Some felt my claim of banking and insurance was too brave:
The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable these days). For all others, risk management is just an ancillary aspect, a nice-to-have, something that others say is critical to you, but you ignore because you've got too much to do.
From this I separated out those that do risk management because they are risk management, from those who have risk management because it is useful. If you are familiar with object oriented thinking, this is the difference between isARiskManagement and haveARiskManagement.
Banking is risk management because of the term mismatch. Simply put, banks take in deposits, which are payable on demand, and lend it out at term, which means the banks can't get it back. By ordinary business rules, banks are bankrupt, because they cannot pay back what they owe. Anytime you can get a large bunch of depositors together, you can prove this, by starting a "run" on a bank.
This not only makes banking different from all other businesses, it also makes banking, all of banking, at its very core an exercise in managing the risk of those term loans (and those deposits, but there are some easy answers to that side). Insurance is the same, although different in some ways. As Alex has it:
Most security folks (and many in the financial industry) believe that risk analysis is something to *engineer* future state, rather than a tool used in understanding our ability to meet qualitative objectives. As such, when the state of nature changes (as it inevitably does) or when it's determined that the analyst screwed up in accounting for uncertainty or variable measurement - the whole process is demonized.
If banks did that, they would die. When banks muck up their risk management, they fail because that's what they are, they are risk. When the entire sector, banking as an industry, mucks up its risk management, then it fails, as a sector. Finance goes down the tube.
On the other hand, other businesses have risk management. It's an option, it's a nice-to-have, or a told-to-have. As Alex says of public companies:
First, allow me to point you to future earnings guidance statements made by public companies.
Or, as Don wrote in comments over at EC, "Risk management as the basis for information security planning is alive and well in healthcare (required by HIPAA) and for federal systems (required by FISMA)." Some companies are told to do it, but that alone doesn't make it right, nor useful.
What does this is-versus-have differentiation allow us to say? Well, in banking, if you don't do risk management, you are dead. You are expert in this, and maybe nothing else. It is your core competence, it is your very being, your essence.
In other businesses, not so. It all depends. Maybe you have a competence in risk management, or maybe you have a department that does this, or maybe your security guys think it's hot stuff. Or maybe not. The point being, risk management is optional, and some firms will be good at it and some not. Or, as Alex puts it:
Chemical and Aerospace engineering, Food Service, and many other industries I'm skipping over do perform rigorous risk analysis, it's just that the system they operate in has much less uncertainty.
Which leads to the rather contrary conclusion that, unless it delivers results, then ... it might not be worth the money, however it is arrived at, whatever you are cooking. And by obvious conclusion, there are options: you can either apply risk management as it is mathematically inspired, or you can choose to eliminate these risks, as was the old 1990s security dogma, or you can choose to manage these risks from a business perspective, incorporating other knowledge.
The point of the first half of that post was to open up the options. Only banks have to do risk management, and cannot choose. Others can choose. Which sets it up for the rest of the post, which suggests that actually, risk management as it is stressed by the "economic" school may not be worthwhile.

Posted by iang at January 24, 2009 04:41 PM