We have known forever that all things worth doing entail risk. Climbing mountains, founding companies, building bridges, travelling to space. Somewhere along the way, though, we have been infected with a mind-virus: Risk is bad. We believed that if we created enough risk departments, hired enough compliance managers, published enough frameworks, and filled in enough paperwork, we could make risk disappear. We could simply manage it away.
Over time we have become more and more risk-averse. We worry about reputation, about adverse media exposure, about social shame and public humiliation far more than we care about real-world consequences, and far more than we care about what happens when we don't take enough risk.
We define risk as belonging to two categories: Category 1, and Category 2.
Category 1 is what we might call real-world consequences. Death, an insolvent company, a data leak, a faulty product that harms its users, an oil spill, a misdiagnosed patient.
Category 2, on the other hand, is the institutional, legal, reputational and political fallout of these Category 1 risks. A court of inquiry, a media scandal, loss of public support, political questions in Parliament, reputational damage.
Because of our human nature, we fear these social consequences far more than we fear the real-world consequences they are associated with. People fear public speaking more than they fear death. There are few things we fear more than public humiliation.
As a consequence of this increased fear of Category 2 risks, we create fragility and blame culture where we try to minimise all risk. Common reactions to accidents and inquiries have been to increase the level of accountability; to hold individuals responsible, and to ensure that individuals cannot hide behind committees and policy. All this has achieved is a blame culture, and a far greater level of risk aversion. As a result, organisations and institutions take fewer risks, leading to what we term "capability debt", which leads in turn to much higher Category 1 risk in the future.
This bureaucratic creep has led to the creation of the illusion of control, and the creation of endless policies and processes, where the connection to the Category 1 consequence they are seeking to mitigate is tenuous at best.
We believe that risk is good. All "good" things, all things worth doing, entail taking risks. Being alive entails risk. Organisations and individuals that do not take risks will ultimately wither and die, or fail themselves into non-existence.
Excessive policy and excessive compliance lead to institutional blindness. Over-control kills all innovation, all risk-taking, everything that breathes life into an organisation, and everything that maintains its ability to react to an ever more uncertain future. Worse, when well-meaning individuals within an organisation feel they are stifled by bureaucratic policies with no connection to reality, they will seek to circumvent policy, often unknowingly opening the organisation up to greater Category 1 risk.
If you manage risk in the wrong way, you create capability debt, and in the end, dramatically increase the risk that your organisation will fail.
If you manage risk in the right way, it helps your organisation take bigger risks, and ultimately, to succeed beyond your greatest expectations.