Why Risk Management has to cost money!

Risk Management is not truly Risk Management if it doesn’t incur costs and opportunity costs.

Oliver Bäte, CEO Allianz SE Insurance

In Austria, there's a saying: "If it doesn't cost money, it's not worth anything." This age-old adage appears to hold some truth.

In an experiment conducted at Caltech University, participants were asked to taste wine.

They sampled the same wine twice. First, they were told it had a very low price. For the second tasting of the same wine, they were informed of a much higher price.

Unsurprisingly, participants preferred the wine they believed was more expensive (although it was the same wine).

This experiment reveals a lot about human nature and ties back to the quote at the beginning.

Our world is full of trade-offs. There's no such thing as a free lunch. And even if there were, would we truly enjoy it?

It's only when we sacrifice something—be it money, time, or energy—that we begin to value it. The more we sacrifice, the more value we attribute to the item. That's why we appreciate a high-priced wine over a cheap one. It's not just about value; we genuinely enjoy it more.

In classic risk management, often referred to as cost-benefit analysis, we weigh different factors against each other. For instance, we might estimate that a theft could cost our facility €100,000, while a state-of-the-art alarm system would cost €90,000.

In this hypothetical scenario, the decision seems straightforward. But is it?

While it should be an easy choice for us logical humans, many might still opt against the alarm system. Why? One can only speculate. Perhaps it's the certainty of the €90,000 expense versus “only” the potential future loss.

I've observed numerous such situations in companies, whether they're financial, operational, or security risks. Yet, many would assert that they have risk management in place, even without mitigation measures.

But is that genuinely effective risk management?

Imagine you're the Security Risk Manager of this hypothetical company. You begin with a risk assessment, which often includes a detailed scenario. Based on this, you determine the probability, impact, and vulnerabilities.

As an adept Security Risk Manager, you've done all this and have prepared a risk report suggesting the implementation of an alarm system. However, the decision-maker chooses inaction.

Is this truly risk management? Some, including myself, would argue not. While risk acceptance and risk appetite are valid concepts, merely identifying a risk and accepting it without mitigation is half-hearted.

Oliver Bäte might contend that merely highlighting a risk without taking steps to mitigate it is insufficient. I concur. While this is debatable in theory, in practice, the implications are clear.

From minor to major risks, we identify them and create scenarios for context. But there's a reluctance to make sacrifices now to prevent potential future losses.

This mindset is problematic.

Identifying risks is straightforward. Crafting scenarios is intellectually stimulating and relatively cost-efficient. But when it's time to act—whether it's hiring more staff to address workforce overload, diversifying suppliers, or declining a business opportunity due to high upfront costs—that's when challenges arise.

Interestingly, we've addressed such dilemmas in some areas, like fire insurance. It's an unlikely event with a significant upfront cost, yet we willingly pay.

So, how can we tackle this conundrum in Risk Management?

  • Shift focus from estimating probability to highlighting fragility or impact, especially for rare events.

  • Monitor how many risks are genuinely mitigated. If most risks remain unaddressed, it indicates either flawed risk assessments or a company culture that tends to ignore risks. Both need immediate attention.

  • Experiment with different risk communication methods.

These are just a few suggestions. They won't eliminate the problem and come with their own risks, but they're a step in the right direction. The key is persistence and continuous improvement.

With experience, you'll refine your approach and become more adept.

Enjoy your (expensive) wine! 🍷

Best regards,
Marco
