Uncertainty pervades our existence and is virtually impossible to rule out from anything that we do. Uncertainty also triggers risks, those possible events in the future that may adversely affect what we are trying to achieve. It therefore follows that risk and risk management are an inseparable part of our everyday experience. From the time we wake up, throughout hundreds of little decisions made each day until the time we turn off the lights at night, we consciously (and sometimes even unconsciously) manage hundreds of risks. By default, this makes each of us a risk management machine. If it were not for effective risk management, our personal and professional performance in terms of managing our resources, planned deadlines and achievement of our objectives would be at stake. Yet, when we translate risk management concepts to organizational setting, and in public sector organizations in particular, we often see that important risks get overlooked or managed improperly.
As a professional working in international development, I often face decisions that involve a high degree of uncertainty. Negotiating assignments, moving countries, working in different roles and with various people in multiple organizational settings, all contribute to this. My move to Ljubljana to start work with the CEF earlier this year was a useful reminder of the importance of risk management in how we manage our private and business affairs alike. In this post, I want to share a number of critical notions, which separate good risk management from poor, and a couple of lessons about risk management from everyday life with their implications on what we could be doing in our workplaces.
As I was contemplating the move to Ljubljana, I looked at all the things that could potentially go wrong from the perspective of my primary objective to start work for a dynamic, growing international organization. There were hundreds of smaller scale risks that tagged along: finding the time to write a strong cover letter, managing the logistics of travelling for the interview, establishing trust and relationships with the prospective employer. I could not achieve my main objective if I did not manage the multitude of smaller scale risks as the stepping stones.
Not all risks are created equal. Just like individuals, organizations face specific risks that are shaped by their particular circumstances. There is no generic, one-size-fits-all, risk management approach that will work equally well for everyone. Risks cannot be properly understood in isolation from the objectives. Unless we are able to articulate our objectives clearly, there is a danger that the risk management exercise may miss its target as the number of all possible risks may escalate to infinite numbers.
Risks can work on strategic and operational level, frequently with a complex interplay between the two. This interplay results from the fact that risks on the operational level may have causal relationships with those on the strategic level and vice versa. It is therefore imperative to understand the interrelation and correlation between strategic and operational risks in all stages of risk management.
When I learned that my application was successful, my joy was quickly marred by concerns about things that could go wrong, both with the move to a different country and with a new job. The most difficult aspect was trying to make decisions and take actions without full understanding of the environment and the people I was interacting with. I desperately needed to know things, and I needed to reach out to others and learn more about what they know.
We cannot manage risk without information. Every decision that we make entails risk. The quality of our risk management is determined by our ability to anticipate future events. Risk management is therefore a vital tool to support high-quality decision making. In turn, the ability to anticipate what could happen depends on the quality of information available at the time.
Risk management should not be a solitary activity. Due to our subjectivity and the effects of a number of cognitive biases, risk management works best when it involves multiple perspectives on the possibility that we are trying to anticipate. With the aim to make the process more objective, risk management identification and assessments require the best available inputs and analysis. This in turn requires relevant, accurate, complete and timely information. For the best results, our risk management approach should aim to include as many different perspectives from different people and should not be confined to an individual position.
Throughout my initial months at the CEF, I had to stay on my toes. Often times, this meant going back and re-examining my choices in terms of the alternative scenarios to the one I followed. As I went along, I reaffirmed that potential events do not necessarily entail adverse effects. Things I was trying to anticipate sometimes worked out to my advantage.
Sometimes risks are opportunities in disguise. Risk may have one or multiple causes and its materialization may have one or multiple consequences. This means that in addition to being sensitive to what might go wrong, risk management is also about maximizing the opportunities for beneficial outcomes. This is complicated by the fact that the effects of future events may not necessarily materialize in a linear fashion. Risk identification and assessment has repeatedly proven to work best if understood as an iterative process that takes into account new risks which arise in the course of our action that could not have been defined in the initial stage.
For all these reasons, I prefer to think of risk management as art rather than science. Theoretical frameworks and models for risk management range from fairly simple to very complex but they essentially assume an iterative, cyclical process to help us with: identifying risks to our objectives, understanding where they are coming from (causes) and what may happen if they materialize (effects), assessing their impact and likelihood, prioritizing the critical ones and determining a reasonable response, all the while monitoring its appropriateness and adjusting as necessary. As with any other theoretical frameworks, the models offer a simplified representation of the reality but a useful starting point in understanding the necessary ingredients for sound risk management. In practice, this means we need to adapt good practice approaches to individual circumstances, both on personal or professional level.
I am sure to benefit from these lessons the next time I need to make a decision and manage the accompanying risks, whether in private or professional life. I hope this blog post will inspire you to do the same and help you perform better, both at home and at work.