Rethinking Risk Management: Moving Beyond Rules-Based Approaches

In a world where risk management is often seen as a box-ticking exercise, two experts are calling for a new approach that goes beyond simply following rules. Robert S. Kaplan and Anette Mikes argue that companies need to understand the different types of risks they face in order to truly protect themselves from disaster.

Their categorization of risk breaks it down into three main types: preventable risks, strategy risks, and external risks. Preventable risks are those that come from within the organization and can be controlled or eliminated. These include risks from unethical behavior or operational failures. Strategy risks, on the other hand, are risks that a company willingly takes on in pursuit of greater returns. External risks, such as natural disasters or economic shifts, are beyond the company’s control.

The authors argue that companies need to tailor their risk management processes to these different categories. While a rules-based approach may work for preventable risks, strategy risks require a more open and explicit discussion. And to prepare for external risks, companies can use tools like war-gaming and scenario analysis.

By taking a more nuanced approach to risk management, companies can better protect themselves from the unexpected. As the authors point out, disasters like Deepwater Horizon and the financial crisis of 2007-2008 were not prevented by simply following the rules. It’s time for companies to rethink their approach to risk and ensure they are truly prepared for whatever may come their way.