Menu Close

Is Your Tuchis[1] Hanging Out?


“Only when the tide goes out do you discover who’s been swimming naked.”

– Warren Buffet

The current pandemic has wreaked profound dislocation on businesses throughout the world and upended societal norms as we know them.  It may have been an unpredictable, ‘black swan’ event that will not recur anytime soon, though that’s open to discussion, but it’s worth evaluating your risk management practices to see whether you could have done better.  My guess is that, with the exception of a small fraction of companies, risk management is not done particularly well and better (or at least, less-worse) outcomes could have been achieved.

Here’s why:

  • Most early-stage companies are primarily focused on tweaking their business models and not on steady-state operating models.  After all, why worry about business-as-usual if there isn’t going to be a business?  Many established enterprises are engaged in similar struggles in rapidly evolving markets and actually behave similarly to early-stage businesses in this regard.
  • Managers fixated on building businesses are eternal optimists.  After all, no one takes on running and growing a business with the intention of failing.  Cortez had his crew burn their boats upon landing in the new world and a lot of CEOs take a similar approach to their business.
  • Some, many, most companies are not particularly good at identifying and understanding risks.  Within the past couple of weeks, JC Penny and Neiman Marcus filed bankruptcies and the general feeling is that their having been bought and sold by Private Equity firms and loaded up with debt and management fee obligations left them extremely vulnerable to exactly what has happened.
  • I question whether companies that are not accomplished at risk management are actively assessing their performance at it or are engaged in retrospective processes to improve it.

I have spent some time looking at what authoritative and regulatory bodies (OMB, ISO, COSO, PMI, NIST and others) have to say on risk management and compliance and what they seem to have to say is:

  • Companies should engage in risk management
  • They should identify risks, assess alternative treatments and select appropriate ones
  • There should be some sort of compliance process and reporting in place
  • Risk audits should be conducted, every so often

Um, Duh.

Winston Churchill has said, “Never waste a good crisis.”  Those companies that survive this catastrophic economic environment will have a wealth of experience from which to learn.  The question is, will they avail themselves of the opportunity?  Unquestionably, survivors will be scrambling to return their companies to a stable footing but opportunities will abound in the form of the abandoned market share of failed competitors, new business models, new partnering possibilities and vastly changed lifestyles in almost every corner of our society.

So, now seems a good time to reconsider how risk management is being performed at your company.  I think some common major weaknesses are:

  • Incomplete identification of risks, too much focus on what’s obvious or on specific areas of risk and not enough on the holistic enterprise and the environment in which it operates
  • Poor understanding of dependences and interconnectedness of elements of the business that contribute to creating or reinforcing risks
  • Poor understanding of linkage between risks and their impact on the company’s Critical Success Factors (CSFs) and Key Performance Indicators (KPIs)
  • Not enough introspection and quantitative analysis of risk management performance and commitment to continuous improvement

I propose that a more structured, multi-disciplinary approach be employed.  I think companies should apply Enterprise Architecture, Business Architecture, Business Process Management, Transformation Portfolio Management and Program and Project Management techniques to Risk Management.  I believe that application of these disciplines would result in:

  • Better identification of risks
  • Better understanding of the interplay of factors that create or amplify risks
  • Better prioritization of risk mitigation and management efforts
  • More informed priorities in managing transformation initiatives (projects), perhaps even more willingness to try, fail and terminate proof-of-concept projects
  • A more nuanced understanding of the costs and benefits of companies’ risk management and greater ability to improve it

So now that the tide’s gone out, are you ‘hanging out?’

[1] (tookhuh s, taw-khuh s); audio pronunciation here