When challenged on introducing 'theory' to the debate on risk, I have three responses, none of them original: First, Keynes: “Practical men, who believe themselves to be quite exempt from any intellectual influences, are usually the slaves of some defunct economist.”
Secondly, Anais Nin: “We don't see things as they are, we see them as we are.”
Thirdly, Han Solo: "Hokey religions and ancient weapons are no match for a good blaster at your side, kid."
Practically, risk management is all too frequently excluded from discussion of strategy and is asked to identify risks to strategy that has been set elsewhere. Risk managers tend to take great umbrage at this state of affairs, claiming that risk management practice requires that the firm have a robust 'risk management process' in place. The real question should be: ‘Is it effective?’ My point is that there is very little evidence that risk management as it is practised is effective and ever-mounting anecdotal evidence that it is not. There are also strong and, in my mind, persuasive theoretical reasons why it cannot be as it is currently typically practised, at least on a sustained basis. And I am, by no means, alone in that view.
As for the relationship between theory and practice, Keynes’ observation in 1936 remains spot on today, and is applicable not only to economics.
More tellingly, though, the debate between theory and practice is usually nothing of the sort. Take one of my all-time favourite articles on risk: William Langewiesche's article on the crash in 1996 of Valujet 592 (here). William Langewiesche is (or was, anyway) a pilot himself, with no axe to grind. As a journalist, he took a long, hard look at the control routines that governed Valujet 592 and the accident analysis by NTSB. His conclusions were telling: “The one thing that always gets done is the required paperwork.” However, despite paperwork showing there was nothing dangerous in the hold of Valujet 592, it flew in to the ground in the Florida Everglades early on a May afternoon in 1996 killing 110 people. That seems very practical.
In my view, trying to understand why does not represent theory; on the contrary, it is the very best form of practice. Attempting to ensure that we understand how best to prevent such incidents or other, non-physical commercial contingencies - for example, financial crises, is surely how we improve. Arguing endlessly about the applicability of standards that are so abstract from reality that they do not even admit that most people act first and justify later is, to me, the far greater folly. Until we ground our practice of risk management in what both works and what adds insight, risk practitioners will remain, in your phrase “tail-end Charlies”.
I would have thought it self-evident that, without robust, empirical evidence that linear risk management routines such as COSO and ISO are effective, the imposition of these standards is based purely on theory - that reductionist approaches to risk management can and will be effective. The standards themselves are, in a very real sense, theoretical in that they are not demonstrably grounded in realistic conclusions about effective practice or robust analysis of causes of corporate failure. How do their users then get to accuse others of being 'theoretical', as if it were pejorative?
My last word, I’ll leave to the great theoretical physicist, Richard Feynman (a member of the Rogers Commission which investigated the Challenger space shuttle disaster): “It is not what we know, but what we do not know, which we must always address, to avoid major failures, catastrophes, and panics.” Is that theoretical or practical advice?