Permission to Fail
HBR.org 2012-05-30
In most organizations without professional risk managers, the amount of risk individuals are allowed to take is set informally and evaluated by tradition. This can work reasonably well if the right mix of aggressive risk-takers and cautious risk-avoiders is present, and if the traditional rules encourage optimal organizational behavior and evolution.
It can also work badly. The organization's risk decisions may be driven by personalities rather than calculation, which is bad in and of itself and also means the organization is not likely to respond appropriately to change. Individuals may spend more energy plotting ways to get credit for successes and to avoid blame for failures than making good risk decisions in the first place, and they may be rewarded for this behavior. There are strong incentives to hide or misrepresent risk. People with unpopular ideas about risk may be eliminated or marginalized, depriving the organization of essential diversity. The organization may fail slowly and expensively, steered by people enveloped in a cocoon of consensus that mutes awareness of dangers and opportunities.
Risk managers employ a variety of tools to align individual risk decisions to organization-wide risk appetite. An important one is permission to fail. The basic idea is simple: Instead of limiting in advance the amount of risk individuals are allowed to take, whether that is done formally or informally, anyone is allowed to propose any risk to the risk manager. If the risk is approved after an independent review by the risk department, the proposer has permission to fail. While successes are always rewarded more than failures, approved failures are tolerated and balanced against successes, while unapproved failures are grounds for dismissal.
One immediate advantage of this system is that responsibility for risks is identified ahead of time. You avoid the "success has many fathers but failure is an orphan" problem that results when responsibility is assigned after the outcome is known. Clear responsibility leads to better decision making. No one avoids helping for fear of being tagged with some of the blame; no one tries to take things over once success is assured. The risk-taker can solicit all the advice and help she wants, but remains an autocrat with respect to the approved risk. Committees make terrible risk decisions, and risk decisions lead to the most painful committee meetings.
The risk approval process means the organization's deliberate risks are known. Losses that do not result from deliberate risks become obvious — they are not subject to ex post facto excuses. That makes them much easier to eliminate, as it's hard to clean up what you can't see. In addition, having a database of deliberate risks allows systematic tracking to improve future risk decisions and gives management a way to monitor risk levels and control risk appetite. It can be used to ensure consistent risk decisions across many types and levels of risk in different parts of the organization.
Note that the advantages above do not depend on the risk manager making good approval decisions. They are direct results of the process. If the risk manager is any good at all, we get further advantage because independent review of risks is useful both to filter out bad ideas and to clarify good ideas. There are sophisticated quantitative techniques for selecting and sizing risks, as well as qualitative aspects to the review that lead to better decisions.
The risk manager is not double-checking assessments of the probability of success or the likely size of gains — that would be redoing the risk proposer's job. If he has to do that, the right decision is to fire the risk proposer. The risk manager's quantitative job is estimating the extent to which the risks are understood, and can be monitored and controlled. The qualitative job is estimating the willingness and ability of the risk proposer to succeed or fail fast. On the basis of both estimates, the risk is either rejected, or approved with a specific sizing algorithm, monitoring plan and exit strategy.
Perhaps the biggest advantage of "permission to fail" risk management is that risk ideas come from all parts and levels of the organization. A larger and more diverse pool means better risks can be selected, again assuming the risk manager has some ability. The person with administrative responsibility for something may not be the best innovator in that area, and in fact is often among the worst innovators. The most creative thinkers may not be the best choices for high organizational rank — in fact, there is often a conflict between the intuitive leaps that underlie attractive risks and the meticulous attention to process necessary for a large organization to remain organized.
A popular misconception is that a risk manager's function is to prevent failure. The truth is closer to the opposite. An important function of a risk manager is to give permission to fail, which is the only way an organization can succeed.