise risks to build sustainable competitive advantage for the organisation
Risk Culture Building is the process of growth and continuous improvement in the way each and every person in an organisation will respond to a given situation of risk as to mitigate, control and optimize that risk to the benefit of the organisation. No two people will respond the same way to a situation of risk, the way any person responds to risk is influenced by a number of factors, the main ones are:
• Nationality & culture
• Childhood experiences (and formative environment)
• Work ethics, trust & honesty
• Education (and the way it was obtained)
• Work experience
• Religion and other spiritual thinking
• Attitude towards life (and death)
Once an organisation has established the level of maturity, the Board of Directors and Executive Management can commence the process of Risk Culture Building. It is not possible to implement risk culture in any organisation; it is a process of building, starting at the top. There are no best practices that can be implemented, the risk culture must be built upon the underlying corporate culture, so each risk culture building process is organisational specific and unique. Risk Culture Building is thus a process of change to instill new behaviours in the workforce, both the behaviours the leadership want to encourage and the behaviors they want to avoid.
Addressing the aspect of people risk is the only way an organisation can improve the results of how their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.
The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour, as mentioned, both the behaviours we want to encourage and the behaviours we want to avoid. Organisations should frequently evaluate the progress (or regress) they are making on the path to maturity and implement action plans.
Horst Simon is the Director of Risk Management at Horwath MAK. He is based in our DIFC office and delivers Risk Management Consultancy and Training services to all industry sectors. He is also a regular speaker at International Conferences on Risk Culture and other Risk Management topics.
How to assess the level of maturity of Risk Management in your company
By Horst Simon
All companies are practicing some level of risk management, either on a formal basis, with policies, processes and systems; or on an informal basis, without any risk management structure. Those who are not good at risk management or doing nothing about risk management will be exploited by those who are good at it, so it is time to do some “stock-taking” of your risk management capabilities.
To start this process an organisation first needs to get an accurate picture of the current level of risk culture maturity in the organisation. Various attempts have been made to do this and generally most revert to some kind of questionnaire or checklist approach linked to a scoring sheet that is eventually tabulated to quantify an overall score which is linked to a perceived level of maturity.
Although most inputs in any kind of maturity assessment are subjective, there is value in using a combination of approaches, but generally the outcome, due to human nature and perception, is always mid-point or average. These processes generally fail to identify specific weaknesses or action plans.
There is no standard definition for the different levels of maturity, but an interesting aspect is that most practitioners working on this use the concept of 5 different levels of maturity, this in itself also contributes to most consolidated assessment results ending up at mid-point.
The five levels of Risk Culture maturity have been defined as follows:
1. In a bad risk culture, people will NOT do the right things regardless of risk policies and controls
2. In a typical risk culture, people will do the right things when risk policies and controls are in place
3. In a good risk culture, people will do the right things even when risk policies and controls are not in place
4. In an effective risk culture every person will do something about the risks associated with his/her job on a daily basis
5. In the ultimate risk culture every person is a risk manager and will evaluate, control and optimise risks to build sustainable competitive advantage for the organisation
Risk Culture Building is the process of growth and continuous improvement in the way each and every person in an organisation will respond to a given situation of risk as to mitigate, control and optimize that risk to the benefit of the organisation. No two people will respond the same way to a situation of risk, the way any person responds to risk is influenced by a number of factors, the main ones are:
• Nationality & culture
• Childhood experiences (and formative environment)
• Work ethics, trust & honesty
• Education (and the way it was obtained)
• Work experience
• Religion and other spiritual thinking
• Attitude towards life (and death)
Once an organisation has established the level of maturity, the Board of Directors and Executive Management can commence the process of Risk Culture Building. It is not possible to implement risk culture in any organisation; it is a process of building, starting at the top. There are no best practices that can be implemented, the risk culture must be built upon the underlying corporate culture, so each risk culture building process is organisational specific and unique. Risk Culture Building is thus a process of change to instill new behaviours in the workforce, both the behaviours the leadership want to encourage and the behaviors they want to avoid.
Addressing the aspect of people risk is the only way an organisation can improve the results of how their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.
The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour, as mentioned, both the behaviours we want to encourage and the behaviours we want to avoid. Organisations should frequently evaluate the progress (or regress) they are making on the path to maturity and implement action plans.
Horst Simon is the Director of Risk Management at Horwath MAK. He is based in our DIFC office and delivers Risk Management Consultancy and Training services to all industry sectors. He is also a regular speaker at International Conferences