There are many well-used, almost clichéd phrases in the English language that contain powerful messages for the risk manager. Some that come to mind include:
Every cloud has a silver lining: If we suffer a risk incident, we can usually find value, especially if we manage the incident really well and learn from our past mistakes.
What doesn’t kill you makes you stronger: Failure is good, as long as we fail within our risk appetite, fail fast, fail with minimal damage and most importantly, learn from our failures. This will only make us stronger in the long term.
And my favourite…
Prevention is better than cure: It is better to practice proactive, preventive risk management rather than reactive firefighting risk management.
I am currently working in Istanbul and on arriving in mid-July, there are many Turkish flags flying around the city to mark the one-year anniversary of the attempted coup that was successfully quashed. 15 July 2016 saw a short but violent and disruptive civil unrest which caused disruption to the workings of the city and the people and organisations that operate here. One year later and it is evident that there is a renewed focus on business continuity and disaster recovery planning in the wake of those experiences. This reflects the first two clichés and should end up making businesses in Turkey more resilient. However, it does bring "prevention is better than cure" into focus in that if we were practicing good preventive risk management, we should already be ready for incidents that arise.

Often in risk management, we need a major event to wake us up and to get our house in order. This arises from a common human trait of not adequately assessing or managing risk until it happens to us. A favourite Australian saying “she’ll be right” is often used when we want to do something and someone mentions a risk and we downplay it and go ahead with the activity anyway.
These incidents we suffer can have value as implied by the first two phrases “Every cloud has a silver lining” and “What doesn’t kill us makes us stronger”. However, I think if we practice excellent risk management the last phrase is the most powerful: “Prevention is better than cure”.
If we can understand the risk BEFORE we suffer an incident and we manage that risk early on to prevent it from happening in the first place, this must be better than waiting for an incident before we act and learn.
If we are to move our risk management practices to be proactive, we need to:
- Understand the lifecycle of our risks very well, especially their root causes and early drivers. The use of Bow Tie analysis can be very useful here.
- We need to understand the different types of control that can be used to manage the risk: Preventive, Detective and Reactive and understand that Preventive is better than Detective which is better than Reactive. We can then assess whether we have an optimal set of controls for each risk. Read: Integrated Controls Assurance – Maximum Assurance, Minimum Effort
- We need a risk management framework that focusses on early management of risk. This will include Risk and Control Self-Assessment, Stress Testing and most importantly leading Key Risk Indicators.
If we practice this early understanding of, and intervention in, our key risks, could we get to a stage where incidents do not happen anymore? Maybe we will not eliminate all incidents, but I believe we can substantially reduce the number and size of incidents that many businesses are experiencing by being much more proactive than we currently are.
If we can achieve this, we do not need to experience “clouds” and “things that nearly kill us” in order to harness learnings and value. We can be smarter and prevent the things before we need to cure them.