Human beings are not good risk managers. The brain is not wired to correctly assess what is going to actually kill us and what will simply worry us to death. We spend an inordinate amount of time worrying about the things that will never happen while paying little or no attention to the things that are likely to harm us. We are routinely provided examples of this ineptitude, and yet the problem persists not only in our personal lives, but also in the realm of corporate risk management.
For example, in the wake of the Sept. 11, 2001, terrorist attacks, many travelers decided to drive instead of fly. As a result of more drivers on the road, there were 1,000 more highway fatalities in the period from October 2001 through December 2001 than there were during the same period one year prior. Only 265 people died aboard airplanes in the Sept. 11 terrorist attacks.
David Ropeik, a former Harvard instructor, noted in Time magazine recently that the choice to avoid flying because of the attacks "produced a third again as many fatalities as the terrorist attacks." In other words, risk aversion led to an increase in accidental deaths.
A cursory probabilistic risk assessment of flying versus driving reveals that driving is far more deadly. According to the Census Bureau's recently released 2007 Abstract of the United States, 44,757 Americans died in motor vehicle accidents in 2003, while only 22 died in commercial airline accidents. In fact, being struck by lightning far surpassed airplane crashes in 2003; four times more people were struck dead by a bolt from the sky than died in airplanes. Yet we worry more about another airline crash than almost any other form of accident.
When we rely on perception and gut feelings to direct our risk management efforts, we invariably focus on the wrong risks. If one wants to be an effective risk manager, this tendency must be reversed. But this is easier said than done. This problem is particularly troublesome in the realm of corporate risk management. If we will not pay attention to the actual probabilities of a risk when death is involved, what motivation do we have to overcome our biases when we are simply dealing with the corporate bank account?
Unlike the risks mentioned above, companies do not have solid numbers on the types of risks that they face. There is no Census Bureau measuring the value of the company's reputation, or the amount lost each year due to customer dissatisfaction. A company like Research in Motion, the maker of Blackberry handheld devices, can have the best business-continuity plans in the world for interruption from avian flu, and then face annihilation because of an unforeseen lawsuit.
An executive who spends only a portion of her time on risk management can be forgiven for not having a clear understanding of the probability distribution of the wide array of risks facing her organization. This is where risk managers establish value for their companies. It is our job to provide a clear, undistorted lens through which decision-makers can assess risk as they really are.
We must overcome our natural human disposition to worry about the wrong things if we are to avoid putting the organizations for which we work at greater risk. When a company fails to accurately assess its exposures, it becomes like the people choosing to drive instead of fly after Sept. 11, 2001. The company drives along, eyes firmly riveted on the sky on the lookout for threats from above, while oblivious to the imminent threat facing it just ahead.
manages risk for Sun Microsystems Inc.
February 1, 2007
Copyright 2007© LRP Publications