Things That Have Never Happened Before Happen All the Time

Good risk management guarantees success over various futures

Link copied

By integrating risk management into plans, decisions, and actions, we can succeed over a wider range of possible futures, not just the future we expect (or hope for).

Risk management is mainly a way to stop bad things from happening. Of course, risk management should help us reduce the frequency and size of negative events and then recover more quickly and effectively when negative events occur.

But, risk management, in my view, should also help the right things happen by giving us tools to work more effectively. Innovation is an essential tool to manage risks, because not changing can be riskier than changing.

Risk management could be misinterpreted as an attempt to create a contingency plan for every possible thing that could go wrong. It is important to prepare by scanning the horizon, exploring the range of possible futures, and understanding how those futures could help or impair desired outcomes. We do want to invest in effective responses to key scenarios.

However, no organization has the resources to prepare for all possibilities. And, no matter how creative we are, we still can't imagine every one of them anyway. As it is said, "Things that have never happened before happen all the time." So, effective risk management is more than planning. It is creating the capacity to adapt to and recover from unexpected shocks, which is what we often mean when we talk about resilience. To me, successful risk management is as much about culture as it is about structure. My version of the saying "culture eats strategy for breakfast" is: "culture eats structure for breakfast."

Risk Management During the Pandemic

Our business continuity planning and testing helped us navigate the early days of the pandemic, but this event was far more extreme than anything we had practiced, and we learned many lessons. I highly recommend a recent paper by the Consultative Group on Risk Management that brings together insights from central bank experiences managing business continuity risks during the pandemic.

At the New York Fed, as we were changing where and how we worked, the pandemic's impacts spread to the economy and financial markets. In response to these conditions, the Federal Reserve System used our three-lines-of-defense risk model to build strong risk management into facility operations.

The first line of defense, the facilities teams, were responsible for understanding and managing their risks. The second line – my group (the Risk Group), the Compliance Function, and others – was responsible for independent assessment and oversight of those risks. And, the third line – our Internal Audit Group – was responsible for fully independent assurance.

Resilient processes and technology should support the ability of the staff to successfully manage in normal times and during disruptions.

What are some concrete steps to strengthen resilience? In terms of processes, an important first step is to identify the processes that are critical to achieving organizational objectives. Gains are often found through simplification and automation of manual processes, especially when combined with performance metrics and risk metrics that provide real-time measures of process health.

For technology, modernizing technology and software development processes can be a key area of focus. One goal is to create a fast, robust, and secure software development lifecycle that stays current by design (perhaps enabled through the agile development methodology and cloud platforms). And, approaches like red-teaming, threat hunting, and external benchmarking can provide insight into cyber resilience strengths and areas to improve.17

On the people side, does the current organizational culture help people successfully adapt to rapidly changing environment? Do staff have the skills that are needed to achieve organizational objectives today and in the future? These are important questions to explore and potential priority areas to address if there are mismatches.

We Will Be Surprised

I'd like to wrap up with a bit of realism followed by optimism. Here's the realism: while we might prefer never to be surprised, we will be. The optimism is: effective risk management can help us be less surprised and respond better when we are. And, a strong risk management ecosystem will be self-sustaining because it generates demonstrable value – that is, practical and timely solutions to material problems – to help our organizations succeed in all environments.