Exhibit 14.1
The Role of Good Decision Making in Risk Management
return in each case. The principal skill needed is high-quality decision making.
The Critical Role of Decision Making in Risk Management
Good risk management ultimately depends on good decision making. Good decision making, in turn, is based on the rapid acquisition of the proper amount and kind of data, building a framework for deciding, moving forward, and incorporating feedback from past decisions as the feedback becomes available.
The field of decision science has been well researched, particularly in the past two decades, and a considerable amount of information on how to improve organizational decisions is available in the related academic and popular literature. The University of Chicago and the Wharton School at the University of Pennsylvania in particular have strong decision science specialties.
Some of our recommended books and papers on the subject are referred to throughout the chapter, as well as in the resources section at the end of the chapter. One in particular is Winning Decisions, by J. Edward Russo and Paul J. H. Schoemaker.
Services Delivery: Taking Care of Business
In Winning Decisions, Russo and Schoemaker outline the fundamentals of a good decision-making process:
• Framing: Framing determines the viewpoint from which decision makers look at the issue and set parameters for which aspects of the situation they consider important and which they do not. It determines in a preliminary way what criteria would cause them to prefer one option to the other.
• Gathering intelligence: Intelligence gatherers must seek the knowable facts and options and produce reasonable evaluations of “unknowables” to enable decision making in the face of uncertainty. It’s important that they avoid pitfalls such as overconfidence in what they currently believe and the tendency to seek only information that confirms their beliefs.
• Coming to conclusions: Sound framing and good intelligence do not guarantee a wise decision. People cannot consistently make good decisions using seat-of-the-pants judgment alone, even with excellent data in front of them. A systematic approach will lead to more accurate choices—and it usually does so far more efficiently than hours spent in unorganized thinking, particularly in group settings.
• Learning from experience: Only by systematically learning from results of past decisions can decision makers continually improve their skills. Further, if learning begins when a decision is first implemented, early refinements to the decision or implementation plan can be made that could mean the difference between success and failure.3
Russo and Schoemaker point out that one of the biggest faults of the decision-making process is that the quality of decisions is often judged on outcome rather than the process that was used to generate the decision.
“Many people believe that good outcomes necessarily imply that a good process was used. And they assume the converse to be true as well: that a poor outcome necessarily signals a poor or incompetent process.”4 Clearly, this is not true, particularly for decisions that are close (55 percent chance of a good decision and 45 percent chance of a bad decision) or in situations involving a significant amount of outside chance or luck. In fact, a good decision-making process often produces a failure but, on average, succeeds more often than it fails. Russo and Schoemaker illustrate their point with the chart shown in Exhibit 14.2.5
According to Russo and Schoemaker, the way decisions are evaluated will affect the way decisions are made in the future. Thus, in addition to a good decision-making process, the evaluation of decisions is a critical skill. This has serious implications for improving decision making in organizations, particularly for difficult-to-make decisions, such as those related to risk management.
A good conceptual model for the risk management-decision making balancing act is depicted in Exhibit 14.3.
Risk Management and Quality Assurance
Process used to make the decision    Outcome: Good       Outcome: Bad
Good                                 Deserved success    Bad break
Bad                                  Dumb luck           Poetic justice
Exhibit 14.2
Relationship between Decision Making and Decision Outcomes
While there are myriad risks encountered by the professional services firm, most of them can be generally categorized into four key areas:
1. Internal risks: Risks of undesirable outcomes that emanate from activities taking place inside the firm, including financial risks, employee risks, hiring risks, and systems risks.
2. Delivery risks: Risks related to the delivery of services to clients, whether on-site or off.
3. Client risks: Risks associated with the specific client but not a particular project.
4. External risks: General risks such as natural disasters arising from being in business but not associated with a specific client, project, or internal operation.
Controllability of risk, left to right: Internal risks, Delivery risks, Client risks, External risks
Controllable risks: Risks that are reasonably foreseeable and can be controlled through process and execution. Primarily manage through process or policy.
Uncontrollable risks: Risks that are part of the environment or that are difficult or too expensive to manage. Manage through insurance, contingency planning, or avoidance.
Exhibit 14.3
Professional Service Firm Risk Categories and Controllability
These risks can be placed on a rough continuum of controllability, as depicted in Exhibit 14.3. Internal risks tend to be the easiest to manage because they are related to the firm’s own operations and staff. Moving from left to right, delivery, client, and, finally, external risks become less and less easily controlled.
In general, controllable risks can be addressed via the usual methods: to mitigate these problems, senior management can simply dictate process, policies, and terms geared to providing the appropriate amount of flexibility and risk reduction. As the risk areas move down the controllability continuum, process and policy become less effective, and insurance, contingency planning, and avoidance become more important. The best-written processes and policies have little effect on an earthquake in progress.
The following section details some sample risks that we have identified in each category, followed by a model for assessing risk and probability and evaluating options for mitigating risks.
Sample Risks by Category
The large number of risks faced by a specific professional services firm is difficult to inventory. The risks may vary by firm type (law versus medicine versus business consulting versus other), specific type of work, firm geography, client geography, staff type, project size, and even the personalities of the senior management team. We identify some of the possible risks in each category that may be faced by a professional services provider. While this list is clearly not comprehensive, it can serve as a good starter set or the foundation of brainstorming activities for firms to generate their own inventory of specific risks in each category.
Internal Risks
• Fraud/embezzlement: Internal theft by employees through fraud, embezzlement, or other intentional deceit
• Accounting error: Unintentional errors made by accounting staff that impact firm income statement, balance sheet, cash flows, general ledger, or other financial information
• Billing accuracy: Generation of bills that accurately reflect the proper fixed fees, time and material, and expense charges to clients
• Hiring: Hiring practices that ensure individuals of the highest ethics
• Records: Retention of accurate client records, working papers, financial statements, and other firm operating documents for appropriate length of time
• Corporate espionage: Loss of firm intellectual property, client information, or other proprietary information to competitors
• Systems and data security: Access to computing information systems and data restricted to authorized firm professionals and staff
• Systems backup and recovery: Reliable backups of data and rapid recovery from system crashes, errors, or inadvertently deleted information
• Physical security: Physical access to firm and client project sites and security of working papers and firm property
• Staff malfeasance: Theft of property, disparagement, or other deliberate misconduct by staff members that damages the firm
• Intellectual capital: Loss or theft of critical intellectual capital that distinguishes the firm or gives it competitive advantage or advanced capabilities
• Staff departures: Resignation of key internal staff due to retirement, dissatisfaction, outside recruiting, moves, or other reasons
• Succession: Firm senior and junior leadership succession plans
• Resource management: Pipeline of resources to be available for new business as well as proper management of resources during downtimes
Delivery Risks
• Skills: Availability of the specific skills or knowledge on the team to successfully complete the project or service
• Scope: Well-defined parameters for project or service activities; clearly delineated goals and milestones and an unambiguous understanding of what will be regarded as successful completion in advance of commencement of the project or service
• Underbidding: Underestimate of level of effort, skill set required, or other resources required to complete the project
• Execution: “Do-ability” of the project (Do resources or skills exist within the firm, or any firm, for successfully delivering the project or service—also known as the “bridge-to-the-moon” problem?)
• Dependencies: Project or service tasks that depend on client initiatives, staff, timelines, dates, or other events not controlled by the firm
• Third-party reliance: Reliance on outside individuals or entities for completion of critical tasks in delivery of the project or service (e.g., third-party contract labor)