WiRM 3: The Philosophy of Risk Management
What is Risk Management? Why do we
The goal of Risk Management is survival. All Risk Management efforts, in whatever domain, are directed towards the preservation of something valuable, be it your home, your savings, your business, your life, an IT network, the power grid, or an inhabitable Earth. We aim to manage these risks while they are still risks, so that their threats are never realised – hence, risk management.
We need Risk Management because there are situations where the preservation of the status quo is the best possible outcome. Science ventures into unexplored territory, creating novelties along the way, and while this is mostly for the best, it can be a disruptive affair. Novel ideas, like novel compounds and viruses, bring novel risks (see Risk Society by Ulrich Beck), and this is not always desirable. There are many things in life that ain’t broke and that don’t need fixing. Do you have a roof over your head? Are you and your family in good health? Is the air breathable? Long may it continue!
From another perspective, we need Risk Management because there are environments in which nothing else will work. These environments are characterised by volatility, uncertainty (using the economist’s definition), and danger, so you don’t know what’s likely to happen, or what’s even possible, but you do know that there are plenty of bad outcomes and plenty of ways it can go wrong. In these environments, Science cannot function, Philosophy is of little practical use, and one wrong decision can make the problem exponentially worse. Risk Management may be your only option.
One of the themes in this Substack is that there are general principles of Risk Management that apply wherever risks are managed. These principles are rules, models, heuristics, and relationships which are transferable across all industries, organisations, and contexts. The individual risks you manage may be unique and specific to your industry, but if you can understand these rules in one context, you can soon learn to apply them in any another. I credit Nassim Taleb with this insight.1
The Principles of Risk Management
In this piece, I will propose two of these principles of Risk Management. I say ‘propose’ because there’s no official or agreed-upon list. These ideas have guided our decision-making for as long as we have been making decisions, and they have stood the test of time, but they’ve never been written down. We have Risk Management in our DNA – we couldn’t have survived without it – so I know these rules exist. I know they are out there, waiting to be discovered, but I can’t say any more than that. That’s just where we are right now in our understanding; it’s the current state of the art.
As students of Risk Management, we are like archaeologists at the early stages of an dig. We know there’s a structure buried in the ground, we know the history and why it’s there, we know that it is worth uncovering and understanding too… but we don’t know exactly what it is yet. We can see a little bit of it, so we know where to begin the work, but we don’t know how far the structure extends or how deep we will need to dig.
The Principles of Risk Management are similar. They exist, there is a logic to them, they are all around us and we use them every day, but we are not conscious of them, so we haven’t identified, defined, or classified them yet.
Well, there’s no time like the present. Let’s dig!
1 There Are No Risks Without Goals
Risks come from goals. You have to have some idea about how you would like the world to be in the future, in order for there to be risks which could threaten the outcome. By managing those risks, you ensure that they do not threaten or otherwise impact the goal. The goal ‘survives’, in a sense.
The first point here is that goals and risks are inextricably linked, but it’s the goal that comes first. By stating the outcome you would like to realise, you bring forth a set of threats to that outcome. The goal gives birth to the risks. If you had no goal, then there’d be no risks to manage. Without goals, there can be no risks.
The second point is that the goal directs you to the specific risks you will need to manage. Risk always depends on context and that context is always defined (in part) by your goals. Rain isn’t inherently risky – neither are cars, carbohydrates, or chairs – it all depends on who you are and what you’re trying to achieve. Different goals are exposed to different sets of risks, and if your goal changes, then your risks will change too.
The third point is that once you decide on your goal, the risk management immediately begins. As soon as you have declared the outcome you would like to achieve, then you are instantly exposed to all those risks which could threaten it. In that moment, you become a risk manager and the laws of Risk Management apply to you. (You should feel the urgency of the task!)
The real-world lesson in all of this is that the clearer you are about your goals and the more comprehensive your understanding of what is required to achieve them, the easier it will be to identify and to manage your risks. Setting your goal streamlines your decision-making. It shows you what is a risk and what is not, and when the environment changes, it will help you to know what factors to focus on, and where to focus your tactical risk management.
If you are not clear about your goals, and your progress towards them, then your risk management will be similarly imprecise. Managing the wrong risks can be just as catastrophic as managing none at all, so keep your goals in mind, and never fall into the trap of confusing the map for the terrain.
2 If It Can Happen, Then It Will Happen – Eventually
The longer you live, the more you’ll live to see. If you could toss a coin forever, you would eventually produce every possible combination of heads and tails. You may not be able to say when a specific combination will occur, but you know it’s possible, so it’s only a question of time before it does. When time is infinite, possibilities become certainties.
Every sporting record currently standing will eventually be surpassed, just as each one of those records had surpassed the previous best. Someone will score more runs than Sachin. Someone else will run faster that Usain. Most of the track and field records set in the 1980s by athletes from behind the Iron Curtain have already been broken (and perhaps by similar means too – plus ça change). It would be daft to think this process had suddenly stopped.
Every record will be broken, every construction will be demolished, and every theory will be disproved and replaced – eventually.
If you’ve ever felt like the world is getting crazier by the day, you’re right – it is! The longer we live, the more extremes in human nature (and Mother Nature) we will live to see. The worst will get worse. The scariest will get scarier. The barbarians will become more barbaric. If you’re in your 30s and you think the world is crazy enough already, well, you’ve got decades ahead of you. Just think what horrors await…
Every threat, hazard, or nightmare scenario that you could anticipate (as well as all of those you could not) will eventually become a reality. It could happen tomorrow, next week, or a decade from now. Maybe you’ll be Or the process may have already begun, but you won’t find out for years. Whatever the path, it’s all possible, so it’s all inevitable.
If you find that thought a little bit unsettling… welcome to Risk Management! In our line of work, fear and paranoia will be two of your closest colleagues. (Although I’d keep the relationship professional; I don’t recommend socialising with them).
The theoretical point is that anything that can happen, will happen – eventually. The practical lesson is that if you’re not prepared when it does, then you have failed.
It’s your job to manage the risks while they are still risks i.e. before the hazardous event occurs. You know the threat is out there and you know it could arrive at any time. You should feel the urgency (a little paranoia) to get on top of it while you can – build the roof while the sun is still shining, as they say.
If you can, then you stand your best chance of survival.
If you can’t, then you will have a lot more to worry about!
(So if there is something niggling away at the back of your mind, an open loop, an un-managed risk… maybe this would be a good time to start thinking about next steps.)
Closing Thoughts
The philosophy of Risk Management tells us that it all starts with a goal. Once your goal is established, you immediately inherit a set of risks which must be identified and managed. If you do nothing about them, then they will definitely take you out – eventually. You don't know when the threat will materialise, but you do know that it ultimately will and that you need to be prepared when it does.
In many ways the philosophy of the risk manager is like the mindset of a doomsday prepper: anything can co wrong – including all of the worst possible things – and we need plans to survive them all. The philosophy of Risk Management is one of precaution and prevention; of paranoia and preparation. Next time, we’ll talk about what that means in practice.
I believe this to be Nassim Taleb’s primary contribution to the world. Taleb showed us the statistical characteristics which applied across domains and, in doing so, took risk out of the specific and made it general. He turned risk management (a boring, woolly term) into Risk Management (a philosophy, practice, and coherent body of thought).
I should add the qualifier that great intellectual breakthroughs are rarely the exclusive achievement of one brilliant individual. More often they are the culmination of decades of work from multiple contributors, and to attribute the achievement to just one of them would be incorrect and unfair. However, I am not a historian of risk so I don’t know how exactly the credit should be apportioned for this one. Fooled By Randomness and The Black Swan were my first exposures to Risk Management - as I believe they were for many people - so while I might be biased, I am sure he deserves a big slice of the pie.