Risk managers could learn some valuable lessons from the ancient world, says Andrew Leslie

Back in the days of the Roman Republic, being a risk manager was a high status job. It was the function of the augur, by observing the flight of birds, to advise whether or not a course of action met with the favour of the Gods. As Livy observes, not much could happen in either the public or private sphere unless the omens were favourable. Of course, the occasional headstrong individual thought he knew better. Claudius Pulcher, the consul in charge of the Roman fleet at the battle of Drepanum, threw the sacred chickens overboard when they refused to eat, saying they could drink instead. Subsequently, the Romans lost the battle.

The modern risk manager is not, of course, a superstitious person, and rather than observing the flight of birds or the habits of chickens, applies the tools of scientific analysis in the attempt to control or restrain the uncertainties of life. In this, he may be less wise than his Roman predecessor, for given the choice between someone with a direct line to the Gods and someone with a risk register, most boardrooms would probably prefer the former.

And they would not necessarily be wrong, for uncertainty, in business as in life, can never be wholly countered, however complete the data or however perfect the controls.

Even in acknowledging that much however, an awkward question remains. If the modern risk manager is better qualified to spot unfavourable courses of action than his toga-clad ancestor, shouldn’t risk management be rather more successful than it is? It does not take much effort to come up with a list of recent failures – some of them tragic, some merely ludicrous – where the inability to manage risk effectively has plunged organisations into crisis. And the most glaring examples have the common factor that the risk was eminently, intuitively foreseeable. So what is risk management missing?.

Murphy’s law

At its most succinct, Murphy’s law states that ‘If anything can go wrong, it will’. Note that this law does not hedge its bets by assigning probabilities. The only unknown is the timescale, and this is neatly dealt with by Finagle’s law of dynamic negatives, which adds the rider...’Anything that can go wrong will, – at the worst possible moment.’ In the UK, we have seen these laws spectacularly demonstrated during the opening weeks of the new Terminal 5 at Heathrow airport. In the full glare of media publicity, a state of the art baggage handling system failed to work as expected, with the result that an estimated 15,000 bags were stranded after five days. And this occurred even after all the testing that good risk management might suggest. ‘It is all tried, tested and ready to go,’ Tom Garside, head of T5 systems and integration at BAA told Computing.co.uk two weeks before the launch. But at the crucial moment, the system failed. The conclusion is that if encouraging data from a whole sequence of tests, scenarios or dry runs causes risk managers and decision makers to believe that Murphy’s law is in abeyance, they are deluding themselves. Sometimes, scientific analysis provides a comfort blanket that turns out to be threadbare.

The classic response to Murphy’s law is defensive design – to work at idiot-proofing a system or a product to a state where there is nothing that can go wrong. The intelligent risk manager knows in his heart of hearts that this simply is not possible. ‘Anything which seems idiot-proof has not yet encountered a sufficiently determined idiot.’

The point at issue for the risk manager is a simple one. If your calculations suggest you can ignore Murphy’s law, you are letting yourself be deluded.

Open mouth, insert foot

Hardly a day passes in risk management without someone bringing up the subject of communicating risk. But it is less common to hear anything about the risk of communicating. Indeed, because it is essentially a non-scientific, non-mathematical field, the whole gamut of publicity and public relations may pass outside the orbit of what the risk manager considers to be his proper function.

“In the case of thr Royal Bank, every omen was ignored because the prize on offer seemed so tempting.

Yet every press release that a company issues is a potential hostage to fortune. Every redesigned logo may be a time bomb waiting to go off. And because of the internet, a gaffe will circulate at the speed of light from stakeholder to stakeholder. And, again because of the internet, it will stay live for decades to come. What is especially damaging about publicity that goes wrong is that it creates ridicule, and the damage to the reputation of an organisation that opens itself to derision is incalculable.

To return to the ill-fated Terminal 5, the British Airways website contained – still easily accessible – the following choice statements

‘Terminal 5 offers seamless check-in, with 96 Check-in Kiosks designed to eliminate queuing’ (By 16.30 on the day of opening, all check in was suspended)

‘There will be huge improvements in punctuality and baggage now that we’ve brought nearly all British Airways flights together in one terminal’

‘The state-of-the-art baggage system has been designed specifically for Terminal 5 using proven technology already in use at a number of global airports’

‘All these amazing features are exclusive to you, the British Airways traveller’.

The reaction of those caught up in the debacle to such statements can be imagined. The reaction of the rest? Helpless laughter.

Another easily-avoided PR bungle this year was the creation of a new logo for the Office of Government Commerce – part of the UK treasury. The logo is reported to have cost £14,000 to create, and consisted simply of the capital letters OGC. Unfortunately, when turned on its side, the visual impression was of....(unsuitable for a family magazine - Ed). Since the OGC had seemingly arranged for the new logo to be printed on staff’s mouse mats, it took ‘seconds’, according to the Daily Telegraph, for the gaffe to be discovered. Result ‘howls of mirth’ and approximately 940,000 references on Google.

Who can forget the disastrous rebranding of ‘Monday’ by PwC? Who will ever forget the Royal Mail’s ‘Consignia’ brand or the Hoover free flights fiasco? Such matters live on in the public memory long after the event.

If an organisation’s reputation is among the most important of potential risks, these follies, and others like them, are big risk management failures. And once again, they ought to have been blindingly obvious. But the sorry fact of the matter is that among the battery of risk management tools and controls, nothing was likely to flag them up – because current risk management techniques take too little account of human nature. Any old soothsayer – or dirty-minded twelve-year-old for that matter – could have predicted disaster for the Office of Government Commerce. But risk management either did not, or could not.

“In the full glare of media publicity, a state of the art baggage handling system failed to work as expected.

Back to Claudius Pulcher

It takes someone with extreme lack of respect for the unknown to throw the sacred chickens overboard before a battle. And unfortunately, Claudius Pulcher seems to have many followers among contemporary business leaders. To take but one recent example, this year’s AGM of the giant Royal Bank of Scotland saw the board eating humble pie in front of incensed shareholders after announcing a £12bn rights issue and a total £8.3bn write down of assets in the wake of the credit crunch. Chairman, Sir Tom Mckillop said: ‘This is a big ask for our shareholders. We come to ask that with a great deal of humility. You should be in no doubt about the degree of contrition. This is a significant set of announcements.’

This was only a year after RBS had announced its intention of going after ABN Amro – an acquisition which ultimately cost it in the region of £47bn. Back in April 2007, chief executive Sir Fred Goodwin was happy to answer the media’s enquiry:

Question – ‘I was wondering where the cash comes from in your plans because it is 70 percent cash proposal?’

Answer – ‘As I emphasised a moment ago, we are not announcing a bid today, when we come to announce a bid we will go into all of those details, but I think most people would think we are good for it. We have got the cash.’

Now they haven’t got the cash, and shareholders face massive dilution unless they stump up.

The Guardian commented on the Claudius Pulcher element thus: ‘The deal arguably made some sense when it was announced in spring last year. By the time the credit markets started to unravel in August, it had become reckless. RBS had the option to pull out. It chose to plough on.’ Indeed during the summer months of 2007, as first Bear Stearns and later Northern Rock put up distress flares and the words ‘sub-prime’ appeared in the general vocabulary, it became increasingly clear to financial journalists, small investors frequenting bulletin boards, and indeed to most people with a finger in the financial wind, that the sacred chickens were firmly off their food. But the RBS board chose to ditch the poultry, with the result that the bank’s share price has plummeted and investors are faced with months, if not years, of uncertainty.

Taking stock

I suggested that the common factor behind these examples is that the risk was intuitively obvious. Hence my labouring of the point that the soothsayer would have recognised it just as well as, if not better than, the risk manager. But the reasons that disaster followed vary. In the case of the Office of Government Commerce logo, risk management tools either weren’t capable of seeing the risk, or else had never considered it. In the case of Terminal 5, risk management techniques seemingly provided such assurance, that British Airways could put statements on its website that assumed everything would be hunky-dory on the day. In the case of the Royal Bank, every omen was ignored because the prize on offer seemed so tempting.

The Roman augur knew about capricious fate, and probably knew a good deal about human folly too. How much does modern risk management take account of either? There is a seduction implicit in mathematical models which tempts one to believe that control can be exercised by properly applying the right principles, and much risk management vocabulary – effective, efficient, embedded, and so forth – points to the degree to which practictioners have been seduced. But the great risk manager needs more – a viral suspicion of things which seem to be going well, combined with a well-honed scepticism about human nature. In other words, he must be able to intuitively recognise when the sacred chickens have lost their appetite, and be prepared to act. The day when the modern risk manager behaves more like his Roman predecessor will be the day when we see fewer avoidable disasters.