With 2008 behind us, risk managers are able to look back on a year of highly improbable yet excessively frequent bank failures and institutional collapses that call into question the competence of the risk management practice. Ernst & Young reports in a December article that risk management has continued to miss the big risks and advises that companies must “recognize how closely connected these risks are in terms of their potential impact on an organization.” They observe that:
It is no longer adequate to simply look backwards when identifying risk issues and trends. Companies need to look forward and around corners as well to anticipate and react to potential business risks.
Yet 2008’s failures, as remarkable as they were in magnitude, were unfortunately quite unremarkable in their occurrence. In 2006, it was the completely unexpected failure of Amaranth which some have appropriately attributed to the underlying failure of risk management. And less than a decade earlier, it was the collapse of Long-Term Capital Management, an unexpected, catastrophic implosion of a firm led by two of the gurus of financial risk management, Myron Scholes and Robert Merton. The report on the risk management practice isn’t positive: even the best risk managers seem completely blind to the massive magnitude events.
Information security guru Bruce Schneier writes of post-9/11 security measures that they are mostly intended as CYA mechanisms for the politicians rather than actual preventative, detective or responsive measures… information hardly comforting the next time you’re spending an extra hour navigating through airport security. Indeed, the likelihood of AQI or another terrorist group coming in the same door it used on 9/11 is quite insignificant. The door that will be used is the one we didn’t know we had.
Not surprisingly, our financial, operational and technological risk management practices parallel the experience reported by Schneier in that our focus continues to be on assessing the expected risks, leaving us blind to the unexpected. In many governance, risk and compliance (GRC) practices, we perform assessments with the objective of “identifying risk” by going through checklists that seek problems that could give rise to risks based on previous events. While useful for managing processes and preventing low complexity copycat incidents, the assessments provide no visibility of the unknown risk that lurks around the next corner. It’s for this reason that some advocate that compliance and audit should never be confused with risk management. For our assurance, assessors apply checklists and evaluate processes, reports and controls. They seek comfort in the security of the checklist, minimizing the likelihood of a predictable event while providing false assurances that “all is well” with respect to the unexpected and the unknown. While this compliance practice should continue to be an important part of the management of existing processes, it should never be confused with the management of risk — especially the black swan risk that puts our companies, financial portfolios and national security in jeopardy.
Radicalization as a Risk Management Framework: The Debate Model
One of the unique values of debate, and policy debate in particular, is its creation of conceptual sandboxes where ideas are not only tested, but frameworks of understanding are “radicalized” using critical theory methods. Radicalization is an important tool in the sandbox as it shifts the debate from a policy-making framework to one that questions the very foundation the status quo resides within. For example, an affirmative team may advocate that “the United States Federal Government should use tax incentives to construct geothermal power plants” which sounds like an agreeable proposition. Indeed, when presented with the advantages that clean, green alternative energy provides, it’s difficult to disagree with such a plan.
Negative teams opposing the affirmative’s plan traditionally had two options. They could argue the feasibility of the plan (such as its ability to solve the problem), which often led to a difficult and losing fight against an affirmative that eagerly anticipated such challenges well in advance, or they could argue generic political disadvantages to such actions (such as the political capital the President would have to spend to push through a potentially unpopular initiative). In 1993, the world of Negative strategy was significantly changed with the inclusion of critical arguments, known fondly to such debaters as the kritik.
In the realm of the kritik, the negative team would bypass the direct assault on the plan and instead challenge the very philosophical foundation the plan resided upon. Should the Federal Government even be in the business of offering incentives? Aren’t incentives a form of coercion, and if so, what kind of damage are we doing by even proposing them in this “educational” debate round? What other assumptions are implied in the affirmative’s proposition that need reconsideration? In order to discover the inherent viewpoint we’ve embraced that led up to the proposition, kritik debaters use the process of radicalization which takes a philosophical foundation to extreme forms in order to “punch out of the box” that defines the framework on which our current understanding resides.
Such debates can seem extreme to the layperson, where often “anything goes” within the round and philosophies from Zizek’s “Plague of Fantasies” to technological criticisms by Heidegger present shockingly different views on our world. Nozick’s “minimal state” is advanced as the only proper form of government or Barndt’s claims of inherent environmental racism are explained using wild analogies of “Happiness Machines.” Yet these debates question the ground that the current system rests upon, and through this radical discovery, enlarge the domain of understanding to a larger one where tomorrow’s problems, risks and solutions reside.
Risk Management Radicalism: Finding the Unknown Risk
For the risk management practice, radicalism presents a paradigm for discovering the unknown risk before it occurs. It provides a potential framework for expanding our awareness beyond the status quo, which our controls are already designed to monitor and protect. Radicalism gives us the opportunity to move outside that realm and challenge the assumptions on which the system was constructed. Whether it’s financial, technological or operational risk, radicalism’s application offers a method of discovery that allows us to expand our vision of risk to one that may just encompass the next catastrophe lurking around the corner.
How does one employ radicalism? That’s the subject of considerable thought and effort, of which I’ve only undertaken the first steps and have drafted some initial thoughts and high-level processes for a methodology that can be integrated with existing risk standards and practices (e.g. ISO 31000) to allow the program to gain awareness of those unknown risks in addition to its inventory of known risks well handled by existing practices. If you find this paradigm of interest, I welcome your comments and/or emails (my email address is listed in the About section of the blog).