The Rumsfeld Matrix

"There are known knowns. There are things that we know that we know. There are known unknowns. That is to say, there are things we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know."

As a person who spends most of his working life thinking about Risk I regularly return to these six sentences. Spoken by Donald Rumsfeld (then USA Secretary of Defense) in February of 2003, these six sentences are, to my mind, a superb summary of what ought to be at the very core of thinking & planning around risk identification.

Implicit in Rumsfeld's words (and the matrix) is that, in order to identify all identifiable risks, every situation must be viewed from at least two different perspectives: Us and Them; Company and Customer; Worker and Manager. This 'dual counterpoint' process of identifying risks helps us (a) conceptualise the situation and, importantly, (b) focus on our potential blind spots.

The Rumsfeld Matrix can be a very useful model for individuals & systems in identifying risk. BUT the model itself, no matter how widely implemented, will fail without an accompanying suitable Risk Culture. To that end, I contend there are four key 'cultural concepts' required in the system:

  1. Habit & Discipline not Control & Compliance

  2. Good News Fast, Bad News Faster!

  3. Trust, but verify

  4. Risk awareness is everyone's business

Habit & Discipline not Control & Compliance

The first action a system must embark upon is to shift "Risk Activity" (i.e. risk identification, mitigation, processes, functions) from being bound by a sense of 'control & compliance' to being a function of 'habit & discipline'. That may be easier said than done!

Certainly, the role of active leadership and commitment is essential to this task. Leaders must 'walk the walk' and 'talk the talk'. They must seek out opportunities to speak to the individual & collective responsibility of habit & discipline, to have balance in expectations (i.e. scorecards), to coach & support positive habitual behaviour and to remove the language of 'control', 'compliance' and 'zero tolerance' from "Risk Activity" discussions.

This shift is, no doubt, a long(er) term play: but a system reliant on 'control & compliance' will always be a second-rate system (at best). Why? Because a 'control & compliance' reliant system will always result in "Risk Activity" being primarily owned by someone/some-group one step (at least) removed from where the risk exists. Here, the "Risk Activity" becomes 'tick-a-box' and 'compliance'. Witness the sub-prime meltdown as a key example of the ineffectiveness of 'control & compliance' reliant systems.

Good News Fast, Bad News Faster!

The second action a system must embrace is the absolute encouragement & welcoming of 'bad news'. Indeed, good news ought to travel through a system quickly. But, bad news must travel even more quickly. Good news must be the 'sound' to the Bad news 'light': Good News Fast, Bad News Faster!

Again, leadership is critical in this task. "Shoot the messenger" has to be removed as a reaction option (sometimes default) to bad news. This is true at both an individual and system level. Review Panels, Risk & Audit Committees, Leadership teams, Advisory Councils and so forth must resist the temptation (conscious or otherwise) to simply make 'examples' of bad news. These bodies have an essential role in encouraging the swift ascent of risks & bad news notwithstanding the impact of these on the larger system.

Only once "Good News Fast, Bad News Faster!" becomes entrenched will individuals within a system be free and willing to speak frankly & fearlessly.

Trust, but verify

Ronald Reagan was fond of expressing his relationship with Mikhail Gorbachev and the Soviet Union as being built on the maxim: Trust, but verify. This is a wonderful, simple phrase which encapsulates exactly how a great risk culture ought to function.

Individuals & groups within a system must be trusted: and they must feel that they are trusted. This is core to the concept of responsibility. But this is not enough! This trust must be accompanied with verification. It is within the verification that the accountability exists & grows.

This symbiotic relationship between responsibility and accountability is absolutely essential to a long term, sustainable & effective risk culture. Without "Trust, but verify" the concepts of "Habit & Discipline" & "Good News Fast, Bad News Faster!" will not survive.

Risk awareness is everyone's business

Finally, a system seeking to encourage & develop a positive Risk Culture must reinforce (at every possible opportunity & level) that Risk awareness is the responsibility & accountability of everyone within the system.

Note the focus on 'awareness'. This is deliberate and essential. Too often systems seek to enforce all "Risk Activity" at all levels within a hierarchy - this is overreach and destined to fail. Why? Because not all individuals or groups within a system have the capability, knowledge and expertise to undertake all "Risk Activity" (risk identification, mitigation, processes, functions). Everyone in the system, though, can be and should be Risk aware.

Embedding sound Risk Activities in a system is not easy. And the results will never be perfect (that is to say, we can never escape the unknown unknowns).

But a focus on 'dual counterpoint' thinking, coupled with the cultural shift outlined here, gives us a good chance of maximum success.
