In the last couple of decades, the topic of risk management has received a lot of attention from consultants, analysts, corporates, governments and academics. Yet somehow or other, corporations and governments keep stumbling over risks that subsequent analysis shows were identified at the time and could have been prevented or mitigated. What is going on? You would have thought that, with hundreds of initiatives and publications about risk management applied to everything from finances, project management and supply chains to digitalization, this would not be happening.
Risk is a good thing, the engine of progress. In some cases, poorly managed risk advances later progress, because companies that perhaps even unwittingly succeed in a risky environment do so by being creative and doing new things. If they had managed risk, they might not have taken the initiative. We can see this pattern in areas such as the development of the railways in the 19th Century, airframe manufacture (e.g., the Boeing 747), and pharmaceuticals. Sometimes the risks are associated with complex projects, sometimes with complex and new products, and sometimes with human behaviours (e.g., will customers or investors actually buy into this thing that we are creating, as in the case of the Sony Walkman?). In many cases, the pay-off is best for companies or individuals who identify that others are steering clear of a risk, and so decide to “jump in”.
This problem of which risks to take has been sanitised into the idea of “risk appetite”. Yet it is often the projects or products which infringe the “official” risk appetite of a corporation or other entity that are the most successful – hence the idea of skunk works. That’s because the dead hand of bureaucracy may push back against a risk which looks too great or simply can’t be quantified, whereas those taking the risk (as individuals or in the culture of their department) may be closer to the domain in which the risk is being taken, and so have a better idea of whether there really is a risk and what the pay-off may be if it comes good. Hence the idea of applying the portfolio approach to risk.
So, is it bad news, for example, that small and medium enterprises lack the knowledge, resources and reliable tools to support risk management, as academic research shows? Should we be worried that financial services are particularly vulnerable to the risk of fraud, particularly in areas such as financial technology and loans, as academic research also shows, when it is the high returns generated by the finance sector that attract competitors and investors as well as fraudsters? (They are not separate categories, by the way: competitors and investors often use fraudulent approaches to maximise their returns, while the high rate of insider and collaborative fraud indicates the success of the financial sector in attracting evilly-innovative people.)
My view is that we should accept risk as an intrinsic and highly valuable part of the way capitalism works. It is the polar opposite of communist-style planning – and we know where that ended up! There is no neat dividing line between good and bad risks, although they are clearly different at the extremes. Minimising risk, so often advocated by risk experts, is not necessarily a good policy. There has been almost no research into the effectiveness of enterprise risk management and its effect on firm performance, for example, as academic research demonstrates. In this respect, enterprise risk management is like so many other management totems, such as quality, customer-orientation, zero-based budgeting and just-in-time inventory management. They work some of the time, and they may work best if they become part of the culture of an organisation rather than being managed centrally. The idea that risk management is about identifying risks and then deciding which ones to take, according to a company’s risk appetite, makes the brave assumption that risks can be identified, mitigated, shared or avoided, all before they occur. Life is rarely so simple. Some risks (positive or negative) are “famous” precisely because the pay-off or damage caused by taking them was simply much larger than anyone expected.
The information relating to risks and their positive or negative consequences often emerges at the last minute, sometimes only once a risk has materialised. The neat categorisation of risk (e.g., into strategic, financial, governance or operational) is precisely the kind of narrow-minded and over-categorised thinking that can lead to a company falling behind. That’s the problem with the ISO’s five-step risk management process – risk identification, analysis, prioritisation, treatment/response/mitigation, and monitoring. It’s a kind of Soviet approach.
It’s this kind of approach, applied not just to risk, which leads to the failure of many business plans. The alternative, especially in an era of artificial intelligence, is to apply a real-time analytical approach to business data, identifying a range of things such as performance and risk, combined with rapid response to risks and opportunities. Training AI to deal with this would of course involve looking at lots of case studies of past risk and performance. It would also involve recognising that risk signals usually reach the front line first, and so that’s where response and control should lie. Greater front-line involvement in the management of risk and reward should surely lead to a more effective approach. This way of managing risk is characteristic of high-reliability organisations in areas such as aviation, defence and nuclear power.
Merlin Stone is Principal at Merlin Stone Consulting and Honorary Professor at St Mary's University. He carries out research and editing projects, mainly in areas of economic and social importance, and mentors and supports individual managers, small companies and individuals.