by Dennis M. Kirschbaum, ARM
During the last century, a handful of historians and academicians debated the question of who was the first risk manager. In his new book, The Polar Bear Strategy, author John Ross traces back the history of risk management to a seventeenth-century Monk named Blaise Pascal, who suggested that it was less risky to believe in God than to be a nonbeliever. His line of reasoning went like this.
If you believe in God and it turns out there is no God, you will be none the worse for having believed. However, if you do not believe in God and there is a God, you may be punished for eternity for your stubbornness. In other words, it is less risky to believe in God–just in case.
Ross makes a compelling case that Pascal’s application of the laws of probability for predicting the likelihood of unwanted consequences led to the development of risk management. That may be true, however, I believe that Brother Pascal was more likely the first actuary. In fact, the first risk manager lived at least 2,300 years earlier.
I am thinking of the Old Testament prophet Jonah. Although he is best known for his sojourn in the belly of a big fish, the Book of Jonah is really about effective risk control.
Let’s review the facts as presented. Jonah gets a call to go and preach to the people of Nineveh that God will destroy them to punish them for their evil ways. Destruction is almost certain unless Jonah can convince them to repent. In making his case to the people of Nineveh, Jonah used the basic three-step approach to risk management. He asked the following questions:
- What could go wrong? (God could destroy the city.)
- What can we do to prevent harm or to deal with it when it occurs? (We can repent or else hire many more firefighters.)
- How will we pay for it? (Difficult to say. Acts of God were normally excluded from the standard CGL of his day.)
Jonah was not the first person of his day to predict doom and gloom. But there is an important difference between Jonah and most of the other prophets of the Hebrew Bible — the people actually listened to him! They repented and the awful things didn’t happen. But this presented a problem for Jonah. How could he prove that his predictions would have come true if people had not changed their behaviors? At the end of the book Jonah is found moping. He is concerned that his reputation as a prophet will be damaged because the things he predicted did not come true.
Of course, just knowing the right questions to ask doesn’t make one a good risk manager. Jonah also had the right skill set to put an effective risk management plan into place.
- Jonah was an effective communicator. He knew how to present his message in a clear and compelling way that could get people’s attention and, more importantly, get them to modify their behaviors.
- He had the support of top management. Now admittedly, when the Almighty blesses your efforts, there is no telling how far you can go. Most of us, however, would be happy to have the board, CEO, or even Catbert, the evil human resources manager, sign off on our risk management strategies.
- He had buy-in from frontline employees.
- He critically evaluated the results of his work.
Fast forward 2,500 years. By now everyone knows that the Y2K computer bug was a big snooze. The predictions of widespread power outages, loss of phone service, and the collapse of worldwide financial markets simply didn’t occur. Instead, a handful of IS guys and gals stood guard, largely bored, over our nation’s computer servers while the rest of world stayed home to watch ABC’s coverage of various New Year’s festivities on TV.
But while people are cursing the pundits and wondering what they are going to do with 100 cases of k-rations and a thousand gallons of cooking fuel, is anyone stopping to ponder what would have happened without the prophets of doom and gloom?”
What happened? How could all the doom and gloom prophets of the final years of the ‘90s have been so wrong? Like Jonah, they have become despised in their own land when their prophesies of global meltdown and destruction failed to materialize. But while people are cursing the pundits and wondering what they are going to do with 100 cases of k-rations and a thousand gallons of cooking fuel, is anyone stopping to ponder what would have happened without the prophets of doom and gloom?
Perhaps the world really would have come to an end. Thanks to all those squeaky wheels the Y2K problem got lots of grease. Grease, and, by some estimates, about 400 billion dollars. Yet no one will ever be able to quantify the losses that didn’t occur.
Isn’t this a fundamental challenge of risk management? How does one quantify the losses that didn’t occur? The Y2K pundits took the lessons of Jonah to heart and tragedy was averted. And therein is revealed an approach that can work in any organization that wants to prevent everything from small problems to big disasters.
- Communicate effectively and continuously
I first heard about the Y2K computer bug in the mid-90s, but there were actually folks who were sounding alarms as far back as the 70s. It can take lots of effort and wind before a message sinks in. Don’t give up. If you are convinced that there are issues that need to be addressed, keep raising them. Sooner or later, someone will listen.
- Get the support of top management and the board of directors
Fear is good. Franklin D. Roosevelt said, “We have nothing to fear, but fear itself.” I’m not certain what he meant, but I do know that fear can be a strong motivator. The threat of a lawsuit can motivate people to take action and address problems.
- Enlist the support of line employees and volunteers
Show your people why it is in their best interest to buy into risk management. No one wants to be injured and most people don’t want to injure others. Demonstrate how risk management reduces the likelihood of unwanted consequences and creates an environment where more risk taking is possible.
- Monitor your results and make modifications where necessary
When he had finished his task, Jonah settled on a perch on the outskirts of the town to watch and see what would happen. Of course, with risk management, the job is never completed. There is an ongoing process of evaluating your risk management strategy and making constant adjustments.
Implementing such a strategy will go a long way toward the realization of not only your risk management goals but also your organization’s mission. And like Jonah, don’t forget to prepare for the worst while you hope for the best. Because the night is always darkest right before the whale spits you out on the beach.
Dennis Kirschbaum is Manager of Information Technology at the Nonprofit Risk Management Center. He can be reached at (202) 785-3891 or via e-mail.
© 2003 Nonprofit Risk Management Center