As the title lyric of a song originally recorded in 1939 by the iconic Ella Fitzgerald states, it can matter just as much how you do something as what you do. The goal or purpose may be essential, but is subject to a failure of execution, as the result of which bad things may happen.
The natural tendency in such cases is to assume that the failure was one of process, but what if there is more to it than that?
Consider “Risk Management”, which now has various paradigms, including “lines of defence”, “enterprise risk management” (ERM), tail VaR, and “emerging risk committees”, yet frequently fails when severely tested.
Perhaps this is because its basic approach and orientation are flawed, as Steve Denning provocatively argued in a recent article for Forbes (Ten Reasons Why Risk Management Increases Risk).
Denning’s basic premise is that very often the real risks to an organization are not “somewhere out there”, but within the organization itself: the product of a top-down, bureaucratic approach both to management in general and to the way in which Risk Management is approached, which creates a false sense of comfort, but in reality increases rather than decreases risk.
In a VUCA (Volatile, Uncertain, Complex and Ambiguous) world, such complacency poses an existential threat.
One key point that Denning makes is that Risk Management generally assumes that markets are complicated (and so, with effort, predictable); whereas, in reality, most are inherently complex and so unpredictable. In such an environment, theories and models are of little use, because the only way in which to understand what is going on is to interact with a complex system, see how it behaves, and adapt accordingly. As we have seen with the reactions to the potential coronavirus (Covid-19) pandemic, complex systems do not have linear outcomes.
Similarly, decision-making can be flawed because it is non-iterative: essentially a binary “go/no go” mentality, rather than iterative and responsive to changes in environment and outcomes. Of course, (re)insurers may well argue that they do adjust their behaviours depending upon experience; that is almost an article of faith. However, what if their basic premise of being in a particular class of business is, in itself, a failure of decision-making, because of a refusal to admit that some commoditized lines of business are irredeemably unprofitable for the camp followers, who simply go along for the campaign, and hope to profit from it?
Another flaw in traditional Risk Management is the tendency to centralize oversight, control and “prediction”, even if lip-service is paid to the concept that the “first (business) line” is primarily responsible for monitoring and managing risks assumed. In reality, the existence of a seemingly well-staffed ERM function tends to mean that everyone assumes that someone else is responsible for managing risk, so nobody does.
Perhaps the abiding sin of Risk Management is that it is seen in purely preventative, negative terms. Only bad things can happen, so we must protect ourselves from harm at all costs. Risk aversion is endemic. In reality, risk is not always a four-letter word, because there is equal risk in failing to focus on opportunities. In Denning’s telling phrase: “the label of ‘risk management’ needs to be subordinated to opportunity management”. One may argue about the relative weights to be applied, but the point is important if Risk Management (including within (re)insurance) is ever to help create value, rather than stifle or destroy it.
In our view, Risk Management is an holistic, devolved and flexible construct, in which the entire Team is involved, rather than a siloed, hierarchical one. Silos and hierarchies are themselves sources of risk.
The Awbury Team