7 Habits of Effective Risk Managers

Sources: Matthew Leitch (Internal Controls Design), D. Doerner (Logic of Failure), Robert Maurer (The Kaizen Way), my own experiments and experience. And thanks Mr. Covey for the title!
Preparing for a job interview for the position of risk manager, I asked myself what worked and what didn't, considering my past work life as someone who almost always had something to do with risk management in the respective endeavour. I was either causing risk :-) or helping others in doing something about it.
Here's what I found to be effective.

Rules and Notes

R1: Be responsible.

This seems obvious: a person managing risks should act responsibly. But what does it really mean?

  • First, responsible risk managers decide for themselves. That doesn't mean they don't listen to what others think or advise; it means they know the call is theirs, personally, as the risk MANAGERS. They may delegate many responsibilities, but they don't delegate that responsibility.
  • Second, responsible risk managers know that their decisions can fail, especially if the means used seem to have only positive consequences. While the lack of negative consequences properly leads to more confidence in the methods, blind belief can easily turn out to be a false friend in the field of predicting future effects. Falsification waits around the corner.
  • Third, responsible risk managers tend to make more decisions than irresponsible ones. However, these decisions each have smaller immediate effects. You test your various strategies, risking little. You see where each one leads and then make another decision for or against each strategy. Small changes at a time. Evolution, not revolution.

One last piece of advice here: responsible risk managers, when confronted with bad news, don’t react cynically. Bad news is news after all. It doesn’t help or make sense to get angry. (Cynicism in human behaviour is a form of passive aggression.)

R2: Analyse in depth.

  • As long as time travel has not yet been invented, predicting the future remains difficult. It is a good idea to make use of the past and the present, the realms we actually have access to, when making decisions about risk. You build hypotheses about what could affect what. The deeper you think about a problem, about how things interact with and affect each other, the more robust your hypotheses are. Look at all the great scientists who found out about the apparent principles of nature. They are known as deep thinkers. They ask 'why?' a lot and, as scientists have done for the last several centuries, use actual data to verify (or falsify) their hypotheses.
  • And, just like good scientists, good risk managers accept their hypotheses as such, i.e. they don't take them as truths.

R3: Use hard facts.

  • If you as a risk manager are more an intuitive than a sensing person, it might be a good idea to bring in someone who is analytical and uses data to ground their recommendations. When doing anything about a risk, you should measure the effects. In order to measure, you need a clear understanding of the goals, expressed in a measurable way. This gives you real (vs. assumed) results. It can help to visualise the data, in order to see trends (also see R1, small changes, and R5, time gestalt), and numbers in relation to each other. Until the 2008 bank crisis and the government bail-outs I thought a billion dollars really is a lot of money.
  • Moreover, you should check the credibility of the information you gathered. By doing so you are able to make mathematically competent decisions towards effective risk mitigation.
  • But never forget that every model you use for this purpose reflects the world views of the modeller. Intuition cannot and should not be excluded completely from decision making.

R4: Do more than one thing.

  • Bearing R2 and R3 in mind, you think long and hard about a certain risk. What would be the best action to take, in order to mitigate it? Most likely, there is no single best action. In fact, it might be risky in itself to take action A alone. This strategy is similar to betting a significant amount of money on only one number in roulette. Much more promising is to initiate a bundle of actions. All the various side effects of your actions, some of which will not be noticeable in the short term, tend to level each other out.
  • A good deal of the other risks, more or less related to the one you’re mitigating, will be affected, too. This leads to good practice in general. Each action is less risky. (Take small steps, because there is less *uncertainty* to overcome.) Recall R1, which says something about making more, smaller decisions rather than fewer big ones.

R5: It's not fire and forget.

Talking about side effects, this is another curious thing about handling things with respect to future outcomes. Some call it the butterfly effect, the notion that everything is somehow related to all other things. In a Buddhist mindset this is the most natural way of thinking. As an effective risk manager, what should you do to mitigate risks?

  • First, you also need to think about long term effects and side effects of your risk mitigating actions. See R4. When confronted with some effect, maybe it is the result of something you did a long time ago. Or the result of something you didn’t do a long time ago. Diligently seek root causes of today's important problems to devise long term mitigations.
  • Second, you should analyse the current situation AND the trend of things. It helps a great deal if you apply some kind of measurement to risk assessment and effects, so you can literally plot the trends against time. This gives you access to the information that is usually hidden in the time-gestalt of things. Time is not the easiest dimension to grasp for most humans, so visualisation supports responsible risk management.

R6: Integrate.

  • Risk management can be a complicated matter. Our view of the world is influenced by different people’s mental models, risks are interrelated, and mitigation has side effects and long term effects. However, effective risk managers tend to integrate the data they gather, the information they get, and the actions they take. While it seems easy to isolate a specific problem, and handle it as some kind of project for itself, this generally is a bad strategy.
  • Maybe you can optimise locally, i.e. you find a useful and economic solution to the one problem. But taking a more global point of view, thinking of the bottom line of all your goals combined, or even the company’s most important goals, it may be a useless and inefficient solution.
  • Having various little (independent) projects also brings communication at the projects’ interfaces into focus, more than necessary. More effort is needed to inform and query peer projects.

R7: Don't change the scales of measurement.

  • Last but not least there is a phenomenon that seems to be unlikely and counter-intuitive. Yet it is measurable.
  • Risk assessment depends even on details of the scale you use. For instance, assessing importance with a 1, 2, 3 scale will result in different assessments compared to an A, B, C scale. Further research is needed to find out why, and how to deal with it. Experts suggest it is a good idea to very clearly define the risks, the assessment scales and the goals of the risk assessment. For now, it seems reasonable not to change assessment scales if you don’t need to.

