I was reading an old risk mitigation plan that someone (it may have been me, but I hope not) wrote. I don’t know why I was reading it, but that’s pretty irrelevant. As I was reading it, there was a line item for a potential risk that data wouldn’t be available for testing. Under the mitigation plan it read “escalate to management.”
This is not a good mitigation strategy, yet as I mused over it, I realized that it is probably a strategy that is written more often than it should be. Yet there are so many issues, where to begin:
- It’s reactive. In the event that data is not available, we will escalate to management, it says. That’s not mitigating a risk, that’s reacting to when a risk becomes an issue.
- Management isn’t going to be able to help you. Management doesn’t have a magic wand to make the data appear. Management could go ask/yell for some data, but it probably isn’t going to happen all that much faster.
- Even if you escalated the risk to management BEFORE it became an issue, it’s still not a great strategy. It’s a punt. “Management will fix this for me” is what it says. Again, unless you’re willing to ascribe magical powers to management that they just don’t have, it’s not going to work. To manage a risk, it has to be more than proactive, it has to be effective.
Yes, there will always be risks that become issues that nobody even imagines – the “unknown unknowns” as it were. Risk management is about managing the known unknowns. For example, in Nassim Taleb’s book The Black Swan he writes about the casinos. They manage all kinds of known unknown risks – like who is going to try and count cards, or steal, etc. But they didn’t have a plan for the unknown unknowns, like the fact that one of Siegfried and Roy’s tigers was going to maul one of them.
As much as Mr. Taleb makes a very good point – there are extreme events that could happen – if you don’t at least manage the known risks, you’ll become a victim of one of those long before you get the chance to be wiped out by a huge unknown risk. Admittedly, it doesn’t sound like much of a reason to manage risk at all, but like all risks, the unknown unknowns might happen but aren’t guaranteed to happen, and thus improving your chances of success by really managing risks is still worth it.
All that said, reacting to risks becoming issues is not risk management. Mitigation plans must provide an alternate path which may be less ideal, more expensive or even somewhat slower than your original plan, but not as bad as not managing the risk at all.