6 A KISS Approach to risk management 


The more complex things are, the more simple your system needs to be



“That’s been one of my mantras – focus and simplicity. Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it’s worth it in the end because once you get there, you can move mountains.”

Steve Jobs


This quote from Steve Jobs sums up the paradox of simplicity – simple is hard.

Working out what the essentials are and how to do things efficiently isn’t only difficult, it can seem like more work than just sticking with the complicated path in the first place.

That’s certainly the case with risk management where we are working with several areas of complexity and difficulty:

  • Organizations are complex
  • Risk management is complicated
  • We are dealing with multiple unknowns
  • Change is hard

This would seem to be the kind of thing that isn’t just hard to simplify, but something that actually necessitates complexity. How can something simple be effective in this case?

If you are at NASA or running high-frequency trading models then I agree, it’s going to get complicated. However, most people – and certainly most people reading this – just need a risk management system that’s fast, efficient and effective.

  • Fast in order to deliver results when they’re needed but time is scarce.
  • Efficient to make the best use of the (usually limited) resources available.
  • Effective because it provides the data that decision-makers need to help the organization achieve its objectives.

Anything that is slow and complex will fail each of these tests. Even if you produce a thorough report, it’s often too late or too confusing to use.

We need to KISS – keep it stupid simple.

We need a stripped-down system which delivers results with the speed, efficiency and effectiveness that most risk managers need. At the same time, the system still has to adhere to relevant standards and produce usable results for all but the most technical edge cases.

The irony is that complex, opaque systems are often a symptom of unworkable processes that don’t deliver results. KISS risk management is an antidote to this.

A system and mindset

However, KISS risk management isn’t just a system. Just as importantly it’s a mindset. Using a KISS approach won’t work if you judge success on the number of words in the final report.

Taking a KISS approach requires you to accept uncertainty, embrace simplification (even if it feels like over-simplification) and understand that you might not be right the first time.

This might come across as sloppy but it’s not. Instead, it’s about being realistic.

We don’t have unlimited time and resources and we certainly don’t have all the information we need. Moreover, even if we did, we are trying to peer into the future so we will still get some things wrong.

So KISS is also about being realistic about what risk management can achieve with limited time, limited resources, and limited data while still giving decision-makers what they need.

The exact process and steps will differ depending on your organization, location, and sector. But a simple, lean approach should benefit any risk manager.

So no matter what your specialty, industry or level of expertise, please take some time to think about what you can strip away, cut back and simplify. Invest some time into considering a KISS approach to your risk management system and you’ll quickly see the investment pay off.

How to keep things simple

Four basic principles can assist with the implementation of a simple yet effective ERM program: use a standard approach, start speaking risk, become objectives-led, and accept uncertainty.

Standardize

Each business or function will want a solution that is tailored to its needs, but this causes inefficiency when working in a cross-functional environment. Imagine for one second what would happen if every department used its own accounting processes: mayhem, and probably lawsuits, would ensue. This problem could even arise within departments if each team was using a different system.

However, a robust, comprehensive risk management system allows for adjustment at the functional level while maintaining a standard approach that can be used across the entire organization. So, instead of finding department-specific definitions for risk, or processes tailored to each team or department, everyone will share the same basic foundation for risk management.


Learn to speak risk

Risk provides organizations with a common language and mindset that can be applied across departments and functions to help with discussions and decision making. However, ‘speaking risk’ can be more complicated than it might first appear because the same terms can be applied differently or different terms are used for the same thing.

Therefore, you need to start by clarifying how terms are being used and keep reminding people until the correct usage becomes commonplace. Adapting existing materials across an organization to match the new lexicon will also take time, but a surprising amount can be accomplished with some careful use of find-and-replace commands.


Become objectives-led, rather than threat-focused

Using a risk vocabulary doesn’t just help with discussions: it also helps change mindsets and perspectives. Adopting something like the ISO definition, that risk is “the effect of uncertainty on objectives”, keeps the focus on objectives, and that focus will quickly become second nature.

This allows individuals and teams to practice what the U.S. military calls disciplined initiative: leaders at all levels understand the commander’s (in this case the organization’s) overall intent and can shape their activities to support that without step-by-step direction.

Moreover, being objectives-led moves from a reactive to a proactive mindset. So instead of thinking, ‘x has happened, so we need to do y’ organizations can consider ‘what effect could x have on our objectives?’ and act accordingly.

Finally, everyone can support the organization more effectively when mitigation measures and contingency plans are developed with the organization’s top-level objective in mind. A friend of mine who’s an embassy security officer summed this up well while we were discussing security in a higher-risk country. “The best way to keep everyone safe here is to keep them inside [the embassy] but that’s not my job. My job is to help them get out there and do their jobs as safely as possible.”


Accept uncertainty and avoid over-specification

We are awash with data, email alerts, and warnings that swamp us with information. That can quickly lead to analysis paralysis: if we are presented with every possible permutation, possibility, and outcome for a situation, how can we effectively decide what to do next? From a risk management perspective, avoiding this paralysis requires two things.

First, the system should accept uncertainty and avoid trying to become too specific. Ultimately, risk management is a decision-making tool that helps put risks into a comparative order, but it doesn’t measure risk per se.

Trying to measure risk to one or two decimal places is extremely difficult in all but the most well-documented, highly regulated, technical systems. However, day-to-day operations in an organization have neither that kind of stability nor the data: there are simply too many variables for that kind of accuracy.

Therefore your risk management system should work in broader strokes than you might initially be comfortable with. Uncomfortable as that may feel, it will help remove some of the uncertainty and simplify the assessment and reporting process while still producing usable results.

Secondly, information overload is not just something we can experience, it is also something to which we can contribute. Risk managers should avoid swamping decision-makers with too much data. Too much data paralyzes decision-makers. Don’t forget, a large part of our job is to help them focus on what’s most important.
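To illustrate the two points above (ordering risks comparatively in broad bands rather than measuring them to decimal places, and reporting only what decision-makers need), here is an added Python example that is not from the book. The risk names, objectives and estimates are constructed; the band boundaries and the five-point scale are assumptions, not a standard.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    name: str
    objective: str     # the objective the uncertainty acts on (ISO wording)
    likelihood: float  # analyst's rough estimate, 0..1
    impact: float      # rough share of the objective at stake, 0..1

def to_band(value: float) -> int:
    """Collapse a 0..1 estimate into five coarse bands (1 = lowest, 5 = highest)."""
    return min(5, max(1, int(value * 5) + 1))

def banded_score(r: Risk) -> int:
    """Broad-strokes score: product of the two bands, so only a few values are possible."""
    return to_band(r.likelihood) * to_band(r.impact)

def decimal_score(r: Risk) -> float:
    """False-precision score: the raw product to two decimal places."""
    return round(r.likelihood * r.impact, 2)

def comparative_order(risks, score, top=3):
    """Names in priority order, top N only; ties keep register order (stable sort)."""
    return [r.name for r in sorted(risks, key=score, reverse=True)[:top]]

def priority_groups(risks):
    """Report peers together: risks in the same band are not ranked against each other."""
    groups = {}
    for r in risks:
        groups.setdefault(banded_score(r), []).append(r.name)
    return dict(sorted(groups.items(), reverse=True))

def nudged(risks, name, delta_impact):
    """The same register after one estimate is revised slightly (an analyst's second guess)."""
    return [replace(r, impact=r.impact + delta_impact) if r.name == name else r
            for r in risks]

# Constructed register (not from the book): three risks against two objectives.
REGISTER = [
    Risk("supplier outage", "deliver on time", 0.62, 0.70),
    Risk("key staff leave", "deliver on time", 0.70, 0.63),
    Risk("data breach", "keep client trust", 0.25, 0.92),
]

if __name__ == "__main__":
    revised = nudged(REGISTER, "supplier outage", 0.02)
    # Decimal scores swap the top two on a 0.02 revision; the bands do not move.
    print(comparative_order(REGISTER, decimal_score), comparative_order(revised, decimal_score))
    print(priority_groups(REGISTER), priority_groups(revised))
```

The decimal ranking reorders the top two risks on a revision smaller than anyone's estimating error, while the banded report keeps them as peers and keeps the list short.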

These suggestions may seem complicated and the very opposite of simple, and I don’t want to downplay the work required to change an organization’s behaviors and mindset. Ultimately, in the short-term, this change does require work but the payoff is immense.

Taking a KISS approach will help integrate risk management into the organization more effectively. And although a highly complex, granular system may seem attractive, taking a KISS approach is going to be more straightforward to implement, easier to use, more efficient and ultimately give decision-makers the information they need without overloading them.

License

Beyond The Spreadsheet Copyright © 2020 by Andrew Sheves. All Rights Reserved.
