You should never tweet when angry, although the most prolific users of social media do not follow this maxim. I broke my own rule a while ago after I was irked by a training business that I had offered to help as a favor to a friend. Although I was willing to help, this business was incapable of helping themselves or their client. It is safe to assume they intended to make a profit by providing training to their client, despite not knowing anything about the subject matter. You will have already guessed that their client was a telco seeking to learn about risk management. But what kinds of risks drove this telco to seek help? The training business had not asked. They had no idea about the varieties of risk management that this client wanted to learn about, or even the kinds they already knew about. There are risks everywhere; no business does no risk management, so even the worst business is already taking some steps to manage risk. This inability to articulate the needs of the client, or how the client wanted to improve, prompted me to revisit an analogy between managing risk and managing wellbeing that I have used before.
If medicine was taught the way risk management is taught there would be no ophthalmologists, psychiatrists, oncologists, anesthetists, surgeons or obstetricians. There would just be miscellaneous doctors who had miscellaneous training pretending their competence has no limits.
— Commsrisk (@Commsrisk) May 13, 2022
Writing this tweet led me to contemplate why I was angry. The education of risk professionals is intolerably inept, but my opinion is an outlier. Most people in business must be broadly satisfied with the current arrangements for training risk professionals, or else change would occur more rapidly. My career has gone moderately well but I know a good number of people who did the same kinds of risk management that I did earlier in life, and have since progressed to the highest echelons of big corporations. Risk management provided the foundations for their careers, but from their elevated vantage points they exercise no positive influence over the training of junior risk professionals. If they started as doctors concerned to improve the lives of their patients, they have ended as hospital administrators, content to perpetuate third-rate treatments so long as the official statistics show their fatality rates are not much worse than average. This is the real root of my anger, which was only sparked by the unfortunately incompetent training business.
Good health systems do not deny patients the opportunity for a second opinion. This is because doctors are human beings, and all human beings are prone to make mistakes from time to time. Furthermore, a well-designed health system is built around the concept of referring patients. A doctor with broad general ability refers a patient to another doctor with more specialized expertise, as pertinent for that patient’s needs. This does not make one doctor superior to another; they both have demanding jobs and the patient will only receive the best treatment if both doctors are competent to do those jobs. Sometimes well-meaning but foolish people have sought to present me as a narrow specialist within a specific field, most commonly as an expert in revenue assurance, when the truth is that I am an excellent all-rounder whose ego is not so massive that I blind myself to the need to solve a client’s problem by engaging specialists who know more than I do. That is why I volunteer to play the role of the generalist, referring potential clients to others, even though the ‘system’ for educating people about risk means there is never any financial reward for this role. Good professionals continue to be professional even when their work is unpaid.
If we were to talk to a real expert in cybersecurity about what it means to be an expert in cybersecurity, they would soon scoff at the notion that anybody could be an expert in every aspect of cybersecurity. This is a sign of the maturity of cybersecurity as a profession; there is no shame in admitting the limits to a single person’s competence. Consider that cybersecurity risks are a subset of all risks. It should be immediately apparent that nobody could know everything about risk management. However, the immaturity of our approach to education means people really do talk about learning risk management as if somebody could complete a training course and then know how to manage all risks. What can be taught are general principles of how to understand and evaluate risks and their potential mitigations, but central to those principles would be the notion of knowing when to seek the assistance of specialists, and a broad understanding of what kinds of specialists there are.
The first question to ask of any business that says it wants to learn about risk management is the following: are you genuinely seeking to embed general principles of risk management into how your business functions, or are you suffering from specific kinds of pain that you want alleviated? This question must be asked because a business led by executives who are not committed to engraining risk management in the fabric of the organization’s decision-making is never going to ‘learn’ how to do risk management, because you manage risk in general by generally making better decisions. It is more likely that the business is asking for advice with risk management because they have specific causes of pain, but struggle to articulate their symptoms, and so they will need the care of relevant specialists. Most businesses that suddenly decide they need better risk management are like patients in an emergency ward, screaming that they are in pain and they want it to stop. The doctor’s role is to ask the patient questions about where it hurts, so they can diagnose the cause of the pain, prescribe medicines, run tests, and schedule surgery if necessary. An emergency ward is not the right place to give the patient lectures about exercise, diet and wellbeing in general, the metaphorical equivalent of training businesses how to manage risks in general.
I could begin to draw a map of all the specialisms that lie within the remit of risk management but that is the kind of exercise which sadly leads to many unproductive conversations. Rightly or wrongly, the tendency is that somebody from the USA will draw their own mind map, and that mind map will become the norm because that country’s economy is best suited to publishing the mind map and incorporating it within standardized training courses. This is thanks to US corporations that will collectively dedicate the most expenditure to this kind of training. The mind map they collectively adopt will be little better or worse than mind maps that professionals in many other countries might have drawn. It will also suffer a degree of bias, as it will reflect the experiences of somebody in the USA and not the experiences of people from other countries, but I can offer no guaranteed way to prevent this kind of bias because nobody has unlimited experience.
The mind map would include risks that must be endured by most kinds of businesses, and there is also a need to make allowances for sector-specific risks, because the methods used by a bank to avoid making bad loans have little in common with the methods used by a fast food business to avoid poisoning its customers. I spend most of my time learning about the risk specialisms pertinent to electronic comms providers, and could hence offer a sector-specific list that includes the topics that most interest the readers of Commsrisk, such as cybersecurity, fraud management, customer privacy and revenue assurance, but the map should equally include disaster recovery, employee safety, regulatory affairs and supply chain risks. We have to make practical compromises in real life, so it is fine for somebody to call themselves a risk manager even if they do not manage every kind of risk, but it is unhealthy to pretend the risks addressed by that risk manager are the only risks that matter. Businesses can be trained to better manage risk in general, but you cannot do a better job of managing risk in general by setting up managers to compete for attention. A risk is a risk is a risk; the value and priority associated with each risk should not be influenced by rivalries between managers within the same organization, irrespective of the way responsibility for different risks has been allocated. On the other hand, the training given to people in different risk specialisms usually lacks a common foundation. We do not even use a common definition of the word ‘risk’, having each been taught it is something different. This is as unhelpful as a team of doctors who each have conflicting objectives when they treat the same patient.
It follows from this argument that fraud consultants should not pretend that they know how to do revenue assurance when they do not, although many of them pretend exactly that. It also follows that there is a real tension when grouping fraud and security together, despite the many pragmatic advantages of linking the two. Anybody aspiring to become more important within their business should also have the humility to appreciate there will be many kinds of risks where others will be better placed to evaluate the potential impact and recommend ways to reduce it. Those who have become more important should strive to remember what it was like to be junior, and loosen the purse strings so staff receive training of a high quality that is also pertinent to their role. Nobody wants to be treated by a doctor who is a liar or who pretends to be more competent than they are. A similar appreciation for the merits of honesty would help us progress in the quality of the training given to risk managers.
There is a positive and a negative aspect to how everybody can encourage the improvement of our discipline. The positive aspect is that any individual may have obtained special insights into risks that are not yet common, or into novel methods of mitigating risks. If others could learn from you, then make it your responsibility to teach them. The negative aspect is that we should not reward corner-cutting and incompetence by pretending that everybody is equally qualified to manage every kind of risk. So push your business to invest in training existing staff, hiring new staff, or engaging external advisors if there are risks that you are not competent to cover and which nobody else is covering either.
I began with an analogy about training doctors and will end with an analogy about training doctors. Do doctors lose work if they refer patients to another doctor? Do doctors get paid less by admitting the limits of their knowledge and the need to involve other specialists? The contrary is true. Better doctors lead to increased demand for doctors. Better medicine leads to more customers for medicine. The better the healthcare system, the longer people live, and the more they trust and seek care from the system instead of exploring alternatives. If healthy bodies lead to a healthy lifestyle then we can also say healthy businesses lead to a healthy economy. Good doctors increase health; good risk managers increase wealth. Resources are always finite, but it can be foolish and counterproductive to save money by skipping investments that lead to greater health, and greater wealth. Improving the training of the metaphorical doctors of businesses would be a sound investment. It begins with an admission that the current training is far below the expectations we should set for ourselves.