Cause-centric risk management

By Bruce Newsome posted 04-22-2009 10:11 AM

Most risk managers would agree that the most effective way to manage risk is to terminate the risk, but human nature being what it is - particularly in the defense and security sectors, decision makers are too keen to defend against existing threats before they seek to terminate the risks. For instance, when confronted by terrorism, they might invest in various protective measures but forget to dampen the grievances, which encouraged the terrorism in the first place.

So far as decision makers seek to terminate, they probably terminate only the proximate causes. For instance, if faced by an insurgency, they might buy off one insurgent group with an immediate alliance against a more threatening insurgent group. But treating the risk in this way condemns us to perpetual treatment of a risk that is never resolved - moreover, we could end up activating new risks. For instance, by buying off one group, we could empower that group against its old foes or provoke new jealousies and thereby spark off a sectarian conflict.

Tracing the root causes is more burdensome than tracing the proximate causes, but is ultimately the most effective response - and often the most efficient response too.

The "react-defend-activate" pathology is most obviously illustrated by the Global War on Terror. Reacting against terrorist threats as they exist today is no solution to terrorism as a historical phenomenon. Trying to defend the homeland against all possible threats is a route with no end except bankruptcy, after many diversions into pork barrel politics - with every small town requesting funds for its own biological/chemical terrorism response team. Exporting counter-terrorism to regimes and societies overseas inevitably activates new threats, which is how a war on terror has turned into a war on insurgency.

Despite changes in the war on terror, we lack a proper discourse on the main alternative to the react-defend-activate pathology. The alternative is "root cause-centric" risk management. Although astute theorists of risk management have prescribed such a focus, in practice it is all too often forgotten.



05-03-2009 01:03 AM

In order to get "root cause-centric", risk managers need to start with their assessment process. Chances are, the assessment process identifies risks as they are, but doesn't include a formal step or requirement to trace root causes. Having required your staff to trace the causes of risk, the next trick is to provide your staff with the skills to actually trace the causes of risk. Engineers amongst them will be familiar with fault trees - tracing the root causes of faults in complex systems. Social scientists will be familiar with causal modeling - identifying effects, associated causes, and causal chains.
Once required to, and skilled in, tracing root causes, your staff must be motivated too. They should understand the absolute effectiveness and relative efficiency of terminating a risk at its root cause. Too much risk management fails because staff are not motivated to follow procedures, even after managers have set up valid procedures.

04-22-2009 01:46 AM

One of the fundamental problems identified here is the underlying pathology of managers who are involved in control based approaches of mitigating against all threats/risks. How do we address that basic issue and formalise understanding of the concepts of 'root cause-centric' risk management?