The Failure of Risk Management. Douglas W. Hubbard
Gulf of Mexico, and multiple large cyberattacks that compromised hundreds of millions of personal records. But I won't dwell on these anecdotes or the events that occurred prior to the first edition. This book should be just as relevant after the next big natural disaster, major product safety recall, or catastrophic industrial accident. Better yet, I hope readers see this book as a resource they need before those events occur. Risk management that simply reacts to yesterday's news is not risk management at all.
I addressed risk in my first book, How to Measure Anything: Finding the Value of Intangibles in Business. Risk struck me as one of those items that is consistently perceived as an intangible by management. True, risk is intangible in one sense. A risk that something could occur—the probability of some future event—is not tangible in the same way as progress on a construction project or the output of a power plant. But it is every bit as measurable. Two entire chapters in the first book focused just on the measurement of uncertainty and risks.
Unfortunately, risk management based on actual measurements of risks is not the predominant approach in most industries. I see solutions for managing the risks of some very important problems that are in fact no better than astrology. And this is not a controversial position I'm taking. The flaws in these methods are widely known to the researchers who study them. The message has simply not been communicated to the larger audience of managers.
All of my books—not just the two that explicitly mention risk in the title—are really about making or supporting critical decisions where there is a lot of uncertainty and a cost to being wrong. In other words, I write about risky decisions. I was drawn to this topic after watching consultants come up with a lot of questionable schemes for assessing risks, measuring performance, and prioritizing portfolios with no apparent foundation in statistics or decision science. Arbitrary scoring schemes and other qualitative methods have virtually taken over some aspects of formalized decision-making processes in management. In other areas, some methods that do have a sound, scientific, and mathematical basis are consistently misunderstood and misapplied.
I just didn't see enough attention brought to this topic. Of all the good, solid academic research and texts on risk analysis, risk management, and decision science, none seem to be directly addressing the problem of the apparently unchecked spread of pseudoscience in this field. In finance, Nassim Taleb's popular books, Fooled by Randomness and The Black Swan have pointed out the existence of serious problems. But in those cases, there was not much practical advice for risk managers and very little information about assessing risks outside of finance. There is a need to point out these problems to a wide audience for a variety of different risks.
Writing on this topic would be challenging for several reasons, not the least of which is the fact that any honest and useful treatment of risk management steps on some toes. That hasn't changed since the first edition. Proponents of widely used methods—some of which have been codified in international standards—have felt threatened by some of the positions I am taking in this book. Therefore, I've taken care that each of the key claims I make about the weaknesses of some methods is supported by the thorough research of others and are not just my own opinion. The research is overwhelmingly conclusive—much of what has been done in risk management, when measured objectively, has added no value to the issue of managing risks. It may actually have made things worse.
The biggest challenge would be reaching a broad audience. Although the solution to better risk management is, for most, better quantitative analysis, a specialized mathematical text on the analysis and management of risks would not reach a wide-enough audience. The numerous technical texts already published haven't seemed to penetrate the management market, and I have no reason to believe that mine would fare any better. The approach I take here is to provide my readers with just enough technical information so that they can make a 180-degree turn in risk management. They can stop using the equivalent of astrology in risk management and at least start down the path of the better methods. For risk managers, mastering those methods will become part of a longer career and a study that goes beyond this book. This is more like a first book in astronomy for recovering astrologers—we have to debunk the old and introduce the new.
Douglas W. Hubbard
February 2020
Acknowledgments
Many people helped me with this book in many ways. Some I have interviewed for this book, some have provided their own research (even some prior to publication), and others have spent time reviewing my manuscript and offering many suggestions for improvement. In particular, I would like to thank Dr. Sam Savage of Stanford University, who has been extraordinarily helpful on all these counts.
Reed Augliere | Jim Dyer | Harry Markowitz |
David Bearden | Jim Franklin | Jason Mewis |
Christopher “Kip” Bohn | Andrew Freeman | Bill Panning |
Andrew Braden | Vic Fricas | Sam Savage |
David Budescu | Dan Garrow | John Schuyler |
Bob Clemen | John Hester | Yook Seng Kong |
Ray Covert | Steve Hoye | Thompson Terry |
Dennis William Cox | David Hubbard | David Vose |
Tony Cox | Karen Jenni | Stephen Wolfram |
Diana Del Bel Belluz | Rick Julien | Peter Alan Smith |
Jim DeLoach | Daniel Kahneman | Jack Jones |
Robin Dillon-Merrill | Allen Kubitz | Steve Roemerman |
Rob Donat | Fiona MacMillan |
CHAPTER 1 Healthy Skepticism for Risk Management
It is far better to grasp the universe as it really is than to persist in delusion, however satisfying and reassuring.
—CARL SAGAN
Everything's fine today, that is our illusion.
—VOLTAIRE
What is your single biggest risk? How do you know? These are critical questions for any organization regardless of industry, size, structure, environment, political pressures, or changes in technology. Any attempt to manage risk in these organizations should involve answering these questions.
We need to ask hard questions about new and rapidly growing trends in management methods, especially when those methods are meant to help direct and protect major investments and inform key public policy. The application of healthy skepticism to risk management methods was long past due when I wrote the first edition of this book more than a decade ago.
The first edition of this book came out on the tail end of the Great Recession in 2008 and 2009. Since then, several major events have resulted in extraordinary losses both financially and in terms of human health and safety. Here are just a few:
Deepwater Horizon offshore oil spill (2010)
Fukushima