Mensa has discovered risk management.

It is well that AML take steps to protect its assets from risk of damage or loss. The membership database, for example, is Mensa's second greatest asset, so one would expect that prudent measures, such as controlled access, redundant servers and a rigorously enforced backup plan, have been employed to mitigate risks to its security and integrity.

But what are we really protecting ourselves against? Mensa's greatest asset is, of course, its members (of which the database is merely an electronic representation); yet, paradoxically, the AMC appears to have taken the view that the organization's greatest asset is also a significant source of risk. This view has led the AMC to take two actions that can be attributed directly to risk management—ASIE 2004-022, adopted in March 2004, which makes the SIGs a "membership benefit"; and ASIE 2004-111, adopted in September 2004, which requires that at least one member of the hospitality committee for AGs, RGs, LDWs, and Colloquia complete a food safety course.

Roommate-matching at gatherings and ride-sharing or carpooling to events were brought up as discussion items at an AMC meeting with the suggestion that these activities ought to be discouraged or prohibited, but no action was taken. Nonetheless, the 2004 AG Committee decided not to offer roommate-matching as a gathering service for fear of the risk involved.

When news of the weight that risk management was being given by the AMC in its deliberations and decisions reached the membership, questions inevitably arose: Why should Mensa discourage carpooling when virtually every business, governmental agency, and other organization encourages employees or members to carpool as a means of reducing air pollution and conserving energy resources? Why should Mensa curtail roommate-matching at gatherings, when gathering committees have been doing it for years without incident? How does making SIGs a membership benefit reduce any risk they pose? And does having a member take a food safety course shift responsibility for any food-related mishaps from the organization to the member? How are risks identified and evaluated?

Vigorous discussion of these questions and others took place on the M-Grapevine Yahoo! Group, with Cookie Bakke, a member of the AMC Risk Management Committee (RMC), speaking for the RMC. But no clear answers were forthcoming. The RMC's position seemed to be, in general, that risk management was a complicated business best left to professionals in the field, and that to make a clear statement about how risk was determined could itself pose a risk to Mensa. After protracted discussion, Cookie posted on M-Grapevine a statement written for the purpose by John DiLiberto, chairman of the Risk Management Committee.

In this statement, DiLiberto said,

I have read [sic] some write, and others say, that if we haven't had a particular type of loss in the past it means there is unlikely to be such a loss in the future. That is simply incorrect. An individual entity's loss experience is not necessarily an indication of the likelihood of future loss. It is the loss experience of a large number of similarly situated entities that suggests the likelihood of future losses for any one entity.

Similarly, I have read and heard some say that the Risk Assessment Report and the work of the RMC have not quantified the cost of Mensa's probable and/or possible future loss(es) and the cost of mitigating those losses. Rarely does one entity have enough loss experience and/or exposure to yield a statistically credible quantification of its cost or risk vs. cost of risk mitigation. There simply is no basis to calculate, for example, that the risk of being sued (successfully or otherwise) by someone injured while participating in a Mensa activity is 1 in "x" hundred (or thousand, or ten thousand) and the range of values of the loss sustained is from "y" to "z", while the cost of avoiding or mitigating that loss is "a" dollars. Sorry, the RMC can't do it.

After a bit of research, I found some information that helped me understand how the process works and get some feel for levels of risk involved. "General Security Risk Assessment Guidelines," published by ASIS International, "the preeminent international organization for professionals responsible for security", list a seven-step process for risk assessment and management.

1. Understand the organization and identify the people and assets at risk.
2. Specify loss risk events/vulnerabilities.
3. Establish the probability of loss risk and frequency of events.
4. Determine the impact of the event.
5. Develop options to mitigate risks.
6. Study the feasibility of implementation of options.
7. Perform a cost/benefit analysis.

Similar and more detailed guidelines published by the Federal Transit Authority (MA-26-0022, Risk Assessment in Fixed Guideway Construction, FTA 1994) describe a method of assessing risk that, although imprecise, illustrates a way of ranking risk or viewing a number of risks relative to one another. What follows here is a summary of the FTA risk evaluation method.

Assign risk probability. The first step is to assign a risk probability rating to possible risk events. The FTA guidelines use the four values shown below; ASIS uses five rankings, which add a "moderately probable" category in the middle.

Determine severity rating. The next step is to determine the severity or criticality rating for possible risk events. The FTA guidelines use six severity ratings, from 0 to 5, and the ASIS guidelines use only five, numbered 1 through 5. The terminology used to describe the impact of the criticality ratings is dependent on the nature of the organization, project, or enterprise being evaluated; here, I've used general financial effects to suggest possible impacts on Mensa:

Evaluate risk level. The final step in the risk assessment process is to determine a risk level for the possible risk events. The FTA guidelines make this task easy by simply multiplying the risk probability rating by the severity rating. The resulting products are then divided into low-level (0-4), medium-level (5-9) and high-level (10-20) risk events.

Mitigate the risk. The level of an event's possible risk having been determined, the next task is to develop a risk mitigation strategy. The FTA guidelines suggest four types of risk mitigation:

• Avoid the risk by preventing or eliminating it.
• Control the risk by reducing or minimizing it.
• Transfer the risk by sharing it.
• Retain the risk by accepting it.

How does Mensa manage its risks? In "Modern Risk Management," an article published in the November/December 2004 InterLoc, John DiLiberto put Mensa's approach to risk mitigation this way:

Techniques for dealing with identified exposures to loss include, but are not limited to, insurance, safety measures, special funding and avoidance. Management might well engage in extensive debate regarding which technique(s) to employ. The key to good risk management lies in identifying the particular entity's variety of exposures to loss as well as the variety of techniques with which to address them, regardless of the decisions ultimately made regarding how the entity deals with its risk(s) of loss.

The risk mitigation measures that Mensa has taken have not been made clear, either; however, it appears that, in most cases, our risk management devolves to insurance. The most common means of transferring (sharing) a risk is by buying insurance against it; that is, the cost of the risk event, should it occur, is transferred to (shared with) other policyholders.

It further appears that what we are attempting to protect against is financial loss resulting not just from some event—such as buying premises insurance against the risk of loss from a fire—but from a suit resulting from an event. This makes the risk assessment process even more difficult to estimate: what are the odds that two Mensans riding together to an event will be involved in an accident resulting in death or grievous injury AND that someone will sue Mensa as a result of it? Probabilities of this sort are multiplicative. If there are two events, each of which has a 50% chance of happening, then the odds of their both occurring at the same time are 1 in 4, or 25%. Thus, it looks like very long odds of something's happening AND someone's suing Mensa because of it. And, in any event, it looks like what Mensa's protecting itself against is itself—you and me. Mensa has met the enemy, and he is us.

There are many questions that still could be asked. To cite just two, for example:

The first step in ASIS's risk analysis process is to understand the organization being assessed. Mensa's risk analysis was performed by a consultant company. Did our consultants really understand the nature of Mensa when they did their work?

John DiLiberto and ASIS agree that the experience of "similarly situated entities" must be examined as well as that of the organization being assessed. To use ASIS's words, "Probability of loss is not based upon mathematical certainty; it is consideration of the likelihood that a loss risk event may occur in the future, based upon historical data at the site, [and] the history of like events at similar enterprises." What other entities or enterprises — a large number of them — were considered to be similar to Mensa? (Surely not service clubs. Mensa is not a service club.)

More questions could fill another article—but the questions about process and judgment aren't the whole of the matter. More important is the effect that risk management procedures are having on Mensa, primarily because they seem misplaced or excessive in consideration of our own history. Common sense argues that if the mitigation measures chosen alter the nature or mission of the organization, then something's amiss. Using ASIS's words one final time: "While financial cost is often a factor, one of the more common considerations is whether the strategy will interfere substantially with the operation of the enterprise."

Here's how Mensa's risk management practices appear to one long-time member: "Perhaps folks have overreacted to risk management stuff. [In my opinion] they haven't. Even when 'rules' are not in writing we are being forced to jump through numerous additional hoops."

And to another: "It's about a pervasive attitude of paternalism. Father Knows Best may have been a great TV series, but it hardly seems an appropriate method of dealing with the owners of a corporation, which is the status of the members. Mensa has traditionally been a member-driven organization. When there are burdensome rules, volunteerism drops off. What takes its place? The corporate mentality."

And here's how they appear to a young woman who enjoys gatherings and invests freely of her time to host as well as attend them, but who has little patience for politics:

"What I see in all this risk management stuff is Mensa having a drastic shift in vision and in doing so, losing its original purpose.

"When I joined Mensa, what I found was a big house party with mostly really cool people, some pretty weird people, and some jerks. Folks ignored the jerks or helped them become less jerky, the weirdos were mostly embraced and laughed off, and bogeymen were not sought in every closet. That is changing. That makes me sad.

"It's a social organization, people. This risk management stuff is going to kill the social aspect and leave the heart of Mensa as paranoid, suspicious, and covering their asses against all sorts of potential mischief which will likely never take place."

That's what I see, too. When our risks have been managed, we may be protected — but will we still be Mensa?

    — Dick Amyx

Previous Article | Contents | Next Article