I recently conducted a webinar series for IACCM on Risk Management (RM) and asked the following question – What is common between Hurricane Katrina, Hurricane Sandy and the Boeing 787(Dreamliner)? I also predicted that the 787 would probably be grounded by the FAA and they did exactly that. While you are thinking about it, let me share some thoughts on them – these are/were disasters of epic proportions that in the case of the first two have already caused significant havoc. The impact of the 787 on Boeing is yet to be calculated. You would have thought that the leaders in all three situations would have some kind of risk measurement/analysis/mitigation processes/procedures/studies in place that would have warned them of what might occur and allowed them to take the necessary precautions to either prevent or reduce the event from occurring or have appropriate plans in place to manage the fallout from the event?
Would you be surprised that in all three cases, the events that occurred and the aftermath were all known??? The levee situation in New Orleans had been studied ad nauseum and the impact of a major storm had been known for a long time. New York had commissioned various studies to know what a major hurricane might do years before Sandy and the studies had predicted exactly what occurred. The risks associated with the 787 had been known and talked about and studied inside Boeing almost 10 years ago! So it wasn’t a lack of Risk Management tools/process/templates/artificial intelligence scenario planning or your favorite Risk Management gizmo. The risks were all known, quantified, analyzed, templated, studied, processed, powerpointed, exceled, and various meetings were held where all these were discussed and pontificated on. Let that soak in for a few moments!!
All of the effort in Risk Management is a total waste unless it impacts decisions and behaviours-Adoption!! Simply putting the RM “tools” in place offers absolutely nothing. In fact, it probably leads to a false sense of security which will actually increase the risk to the organization. We have worked with way too many organizations helping them develop and roll out RM and our biggest challenge is always convincing the client of that inherent flaw in their thinking. Most of the effort is invested in designing the perfect RM “process” and very little time in evaluating whether it will actually impact decisions and behaviours.
Not that I’m advocating stopping any efforts you may have going on in the area of RM. What I am advocating is to start with the governance and decision making around RM and then work your way backwards to the right tools and processes. Unfortunately, most organizations end up going at it the exact opposite. How decisions will actually get made is at best an afterthought. Making sure that you have the right governance in place is far more critical because then you can design the appropriate RM solution such that it actually drives decisions and behaviors. Otherwise, I can predict with a high degree of confidence ( I just ran it through my latest RM Razzle Dazzle Gizmo) that just like Boeing, you will probably end up with a very sophisticated analysis and very unsophisticated actual RM.
What the above approach will also accomplish is to help change the context around RM. By starting with the goal of impacting decisions and behaviors and therefore initiating your design with the governance and decision making, you will be forced to understand the context around RM in your organization. And if context always trumps content, then it’s not a bad place to start? Remember, your goal is not to control the environment but to have an environment in control and to accomplish the latter, context is far more important than content.