Risk Management Doesn't Have to be Boring
Traditional risk management programs stick to a narrow selection of familiar risks. Risk managers often build controls based on the classic risks without thinking imaginatively about non-traditional factors that can drag down an operating environment. The chance that something can go wrong is the essence of risk. The truth is that anything can go wrong. I want to help people think of things that can go wrong in their operating environment and design controls that address those risks to prevent unfortunate outcomes.
Look Beyond Traditional Risks
If you are a risk management professional interested in adding value rather than merely reducing the potential for loss, consider including some overlooked risks in your organization's risk management program. Classic risk management programs such as those in financial services companies include measures to address financial risk, credit risk, regulatory risk, operational risk, and reputation risk, among others. These classics leave out work habits that could either detract from or add to the bottom line. Addressing a few overlooked risks can move a risk management program toward a positive return on investment and away from its traditional role as a necessary expense. The following categories make up some of the overlooked risks that deserve attention.
A Few Overlooked Risk Categories
Inefficiency Risk
Every process carries the possibility of not executing as efficiently as possible. Sometimes efficiency doesn't matter, as in a process carried out as a passion or hobby, but efficiency matters a great deal in a business environment. For this reason, any formal risk management program should include at least a regular reminder to look for inefficiency.
Looking for inefficiency serves as a control against complacency. People become complacent when they perform tasks without considering their meaning, context, or value. They strive for a standard and they resist change as if a cost were attached. In fact, one is. Often, the cost associated with a change lies in not making the change. Operating at less than optimal efficiency imposes a real cost. Reducing the risk of inefficiency may reduce that cost.
Distraction Risk
Conventional wisdom holds that doing more with less increases efficiency. Up to a point it does. Beyond that point, doing more with fewer resources consumes the resources just as running an engine on a lean mixture reduces the life of the engine. Also, and more likely than long-term burnout, resources forced to do more with less strive for productivity increases by overlapping tasks, omitting tasks, or multi-tasking. In fact, multi-tasking reduces a person's efficiency. Focusing on single-threaded tasks is the only way to bring full knowledge to bear on the individual steps in a process. Risk management programs might include controls that help people eliminate distractions in their environment as well as the temptation to engage in multi-tasking.
Focus Risk
This is akin to Distraction Risk, perhaps on the other side of the same coin. In military settings in which people work a problem largely by interpreting symbols on screen, this risk is called "scope lock", or the inability to incorporate information that does not appear on the display. Scope lock renders an intelligent person incapable of synthetic reasoning, of combining seemingly unrelated pieces of information to gain a new understanding of threats in the environment. Threats can stalk a person with scope lock like predators circling an ostrich with its head in the sand. They can range from exotic to banal, from unforeseen circumstances to rote execution of a process. Whenever people carry out routine processes, they should keep in mind that there's a fine line between a routine and a rut. An innovative risk management program might prompt people to look up from their routines occasionally to prevent them from falling into ruts.
Misinformation Risk
Most people have heard the old saying, 'caveat emptor': let the buyer beware. Internet users who consume online information for free are free of the warning associated with making a purchase, yet the consumers of free content should also beware. A lot of bad information appears online, and heeding it poses a real risk.
Professional journals use a peer-review process to evaluate content in order to promote valid, reliable information. Good web sites achieve a version of peer review through content rating by users. Unfortunately, the unfettered proliferation of information on the internet means that some of the guidance available on a subject has not been vetted. A risk management program in an organization that benefits from knowledge and information should include a control designed to ensure new information arrives only from credible sources. Even when misinformation does not directly harm a process, it can introduce a great deal of inefficiency through unproductive speculation.
Enthusiasm Risk
Alan Greenspan famously spoke of "irrational exuberance". The emotional phenomenon Greenspan described is not limited to investors. Employees who believe in their jobs and the service they provide can experience the same sentiment. Their best intentions lead them astray, to the point that employees can enable bad customer behavior by going overboard to provide good customer service. Relationship specialists at financial institutions do this when they forgo telephone authentication of customers whose voices they recognize. Financial institutions also enable bad behavior--and shortchange themselves--when they bear loss for customers who have surrendered their credentials in response to phishing attempts. They may do this to preserve a customer relationship even though customer agreements usually assign liability for this kind of loss clearly and unambiguously to the customer.
When enthusiastic companies can't avoid the clichéd goal of "exceeding customer expectations," controls may be appropriate to instill discipline. Exceeding customer expectations gives something away. It amounts to waste. Both the customer and the institution are best served by a fair exchange of value.
Hoarding Risk
Treating best practices as proprietary information can be self-defeating. In a network environment or closed business community, failure to share risk management expertise may actually increase risk for all participants, and the errors of competitors can mean non-value-added repair work for the home company. An innovative risk management control might overcome the risk of hoarding information. It can remind people to reflect on the factors that help them contain risks, describe those factors clearly without including proprietary or confidential data, and share their knowledge with others who operate in the same environment.
Risk Management Risk
Finally, beware the danger that the actual expense of controlling all possible risks will exceed the likely cost of all probable risks. Every risk management determination in a non-life-or-death environment comes down to a business decision. The decision involves the actual cost of risk mitigation and the possible cost of an uncontrolled environment. Weigh these factors with care when determining which risks to include in any formal risk management program. Involve the right decision makers, guide them to exercise good judgment in identifying opportunities for adverse outcomes, and avoid the temptation to regard an untenable number of conditions as risks.
Reader Feedback
Anna Wyke
Jul 9, 2009 @ 11:35 am
Great insights and love the creative approach!
Bill Lightfoot
Feb 23, 2009 @ 11:05 am
Excellent insights that most of us don't really consider when considering risk. Thanks!
by devonmarsh
I've been a Navy pilot and a risk manager at a major national bank. I've encountered risk in both careers. In the military and in banking I've learned...