Last week I wrote about how quickly risks that we were not expecting could become destroyers of countries and corporations.  It’s a topic that we at Defy Expectations focus on with our clients and I thought it would be helpful to talk about the types of Risk Management (RM), when they apply, and who is responsible.  When we raise the topic, we get various responses from “that’s what the Risk/Audit committee does” to “we have a risk register” to “er ???”.  If you look up RM it is defined as something done by Project Managers who undertake reviews to “foresee risks, estimate impacts and define responses”.  The reviews generally sound like a paper exercise, and they frequently don’t seem to be action centred.  I believe it’s much more helpful to think of RM as a framework with different impacts, different owners and needing different handling.  They are inter-linked but they need to be dealt with separately. 

Risk falls into three categories:

RM 1. The everyday - the one that is almost certain to happen: a project runs late, quality problems reduce yields, all the everyday stuff that needs to be in that project managers plan – although ideally with some corrective action attached. These are the sort of risks that can, and should, be managed at a departmental level.

RM 2. It’s not the end of the world - Someone says something without thinking, and your share price crashes in the ensuing media storm; a building burns down or floods. The outcomes are bad but manageable. You may have to invest in sprinkler systems and some good PR, but the risks are tangible and can be costed.  These are the sorts of risks that should be managed by the audit or risk committee and reported to the Board. But it needs thoughtful management and is not a tick box exercise.  This painstaking RM work has created better prepared and more resilient than they have been in the past.

RM 3. The Vesuvius - One of the highlights of a visit to Italy is standing close to the crater of Mount Vesuvius and looking at the homes, farms, factories and workplaces of the 2 million people that live and work around the volcano. The roads around it seem to be permanently jammed with traffic and you realise that if Vesuvius were to erupt again the death toll could be orders of magnitude higher than the estimated 16,000 people killed in the eruption that destroyed Pompei and Herculaneum. I asked our local guide how he felt about living with this threat – he shrugged and said, “we are fatalists, if it happens, it happens”. 

A Vesuvius risk is the sort of risk that doesn’t happen very often but when it does it is catastrophic.  It’s also very easy to say, “if it happens, it happens, we will deal with it then”. Things like the war in Ukraine, the global financial crash, galloping inflation, are all Vesuvius risks and Boards should be thinking and planning for them.  The important thing about Vesuvius is that it has happened before.  So have wars, financial crashes, galloping inflation and pandemics.  Humanity has always come out the other side.  Cities and countries have been destroyed but there are always survivors.  Companies that think and plan and invest where necessary can, and should, mitigate their risk and aim to survive.