Those who have worked hardest and longest at risk-mitigation say that they experience this work as analytically and intellectually demanding, in ways they could not have predicted going in.
Meanwhile, others see no need for anything new, claiming that risk-control work, where it really is necessary, should simply be delegated through existing line-management structures, with each functional manager or process owner being required to identify and handle the risks within his or her own areas.
This approach breaks down at the earliest possible stage-when executives ask for risks or problem areas to be nominated for attention. When the risk-control function is simply delegated down the line, managers will generally identify only those risks of which they are aware, which align neatly with their functional or program areas, and which they are happy to disclose.
By adopting more formal risk-management structures, agencies are better able to deal with the risks that are invisible or uncertain, unrepresented or under-represented in their normal process flows, awkward in shape and size (thus not falling clearly within the responsibility of anyone official or department), or shared (where cooperation with other agencies is a pre-requisite for effective intervention).
International and global risks are larger-scale or higher-level risks than the available control mechanisms. Global Warming, emerging infectious diseases, genocide, and international terrorism are good examples.
Effective action is limited by the absence of any central control mechanism or any legal mandate or authority to act on a sufficiently broad front. Inevitably, there is where conscious opponents are involved, the “control” business turns into a continuous, dynamic game, played against opponents intent on outwitting the control operation. Examples of such opponents include terrorists, drug smugglers, fraud artists, hackers, and thieves.
There may also be “conscious” opponents such as viruses that mutate and evolve through a invisible risks are those which by conscious design or by some quirk of their nature, do not reveal themselves. Their magnitude is usually uncertain, resulting in serious under-investment in control.
Examples of harms which often go unreported or under-reported include: corruption; extortion; drug dealing; date rape; fraud; gambling; prostitution; many forms of white-collar crime; and crimes within the family reliance on international treaties and voluntary cooperation between agencies, organizations, and nations. It is difficult to divide the work, the costs, and the credit between the contributing parties.
Control operations exist in an environment of multiple and competing perspectives on the problem, often without any effective political process to resolve them.
Control strategies must always take the opponent adaptations into account. Winning the control game requires close monitoring and study of the opponents’ moves, along with understanding and undermining their strategies. Risk control becomes a game of intelligence and counter-intelligence such as sexual or physical abuse.
To tackle such risks, an agency must first uncover them. Systematic measurement is a critical first step in developing an effective control operation. Proactive and intelligence work are vital for scoping and detection – for helping to reveal the true nature and extent of the risk and to ensure that interventions are designed around the whole of the risk rather than the tip of the iceberg.
Risks where prevention is paramount involve unthinkable disasters – for instance, nuclear or biological terrorism.
It is extremely difficult to estimate the probabilities and magnitude of the risk. This makes it hard to set the budget for control. The norm is serious under-budgeting. It is inherently problematic to justify the cost of such work, given the absence of visible disasters. It is also difficult to measure preventive performance.
Where performance is enhanced by risk-taking, the culture may reward and even celebrate excessive risk-taking by those who can get results and “get away with it.” Pressure for performance may impel employees to “drive close to the edge” to the brink of disaster.