Feature Story

What Your MBA Should Have Taught You About Risk Management

Douglas Hubbard of Hubbard Decision Research, Author and consultant Norman Marks

Risk is inherent in business decisions. Here's a modest proposal for risk management strategies every leader should learn.

Odds are, you’re bad at assessing risk.

Research shows most people chronically under- or over-estimate the chances of something bad happening. Even ‘data-driven’ companies are subject to common cognitive biases in how they interpret data. However smart individual managers may be, these biases are likely to lower the quality of daily business decisions. (Daniel Kahneman won a 2002 Nobel Prize for his research in this area.)

If only your MBA program had taught you differently.

The problem is, most educational programs that prepare executives for business leadership do not deliver when it comes to teaching about risk management. General MBA curricula, at best, have holes in what they teach about risk in its many modern forms.

There are concentrations in risk management, but it’s typically not part of the core curriculum that everyone must take in order to earn an MBA. This shortcoming is becoming more and more problematic, as the rate of change and disruption in the business and technology arenas makes risk a constant factor in corporate decision-making.

On the other hand, the corporate world is littered with various risk tools, from risk registers to risk appetite statements. Executives or board members with no systematic introduction may encounter these tools almost at random in corporate life, lacking solid training in how to use them effectively.

Better risk management opens up new opportunities in addition to reducing the impact of negative events. Therefore, risk management “should be as central to MBA training as accounting or business law,” says Douglas Hubbard, president and founder of consulting firm Hubbard Decision Research.

Hubbard says the most important thing to learn is how to evaluate decision-making methods in general.

“There could be a whole class on ‘comparative decision methods,’” he says. “They need to answer the question ‘how do I really know any of these approaches really work?’”

Risk management is an essential element in effective management, agrees Norman Marks, an independent consultant who blogs about how organizations can improve their operations, with a focus on internal audit, risk management, and corporate governance.

“People have been managing risk for centuries; they just don't think of it as managing risk,” Marks says. “But they don't always do it in a disciplined and systematic manner.

“When a CEO reviews a business proposal or plan, if he is good he asks about what might happen, the likelihood and extent of rewards and the same for harms. Then he weighs them all and makes an informed decision.”

This approach sounds logical, but when cognitive biases distort the “weighing” process, sub-optimal decisions result.

Marks notes that some organizations regard 'risk management' as simply a periodic review of a list of risks. That’s an incomplete picture, he says.

“Risk is taken with every decision,” he says. “It is created or modified. The key to successfully managing risk is understanding what might happen as you run the business and seek to create value and achieve objectives, thinking about whether that is okay, then taking appropriate action.”

Marks sees good risk management as “how you address what might happen between where you are and where you want to go.

“How can you increase the likelihood and extent of success?”

A Do-It-Yourself Risk Management Course

The good news, of course, is that you can teach yourself to make better decisions involving risk.

Here is a list of potential topics for the syllabus of an essential business risk management course, useful for all executives to study and understand:

Common cognitive biases in how people evaluate risk.

“Be sure to include calibration of subjective probabilities, how inconsistencies in estimation and risk tolerance can be controlled, and typical misconceptions and intuitive errors about probabilities,” Hubbard says.

Basic types of corporate risk. These would include market, financial, geopolitical, operational, and competitor risk, as well as the risk of a product or business being disrupted by a new technology.

Risk quantification, addressing methods of measuring all types of business risk. This would include a focus on measuring the operational risk of cyber security threats, and in particular the emerging risks associated with the Internet of Things (IoT).

The role of the audit function. What is the charge of this corporate discipline, how does it interact with upper management, and what are its limitations?

Hubbard argues that some companies approach audits too narrowly. He says auditors should look at all decision-making models in use—whether they are based on statistics, qualitative scoring methods, or expert intuition—rather than "only including those where there is math explicitly being done."

Further, “This MBA course should also emphasize that the audit function might be a disincentive for better models because it only audits what it narrowly defines as ‘models,’” Hubbard says.

The role of the risk management function. This section of the course would cover security risk management (including the Chief Security Officer and Chief Information Security Officer roles), along with a practical overview of formal Enterprise Risk Management (ERM) frameworks such as ISO 31000 and the COSO framework.

Risk management law. This segment should cover regulations, legal precedent, liabilities about risk management itself, and the consequences of risk events, Hubbard says.

Insurance risk mitigation. Insurance is often the primary focus of current risk management courses, and it is a central mechanism (but not the only one leadership should understand).

Every syllabus comes with a required reading list. Hubbard and Marks have written books that help explore these topics and their practical applications, including:

- “How to Measure Anything: Finding the Value of Intangibles in Business,” by Hubbard

- “The Failure of Risk Management: Why It’s Broken and How to Fix It,” also by Hubbard

- “World Class Risk Management,” by Norman Marks.

The goal should not be to make every MBA student an expert in every area of risk. Rather, it’s to equip them with foundational knowledge of more than just capital risk and insurance, in pursuit of better business decisions.

Practical Risk Management

Norman Marks suggests an even more granular list of topics for an MBA risk management syllabus.

  • Disciplined decision-making
  • How risk affects the selection of strategies, objectives, and projects
  • Integrating risk into performance management
  • Allocating capital considering risk
  • Assessing the likelihood of achieving objectives
  • Understanding risk in project management
  • The partnership between the CRO and operating management
  • When it is right to take high levels of risk
  • Working with the board on risk management, including risk appetite statements and policies
  • Understanding and addressing the culture of the organization with respect to risk, ethics, performance, customer focus, quality, and more
  • Regulatory reporting requirements around risk
  • Managing your reputation—and your organization's
  • How do you know, as CEO or senior executive, that risk management is effective
  • Risk and the extended enterprise
  • Putting cyber threats and other sources of risk into perspective

If every MBA graduate were equipped with a solid foundation in these areas, corporations might be better able to handle emerging risk categories like cybersecurity, instead of scrambling blindly to add expertise or reallocate resources as each new threat arises.