
The Failure of Risk Management

WHY IT'S BROKEN AND HOW TO FIX IT

Second Edition

DOUGLAS W. HUBBARD

I dedicate this book to my entire support staff: my wife, Janet, and our children, Evan, Madeleine, and Steven, and to the Armed Forces of the United States of America.

About the Author

Mr. Hubbard's career in quantitatively based management consulting began in 1988 with Coopers & Lybrand. He founded Hubbard Decision Research in 1999 and he developed the applied information economics (AIE) method to solve complex, risky decisions. He has used AIE in many fields, including cybersecurity, aerospace, biotech, environmental policy, commercial real estate, tech startups, entertainment, and military logistics, to name a few. His AIE methodology has received critical praise from respected research firms such as Gartner, Forrester, and others.

He is the author of the following books (all published with Wiley between 2007 and 2016):

His books have sold over 140,000 copies in eight languages and are used as textbooks in dozens of university courses including at the graduate level. Two of his books are required reading for the Society of Actuaries exam prep, and he is the only author with more than one on the list. In addition to his books, Mr. Hubbard has published articles in Nature, The American Statistician, IBM Journal of R&D, CIO Magazine, and more.

Preface

A lot has happened in the decade since the first edition of this book, both in the world of risk management and in my own work. Since then, I've written two more editions of my first book, How to Measure Anything: Finding the Value of Intangibles in Business, as well as writing Pulse: The New Science of Harnessing Internet Buzz to Track Threats and Opportunities and How to Measure Anything in Cybersecurity Risk. By 2017 this book (along with How to Measure Anything) was placed on the required reading list for the Society of Actuaries Exam Prep.

Regarding the broader topic of risk management, there were several more examples of risk management gone wrong since the first edition: the Fukushima Daiichi nuclear power plant disaster in Japan, the Deepwater Horizon oil spill in the Gulf of Mexico, and multiple large cyberattacks that compromised hundreds of millions of personal records. But I won't dwell on these anecdotes or the events that occurred prior to the first edition. This book should be just as relevant after the next big natural disaster, major product safety recall, or catastrophic industrial accident. Better yet, I hope readers see this book as a resource they need before those events occur. Risk management that simply reacts to yesterday's news is not risk management at all.

I addressed risk in my first book, How to Measure Anything: Finding the Value of Intangibles in Business. Risk struck me as one of those items that is consistently perceived as an intangible by management. True, risk is intangible in one sense. A risk that something could occur—the probability of some future event—is not tangible in the same way as progress on a construction project or the output of a power plant. But it is every bit as measurable. Two entire chapters in the first book focused just on the measurement of uncertainty and risks.

Unfortunately, risk management based on actual measurements of risks is not the predominant approach in most industries. I see solutions for managing the risks of some very important problems that are in fact no better than astrology. And this is not a controversial position I'm taking. The flaws in these methods are widely known to the researchers who study them. The message has simply not been communicated to the larger audience of managers.

All of my books—not just the two that explicitly mention risk in the title—are really about making or supporting critical decisions where there is a lot of uncertainty and a cost to being wrong. In other words, I write about risky decisions. I was drawn to this topic after watching consultants come up with a lot of questionable schemes for assessing risks, measuring performance, and prioritizing portfolios with no apparent foundation in statistics or decision science. Arbitrary scoring schemes and other qualitative methods have virtually taken over some aspects of formalized decision-making processes in management. In other areas, some methods that do have a sound, scientific, and mathematical basis are consistently misunderstood and misapplied.

I just didn't see enough attention brought to this topic. Of all the good, solid academic research and texts on risk analysis, risk management, and decision science, none seem to be directly addressing the problem of the apparently unchecked spread of pseudoscience in this field. In finance, Nassim Taleb's popular books, Fooled by Randomness and The Black Swan, have pointed out the existence of serious problems. But in those cases, there was not much practical advice for risk managers and very little information about assessing risks outside of finance. There is a need to point out these problems to a wide audience for a variety of different risks.

Writing on this topic would be challenging for several reasons, not the least of which is the fact that any honest and useful treatment of risk management steps on some toes. That hasn't changed since the first edition. Proponents of widely used methods—some of which have been codified in international standards—have felt threatened by some of the positions I am taking in this book. Therefore, I've taken care that each of the key claims I make about the weaknesses of some methods is supported by the thorough research of others and is not just my own opinion. The research is overwhelmingly conclusive—much of what has been done in risk management, when measured objectively, has added no value to the issue of managing risks. It may actually have made things worse.

The biggest challenge would be reaching a broad audience. Although the solution to better risk management is, for most, better quantitative analysis, a specialized mathematical text on the analysis and management of risks would not reach a wide-enough audience. The numerous technical texts already published haven't seemed to penetrate the management market, and I have no reason to believe that mine would fare any better. The approach I take here is to provide my readers with just enough technical information so that they can make a 180-degree turn in risk management. They can stop using the equivalent of astrology in risk management and at least start down the path of the better methods. For risk managers, mastering those methods will become part of a longer career and a study that goes beyond this book. This is more like a first book in astronomy for recovering astrologers—we have to debunk the old and introduce the new.

Douglas W. Hubbard

February 2020

Acknowledgments

Many people helped me with this book in many ways. Some I have interviewed for this book, some have provided their own research (even some prior to publication), and others have spent time reviewing my manuscript and offering many suggestions for improvement. In particular, I would like to thank Dr. Sam Savage of Stanford University, who has been extraordinarily helpful on all these counts.

Reed Augliere, Jim Dyer, Harry Markowitz
David Bearden, Jim Franklin, Jason Mewis
Christopher “Kip” Bohn, Andrew Freeman, Bill Panning
Andrew Braden, Vic Fricas, Sam Savage
David Budescu, Dan Garrow, John Schuyler
Bob Clemen, John Hester, Yook Seng Kong
Ray Covert, Steve Hoye, Thompson Terry
Dennis William Cox, David Hubbard, David Vose
Tony Cox, Karen Jenni, Stephen Wolfram
Diana Del Bel Belluz, Rick Julien, Peter Alan Smith
Jim DeLoach, Daniel Kahneman, Jack Jones
Robin Dillon-Merrill, Allen Kubitz, Steve Roemerman
Rob Donat, Fiona MacMillan

PART ONE
An Introduction to the Crisis