How you can achieve decision-focused risk management in minutes

A lot of risk management activities are essentially operational tasks based on prudent cost benefit considerations – like hedging currencies, buying insurances, running safety programs for people and (IT) systems etc. Let us leave that as is for now.

Decisions made and actions taken are however, all related to the future – just as we are going to spend the rest of our lives in it. Still, business decisions are too often not risk managed with any kind of systematic approach. Why not?

Leaders rightly focus on performance, not on risks. Thus, they do not have, nor give themselves, time to consider things that may never happen anyway. This way they may save several minutes on a small decision and potentially hours or even days on a large strategic decision.

That is not intelligent business decision making.

To support improving this, let me propose a simple way to do prudent risk management – one which may take just minutes to do on your own if/when this is deemed adequate, and one which can easily be scaled up to a full fletched analytical proactive decision risk management activity, when that is the optimal value add. The approach comes in four steps:

Targeting – Identifying – Prioritising – Acting or “TIPA” as a short memory word.

 

 

Step 1 – Targeting

You are about to make a decision or initiate an action of whatever size. The targeting question is, how can you tell a success from a failure. Even for a small/fast decision – consider – “when all the dust has settled, how do you know you made the right decision”.

Define what is your target/aspiration and how you see/measure it.

Blatantly, and based on Douglas Hubbard’s best-seller “How to measure anything” – if you cannot measure/see the difference between the right and the wrong decision – the choice you make does not matter. But - let us agree – it does matter, and thus it can be seen and hence measured. The target will be some performance metric.

This step implicitly includes deciding what you will do to meet your target.

Step 2 – Identifying

According to the ISO 31000 standard, risks affect performance and can do so in positive as well as negative ways (the standard actually states that risks affects objectives, but I disagree on that detail).

Hence, do remember to look for “positive risks” with the same tenacity as looking for negative risks. Leveraging a 100,000$ opportunity is, after all, as valuable for you as avoiding a 100,000$ risk.

Then, look holistically. Do not just focus on the process/activity you are about to decide upon (which is in the middle of the model below). You also have to look at which risks (good or bad) may emerge from-, or can be imposed:

• Upstream – the processes and activities that comes before, whatever activity/process/area you are looking at with the decision you are contemplating.
• Downstream – processes and activities that comes after what activity/process/area you are looking at with this decision.
• Supporting functions/processes – e.g. IT, HR, Finance or whatever supporting processes and activities are there for your area of focus.
• External conditions – be it legislative, market/competitive, technological, environmental, reputational, and such issues which also may affect your decision.

Not all of these five “boxes” will be equally relevant for every decision. If so, you may park those not relevant after having thought it through. For easy reference, you can leverage a model like the one shown here.

Step 3 – Prioritising

This step is somewhat analytical. For each risk/opportunity you identify, address “how important is this”. For small and simple decisions under known circumstances, this may be based on just your immediate thought based on experience … although you should be careful about that as human beings are immensely biased when making decisions. As a tip – try acting like a software when you do something. Ask yourself “are you sure?” before deciding.

For even slightly more complex or larger issues – do make the analyses based on facts – and/or ask a subject matter expert, in your organisation to do so. This way, you can validly prioritize based on facts and not some opaque and biased gut feeling.

This prioritisation means that you decide to act on some of the risks, others you decide to accept without further ado. That is your call as decision maker.

Step 4 – Acting

Last. Looking at the opportunities you wish to leverage and the risk you wish to mitigate/handle – the question is “how” – what will you do/which actions will you take. Define what to do, and embed in your planning/execution.

This will add activities and hence time and costs to whatever you do to execute on your decision – but you have decided it will benefit the outcome of the decision (haven’t you?).

Closing

Now, I have not mentioned anything about reporting and follow-up or the like. Do that the same way as you would without the risk management – potentially with a few added measures embedded to monitor risk exposure – just add what you need.

So! Summing up - all it takes to make value adding and proactive decision risk management … is just responding to a few questions:

• What do you aim for, and how do you plan to get there?
• What may happen?
• How important is that?
• What will you do about it?

Naturally – the more complex or “large” the decision – the more diligent you should be. But even for the smallest decision you make, it will add value to your decision making to spend a bit of time thinking it through in a systematic way.

After all, prevention is better than cure, or as Benjamin Franklin stated more than 200 years ago “by failing to prepare, you are preparing to fail”.

Implementing proactive decision focused risk management does not need to be more complicated than that. However, when looking at complex decisions with multiple options and/or strategies aimed to be effective for years into the future – it will require some effort to optimize the balance between planning and execution – optimizing performance.

With this in place as a standard business practice, you are no longer managing risks, but executing intelligent risk taking and hereby gaining a competitive advantage over those who still make gut-feeling decisions and then try to rescue these by reactive management of risks afterwards.

Good Luck – and remember, “luck favours the prepared” as Luis Pasteur stated.

Hans Læssøe, principal consultant at AKTUS and former risk manager of The LEGO Group