Sunday, October 21, 2012

Three years to change perception of risk?

As individuals, we are prone to making poor risk decisions, yet it is potentially within our power to predict and calculate any number of risks, including murder, earthquakes, market crashes, or identity theft. Nevertheless, it is important to keep in mind, as Bruce Schneier points out, “risk management is also a feeling, based not on probabilities and mathematical calculations, but on your psychological reactions to both risks and countermeasures. You might feel terribly afraid of terrorism, or you might feel like it’s not something worth worrying about.” [1]

Let's say that we wanted to change peoples minds about something. Say for example, you wanted to convince the travelling public that it's safe to fly again, after a major terrorist attack involving aircraft hijacking. How long would it take? A long time. The evidence seems clear. Even with trillions of dollars in resources, it apparently takes three years or perhaps even five years to change peoples perception of the risk.  At least, that is what US road fatalities data suggests.

In the September 11 terrorist attacks, 2,974 people tragically lost their lives. The public was justifiably horrified, and several trillion dollars was allocated to counter-terrorism measures. In the same year, however, a staggering 42,196 people lost their lives in motor-vehicle fatalities with scarcely a comment in the media. Fear of hijacking, understandable though it may be, contributed to a drop of more than 30 percent in US domestic air travel in 2002; people chose to drive rather than fly. Meanwhile, US motor-vehicle fatalities (a number that was previously steady or falling) increased by 809 people that same year; from 42,196 fatalities in 2001 to 43,005 in 2002.  [3]

It can often be difficult to demonstrate a clear cause and effect between risks and outcomes, and this situation is no different. The above statistics however were not entirely unexpected. In December 2001, David Myers, professor of psychology at Hope College, postulated a further eight hundred road deaths due to people driving rather than flying in 2002, adding that “in just one year the terrorists may indirectly kill three times more people on our highways than died on those four fated planes.” [2]   Further indication of the lasting effect of this risk perception is that the average annual road fatalities in the five years after 2001 was 1,140 higher than the average five years before 2001 (41,848 versus 42,989). Yes, that's a total of 5,702 additional people were killed on the road in the five years following the September 11 attacks. In fact, it wasn’t until 2007, that road fatalities dropped below their 2001 levels.

It is of course, much more than the scope of this article to confirm that the drop in road fatalities was linked to rebuilding confidence in aviation. Change in perceptions about seatbelts and drink driving as well as improvements in motor vehicles have all played their part. It's striking however to look at the data graphically and it's clear that something changed significantly around 2008. Perhaps it was just the effect of the global financial crisis (GFC) - and that did cross my mind. So I had a look at the statistics regarding how many passengers actually flew each year in the United States. It turns out that the GFC did have an impact, but not enough to completely explain the road fatalities. From a low in 2002 of 670,604,493, passengers increased by roughly 5 percent per annum until 2007 but it took three years to return to the pre-2001 levels.  [4]  From 2007 onwards, it does seem likely that the GFC had some impact on both road fatalities and aviation passenger levels, but even so, it seems likely that it took most Americans up to five years to believe that flying was safer than driving - or at least, safe enough to take it up en masse.

Is this really a surprise? Anybody who has tried to convince someone that a belief held doesn’t match the facts, knows perception doesn't always align with facts. On the contrary, as John Kenneth Galbraith put it so eloquently, "Faced with the choice between changing one's mind and proving that there is no need to do so, almost everyone gets busy on the proof."

It's not only difficult for us to change other peoples minds but it's hard for them to change their own mind. Equally significantly, it's very difficult for us as risk managers to truly absorb new information in a way that changes our behaviours. In his latest book Changing Minds: The Art And Science of Changing Our Own And Other People's Minds (Leadership for the Common Good), Howard Gardner, a cognitive scientist, describes this phenomenon succinctly:
"People underestimate how difficult it is to change minds. ... When you’re little, your mind changes pretty readily, even if nobody pushes it. We are natural mind-changing entities until we are 10 or so. But as we get older and have acquired more formal and informal knowledge, then it’s very, very hard to change our minds. ... I’m not stating that on small matters it’s difficult to change people’s minds. A coffee break at 3:00 rather than 1:00—that’s trivial. But on fundamental ideas on how the world works, about what your enterprise is about, about what your life goals are, about what it takes to survive—it’s on these topics that it’s very difficult to change people’s minds. Most people, by the time they’re adults, not only have become used to a certain way of thinking, but in a sense it’s work for them [to change] because their neural pathways become set."
So, is it official that it takes five years to change peoples perception of a risk? Not by a long shot. But it's an interesting question to ask.


[1] Schneier, B (2007), The Psychology of Risk management, 28 February 2007, available at, viewed 20 August, 2011

[2] Myers, David (2001), “Do We Fear the Right Things?”, Observer (Journal of the American Psychological Society), December, 2001

[3] Motor vehicle fatality statistics calculated by U.S. Department of Transportation, Research and Innovative Technology Administration (RITA), Bureau of Transportation Statistics (BTS), ‘Table 2-17: Motor Vehicle Safety Data’.Viewed 20 October 2012.

[4] Aviation statistics calculated by U.S. Department of Transportation, Research and Innovative Technology Administration (RITA), Bureau of Transportation Statistics (BTS), Passengers
All Carriers - All Airports. Viewed 21 October 2012.

Sunday, August 26, 2012

What is Risk Management?

I love the simplicity and inclusiveness of the ISO 31000 definition of risk ("the effect of uncertainty on objectives") and think it is probably the best of a large number of alternatives for a definition of risk.  On the other hand, the ISO 31000 definition of 'risk management' - "coordinated activities to direct and control an organization with regard to risk" leaves me more than a little underwhelmed. So, rather than just criticise it, I'd suggest the following thoughts in support of a 'better'(?) definition.

If we accept the ISO 31000 definition for risk then it follows that 'managing risk' = 'managing the effect of uncertainty on objectives"?

We could take this argument further by suggesting that if we have objectives, we would like to achieve them. If that is the case, then we could define 'risk management' as 'reducing the effect of uncertainty on objectives'.

A quantitative analyst (quant) might suggest that risk management is all about reducing volatility, but that definition is still rather vague. With their focus on volatility and pricing, quants are more focussed on reducing something abstract, than achieving objectives, so a better view of managing risk might be something like: risk management = 'increasing the certainty of achieving objectives'.

And that gets my vote for a better definition of risk management. What do you think?

Thursday, August 2, 2012

Risk Informed Decision Making

I recently spent 10 days holiday scuba diving and sailing around the Whitsunday islands with my partner and a couple of friends. Being the only one in the group with any sailing experience, I got the role of 'skipper'. It's probably not everyone's idea of a great holiday but personally I love the challenge of navigating and sailing a 40 foot catamaran that I'd never been on before, through a group of islands that I really didn't know very well.  That's partly because I enjoy learning new skills and honing old ones, but mostly because the mental challenge involved with (safely) sailing a $500,000 yacht is enormously satisfying and stimulating.

Along the way, there is plenty of time to ponder the vagaries of risk management. While sailing through Solway passage one beautiful sunny morning, I was reminded of a comment made on one of the discussion forums that I participate in.  It's popular in some circles to be something of a sceptic regarding risk management. The question raised in this forum was basically asking if risk management even works. The author in this instance was challenging the value of ISO31000 and risk management in particular. He was (rightly enough) pointing out that there is little if any, research done to show that resources applied to risk management actually return any value.  Now, I don’t believe that risk management is the panacea for all ills, and I’d definitely like to see more research done on the value of risk management. The lack of research however, doesn’t prove a case either way.

There are even a few people (a minority to be sure) who would go so far as to suggest that risk management generates little or no value, and is simply is a fad invented by management consultants.  It amused me to reflect on this view while passing through Solway Passage. Solway is a picturesque but narrow channel between Whitsunday and Hazelbrook Island. It looks benign enough, but if you try to pass through when tide and wind are opposed, the turbulence and eddies in the channel that can rotate your boat 90 degrees. Add in the shallow patches, rocks on both sides, the possibility of a whale or two transiting at the same time, and you have a situation that's far from benign.

If the risk management sceptics were correct, anyone could blithely hire a $500,000 yacht and sail it through Solway with beer in hand, and scant regard to wind or tide.  It's ludicrous however, to suggest that such an approach would be overly helpful.  It's more likely, that the passage would quickly become littered with broken boats and flotsam. 

On the other hand, a few basic risk management strategies, such as acquiring some navigational skills beforehand and planning the journey based on tides and weather, are likely to increase your chance of meeting objectives (eg: reaching a safe anchorage without damaging the boat or crew).  Certainly, I might have gotten through with just a beer in my hand, and a vague lookout for rocks. Indeed most boats would probably get through just fine, but we're talking here about the 'effect of uncertainty on objectives'. The more we reduce the uncertainty, the more likely we are to achieve objectives.

It’s useful to be sceptical and ask the hard questions regarding the value of risk management, but such those questions are best answered in academia.  Real world examples such as scuba diving or sailing through Solway Passage, demonstrate that risk management does indeed add value. Indeed, it was amusing to me during this holiday, to wonder why it is that some people still feel the need to ask if risk management adds value.  Perhaps they feel erudite or learned by asking such questions, but to me it seems about as useful as asking "why bother with management, leadership or safety?"

As for ISO31000.... Did I use ISO31000 to get through the Solway Passage? No, I didn't (I'm not THAT much of a risk nerd). I did however, follow an intuitive human process that aligns nicely with the ISO31000 risk management process. I looked at my objectives for the trip (getting safely and happily to Whitehaven Beach), took stock of the tide, charts and weather (context) to see what threats and opportunities I might face (identify risk), looked at the interaction of the various factors (risk analysis), considered the situation against my risk attitude (risk evaluation) and chose my time/place/rigging/etc. to sail (risk treatment). Along the way I communicated with the crew (at least the ones who weren’t too seasick to comment), consulted the charts and monitored the situation.  

Perhaps it doesn't matter so much which risk management process you use, so long as you use one. It just so happens however, that the ISO31000 process is consistent with the way that most of us process and manage risk. 

Sunday, June 10, 2012

Until you do it, it’s still an unknown...

No matter how well you prepare, and how much you might think you understand a risk, there is a special category of risks which are worthy of the title...

"Until you do it, it's still an unknown.

One of my personal heroes made history with just this type of risk. Joe Kittinger rode a balloon to 102,800 feet (31,300 m) then stepped out into space.
He fell for four minutes and 36 seconds, reaching a maximum speed of 614 miles per hour (988 km/h) before opening his parachute at 18,000 feet (5,500 m). Pressurization in his right glove malfunctioned during the ascent, and his right hand swelled up to twice its normal size. He set records for highest balloon ascent, highest parachute jump, longest drogue-fall (four minutes), and fastest speed by a human being through the atmosphere.  To give you an idea, just how amazing this is, he set these records on August 16th, 1960 and they are yet to be beaten.

That could be about to change however, with a "giant leap for one man" later this year. Austrian skydiver Felix Baumgartner will jump from a pressurized capsule under a balloon at 120,000 feet wearing  only a spacesuit.
Felix Baumgartner and Joe Kittinger beside the capsule that will take Baumgartner into space

Jonathan Clark, the medical director for Red Bull Stratos, the team assembled to help Baumgartner reach his lofty goal, gets credit for coining a new category of risk management, describing this amazing feat "Until you do it, it's still an unknown." As he plummets 23 miles in the highest skydive ever, Baumgartner will possibly become the first person to break the sound barrier in free fall but the uncertainties are countless:

  • What happens when Baumgartner encounters the shockwaves that will occur when he breaks the speed of sound?
  • How many things have to go right for him to succeed?
  • What's the likelihood of everything going right?
  • What are the consequences of a failure in components x, y or z?
  • Instability in freefall is one of the biggest risks for normal skydiving. Only one person in history has jumped from this height and instability plagued much of his fall until he opened his drogue shute. 

The modern parachute was invented in the late 18th century by Louis-S├ębastien Lenormand in France, who made the first recorded public jump in 1783. Since then parachuting has evolved in many ways but it’s still unclear what will happen when Baumgartner steps out of his capsule. Whatever happens, it's a groundbreaking feat - in more than 50 years no one has been able to (or been courageous enough) to free-fall from higher than 102,800 feet.

Until you do it, it’s still an unknown,”