Lao Tzu on Risk Management
“Those who possessed in highest degree the attributes of the Tao did not seek to show them, and therefore they possessed them in fullest measure.
Those who possessed in a lower degree those attributes of the Tao sought how not to lose them; and therefore they did not possess them in fullest measure.”
- Lao Tzu; “Tao Te Ching” chapter 38
Ah the joys of the single-member LLC! A single individual makes all the decisions. A single individual feels the impact of those decisions. No politics, no complex frameworks, no IT department. From a business process standpoint, the one-employee single-member LLC is a kind of spiritual nirvana. The single-member meditates, saying “I am at one with my company.” And it is so.
Into this peaceful garden we introduce a thought exercise. Does such a simple entity practice risk management?
Risk Management for One
It’d be rare for a one-person legal entity to have a quality manual, a risk control log, a hazard analysis, or any of the major documents that would underpin a risk management framework. But make no mistake: risk management does happen in such an “organization,” in a real and fundamental way. Risk management takes place in the mind and the actions of the single individual proprietor. He or she is actively thinking about risks to the business, risks to stakeholders, hazards and countermeasures and continual improvement of processes, all within the context of the business itself. Risk management happens here, absolutely.
But the risk management is difficult to see, because typically it’s not documented. In the nirvana of simplicity, there’s no need to document … because there’s no need to communicate complex ideas across a spectrum of individuals. The evidence of risk management, and the review and acceptance of that evidence, occurs within the mind of one person. The owner of a single-member LLC is all action, and (typically) no documentation.
If we follow the advice of the ancient Chinese philosopher Lao Tzu, we can easily identify this single-member master of his domain. As “…one who possesses the highest attributes,” this wise sage “does not seek to show the attributes … and therefore possesses them in fullest measure.” That’s our LLC owner! Not stopping to show his work, explain himself, or document formal rationale for risk acceptance; but just doing the job. Extending a bit the wisdom of Master Tzu, this solo innovator is said to possess a risk management capacity which, while he does not seek to show it, he nevertheless possesses in fullest measure.
Risk Management for n, where n > 1
But things change quickly when this little corporately-structured individual seeks a loan, or a capital investment. Or wants to sell software to a big enterprise. Or hires a large staff. Faced with such events the questions come rolling in…and the questions are jarring. Where is the quality manual? Where is the risk register? Where’s the safety-relevant process and procedure documentation? Do you have records to show compliance to ISO 1234567? Often the answer is: “We don’t have that.” And that’s just natural. For small companies, lack of compliance is not a bug but a feature… a sign that they don’t need all this jargon and burden to manage risks.
Stepping back for a moment: risk management seeks to achieve two basic objectives:
Objective #1 is to reduce risk to an acceptable level.
Objective #2 is to demonstrate that risk has been reduced … in other words to document and explain the accomplishment of objective #1.
And it’s objective #2 that becomes a challenge for small companies as they grow. With more people and greater complexity, evidence and human judgment become unreliable… because evidence and judgment are now shared between multiple individuals. Individuals with different minds, differences of opinion, varied philosophies, conflicting needs, etc.
In short, life gets complicated. And when life gets complicated, gaps emerge. Confusion grows. Stuff gets missed.
Those complications become the jumping-off point for the implementation of professional risk management frameworks at growing companies. It is only by these efforts that we can really achieve our objective #2… to demonstrate that risk has been reduced, in a way that satisfies a variety of stakeholders. Risk management frameworks are our platform to accomplish that. Frameworks work.
At the same time, paradoxically, frameworks contain the seeds of failure.
Return to the Master’s Words
Objective #2 is a valid and worthy objective… but it’s also dangerous. Because it’s boring. It’s rote. It relies on the tedium of process, of standards, of conservative thinking. And most importantly, it becomes no longer founder-led (or innovator-led; or SME-led); but instead becomes led by its own function. Maybe we call that function “risk” or “quality” or “safety” or “security”… but the point is it’s outside the core function of the company. It’s necessarily at least one step away from the mind of the founder or innovator or SME who really understands what this company is doing in the first place.
The search for objective #2 can be corrosive to culture. Led by processes and spreadsheets and outsiders without deep insight to the business, the organization can easily wander into the grim world of checkbox compliance. Literally: checking the box. Focusing on the paperwork. Going through the motions of documentation, without really thinking about the risk itself and the best way to manage it. Objective #2 becomes the main objective, for the simple reason that people can see and understand the documentation required to deliver objective #2.
In their focus on objective #2, risk management professionals sometimes wander astray from objective #1. The documentation is real, but the risk management itself has disappeared or utterly failed … not by lack of process or lack of effort, but by lack of understanding.
Which is how you get massive quality failure causing tens or hundreds of fatalities, from quality-certified manufacturing facilities. How you build nuclear plants near tsunami-prone shores without proper consideration of floods. How big banks take on billions in sub-prime loan exposure. And so forth. Risk managers never meant to allow these messes. They just were not able to see truths right in front of their face. Because their world is the world of checks and boxes and documentation… a world composed of these “objective #2” artifacts. They don’t have the deeper insight into objective #1.
These burdened risk managers are Lao Tzu’s less-enlightened souls from the second line of the text. Seeking not to lose what was accomplished; seeking to systematize risk management, they ultimately possess a lesser knowledge of it.
Lao Tzu was famously a believer in humility, and advocated a patient and humble approach to things… not as an end in itself but as a means to win the long-game. From the Tao Te Ching chapter 43: “The softest thing in the world dashes against and overcomes the hardest.” In this, Master Tzu understood some deep truths about real-world risk management:
Risk management frameworks require humility of innovators, who must submit their insight and capabilities to the authority of a process framework to manage risk effectively.
And in return, good risk management requires the reciprocal humility of risk managers, who must recognize that their frameworks and documents are less-insightful stand-ins for the deep understanding of innovators, who often did the job quite capably as individuals.
Alas, Master Tzu searched far and wide for a humble innovator and a humble risk management consultant. Never were two such rare creatures observed together in the same moment.