Tuesday, August 7, 2007

Fine whine is meant to be shared

Of risk, bridges and business 2007Aug6

Tom Clancy, in A Sum of All Fears, offered this smug assessment:

The Roman bridges of antiquity were very inefficient structures. By modern standards, they used too much stone, and as a result, far too much labor to build. Over the years we have learned to build bridges more efficiently, using fewer materials and less labor to perform the same task.
Seven years ago, InfoWorld published this response in KJR's predecessor, the Survival Guide (The sum of all projects)
... some of those Roman bridges are still standing a millennium later, while some of our more efficient ones have tumbled into the bay. Adherence to budgets and schedules is our preeminent ethic. One suspects Rome held different values.
Last week, another American bridge, just 40 years old, tumbled into the Mississippi river in the middle of Minneapolis. Those built by the Romans continue to stand.

What exactly went wrong in Minneapolis isn't yet certain. We do know already that recent inspections of the bridge did not report that all was well. They reported risk.

The state of MN, my home state, has underinvested in its transportation infrastructure for at least 25 of the last 25 years.

So has the rest of the country. We have no reason to believe the 35W bridge collapse will be the only consequence. Current estimates suggest we'll need to spend $10 billion a year for 20 years to catch up just on bridge maintenance. That will require new taxes. Do you think many voters would support a preventive maintenance platform, should one party or another be to propose it?
In the meantime, roughly 150,000 bridges have a similar risk of failure.

For those who propose the BIG/GAS theory (Business Is Great/Government and Academics are Stupid) as the culprit -- don't even think about it. Business leaders are at least as prone to the same thinking. As a recent KJR explained (The value of a little failure here and there,), they are far more likely to invest in revenue enhancement or cost reduction than in addressing risk, because investments in revenue enhancement and cost reduction yield tangible returns.

In that column I used risk mitigation to cover all ways of handling risk. Two correspondents -- Tom Reid and Max Fritzler -- recommended a different vocabulary and a more sophisticated way to think about the subject.

The proper cover term, which will be used here from now on, is "risk management." To manage risk you can Avoid, Insure, or Mitigate (Max supplied the acronym, AIM).

Avoidance means reducing the likelihood that the risk will become an event. Preventive maintenance is one of the most important ways to avoid risk. Staff training, to increase competence, is another.

Insurance includes all tactics that deflect the consequences of risk to someone else. Insurance is the label because that's the best-known way to deflect the consequences of risk, but there is another. It's called blame-shifting and it's quite a popular alternative. Quite a bit of political propaganda goes into blame-shifting. In business, backstabbing often has the same goal. Both are annoyingly effective at deflecting the consequences of risk.

Mitigation means reducing the impact should the risk turn into actual events. Fault-tolerant system design and business recovery planning are well-known risk mitigation tactics. So are cross-training and succession planning.

There is, of course, a fourth risk management tactic. It's probably the most popular of them all. It's called hoping.

Synonyms are keeping your fingers crossed and denial. Theoretically, you can also accept the risk -- consciously choose to do nothing. Usually, though, acceptance is just another synonym for hoping.

Denial has an antidote -- developing a culture of honest inquiry. It's how you get an accurate assessment of risk.

It is, perhaps, the most difficult change in business culture you can attempt. You have to constantly and insistently ask,

Are the data we have trustworthy? Complete? Can we get better data? Are we drawing the right inferences? Will they lead to the results we want?
And then,

Do the data say our decisions gave us the results we want? If not, what did we miss? What was wrong about our inferences and decisions? What will we do differently next time?
Tough questions.

You'll note that most risk management fits our definition of a decision -- it requires the commitment of time, staff and money. The exceptions are blame-shifting and hoping, which don't.

Is it any wonder, then, that blame-shifting and hoping are the most common risk management strategies in America today?

Or that another American bridge has crumbled?




Copyright and other stuff -- The great KJR link point

No comments: