I’m getting sidetracked trying to write an article on resilience. One of the hares I’ve chased is Robert Kaplan’s and Anette Mikes’ discussion of three types of risk. This is because the World Economic Forum’s risk report asserts that it recommends resilience as the correct approach to long-term global risks. Turns out it doesn’t, so I’m a bit embarrassed that I repeated this claim in public. Kaplan (yes, the man who launched a thousand tiresome scorecards) and Mikes are worth a little review though.
It’s a well-written HBR trot through a few companies’ risk management practices with an amusing reverse ferret on one which subsequently ran into trouble (in this case JP Morgan and the saintly, you are given to understand, Jamie Dimon). KnM split risks three ways:
- Preventable risks – routine, downside, undesirable internal risks which can be managed by prevention and the usual controls
- Strategy risks – which you take to achieve objectives, may have upside, and manage through the usual risk management formalism (which KnM see as a source of competitive advantage)
- External risks – which are beyond the influence and control of the organisation (including the WEF’s global risks); for them you need to identify and mitigate impact.
This categorisation (or taxonomy as the WEF calls it) makes a lot of sense and is pretty familiar from most risk identification exercises.
KnM have nothing much to say about the preventable category; it’s well-trodden ground. They are also pretty weak on the external group. They mention stress testing, scenario planning and war-gaming. They do not explicitly mention how the output of these exercises might promote ‘resilience’.
Their best material relates to strategy risk, where they have collected practices from JPL (part of NASA), Hydro One (a Canadian electricity company), Volkswagen do Brasil, Infosys (an IT services company), as well as JP Morgan.
They start their comments by noting that it’s hard to talk about risk in most organisations. From my perspective that’s a bit overstated, at least for organisations which seriously want to deal with risk. But they think this stems from the usual biases as well as the reluctance to deal with possible failure in gung-ho entrepreneurial environments.
They go on to discuss three ways to have improved risk conversations:
- JPL have independent-expert, spiky-seat risk review boards sitting on top of routine project risk management practices
- Hydro One have a central team of facilitators who collate and communicate the risk information
- JP Morgan have embedded risk experts in each team (except the ones that do badly of course)
KnM believe that these are distinctly different styles of strategy risk management, and say that ‘our finding that “one size does not fit all” runs counter to the efforts of regulatory authorities and professional associations to standardize the function.’
Their final point is that you have to beware of silo-ing risk by over-categorisation. Who knew? They adduce Infosys and VWdB in support of this, with some risk report card and risk event card exhibits from VW which would grace any ERM presentation on a risk database. And guess what? In true ‘the effect of uncertainty on objectives’ style, they create the risks from their balanced scorecard items. Now you see where these two professors are coming from!
I’ve said for some years now that to de-process risk management we need to (a) improve the risk culture, in large part by taking risk conversations away from the risk register and into general discussion, and (b) develop smart tools to facilitate this. I think KnM support this in respect of (a), in spite of their over-emphasis of the obvious. Whilst their three ways to do it are just three of many, and their conceit that this runs counter to standards or whatever is absurd, their emphasis on diverse ways to challenge and communicate is very useful.