Everyone agrees that the world is risky and that risk management is important. But where did risk management come from, and where is it going? When and how did we learn that managing risk was an essential life skill? And what will our descendants think of how we manage risk today? This article looks back to the past and forward to possible futures, seeking answers to these questions.
THE LONG VIEW BACK
The earliest records of human history and prehistory include stories of risk and its management. If we take a long view back, we find historical documents, sacred writings, myths and legends – all telling tales of the human struggle against nature, the gods or the odds. Accounts of mankind’s earliest origins describe the urge to break boundaries, to go beyond current confines, to explore the unknown.
Narratives describe risk-taking individuals ranging from Abraham, revered by three of the world’s great religions for his faith in leaving home and setting out to find a new country, through mythological heroes like Jason or Odysseus who undertook epic journeys, to modern entrepreneurs and innovators who change the lives of millions through ground-breaking discoveries and inventions.
The broader sweep of human development has included risky phases as hunter-gatherers and agrarians, leading to the establishment of great civilizations like Egypt or the Mayans, to the present day.
RISK IS EVERYWHERE
Seen from a certain perspective, risk is everywhere. The world we inhabit is unpredictable, strange, incomprehensible, surprising, mysterious, awesome, different, other. This is true from the macro level of galaxies to the exotic nano-realm of subatomic particles, and everywhere in between. Irrefutable evidence forces people to accept the truth that we neither know nor understand everything, and we cannot control everything.
Consequently, the word “risk” has become a common and widely used part of today’s vocabulary, relating to personal circumstances (health, pensions, insurance, investments, etc.), society (terrorism, economic performance, food safety, etc.), and business (corporate governance, strategy, business continuity, etc.).
And it seems that mankind has an insatiable desire to confront risk and attempt to manage it proactively. Many of the institutions of human society and culture could be viewed as frameworks constructed to address uncertainty, including politics, religion, philosophy, technology, laws, ethics and morality.
Each of these tries to impose structure on the world as it is experienced, limiting variation where that is possible, and explaining residual uncertainty where control is not feasible. Sense-making appears to be an innate human faculty, seeking patterns in apparent randomness. People apply a variety of approaches, both overtly and subconsciously, to reach an acceptable degree of comfort in the face of uncertainty.
RISK MANAGEMENT IS EVERYWHERE
As a result, not only is risk everywhere, but so is risk management. Perhaps it is not too far-fetched to describe risk management as offering an integrative framework for understanding many parts of the human experience, if not all. Just as the presence of risk is recognized and accepted as inevitable and unavoidable in every field of human endeavor, so there is a matching drive to address risk as far as possible. This has led to a proliferation of areas where the phrase “risk management” is used to describe efforts to identify, understand and respond to risk, particularly in various aspects of business.
There seems little doubt that risk management has been part of human activity for a very long time, and it is today a vital component of business. As a result, anyone asking the simple question “What is risk management?” will not find a simple answer. Even the most cursory exploration reveals a huge variety of differing perspectives, all claiming to represent the best way to address risk.
In fact, risk management is not a single subject at all; it is a family of related topics. These business applications range from project and technical risk management through operational and financial risk management up to strategic and enterprise-wide risk management. Other disciplines could also be included under the risk management umbrella, such as health and safety, business continuity, or corporate governance.
There are many common elements shared by these different types of risk management, but each has its own distinctive language, methodology, tools and techniques. They vary in scope from the broadest application to very specific areas of risk. They are at different levels of maturity, with some types of risk management being quite recent developments while others measure their history in decades or longer. But each is important in its own way, representing part of the response of business to the uncertain environment within which it operates.
THEORY AND PRACTICE
All of this leads to one essential question: If risk is everywhere and risk management is so important, why don’t we do it for our business? We are constantly confronted with business and project failures, and in the rare cases where post-mortem reviews are held afterwards, causes of failure often include unforeseen-but-foreseeable risks.
Threats that should have been spotted and tackled turn into avoidable problems, and opportunities to create additional value or minimize waste and rework are missed. This continuing catalogue of failure indicates an ongoing lack of effective risk management. If we believe that our uncertain world can be managed proactively, then we need to find and address the missing critical success factors that are preventing risk management from delivering its promised benefits.
Mankind has always faced risk, from our earliest beginnings and throughout our history. Our survival and success as a species has largely resulted from our ability to understand and manage our uncertain environment, rising to each new challenge and adapting our behavior to meet it. Perhaps we need to apply the same approach to how we manage the risks inherent in our business.
THE LONGER VIEW FORWARD
We began with a long view back, charting the role of risk management from cave dwellers to the 21st century. Now it is time to look into our crystal ball and take the longer view forward.
Surveying the risk management futurescape, there are three possibilities for how risk management might develop. Drawing parallels from cosmology, we might call these three options “Infinite Expansion”, “the Big Crunch”, or “Ongoing Oscillation”.
Expanding risk universe?
The first option is that the scope of risk management will continue to expand and include more and more elements of personal, business and social life, until “Everything is just risk management.” Ultimately all decisions will be taken in the light of the identification and assessment of relevant uncertainty. This expansionist view is exemplified by some risk management practitioners whose slogan is “Manage the risk = manage the business.”
This implies that normal planned activity needs no special attention, and all that is required is management of variations from the plan. By looking ahead to identify potential variations, both positive and negative, and focusing management attention on addressing just these aspects, proponents of this position claim that success is ensured.
While the “Infinite Expansion” option emphasises the importance of risk management, it is an extreme position that doesn’t match reality. The risk element is not the whole picture in a business or project, and concentrating wholly on managing risk to the exclusion of other aspects would be detrimental and counter-productive.
It is probably true that the scope and influence of risk management will continue to expand, at least in the short term, as more areas of application are found for risk-based approaches. But is such expansion limitless, or will some critical point be reached when further growth is unsustainable, to be followed by a collapse and eventual “Big Crunch”?
It is possible that risk management might just be the latest management fad, although admittedly it is already rather more long-lasting than most. The recent emphasis on risk management started in the 1970s, and though it shows little sign of reducing, it is conceivable that our future colleagues might place less emphasis on risk than we do today. If risk management goes the way of other fads, it could disappear from the scene very quickly, becoming just a memory or a footnote in the annals of management history.
There is another way in which risk management might disappear, rather than fading away into oblivion. If risk management becomes all pervasive to the point where it is absorbed into the nature of business at all levels, it could become invisible as a result. If everyone naturally and habitually “thinks risk” and manages it as a normal part of daily life, then it might no longer be necessary to have a separate discipline called “risk management”, since this would be accepted and practiced by all. Risk management could vanish as a result of its own success, leaving risk specialists and practitioners as outdated purveyors of a universally recognized self-evident truth.
A third option for the future of risk management is possible, combining expansionism and catastrophism into “Ongoing Oscillation”. Maybe the size of the “risk management universe” might vary cyclically, increasing for a time then contracting. A review of the broader story of risk management across the span of human history reveals periods when it was more prominent than others.
Social commentators suggest that advances in technology, law and religion can be seen as human responses to uncertainty, seeking to make sense of the ineffable, and attempting to impose control wherever possible. If this is true then the major changes in civilizations might be interpreted as cycles of risk management, though not within the same process-driven framework we see in modern business. And maybe the expansion we are witnessing today is merely part of the latest cycle.
Only time will tell whether we’ll see “Infinite Expansion” with the risk management universe expanding indefinitely until it encompasses everything, or whether a turning point might be reached to be followed by collapse to a “Big Crunch” where risk management disappears, or whether some “Ongoing Oscillation” cycle of growth and decline might occur. What is certain is that, like our physical universe, risk management is not in steady-state.
The reason that risk management is such a fascinating topic is precisely because it is constantly changing. New approaches and application areas emerge, new dimensions of risk management are discovered, and new insights into the meaning of risk are revealed. Explorers of this intriguing universe can be sure of an exciting journey as the future of risk management unfolds before them in novel and unexpected ways, challenging them “to boldly go where no man has gone before.”