I've just finished looking through the updated risk register. It's a solid, comprehensive piece of work. And it misses the point in a big way.
The reason I say this is that it's mostly about catastrophic risks. And it is mostly about risks to avoid. These are of course important, and they are not hard to visualise, whether they be exploding drilling platforms (BP), hacker attacks (Sony Pictures) or beefburgers made from horsemeat (various UK supermarkets). The danger is, though, that because these sorts of risk are so vivid, they distract our attention from a different type of risk.
Just like Donald Rumsfeld's famous "unknown unknowns" the risks which will kill us are the ones we don't know we aren't taking. More specifically, it is the risks we ought to be taking in order to move the business forward, but are not. New products, new markets, new processes or business models... we need these to secure the business long term but it can be hard to notice when we aren't taking as many of these risks as we could, or should, be. We can identify risks in what we are currently doing, or in proposals put forward, but what do we know about the proposals that aren't put forward, the children that aren't being born?
The problem is particularly acute because, as humans, we are biased against the risks of trying new things. If someone offers a gamble on the toss of a coin, heads we win $120 tails we lose $100, then we don't need a maths degree to know that we should take it, provided we can play as many times as we like. Yet experiments have found that almost nobody will take such a bet. You need to offer a win of $250 or more to persuade people to risk the loss of $100. Nassim Taleb calls this sort of bet a "convex risk." You could also call it "the only sort of risk that produces progress."
This natural risk aversion is a problem in itself, but the organization adds to it. We've talked about our attitudes to "failure" already, and the way in which we have difficulty trying things for which success isn't certain.
To sum up, preventing and avoiding risks (particularly the catastrophic ones) is what keeps us where we are. Taking (different sorts of!) risks is what enables us to move forward. We have a big sophisticated infrastructure working on the first task, but it isn't doing anything to help with the second. If anything, it may be creating an atmosphere of risk aversion which deters from taking the necessary sensible risks. If we could become as sophisticated in dealing with the risks we should be taking but aren't as we are in dealing with those we should be avoiding or mitigating, the future would look a lot more exciting.
Do you qualify for your own Memo to the CEO? Find out here.
