The Cheese Theory of Risk Management
Stopping something going wrong is all about how hole-y your cheese is. Have you got cheddar or Jarlsberg in your risk control strategy?
If you’ve followed this blog, you’ll know risk management is front and centre.
It underpins everything.
Since I’ve been saying most people suck at risk management, I figured I’d best show how to do it well.
I started with flagging the three traps we often fall into when assessing risk: familiarity, perceived control and confirmation bias.
Now I’m going to walk you through how to do it right.
The explanation I still reach for first when explaining risk prevention is cheese.
Introducing…
Bear with me. I promise it’ll make sense soon.
Let’s get started…
Risk management has four steps
Each risk management methodology has its own framework and names for specific steps, but in essence they all do the following:
Work out what could go wrong
Work out what you could do to stop it going wrong (prevention)
Work out what you’d do if it happened despite your best efforts to stop it (mitigation)
Decide which prevention steps you’ll do, then do them.
The last step is the most important one, but you have to do the first three to get to the last one.
Here’s how…
Step 1: Work out what could go wrong
This is as simple as a list of the risks you’re facing.
You don’t need to rank the list according to how likely it is to happen, or how bad the outcome might be if it does.
As a starting point, you’re assuming over a long enough time period, the risk you’ve identified is gonna get you.
Like this:
That’s the basis for your risk list.
Most risks you’ll think of will be things you don’t want to happen.
Sadly, we know most do happen, every day, to someone on this planet.
So, it’s onto…
Step 2: Work out how to stop the risk reaching you
No doubt you’ve heard the saying prevention is better than cure.
This is absolutely the case when you’re on the receiving end of something potentially going wrong. You want to prevent it getting to you, or at least lower the odds.
Putting controls between you and the risk is how you stop it getting to you.
Now we come to the Cheese Theory…
Imagine each control you put between yourself and a hazard is a slice of cheese.
Solid cheese - like cheddar - stops the risk reaching you entirely.
A hole in the cheese - like you’d find in Jarlsberg - lets it through eventually.
How do we know which slices are cheddar and which are Jarlsberg? And if you’ve got Jarlsberg, which ones are more hole-y than others (and not in a good way)?
There’s a framework for that:
The Hierarchy of Controls
…which looks like this:
Elimination is cheddar. A solid slice of cheese with no holes. You remove the hazard entirely. Job done.
Let’s take a financial risk as an example: your relationship turns financially abusive.
You can eliminate the risk of this by never having a relationship.
Here’s how the risk to you looks now:
One slice of cheddar - an elimination control - is worth dozens of slices of Jarlsberg.
But elimination isn’t always possible or practical, or even desirable.
For example, the side effects of never having a relationship might outweigh the risk of that relationship turning financially abusive.
Which brings us to everything else…
The (more effective) top half
As you move down the hierarchy of controls from most effective to least effective, it’s all about the cheese-to-holes ratio.
Along with elimination, the next two can achieve near-complete risk control:
Substitution to replace the hazard with something less dangerous. For example, instead of a romantic relationship, you only have friends and family in your life (perhaps also a really good vibrator, and/or a subscription to Make Love Not P*rn?) You basically swap out a romantic relationship with its attendant risk of financial abuse for something else.
Engineering controls to change the environment. For example, you set very clear boundaries on the relationship, perhaps keeping all finances separate (as long as that doesn’t end up being abusive, like this example from financial adviser Christine Lusher).
I say ‘near-complete’ because they’ll never be 100 per cent effective.
Done right, they can get close, but Jarlsberg can never beat cheddar.
(And no, I’m not posing this cheese competition in terms of taste. Obviously Tarago Shadows of Blue is the winner in that case, and I will not be entering into further debate on the matter).
The (less effective) bottom half
At the bottom of the pyramid, you’ll find hole-y cheese abounds.
These controls are weak. They will definitely fail at some point.
They are:
Administrative (admin) controls to change behaviour. Like money date nights where you talk about money and agree what you’re going to do. They’re nice to have, and maybe they work to flag when the relationship reaches risky territory early, but they don’t prevent bad behaviour. You can be in a relationship and do date nights and still end up on the receiving end of financial abuse.
Personal protective equipment (PPE) is the last line of defence. Akin to a seat belt in a car, or steel-capped boots when you’re on a processing plant. For example, a buffer fund with cash you can access to fund your exit. For it to work, you have to do it right: ensure only you have access to the account. But it can still be a good protection.
…but there’s a problem with humans
If a risk control involves a human decision, no matter where it sits on the hierarchy of controls, you have to assume it’ll fail.
This was one of the biggest ‘aha!’ moments of my engineering degree.
We were doing a risk management unit and you had to work out how much you’d reduced the probability of a given risk depending on what controls you’d put in place.
Any control relying on a human decision made no change to probability.
Yep. The bottom line: humans will eventually stuff up.
This is technically correct and definitely appropriate on the processing plants where I’ve worked, where you might get killed in any number of terrifying and painful ways.
But it’s not much practical use in personal finance. You can automate a lot of money things, but human decisions will have to happen despite your best efforts.
Which is why the answer to this is the same as my answer to many of life’s conundrums, including ‘what snack do I fancy right now?’: more cheese.
Here’s why…
How controls prevent the risk reaching you
Using any of the four non-elimination types of controls means you’re using hole-y cheese.
Like this:
You then have to look at the efficacy of a given control to decide if it’s got lots of holes or not.
If you can’t or won’t eliminate the risk entirely, the prevention part of the risk management game becomes:
Can you find slices with the fewest holes (i.e. controls that are as effective as possible - substitution or engineering controls)?
If not, can you find any slices at all - even if they’re admin controls or PPE - to put between you and the risk?
Put as many slices as you deem reasonable between you and the hazard.
Over a long enough time frame, if you don’t have an elimination control, you can expect the risk to get through.
Like this:
But don’t dismiss any slice just because it’s not perfect.
Every bit of cheese reduces your probability of the risk reaching you. Even a control that only works one time in a hundred reduces your overall exposure.
Stack enough imperfect controls and the cumulative effect is substantial.
One hundred slices of Jarlsberg that each stop the risk 1 per cent of the time leave a 36.6 per cent chance it gets through on a given occasion (0.99 multiplied by itself 100 times), which is a 63.4 per cent chance it doesn’t reach you. With no slices at all, it reaches you every time. That arithmetic assumes the slices fail independently of each other: if several of them hinge on the same thing (say, the same person noticing something is off), they tend to fail together, and you get less protection than the numbers promise.
That’s not a trivial improvement.
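Here’s the arithmetic behind stacking hole-y slices, as an added Python example that is not from the original post. Each slice is treated as an independent chance of stopping the hazard on a single occasion, and, following the engineering rule above, any control that hinges on a human decision counts for nothing unless you explicitly tell it otherwise. A slice that stops the hazard 100 per cent of the time is cheddar (elimination) and short-circuits everything. The control names and effectiveness figures below are made up for illustration, not estimates from the post.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Control:
    """One slice of cheese between you and a hazard."""
    name: str
    stops: float                       # fraction of occasions the slice stops the hazard, 0.0..1.0
    needs_human_decision: bool = False  # True if it only works when a person makes the right call


def residual_probability(controls: Iterable[Control], human_counts: bool = False) -> float:
    """Probability the hazard gets past every slice on a single occasion.

    Assumes the hazard arrives (step 1: over a long enough period it will) and that
    the slices fail independently of each other. With human_counts=False, a control
    that relies on a human decision is scored as the engineering rule in the post
    scores it: zero reduction in probability.
    """
    p = 1.0
    for c in controls:
        if not 0.0 <= c.stops <= 1.0:
            raise ValueError(f"{c.name}: effectiveness must be between 0 and 1")
        if c.stops == 1.0:
            return 0.0  # cheddar: an elimination control, nothing gets through
        effective = 0.0 if (c.needs_human_decision and not human_counts) else c.stops
        p *= 1.0 - effective
    return p


def chance_of_at_least_one_breach(per_occasion: float, occasions: int) -> float:
    """Probability the hazard reaches you at least once over N independent occasions."""
    return 1.0 - (1.0 - per_occasion) ** occasions


# Constructed illustration: one hundred slices that each stop the hazard 1% of the time.
JARLSBERG_100 = [Control(f"slice-{i}", 0.01) for i in range(100)]

# Constructed illustration of the financial-abuse example. Effectiveness figures are
# assumptions for the demo only; the control types follow the hierarchy in the post.
RELATIONSHIP_CONTROLS = [
    Control("separate finances (engineering)", 0.50),
    Control("money date nights (admin)", 0.30, needs_human_decision=True),
    Control("sole-signatory buffer account (PPE)", 0.20),
]

ELIMINATION = [Control("never have a relationship (elimination)", 1.0)]


if __name__ == "__main__":
    through = residual_probability(JARLSBERG_100)
    print(f"100 x 1% slices: {through:.1%} gets through on one occasion, "
          f"{1 - through:.1%} doesn't")
    print(f"...but over 10 occasions it gets through at least once "
          f"{chance_of_at_least_one_breach(through, 10):.1%} of the time")
    print(f"relationship stack, humans scored as failing: "
          f"{residual_probability(RELATIONSHIP_CONTROLS):.0%} gets through")
    print(f"relationship stack, giving humans credit: "
          f"{residual_probability(RELATIONSHIP_CONTROLS, human_counts=True):.0%} gets through")
    print(f"elimination: {residual_probability(ELIMINATION):.0%} gets through")
```

The second print line is the "over a long enough time frame, the risk gets through" point in numbers: a stack that stops the hazard roughly two times in three on any one occasion still lets it through at least once in ten occasions almost certainly. Swap in your own slices and honest guesses at their effectiveness to see where your cheese is thinnest.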
And that’s how it is for most financial stuff.
Cheddar is an elusive goal, achievable in only a few very specific circumstances. You’re mostly going to have Jarlsberg. So there’s at least some chance you’ll come into contact with the risk eventually.
So it’s onto…
Step 3: Work out what you’d do if it happened
Prevention is preferred, but prevention fails.
I don’t think of this as pessimism. It’s just the honest acknowledgement that Jarlsberg is the only feasible option in most cases.
Over a long enough time frame, the risk gets through.
So alongside prevention, you need mitigation, specifically:
What’s your plan for if/when the risk arrives on your doorstep?
This is best worked out in advance, for three reasons:
You’re dumber when you’re financially stressed, to the tune of 13 IQ points. If you wait for financial stress to strike before making a plan, you’re probably going to end up with a suboptimal outcome. Do the plan now. Then you’re at least not starting with a blank page when freak-out level misery arrives.
You might come up with controls that have to happen in advance. For example, one of your responses might be ‘claim on insurance.’ Which is all well and good if you got the insurance beforehand. They’re no use unless they’re in place.
It’ll help you sleep better. Most worry is the absence of a plan. You don’t know what you’d do, and the wondering nags at you. Writing down what you’d do is the best recipe for sound sleep I’ve found.
Back to the financial abuse:
For this scenario, let’s imagine that despite your best screening processes, the relationship you’re in becomes abusive and you want to leave.
Perhaps your response plan includes:
Calling support services, like 1800 Full Stop. (Side note: wondering why I haven’t also listed 1800 RESPECT? Take a gander at this article from The Conversation.)
Accessing online sites with advice and checklists, like Your Toolkit.
Using savings to fund your exit - for temporary accommodation, for example.
Letting your workplace know what you’re going through so you can access paid leave and/or their support services.
Letting friends or family know what’s happening so they can run interference and support you.
Mitigation doesn’t prevent the bad thing.
It changes what the bad thing does to you if/when it arrives.
The goal is to make the consequence survivable, with the least amount of misery possible.
If your response plan includes anything you need to do in advance - like you’ll have to save now if you want that buffer fund in place - add it to your prevention controls list.
Now’s where the rubber really hits the road:
Step 4: Decide which prevention steps you’ll actually do, then do them
This is where most risk management frameworks fall apart:
The doing.
You can build the most beautiful risk register in the world, have the best prevention plan around and have a gold-standard response ready to mitigate.
If you don’t act on it, you’ve just got a very well-documented list of things that are going to happen to you.
The engineering way to approach this is to prioritise your potential controls.
If I were doing this on a processing plant, I’d prioritise the controls according to how likely I thought the risk was to happen, and how bad the outcome was likely to be if it did happen:
High likelihood + high consequence = non-negotiable. Must implement effective controls, or you’re asking for trouble.
Low likelihood + high consequence = still worth acting on. The downside is too severe to ignore.
High likelihood + low consequence = manage it, but don’t let it eat your capacity.
Low likelihood + low consequence = acknowledge, implement controls that don’t rob your ability to prevent bigger stuff, and move on.
But you’re not a processing plant.
You’re a human, and as we’ve established, you’re not necessarily the best person to estimate likelihood in particular.
I reckon it makes sense to put at least some preventative steps in place for every risk you identify if you can afford the time, energy and financial cost.
Here are two examples of preventative controls for typical risks most people face…
Example 1: Job loss
Losing your job - being fired or made redundant - is high likelihood over a working lifetime.
It’s also high consequence if you have no mitigation in place, so you might consider:
A buffer fund is not optional. It’s a load-bearing control.
Having multiple income streams reduces the potential impact of job loss, but you have to do this in advance.
Retraining, or keeping your qualifications up to date so you can more easily go back to work after an extended break, tends to be worthwhile.
If you have debt or dependents, income protection insurance may be especially worth considering, and you can pay for it inside superannuation if you can’t afford the hit to your cashflow.
Example 2: Relationship financial abuse
This is lower likelihood but has catastrophic consequences:
It’s worth having at least one bank account to which you are the only signatory and no one else has access, i.e. don’t share your banking password. This is so you have cash to fund an exit in the worst-case scenario. Think of it as staying money - as in, I could leave if I wanted. I choose to stay.
Stay active in your finances: have your own credit history, and your own understanding of your financial position regardless of your relationship status.
Don’t sign anything unless you understand it. No amount of ‘If you loved/trusted me, you’d do this’ is an acceptable way to pressure you into something that makes you uncomfortable, or that you simply don’t understand.
Maintain a way to earn an income, just like for potential job loss. Most women go back to abusive relationships because they have to choose between an unsafe home and sleeping in their car. Being able to earn money is important.
Your list might look different. The point is to make deliberate decisions, not to react only when the risk finally gets through your cheese.
What’s next?
Now it’s your turn.
What risks are you facing in your finances?
Can you find a slice of cheddar to stop them reaching you, or at least some Jarlsberg?
And what will you do if the risk makes it through your cheese?
If you want a simple template to use for your own risk management planning, you’ll find one on the Money School resources page.
Now, the important bit:
Add the preventative steps you want in place to your to-do list. Schedule calendar time to get them done if you need to.
Hope you found this post helpful - lemme know what did/didn’t work for you in the comments.
And next, I’m planning to write about the slices of cheese available to you for preventing climate change wrecking your finances. Coming up soon!