About three months ago, a dear friend was diagnosed with a serious condition. At some point, a medical intervention would be required, either major surgery, or potentially keyhole surgery. He, with advice from his specialist, had to choose: surgery now, or monitor the situation and plan surgery at a later date. There were many reasons that either choice would have been acceptable – get the surgery out of the way quickly to reduce the risk of a catastrophic event, or wait six months until the family was in a good position to be able to handle the disruption.
The condition could manifest itself any time, or might not for a few years. What should be done? If they agreed to go ahead with the surgery immediately, then it would probably take six to eight weeks to schedule the surgery, and only the major surgery option would be available.
In weighing up all the factors and eventualities, his specialist suggested that the situation be monitored, but that if he had any events that were of concern, he should contact the hospital immediately, and they would schedule the surgery, major or keyhole depending on what was happening or required. With other factors in his family life at that time, a delay would have been best, as long as the doctor felt it was safe to do so. He chose to delay. He also chose to "mitigate" through continuing his exercise programme, and ensuring he was as fit as possible.
Risk Management has been defined in many ways, as has Risk itself as a concept. ISO 31000 uses the very bland “effect of uncertainty on objectives”, while my own definition for the past 25 years has been “the possibility of something bad happening, or something good not happening”. Of course, risk by itself exists in everything we do, and in all the decisions and choices we make, as individuals, companies, families, cultures and countries.
But that misses the primary point of Risk Management. There is too much talk of supporting decision-making, providing insights, developing or supporting the development of risk appetites, and on the list goes. But what Risk Management is really all about is “choosing”. When we remember that the decision to do nothing is a choice, as is a decision to do something, then we get to the heart of what Risk Management is, and that is the very act of choosing, to do something or to do nothing, in an informed manner, with intent and with the expectation that the choice made will deliver a more desired and desirable outcome than the alternative choices.
Is there a role for fate? Of course. After all, it is not possible to influence all choices, or even to identify the full range of choices that must be made. It is, however, the proactive choices that prepare for the potential for fate to intervene, that can influence the severity of the results and impact.
We can look at this from two directions. In order to make an effective decision, all risks and rewards need to be considered and Risk Management is instrumental in assisting with that decision making. Looking from the other direction, Risk Management should only be providing support to enable those with the authority and responsibility to choose. Therefore, if there is no choice, then does Risk Management have anything to offer (in this particular case) and should Risk Management then be focusing on where choices must be made?
This feeds directly into the prioritisation of Risk Management attention, to focus on the areas that require decisions. Yet how does Risk Management achieve that? Unfortunately by looking across the spectrum of potential choices and attempting to assess which of those meet the following criteria:
- Biggest impact (positive or negative) that may result from choosing
- Criticality of the timing of choosing
- Underlying longer-term impacts of not choosing
- Level of authority required to choose
For each of these criteria, any risk (or control, and yes there is a relationship to internal controls and Internal Audit here) needs to be considered, at a level of attention commensurate with the balance of the four criteria. Operational level decisions (choices) should already be subject to appropriate oversight and consideration, and probably are not the most effective allocation of Risk Management resources, while the processes of consideration and authorisation of those operational choices at the senior level may be of considerable interest. The processes (and resulting choices) for determining and confirming delegations of authority will have lasting impacts on the culture and associated effectiveness of decision making.
Six weeks after choosing to delay the surgery, “The Event” happened, and my friend very nearly died. He is recovering, after truly heroic efforts of a simply magnificent surgical and ICU team. He has a long road to recovery ahead, but he will make it.
Had they decided to go ahead with the surgery at the time of diagnosis, in all probability the event would have happened before the surgery could have been scheduled.
So was the choice the right one? How can we know? We do now know that his fitness (a choice) and effective diagnosis before the event (another choice) ensured that when the event happened, he was physically most able to sustain the terrible damage. We also know that with the diagnosis, the emergency services were able to get him from the local hospital to the best specialist hospital in the country, immediately.
The Risk Assessment in this entire situation was the identification of the potential problem through effective diagnosis, and a defined and agreed treatment plan. The choosing was when to intervene, and this was the Risk Management.