Book Review – The Failure of Risk Management (2nd Edition)

Reading the first edition of “The Failure of Risk Management: Why it’s Broken and how to Fix it”,by Douglas Hubbard, back in 2009 was a professional epiphany for me.  Having been working in business continuity management for about five years at this stage, I was aware of the prevalence of many questionable practices in risk management.  But seeing how entrenched these methods were, and how confident people were in their efficacy, I wasn’t sure if I was alone in having doubts.

It was therefore wonderful to come across a book that clearly, but rigorously, explained what was going wrong and, more importantly, provided a clear road map for improvement.  Since that time, I have recommended the book to anybody who has attended our training courses, many of our consulting clients and, basically, anybody else who listened.  I was delighted to hear of the release of the second edition, but would it live up to my hopes?

The second edition retains the essential look and feel of the original but has clearly been updated throughout; with many useful references to recent events, particularly in the area of cyber security.  The most obvious addition in the new edition is a completely new chapter (Chapter 4), laying out a simple approach to making the initial transition to quantitative techniques.  This forms a “red-thread” throughout the rest of the book.  There is also important new material on a number of topics, principally:

  • Utility theory (Chapter 6);
  • Inconsistency in expert judgements (Chapter 7); and
  • The analysis of near-misses (Chapter 12).


All of this adds up to a slightly longer, but still very readable, book.

Sadly, the same flawed risk management practices that were highlighted in 2009 are still prevalent today, despite the sustained efforts of Hubbard and others; so the importance of this book has not diminished.  The release of this excellent second edition is very timely and I would thoroughly recommend it to anybody working in any aspect of risk management.  More importantly though, I would also recommend the book to executives and general managers: to paraphrase Georges Clemenceau, risk management is too important to be left to the risk management profession.