Last week, at the Electronic Signature Records Association (ESRA), I delivered a keynote address that surprised me. For a while, I have been advocating that risk management is dead as a business discipline. Why? Because RM is only funded out of the net profits of an organization. When companies seek the monies to meet budget requests for managing risk, their only sources of funds are the monies left over after all the other expenses of producing their goods and services have been spent. RM spending, as such, does not do anything that increases the value of the goods or services of a company to its customer base. But it has always been challenging to make that point clearly, and to illuminate how making risk-based decisions is different from making affirmative trust decisions.
Then I stumbled onto an image of Butch Cassidy and the Sundance Kid from the iconic film itself. The picture showed the two of them, having been chased to the edge of a nearly bottomless canyon (with a river running through it), calculating whether they could jump and survive. At that point, they are calculating trust and probabilities. They are evaluating the context of the circumstances, the raging qualities of the water, the apparent depth of the river, the likely velocity at impact—all variables for which each of them was calling up rules and math and doing the figuring. Then, one further information element was introduced. “I can’t swim,” says one to the other.
That simple declaration confirmed that one of the rules that were being evaluated in their calculus would not be met. “And then we swim away” could not be satisfied. So, in fact, Butch and Sundance had not been able to reach an affirmative decision that they would survive. To the contrary, the information element meant that jumping would indeed not be an act in which they had confidence.
And that allowed me to explain risk differently. Risk-taking is all about deciding to move in a specific direction even though the information available indicates our criteria (or our rules) for what will assure an affirmative outcome are not being met. Risk management is never reaching a trust decision; it is always saying to proceed forward with the hope that the information we don’t have will not bite our backside!
So, risk management turns out to be nothing more than collecting information and trying to close the loop with all of our rules. Sometimes we discover rules that we did not know needed to be in place, or rules that are not being properly enforced. But risk management demands transparency; it requires collecting and applying information against our known rules. And it is always taking money from our profits.
What makes building trust different? Oddly, it is flipping the transparency required for effective risk management upside down and using that transparency (and the information collected) to increase the value of our goods and services to our customers. The same services (including information security or swimming lessons), when their presence and value are communicated to our customers, increase their confidence, improve the velocity with which they decide to trust our goods or our services, and ultimately increase the volume or revenues we receive.
So, standing on the ledge with Butch and Sundance, we discovered the inherent poor quality of investing in risk management. A single item of information can put our lives at risk. Yes, they jumped, and yes, they survived, but doing so was a decision that put their lives on the line. Do you really want to do the same when trying to defend risk management expenses?