You cannot risk manage a decision

Risk management standards and best practice focus hard on the fact that risk management must affect decisions and decisions need to be risk-managed to be prudent. I fully agree to that, but there is a twist which I have found is quite significant.

Any decision inherently has two components:

• · What to do
• · How to do it

Executives make decisions on what to do. “Enter this market”, “Launch that product”, “Implement this IT system”, “Change this process” and the like. However, these decisions are not actions, and hence it really does not make sense to risk manage the “what to do” decisions.

Immediately subsequent to decision of “what to do” comes the considerations as to “how to do it”. This means more or less explicitly to plan and execute the implementation of the decision. This is a series of actions, (often a project) which can be – and should be – risk managed.

Based on this – prudent risk managed decision making comes in a series of steps:

1. Decide what we wish to achieve.

To be effective this has to be a SMART target (i.e. Specific, Measurable, Attractive, Realistic and Timed). This is a very much needed base to enable effective execution.

2. Define one, or preferably a set of options, to meet the target.

In many cases, just one approach/option is truly relevant, and the decision may have been formulated in a way that the approach is “given” – but alternative approaches may be highly valuable to address.

Furthermore, the option of not doing anything differently is also worth addressing.

3. Plan the implementation.

This generally means making a Business Case or like decision document where the steps, time and resources needed are defined, as well as calculate/verify the targeted benefit/value.

Here comes the decision risk management, as this step must include identification, analysis, and handling of relevant risks and opportunities embedded in the plan/cause of action. Doing this further includes Monte Carlo simulating uncertainties leading to an outcome profile which can then be assessed by management. A good decision document shows the likelihood of meeting the SMART target with the steps/plan prepared.

When multiple options are considered, the planning should be made for each alternative to the extent the objectively best alternative can be selected as implementation approach. However, in real life – one option rapidly stands out as the better way of deployment, and alternatives can be discarded each with their rationale.

In rare instances, all options lead to “negative” business cases whereby it has to be concluded that the original decision is not viable. That is the maximum level of risk managing the decision itself.

4. Decide on go/no go to the plan presented

Then the implementation/execution commences with the natural monitoring and follow-up, plan adjustments and reporting that ensures the best possible outcome.

Along the way – everything can be adjusted as “No strategy survives the first encounter with the enemy”. Targets, timing, resource allocation, actions taken etc. can be reviewed. Adaptability to ever changing circumstances is pivotal to success – and anything else is “ignoring reality”.

Leverage the distinction between the “what” and the “how”

This distinction between the “what to do” and the “how to do it” may not seem as a big thing – but in organizational real life, it actually matters a lot.

A lot has been said about the importance of risk managers access to top management and even the board of directors as they make the decisions. It has been frequently shown how difficult it is to get access to these people and get on their agenda – especially as none of them care about risk or risk management, but do (and should) care about performance.

Good executives and boards rarely make decisions “out of the blue”. Whatever they decide is, or will be, taken through a validation process – the preparation of a business case or like document. These decision documents are prepared by staff support, strategists, subject matter experts and/or the like.

Based on that – it is futile and ineffective for a risk manager to try to get access to an executive and/or board member to influence decisions. Instead – get in touch with the team that prepare the decision document, offer to add your insights and resources – and work with them to integrate risk management into the document.

This is more effective as it will (when done right) affect the decision document in terms of actions taken, resources required and expectable outcome – and based on that influence the decision eventually taken by top management.

It is also often easier to do as:

• Supporters and Subject Matter Experts have a focus and professional pride in “getting it right” which often outweighs any “political” agenda which may be in effect at the executive level.
• These people are often at the same organizational level as the risk manager – making this a collaboration amongst peers.
• The approach enables/drives a team work around making the best (= most valid) decision document.

So … dear risk manager … influencing decisions and effectively deploying decision risk management is NOT about getting access to executives and try to make them change their minds. It is about collaborating with the team(s) that prepare(s) the decision document(s) and influence HOW decisions are implemented/executed.