During my career as a technology leader I have worked on PCI security, lawsuits, federal and state compliance, foreign market launches and acquisitions. All of these have regulatory, compliance and legal aspects to them, and over time I’ve come to realize we are bad at dealing with such things—really bad. At the heart of being so bad at this is something I call “binary risk management.” Binary risk management can, and often does, paralyze an organization.
Binary risk management is the failure to recognize the probability associated with a risk, treating every risk as if it were destined to happen. If there is no risk at all, proceed. If there is any risk, no matter how small the probability of its occurrence, halt!
We have all heard something like this: “Legal says we have to replace all the images that have any text in them across our entire French site because you’re not allowed to have any English on a site in France.” I actually heard that. It turned out not to be the case, but that did not stop me from wasting quite a bit of time working on this project. I was scared. The fines were said to be “hefty” and legal said it, so it must be true. Right?
I have wasted months on work that never had to be done. I have seen a CEO need to ask a compliance department’s permission for lower-level employees to have an informal social get-together. I’ve seen an acquisition almost fall apart because of a non-existent risk (the risk was similar to your chances of catching AIDS from a toilet seat). I have many stories and I’d love to hear some of yours in the comments section.
In all these cases, the focal point of the conversation was the outcome if the risk materialized, not the probability of it actually happening. In some of these cases the probability of occurrence was, in fact, zero, because the whole thing had been misinterpreted to begin with; that is how paralyzing the specters of lawsuits and fines can be.
Here are a few rules of thumb—tenets, if you will—for dealing with regulatory, legal and compliance issues. These tenets safeguard against wasting time and money that could be better spent helping our customers and making our company more secure, compliant and safe.
- Examine the probability, speak of the probability: Examine the probability of each risk that is factored into a business decision. When speaking about a risk don’t just speak about outcomes, as if occurrence is presupposed. Speaking in probabilistic terms can help us reason more effectively about risk.
- Examine the outcome: Is the worst case really the worst case? Oftentimes, things can be done in the event of a failure that soften the blow. If such mitigations are available, then the risk that should ultimately be considered is the one with this softened outcome, not the worst case. The wind may blow and the tightrope walker may fall, and then he will die. But wait—what if we put an air mattress at the bottom? Now the walk is not so risky. In business, we often assume and focus on the unmitigated worst case.
- Know the wording: Don’t just take for granted that “it is decreed that” you must do something. Read the law or regulation in question and know exactly what it says. You will be shocked at how frequently the experts don’t do this, because they are busy and overawed by perceived negative outcomes. Knowing the actual regulation can aid in finding an effective solution rather than a broad CYA solution that hurts your company and customers.
Legal and compliance teams are often not compensated on business outcomes, so, for them, the choices on preventing risk come down to either A: take a risk, or B: take no risk. They often choose B. Forcing a critical examination of the wording of the regulations in question, an exact understanding of the consequences and how they can be softened, and a real analysis of the probability of the event actually occurring can save your company a lot of money. The money saved can be directed to achieving better outcomes for your customers.
I’d love to hear some of your examples of binary risk management. Please share in the comments.
I’d also love to hear from those legal and compliance minds who do get it (I have met a few) on other techniques for being safe and effective while avoiding the paralysis that comes from binary risk management.