Rethinking Risk Management: Critically Examining Old Ideas and New Concepts

by Rick Nason

Rick Nason challenges the status quo of risk management, which mindlessly follows third-party frameworks and does too little independent thinking. He argues that risk management acts as “The Department of No” while ignoring upside risk. He envisions risk management as a strategic player in value creation rather than a cost center.

“Defining risk management as increasing the probability and magnitude of good risk while decreasing the probability and severity of bad risk implies balance, and risk management is nothing if not an exercise in balance. It is a balance between art and science, process and judgment.”

What causes risk in an organization? The author introduces the Delphi Method to uncover potential risks, rank them, and identify ways to manage them. “The Delphi Method is a discussion technique that allows for cognitive diversity to produce innovative ideas to come to the fore without the concerns of groupthink and bureaucracy preventing progress.”

Complexity. “In my experience almost every risk management problem of consequence falls into the realm of complexity. The problem is that almost every risk management response is a complicated one. Thus, there is a fundamental mismatch.” (If you are unfamiliar with the difference between simple, complicated, and complex systems, I highly recommend Nason’s other book It’s Not Complicated).

“Business and the economy are complex, and thus by extension, risk management is complex… There are three main steps for managing complexity: They are (1) recognize whether the issue at hand is simple, complicated, or complex, (2) think ‘manage, not solve,’ and (3) engage a ‘try, learn, adapt’ approach.”

“With the ‘try, learn, adapt’ approach, it is not so much the knowing of tactics that is important, but the creativity of the tactics. You need to try things. You need the flexibility to actually make mistakes. You need the humility to realize that you cannot always know the answer a-priori, and furthermore, you may not know the answer ex-ante. You need an open mind to learn intuitively, rather than textbook learning, where the new idea becomes codified into a new process. After all, you must remember that complex systems are not reproducible like complicated systems. Thus, what worked one time is not likely to work the next time.”

Process or Judgment? “Complexity requires judgment. You cannot digitize or codify responses to complexity. Complex situations require a manager who has the experience, the wisdom, and the courage to make judgments and the creativity and tenacity to continue to adjust their decisions. It requires real-time, context-specific management.”

Complicated risks can be managed by rules and processes. “The tricky thing is that occasionally, these seemingly complicated risks will take on patterns of complex risks. Then, a switch in management techniques needs to be made. Knowing when to make this switch from complicated thinking, and thus, process-based management, to complex thinking and judgment-based management is, perhaps, one of the most critical, yet, one of the rarest characteristics in effective risk management.”

Risk Frameworks. “Very quickly, frameworks tend to become risk management, rather than a guide for risk management. In other words, people manage to the framework, rather than manage risk—two very different things.”

“I believe that risk management is most effective when it has structure for the simple and complicated parts, and for everything else, very limited structure to enable the flexibility needed for dealing with complexity… Data can give us clues to complexity, and that can be helpful, even though we cannot use that data directly to solve complexity.”

Unmeasurable Risks. Nason has an M.S. in physics, a Ph.D. in finance, and he is a CFA. Clearly he is not intimidated by math. On the contrary, he is supremely qualified to recognize the limitations of quantitative metrics.

“Experienced risk managers realize that it is often the unmeasurable qualitative risks that are the more significant ones… A risk map plots the risks of an organization on a chart that shows the probability of the risk occurring on the vertical axis, while the magnitude of the risk is plotted on the horizontal axis… When the risk map has the X-axis covering both negative and positive risks, then the goal is to lower the probability and magnitude of negative risks and to increase the probability and magnitude of positive risks.”

Risk Culture. “Great risk management simply will not occur if the risk culture stinks… Too often, the culture is set up to let those know that if they are the cause of a risk outcome, then there will be consequences… This leads to a culture of fear and… more seriously, it leads to hiding events from risk management.” Nason notes that middle management is generally where risk culture gets set.

“One method for creating a proper risk culture is to foster an environment where honest and well-thought-out mishaps are encouraged and rewarded… Obviously, anything that threatens the viability of the firm, or puts human health or safety at risk should not be tolerated. However, a culture that encourages managers to take prudent business risks within the level of risk tolerance will spur more creativity, more action, and likely a more enjoyable work environment.”

“Risk events should be teaching moments, not scolding and blaming moments… If the emphasis is on not making the same mistake twice, and if there is a tolerance for making a new mistake, then the organization not only accelerates its learning, but it also improves the risk culture.”

Knowing vs. Thinking. “Knowing about risk is complicated thinking. Computers are increasingly taking over the business of knowing things and managing complicated systems. Instead, it is incumbent on the modern risk management to understand things, rather than just know them. Creativity is more important in risk management than knowledge. Being able to connect the dots is key. The ability to think about things is more important than the ability to know things.” Nason adds, “One criticism I have about the current wave of highly trained risk engineers is that they understand the mathematics, but they do not understand how businesses work and how markets and industries work.”

Too Much Risk Management? “Risk homeostasis is a well-documented phenomenon that states that people will react in such a way that they take riskier actions to counteract the risk prevention mechanisms in place until the overall level of risk is the same or even greater.” Nason argues that the risk management function should be as lean as possible. “Leanness implies that everyone is responsible for risk.”

Rick Nason is a leading-edge business scholar. My only criticism of this book is that the publisher did not employ a competent copy editor. There are excessive grammatical errors and typos for a final draft. A noteworthy error is the recurring use of the phrase “risk-adverse” when the author clearly means “risk-averse.”

Nason, Rick. Rethinking Risk Management: Critically Examining Old Ideas and New Concepts. New York: Business Expert Press, 2017.