
Risk management in HBR (and whether that’s a good thing)

Dec 12, 2012 | 2 mins
IT Jobs, IT Leadership, IT Strategy

Is ERM only about preventing downside? Or is there more to it than that?

In a recent digital edition of CSO I noted that

Security is occasionally susceptible to two afflictions:

 1. Hype.

 2. Semantic arguments.

No great surprise if the broader discipline of risk management sometimes catches the same cold.

In June, Harvard Business Review published an article Managing Risks: A New Framework by Balanced Scorecard co-creator Robert Kaplan and colleague Anette Mikes. The article is (of course) smart and interesting – and begins with this can’t-miss anecdote about BP:

When Tony Hayward became CEO of BP, in 2007, he vowed to make safety his top priority. Among the new rules he instituted were the requirements that all employees use lids on coffee cups while walking and refrain from texting while driving. Three years later, on Hayward’s watch, the Deepwater Horizon oil rig exploded in the Gulf of Mexico, causing one of the worst man-made disasters in history.

Nice to see the topic being addressed in major business media. But being smart and interesting doesn’t make you right, and some smart risk thinkers are lining up for and against a fundamental concept in Kaplan’s article. The issue will sound familiar to security leaders:

Is risk management only about downside?

Or is it about managing uncertainty, which can include upside as well?

GRC guru Michael Rasmussen praises the HBR article and emphasizes a definition of risk that focuses on the possibility of downside:

A more accurate understanding is that risk is an event or condition that creates a state where undesirable effects may be possible.

In the other corner, Norman Marks, an outspoken audit and risk expert, disagrees strenuously with Rasmussen and “the lamentably poor example” of Kaplan and Mikes.

My own view is that risk management effectiveness is measured by its ability to influence decision-making. Better decisions, made with quality information, enable better performance.

So is this merely an argument of semantics? Or does the answer really matter?

I think it matters a great deal for security folks, at a very practical level. Decades of experience in the corporate world have shown that if you focus only on preventing the bad, you limit the impact of the security function. Your value is potentially much greater to the organization if you stay on the lookout for opportunities to enable the good.

What do you think?