The role of the business case in risk management

Well-conceived and thoroughly researched business cases can play a pivotal role in improving the quality of organizational decision-making. The business case does not however, stand by itself as a risk management tool. It is simply part of a toolbox for analyzing and making decisions about proposed risk treatments.

Whatever risk treatment you’re considering, and whatever means you used to identify it, the business case is designed to determine and enunciate the value of that treatment. In Figure 1, we’ve used the ISO31000:2009 Risk Management Standard process to illustrate the role of the business case. Quite simply, it supports analysis, selection and implementation of risk treatments.

Figure 1: The Role of Business Cases in the context of ISO31000 Risk Management Process

At the risk of stating the obvious, lets go back to basics for a moment. Any proposed risk treatment should relate directly to a specific risk or risks. For example, if risk number one in your risk register is “Failure to deliver organizational outcomes within budget due to inadequate financial reporting” you might end up with a range of risk treatments, each of which will have different merits.  It’s worth pointing out at the moment that ‘risk’ includes both opportunities and threats (benefits and costs). Accordingly, you might also choose to rephrase the above risk in as an opportunity, such as “Increased profitability due to cost reductions resulting from improved financial reporting”.

Irrespective of how you phrase this risk, lets say that in our hypothetical example, you have identified two main treatments to address it. You’ll note from the examples in Table 1, that we’ve included a reference to which risk(s) each treatment addresses.

Table 1: Example of Risk Treatment Plan

In this hypothetical treatment plan (Table 1) each treatment has a reference to the risks it addresses. Risk Treatments number 1 and 2, primarily address risk number 1 but they also contribute to reducing the risks associated with risks 5 and 8. It’s not important what risks 5 and 8 actually are (it’s a hypothetical example remember). Risk number 8 may in fact be addressed primarily by Treatment number 4 and potentially also be improved by Treatments 1 and 11. It’s a complicated scenario but it’s worth remembering when you are defining the benefits of treatment number one, that you should consider it’s impact on risks number 5 and 8. You never know, it could be the indirect benefits of your proposed risk treatment that sways the decision makers in favor of supporting it. Add in ALL the intangible and indirect benefits. They all count.

The Evolution of Risk Management...

It is sometimes tempting to respond to a risk or an incident, with a knee-jerk response by throwing time, money and effort at a quick fix.  That’s entirely understandable, given that our risk management decision-making evolved from a fight or flight response.  As Daniel Kahneman says in his latest book, "Thinking, Fast and Slow"we have two risk management decision making processes. Our ancient limbic brain is largely unconscious and it makes rapid decisions based on memory and emotions. Our more recently developed mammalian brain (neocortex) has the capacity for detailed analysis, abstract thought and logical inquiry. Unfortunately our logical brain is easily distracted, painfully slow and hard to engage, while our Limbic brain is (in todays modern world) wrong as often as it is right.

So, as it turns out, despite millions of years of evolution, we still make the majority of our risk management decisions in the emotional center of our brains.   This was fine when we lived in small Paleolithic communities, but the complexity of the modern world means we need better approaches to decision making.  Fortunately, we do have the capacity for analysis, and with hundreds of years of research in science, finance and engineering to name but a few, we have a pool of knowledge to draw on.

Until recently, when ISO31000 Risk Management Standard defined risk as “the effect of uncertainty on objectives”, risk management focused on negative risks. In this scenario, risk was bad, and had to be avoided, mitigated or to be transferred to another party through outsourcing or purchasing insurance. This led to risks being addressed as separate compliance issues and not integrated or managed broadly across the organization. Only comparatively recently has the role of Chief Risk Officer been created with the main focus (as it needs to be) on business integration, enterprise risk management and value creation.

Effective implementation of risk management into organizations and projects is not common.  Organizations that have tried to integrate risk management into their business processes have reported differing degrees of success and some have given up the attempt without achieving the potential benefits.  Aligning risk management with standard management systems including financial systems, workplace health and safety (WHS) and human resources is a key element of success in this area.  Existing platforms such as ISO9000 Quality Management and Balanced ScoreCards also help to demonstrate alignment with the business and are a key element of the process.

Linking business management to strategic risk management means setting up the corporate "infrastructure" for risk management. The evolving risk management function is designed to enhance understanding and communication of risk issues internally, to provide clear direction and demonstrate senior management support.  To be effective, this risk management framework needs to be aligned with the organization’s overall objectives, corporate focus, strategic direction, operating practices and internal culture.  Additionally, in order to ensure risk management is a consideration in priority setting and budget allocation, it needs to be integrated within existing governance and decision-making structures at the operational and strategic levels.

Emotions Drive Risk Decisions

“Once you know what it is you want to be true, instinct is a very useful device for enabling you to know that it is.” 

Douglas Adams, The Hitchikers Guide to the Galaxy

Despite our best intentions, education, intelligence and analytical ability, there is plenty of evidence to support the assertion that we make our risk management decisions base on emotions. Hard to believe - but true. We’re not the logical beings that we might like to think we are when it comes to risk management. Studies have shown in fact that stroke victims who have damaged the part of the brain that controls emotions are often incapable of making decisions. Even when provided with obvious rational data to make a decision, they often are unable to simply settle on one option.

And yes, we are perfectly capable of analysis and logic – we just don’t use it as often as we think we do. The neo-cortex in our mammalian brain can reason and make more nuanced trade-offs about long term risks but it's also much slower than our other systems. We actually have two systems for managing risk:

• a primitive intuitive system in our Limbic brain (mostly centred in the amygdala) which deals with fight or flight type risks
• a more advanced analytic system in the neocortex which is pretty good at abstract concepts 

Our limbic system in particular, is very fast, relatively autonomous and for very good survival reasons, able to hijack our thought processes for fight or flight responses. Unfortunately it doesn’t care in the slightest about abstract concepts like cancer or climate change and given it's primacy in our decision making, it's a real challenge for our neocortex to over-ride the amygdala.

Not yet convinced? Head around to the back door of a hospital one day and have a chat with the Doctors and Nurses standing outside smoking. Ask them if they understand the long term risks of smoking… Then ask them what they are doing about it. The immediate pleasurable sensation that smoking releases is appealing directly to the limbic system which is busy self-medicating for depression. Feeling bad is a very visceral and immediate risk. Lung cancer is a very real but entirely abstract risk and you can tell which system is in control - at least for the smokers among us.

Equally, the motorcycle racer has a fair idea of the risks associated with racing, but it's fun! The limbic brain is balancing up the risks and it feels good, so the potential risks of broken bones, paraplegia or death although real, are abstract concepts that our emotional brain struggles to fully evaluate.

So what what's so important that it's worth writing a whole book about?

If you have a specific issue or question that you’d like to address, please let me know but here's a short list of thoughts that are finding their way into the book.

Let's start with the three most common errors when doing a risk assessment:

1. Inadequate risk identification.  Will the real risk please stand up! How to identify and document a risk in watertight fashion.
2. Failure to show a link between proposed treatments, the risks and organizational objectives.  Watch out for an example of a risk register which links risks to both organizational objectives and to treatments.  If you can't show these linkages, then why should your treatments get funding?
3. Failing to understand the context.  Don’t do it. If you don’t nail the context, you will never get agreement on the risks.  

Why failure to identify risks is the leading cause of inadequate risk assessments

Inevitably, we will fail to anticipate or identify many risks simply by the nature of uncertainty.  The main problem is typically a failure to explicitly state a risk in terms which allow stakeholders to accurately consider it and agree on effective treatments.  You can't just say 'Terrorism' is a risk or 'Climate Change' is a risk. Those aren't risks! They are words from a dictionary. Have a look at 'The CASE for risk identification' for a simple way to correctly describe a risk.

How to know whether or not you need a subject matter expert to help you and if so, how to select the right consultant for the job

This one is worth an entire book on it's own. The section on 'The Elusive Risk SME' will cover a ten step process that should help you find someone who has the skills you need when you need them.

How to build a watertight yet succinct risk management plan that will get funded

Ah, yes. One of the Holy Grails of risk management.  Designing a good risk management plan is one thing but as most people will agree getting it funded is a whole other step.   

How to spot the flaws or weaknesses in a risk report (yours or someone else's) in minutes

This is much easier than it looks.  Just ask these three questions:

• Do all the risk statements satisfy the four requirements of the CASE Tool? (Condition, Asset, Source, Event)
• Do all the treatment recommendations satisfy the requirements of the 4A’s? (Appropriate, Agreed, Actionable, Achievable)
• Can you easily draw a causal link back from each risk treatment to the risk that it’s treating?

That’s all there is to it. Hit those buttons and you’ll pick up 90% of the strengths or weaknesses in a risk report – and look like a guru in the process. 

How to build an all-hazards risk management framework that deals with Black Swans

Plenty of research can help you out on this.  In particular the studies that have been done into a group of organizations which continue year after year with better than average safety records despite operating in some of the most dangerous and complex arenas the world has ever seen.   ‘High Reliability Organizations’ (HRO’s) is the common term for a category of organizations such as air traffic control systems, aircraft carriers and nuclear power stations that seem to continue on and on despite dicing with calamity on a daily basis. Karl Weick and Katherine Sutcliffe have a great book on how to incorporate the lessons from HROs into your organization called 'Managing the Unexpected'.

Enterprise risk management

Enterprise Risk Management (ERM) is more than just a question of scaling up. You can’t simply aggregate all the risks for an organization into a database and say that you have ERM sorted.  What the CEO and shareholders see and what they care about at the enterprise level are often much different to risk management issues at the operational or tactical level.  If on the other hand, you implement ISO31000's Risk Management Framework, you will be 90% of the way there. Let's not over-complicate things - Enterprise risk management is just risk management with a scope that includes the entire organization.

How to introduce a continuum of risk management tools so that everybody from the cleaner to the CEO can apply appropriate risk assessment tools

Often people complain that “risk management is too complex” and usually they are right. Not because risk management is too complex but because they are trying to use a chainsaw to prune a bonsai plant.  Get the right tool for the job and you’ll be fine.  

Adapting ISO31000 to meet the needs of everyone - whether in safety, procurement, finance, security, information technology, human resources of the Board of Directors – and do it in such a way that they will buy-in to it

Read the book! OK, just kidding (sort of).  ISO31000 has been designed to be generic. It works for everyone at all levels. In fact, that’s the real power of the standard. It’s not that it’s inherently the best of all possible risk management systems – nothing could promise to do that – but when you apply it across the board it allows you to aggregate and compare risks in a consistent fashion. I was asked after a presentation in the United States recently, what I thought of risk management in the US. I replied that I thought it was great but that  there were about 432 different flavors to choose from. At the same conference two presenters had given excellent presentations on terrorism risks to US ports. One system was done by the New York Port Authority and the other was done by the US Coast Guard using Los Angeles as the first test of the model.  They were both excellent. Sadly they were so different that it was impossible to tell which port was more at risk and hence which one needed the funding most of all. 

ISO31000 is my pick because it supports an apples for apples comparison.

Managing personal career risk – why do our leaders make such (seemingly) misguided decisions?

Why do our bosses and politicians allocate resources to some items and not others that seem to be blindingly obviously of more concern?  This question has intrigued me for years, and I think I’ve come to some sort of understanding on the contradictory nature of some of these complex questions.  The answer is – as you’d expect – not so simple.  But it’s not that complicated either - but it's the 'elephant in the room' when it comes to modern risk management.

Advanced Risk Modelling

How to crunch the numbers and come up with some reliable risk management using stats, Monte Carlo modeling and more - without having to do a PhD in statistics or spreadsheets. And yes, there are some relatively easy ways to get reliable data.  It all starts when you change the mindset from a statement of "we don't have enough data to model that" to "what data do we actually need, what do we already have and what can we inexpensively source?"

Risk Management Performance Benchmarking: Performance Benchmarking and Attribution Bias

Risk Management Performance Benchmarking: Performance Benchmarking and Attribution Bias 


One of the challenges for measuring the effectiveness of risk management (or any type of management system for that matter) is a little glitch in human perception known as attribution bias.   Attribution bias is simply our tendency to invent explanations and to attribute things to a particular cause (whether real or imagined).  These attributions serve to help us understand the world and give us reasons for a particular event.

For example, let’s say that Bill gets sacked from his job. He will attribute his sacking to... 

Likelihood versus consequence management...

It often seems that as a species (and indeed as a society) that we spend most of our efforts on managing risks after they occur, rather than preventing them from happening. .  The difference between the two approaches can be described as consequence management versus likelihood management, and is illustrated in the figure below.

Likelihood Management versus Hazard Management

This principle seems to apply whether we're talking positive or negative risk management.  For an example of consequence management of positive risks, we've probably all come across the salesperson or manager who likes to take credit when things are going well and will often put more effort into promoting this fact than they did into achieving that success. In theory, we'd all be much better off putting our efforts into increasing the likelihood of a positive business outcome, but there can be rewards for people who do little or nothing, at least until after success becomes assured. People often don't even really know the cause of their success but they do know that by trumpeting it loudly, they increase their chances of a bonus or promotion. This certainly isn't true of everyone by any means but it's a common enough trait across our collective humankind.

When to Use Consequence Management
The tendency towards managing consequences after a risk has manifested isn't necessarily a bad thing and indeed, sometimes it's entirely appropriate. If your job involves emergency management or disaster relief then ‘consequence management’ is absolutely the right area to be focused on. Natural disasters such as earthquakes are typical of risks where consequence management is more important than likelihood management. I'm not suggesting by any means, that we do away with likelihood management, but rather that we understand the role that these two elements have in any risk management strategy. With bushfire management for example, it's important to reduce likelihood by managing fuel loads, fire bans, bushfire alerts, reducing housing pressures in bushland etc, but ultimately bushfires will occur no matter what we do. Indeed the ecosystem needs them to occur in order to stay in balance. Hence, the focus has to be on resources, training and leadership to reduce the consequence of inevitable fires. For most of us however, an ounce of prevention is worth a ton of cure and this is the area of ‘likelihood management’.

The Symbiosis of Likelihood and Consequence Management
A good illustration of the relationship between likelihood and consequence management is the link between security (likelihood management) and emergency response (consequence management).  Post 9/11 when we were looking at protecting a major hydrocarbon facility from terrorist attack, we quickly came to the conclusion that we were well into consequence management territory. Security could do a lot of useful things to reduce the risk of an attack but ultimately we couldn't stop a determined adversary. At least, not without a ridiculous amount of resources and some military assistance - certainly way beyond our ability to provide cost effectively. We decided instead, to focus most or our resources on consequence management including the following steps:

• Upgrade the muster system to get people more quickly to blast resistant emergency shelters
• Establish reciprocal arrangements with other hydrocarbon facilities to swap cargoes so that our customers would receive continuity of supply
• Upgrade our terrorism insurance policies

Getting the Balance Right
By way of an example with mixed results, let’s take a look at allopathic (modern western) medicine. We've achieved great advances with trauma medicine and diseases such as typhoid, malaria and bacterial infection. The track record with illness and disease however is somewhat variable and recent years seem to have seen an increasingly heavy reliance on consequence management. As you can see from an earlier blog entry, cancer and heart disease (both highly preventable) are two of the leading killers in the United States and, I think we can safely say, most of the developed world. Take diabetes as another example of an incredibly preventable disease, which still has an enormous reliance on drug related consequence management therapies.

Different Strategies for the Same Risk
Even where we have that have achieved great success in likelihood management, that success is often confined to the developed world. In remote parts of Africa, such as the location where I sit while writing this paragraph, 'preventable' diseases are still killing people on a daily basis. According to the World Health Organization's 2010 World Malaria Report, malaria alone still kills 781,000 people every year with 99% of those in sub-Saharan Africa.

In developed nations, malaria risk management is all about likelihood management. In Africa it's primarily on the right hand side of the bow-tie - very much into the realm of consequence management. According to WHO, there are 225 million cases of malaria each year, most of which are treated successfully with medications after the event (ie. consequence management).  By contrast, malaria was also once rife in America and Europe.   It was so pervasive in Rome that it is even suspected of contributing to the decline of the Roman Empire. Even the word 'malaria' originates from Medieval Italian "mala aria" or "bad air" due due to its association with marshland. Simple steps such as adding screens to windows, avoiding mosquitos, draining open bodies of water and selective spraying of mosquito habitat have all but eliminated malaria from most of the world. This is 'likelihood management' working at it's best.

By contrast, likelihood management isn't working extraordinarily well with malaria in sub-Saharan Africa. To be fair, it is achieving some success and the main reasons why malaria is still rampant have more to do with much broader cultural, political and economic issues - all of which are way beyond the scope of this short article. It does go to show however, that consequence management can still work reasonably when likelihood management hasn't been enough.

Which One Is More Important?
Neither is more important than the other. Likelihood management can stake a legitimate claim to supremacy - after all, prevention is better than cure. It's a tenuous claim however and the reason is self-evident when you think about it. 'Likelihood Management' is really only about tilting the odds in our favor  Almost by definition, there are no guarantees of any given outcome. It's at this point then, that Consequence Management can pipe up and say "you'll always need me, therefore I am more important!". When we look at it more closely however, Consequence Management is always going to have a certain stigma. No matter how good we are at it, there will always be an element of 'we got here by luck' (in the case of positive outcomes) or a sense of failure and loss (in the case of negative outcomes).

It's interesting then to look at what drives our decisions in terms of which strategy to pursue and when. I suspect, it depends a lot on our own predilections, experience and capabilities. If the only tool in our toolbox is a hammer, after a while everything starts to look like a nail - or at least something which will respond to a spot of 'percussive maintenance'. The other critical element which steers our decision making however, is incentives. Think very carefully about how you incentivize your employees. Incentives drive behavior, and I've met executives who openly admit that the main risk they manage is their 'personal career risk' (ie. bonuses and promotions).

Equally, at the industry level, you'll find incentives-driven behavior. When we look at an industry such as the healthcare industry, it's easy to see an increasing focus on insurance, vertical integration and development of drugs that can be patented coming from the allopathic sector.  There aren't many patents that you can take out on a healthy diet, exercise or prevention of disease - and as a result, not as much research or marketing resources going into such things. Pharmaceutical companies focus on consequence management such as patentable drugs, because that is where they make their profit. Once you have a disease, they know that we'll pay almost anything for the cure. In the world of likelihood management, there is less money to be made but there are still plenty of profitable businesses among nutritionists, vitamin companies and gym owners.

In summary however, we can say that even in the most obvious of cases - the pursuit of good health - it's one thing to know that we should all eat healthy diets and exercise, but that simply isn't the way humans are programmed. Likelihood and consequence management both have their place in the real world - the trick is to know which one you're doing and why you chose that approach at any given time.

First Global Survey of ISO 31000 Gets Underway

The closing date for the first global survey of ISO 31000–Risk Management Principle and Guidelines has been extended to 30 November 2011 and I would STRONGLY encourage every risk management professional to take advantage of this opportunity to comment on ISO31000. NB: If you are reading this after 30NOV11, you can still join the ongoing discussion at the ISO 31000 LinkedIn group.


Why you should participate
ISO31000 has it's critics as well as it's champions. You may not agree with even ISO31000. The definition of Risk as "the effect of uncertainty on objectives" is for example still disputed, but the fact remains that it is one of the best selling management standards in the world.

Even if (maybe especially if) you don't like or agree with the Standard, this is your chance to have some input. Members of more than 70 risk management associations around the world have been invited to participate in the study which is being run through an initiative by the LinkedIn discussion group on ISO 31000. Even if you don't use ISO31000 in your organization, it's worth completing the survey just to let us know a) what you think about it and b) why your organization doesn't use it.

It takes less than 5 MINUTES to complete and it is TOTALLY CONFIDENTIAL The data collected will be represented in aggregate form without naming in particular a risk management association, LinkedIn group or entity. No individual name or company name is asked.


What the survey is about
The aim of the survey is to gauge how ISO 31000 is perceived by risk practitioners across all sectors and to provide input for the preparation of the ISO 31004 guide, (due out in 2013).

The survey has been organized by Alex Dali, moderator of the LinkedIn ISO 31000 Risk Management Standard Group with the help of a group of volunteers and Alex sums it up well when he says: "This is the first time the global risk management community active across all fields, sectors, industries and services is being invited to participate in an international survey on ISO 31000. It is a great opportunity to share your thoughts and concerns about the ISO standard on risk management".

The survey will run from 17th of October until the 31st of October 2011. You will be encouraged to participate through your National Standardisation Body, risk management association or the ISO 31000 LinkedIn group.


What is ISO31000:2009 Risk Management Standard
Issued in November 2009, ISO 31000 provides principles and generic guidelines on risk management. It can be used by any public, private or community enterprise, association, group or individual and is not specific to any industry or sector.

This is your opportunity to comment on what is one of the most significant, and best selling international standard so please take the time to provide your input via the survey: www.iso31000survey.com.  Feel free to share this link to any interested contacts, groups, associations or interested entities.

As High or Low As Reasonably Practicable (AHLARP)

We've been debating lately, how well the ALARP concept withstands scrutiny under the ISO31000 definition of risk? The answer - not very well.   In a previous blog, we looked at the traditional view of mitigating risk to be as low as reasonably practicable which is fine when we look at negative risk. Unfortunately for ALARP, the ISO 31000 definition - the effect of uncertainty on objectives - includes both positive and negative risk.  In the case of positive outcomes, we want to manage them to be as HIGH as reasonably practicable.

We decided that it was time to upgrade ALARP to AHLARP (As High/Low as Reasonably Practicable) and being visual thinkers, decided that it was time for a new model.  Along the way, we came up with new acronyms, including RTP. RTP stands for 'Risk Tipping Point' and builds on Malcolm Gladwells concept of a tipping point. It's the point where positive risk starts to outweigh negative risk.

Whether we talk about IT projects, business activities or saving an endangered species, it is fair to say that without some input of resources/effort, the initiative is more likely to fail than to succeed. Putting this into ISO31000 speak, we would say that 'objectives are unlikely to be met'. Simply putting resources into something is of course, no guarantee that it will succeed, but it's fair to say that (assuming some level of planning and quality) the more resources we put in, the lower the negative risk and the higher the positive risk.

Figure 1: AHLARP Model

Using a notional example in Figure 1 above, you can see that it doesn't take a huge amount of resources to reach the risk tipping point. A few more resources and you've hopefully managed negative risk down to the point where additional resources aren't making a huge difference to reducing hazards. Positive risk should in theory continue to increase up to the point where it (green line) starts to flatten out and increasing resources (blue line) don't have much impact.

AHLARP becomes the conceptual area where our risk strategies are achieving the optimal range of benefits for a given range of resource inputs. This infers what we already know from experience, that there is no single perfect point for risk/reward optimization, but rather a range where we are trying to balance resource (cost) with positive risk (potential benefit) and negative risk (potential loss).

Accepting that there is rarely if ever, a single point where likelihood and consequence form a point value (eg: "this risk as a 57.6% likelihood of generating $123,000 benefit") we can look at illustrating risk across a spread of outcomes. Figure 2 below, illustrates the likely spread of outcomes if we apply insufficient resources (or quality) to manage a risk.

Figure 2: Inadequate resources increase the likelihood of negative consequences

Figure 3 by comparison, looks at what we seek to do with risk management. If we had to sum up risk management in a single picture, this would be a worthy contender. What we try to do is quite simply, to push the spread of likely outcomes towards the positive. A statistician might say that we're applying resources to left-skew the possible range of outcomes. ISO31000 might say that we're attempting to reduce the 'effect of uncertainty on objectives'.

Figure 3: Applying management resources to shift risk outcomes towards the positive

Judging just how much investment is appropriate to achieve AHLARP, is of course no simple feat. Too little is, well... too little and likely to be a waste of money/time/effort with little impact on outcomes. By contrast, applying an excess of resources is just wasteful and leaves inadequate resources for other projects.  Figure 4 illustrates this idea as a general concept but sadly doesn't give us the magic formula (hey, if it was easy, there'd be no need for risk management, and few if any Enrons, HIH, Exxon Valdes, etc).

Figure 4: Range of 'prudent' investment

Determining what is 'prudent' or 'appropriate' requires significant analysis, well beyond the scope of any single book or blog entry.  That being said, there are some general principles that can be applied. It's tempting to say that 'the more risky a venture is, the more resources should be applied' but that simply isn't the case. Some ventures have significant upside risk, with little downside risk. Running a stationery manufacturer or bookshop will probably work out well without a huge need to manage downside risk. Sure, you probably won't create the next Amazon but you're likely to make a good living and steady income. A hydrocarbon plant by comparison, can turn out to be brilliantly profitable or catastrophically bad - and it can turn around from one to the other in a matter for days, weeks or months.

Figure 5: 'Prudent' is context driven

Figure 5 illustrates the different nature of investment depending on your context. 'Prudent' investment for a gas plant is likely to involve a significantly larger amount of resources and cash than making prudent investments for a bicycle manufacturer or a stationary supplier. Even if the businesses have the same turnover and relative size,  one is simply more volatile than the other. Which leads us to the concluding point.

The more volatile a risk is, the more resources need to be applied. If the green and red lines in Figure 1 have a lot of potential ranges, it's going to be expensive to stay consistently within the AHLARP zone.

How to deal with complexity...

It's a question of context. We live in a complex world - so much so, that we could describe it as a world of complexity in a universe of uncertainty. But is this a good thing?  If more uncertainty = more risk, then more uncertainty is a good thing for an optimist but a bad thing for a pessimist. What does it mean for a risk manager though?   If you ask 100 people how to assess 'quality' of life, you're likely to get more than a hundred answers. Personally though, I measure the quality of my life by how many options I have. For me, it's all about choices. Increasing my range of options is the reason that I did the Master of Risk Management. If I’d just wanted the knowledge, I could have studied any number of texts (I do anyway) but having the paper that proclaims me as a ‘Master of Risk’ bestows upon me an increasing number of options -  not least of all the ability to legitimately work in any profession, industry or continent.

Everyone has their own value system but the pursuit of ever increasing options is what drives a lot of my decision in life. It does have it's downside though - along with increasing my options comes an increase in uncertainty (after all, I have to make more decisions), ambiguity and complexity. What prompts me to reflect on this today is that I've just received my monthly edition of 'Market Talk' from my friendly Swiss banker, Philip and this month is all about 'complexity'. It’s appropriate that I reflect on that topic while consulting in Africa at a remote camp on the edge of the Rift Valley.  While I sit here with my offshore bank accounts, mortgages, spreadsheets and blogs, the local villagers are at the other end of the complexity scale. It's a scenic place but we're deep in grass-hut, subsistence farming territory. Although we have satellite internet at camp, we're a days drive from the nearest petrol station and four hours walk from the nearest hill with phone reception.. Most of the locals are pretty happy with their lot, but I sometimes see them looking at us mzungus in a way that clearly says “gee, I wish I had all their choices/vehicles/money/toys/etc".  In truth, or at least in all likelihood, most of them couldn't cope with the complexities and ambiguities that come with such things.

Driving around in a Landcruiser looks like an easy and pleasant way to get around compared to walking (and it is) but there is an invisible complexity to the tip of that 4WD iceberg. Keeping those Landcruisers running, managing a million dollar budget, bringing food and spare parts down a 1,500 km supply line, let alone all that goes into geological exploration in Africa, are below the surface of that dusty and dented Landcruiser/iceberg. Go a little further down the rabbit hole and you find a sea of complexities. Investors, stock markets, recruitment of skilled professionals, timetables and deadlines, mortgages and leases, credit cards, exams, job applications, budgets, drivers licenses and and much, much more comprise the minutiae of life that most blog readers will be familiar with.

That’s the downside of choices. If you have only one option when it comes to job, house, education, healthcare, etc then you don’t need to consider trade-offs, or make any significant decisions. Most of the locals out here don’t have to make many decisions and I can understand the appeal of that. Every so often, I like to take a complete break and just sit on a beach for two weeks. When the biggest decision of the day is picking what to eat, it's a wonderfully relaxing lifestyle - for a short while. I couldn't live like that long term, but many people do so happily. The locals here know when the wet season comes, they know how to build a hut, plant a maize crop, what to eat for breakfast (maize porridge - the same as they had for every preceding breakfast of their lives). And for the most part, it seems that they are pretty happy with that state of affairs.  Personally... I’ll take the choices, accept the complexity, make the decisions and seek to have ever more options available to choose from.

But the blog isn't just about the 'benefits of complexity' - it's called "How to deal with complexity...'

When it comes to complexity, my approach is simple. I embrace it - and surf the wave. But this book after all, is about the 'how to' of risk management (ISO 31000 style).  There are many perspectives we can use for understanding our world a little better, but when it comes to what ISO31000 would describe as 'establishing the context' I find the VUCA model a pleasantly KISS (Keep it short & simple) approach.

VUCA is an acronym used to describe, or at least reflect on and discuss, the volatility, uncertainty, complexity and ambiguity of general conditions and situations. The term VUCA came into use in the late 1990s in the military and has been subsequently adopted in strategic leadership. One way to phrase the questions would be:

• Volatility. How volatile is our current situation? What are the nature and dynamics of change, and the change catalysts that effect our organization?  What is the nature and speed of  those change forces? Last but perhaps most important is: what aspect or element of our situation is the most volatile (ie. 
• Uncertainty. How much predictability do we have and in particular which areas of our business have the least levels of certainty? What issues around lack of predictability, the prospects for surprise, and the sense of awareness and understanding of issues and events should we be concerned about?
• Complexity. How complex is our context, our business model and the environment we operate in? What are the multiplex of forces, the confounding of issues and the chaos and confusion that surround our organization?
• Ambiguity. What level of ambiguity are we facing now or in the future? In what areas are we facing them and how are they likely to effect us?  Specifically, what are the key issues around any haziness of reality, potential for misreads, or mixed meanings of conditions and cause-and-effect confusion?

Out of all these questions, the last but perhaps most important to return to is the question of Volatility. In particular, what aspect of our situation is the most volatile? This question can take some time to answer as it’s often not going to be the most obvious. A security risk assessment that I did for a large oil project turned up all the usual risks (terrorism, war, disgruntled employees, fraud, hacking, etc) as you'd expect. None of these were particularly volatile however, as we could identify indicators which could offer months or even years of advance notice.  The only risk that could realistically change overnight was environmental activism, and the main trigger for it wasn’t even a security risk. The plant had a great operating record, but experience from other similar facilities, indicated that within 24 hours of an oil spill, we were likely to have busloads of protestors at the gate, blocking traffic and creating chaos. And at the risk of stating the obvious, the easiest (but neither not the smartest, nor safest) way to shut down a hydrocarbon facility is to organise protestors to climb the fence and drape banners over the processing equipment. It’s just too dangerous to have people in a hydrocarbon facility who haven’t done the safety induction. Even the spark from a mobile phone can have catastrophic consequences and once people get into the operations area, an emergency shutdown can cost millions of dollars. Identifying this as the most volatile security risk resulted in changing a host of procedures and systems. Nothing we did as a result of this was particularly costly, and there was already a major focus on spill preventions but on the security side for example, we:

• prepared a safety training program and leaflets for environmental protestors 
• reviewed security procedures to automatically trigger additional staff in the event of an environmental incident
• updated our liaison program to reach out to the leaders of more environmental groups to ensure that we had pre-existing lines of communication

Dealing with complexity is all about understanding the range of interactions and interconnectedness of seemingly unrelated things.  Looking at complexity through the VUCA lens helps us to understand the context in which organizations (or people) operate and in particular their current and future state. Used as discussion or analysis questions, they provide not only a better understanding of the current environment, but can offer insights into to how people view the conditions under which they make decisions, plan forward, manage risks, foster change and solve problems. In particular, it can help you to:

• Anticipate the issues that shape conditions
• Understand the consequences of issues and actions
• Appreciate the interdependence of variables
• Prepare for alternative realities and challenges
• Interpret and address relevant opportunities

You could if you so chose, take these four simple questions and evolve a semi-quantitative scale to suit your particular situation.  This might help you for example, to compare the merits and uncertainties of various projects. It could be equally useful for comparing the various elements of your financial or resources portfolios and that in itself would be valuable. Overall though, the discussion that leads to those rankings is likely to be the most useful part of the process.

As Dwight D. Eisenhower said, "Plans are worthless but planning is everything."  Similarly, our limited understanding of the world is unlikely to outlast first contact with reality - but making the attempt to understand the complexities of life, gives us the best chance of achieving objectives.

An example of a Risk Management Procedure

In case you haven't gathered, I'm a fan of straightforward documents. This is especially true of when you want people to take action. Fifty page procedures rarely get followed - or even read. The following however, is an example of a risk management procedure which addresses six main areas:

• Scope
• Purpose
• Reference
• Definitions
• Responsibilities
• Procedure
• Documentation

=========================


RISK MANAGEMENT PROCEDURE

SCOPE
This procedure provides information for all personnel who are responsible for risk management.

PURPOSE
The objectives of this risk-based system of internal control are to assist JBS in achieving its strategic objectives for the benefit of the community by:

• protecting our people, the community, and commonwealth assets (financial, property, and information)
• facilitating optimal use of resources and provide a system for setting priorities when there are competing demands on limited resources
• assisting us to realise opportunities 
• providing stakeholders and the Australian Community with grounds for confidence in the Organization
• supporting innovative decision making through recognition of threats and opportunities
• improving service delivery, reporting systems, outcomes and accountability

REFERENCE

• ISO31000:2009 Risk Management Standard
• Risk Management Policy
• Strategic (Enterprise) Risk Management Guideline
• Program (Divisional) Risk Management Guideline
• Project Risk Management Guideline
• Operational Risk Management Guideline
• JBS Risk Monitoring and Reporting Manual
• Risk Management Team Intranet Site

DEFINITIONS
Barrier
An existing control. includes systems and procedures already in place to mitigate risks.

Consequence
Collective sum of all impacts to the capabilities of an organization(s) including long term and indirect effects such as combined health, economic, and psychological impacts.

Environment
Conditions or influences comprising built, physical and social elements, which surround or interact with stakeholders and communities.

Escalation Factors
Conditions that lead to increased risk due to improvement or diminution of barriers or controls, Eg. Maintenance, foreign currency conditions, failure to audit or inspection treatments or controls.

Hazard
Something which has the potential to adversely impact (ie. cause harm) to an asset if not controlled or if deliberately released or applied. Eg. explosives, bio-hazards, flammable liquids, firearms, trojan, virus et cetera.

Likelihood
The qualitative of semi-quantitative assessment or estimation of whether an event will occur, Used as a qualitative description of probability and frequency.

Impact
The immediate downstream result of a risk manifesting. Multiple direct or indirect impacts, when aggregated, form the collective consequence(s) of the risk event.

Risk
The effect of uncertainty on objectives.

Risk level
The relative measure of risk as defined by the combination of likelihood and consequence.

Risk Management 
The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects. The coordinated activities to direct and control an organization with regard to risk.

Risk Treatment
Measures that modify the characteristics of organizations, sources of risks, communities and environments to reduce risk,

Source (of Risk)
A real or perceived event, situation or condition with a real or perceived potential to cause harm or loss to stakeholders, communities or environment.

Threat
An indication of something impending that could attack the system. includes strategic threats such as a regional conflict or tactical threats such as impending physical attack. threats are usually measured in terms of intent and capability. the term includes known (stated or assessed intention or determination to inflict pain, loss or punishment on someone or something) or unknown (undeclared, hidden or potential) threats. Malicious threats such as system hacks, data destruction, data modification, theft of iP, bomb threats, sabotage, fraud, can be categorized within a range going from rational (obtaining something of value) to irrational (attack against of assets without benefit).

Treatment
Controls that are proposed (i.e. not yet existing) to reduce or mitigate the likelihood or consequence of an event occurring, that is to reduce the residual risk.

Vulnerability
The susceptibility of stakeholders, communities and environment to consequences of events.


RESPONSIBILITIES
Risk management is a core management requirement and integral part of day-to-day operations. As individuals we all play our part in managing risk and staff at all levels are responsible for understanding and implementing JBS risk management principles and practices in their work areas.

Division Heads, Line Managers, and Team Leaders are responsible for applying agreed risk management policy and strategies in their area of responsibility and are expected to:

• Ensure that risk management is fully integrated with corporate planning processes and considered in the normal course of activities at all levels 
• Identify and evaluate the significant risks that may influence the achievement of business objectives
• Assign accountability for managing risks within agreed boundaries
• Ensure that a risk based approach is communicated to our people and embedded in business processes
• Comply with JBS and Government standards which relate to particular types of risk
• Define acceptable levels for risk taking and apply fit for purpose mitigation measures where necessary
• Design, resource, operate, and monitor internal risk management systems
• Monitor the effectiveness of the system of risk management and internal control 
• Report identified weaknesses or incidents to executive management in timely fashion
• Provide quarterly risk management and treatment progress reports to executive management

The Chief Risk Officer is responsible for the development, coordination, and promulgation of the JBS Risk Management Framework including monitoring and reporting systems capable of identifying and reporting new and evolving risks.  The Branch will coordinate training and assistance regarding implementation of the risk management framework, and ensure adequate information is available to all staff.
The CEO is responsible for managing risk across the organization.

PROCEDURE
ISO31000 was developed with the objectives of providing a generic framework for identification, analysis, assessment, treatment and monitoring of risk.  The JBS Risk Management process follows the ISO31000 methodology (illustrated below).

Figure 1: ISO 31000 Risk Management Process

The process of managing risk at JBS involves:

• establishing the context associated with the program goals and activities;
• identifying the risks (including identifying the likelihood and consequences associated with each risk);
• analyzing the risks;
• assessing and prioritizing the risks;
• treating the risks (including a cost/benefit analysis of the treatment options); and
• continually monitoring and reviewing the risks and treatments

This is illustrated below in Figure 2 where responsibilities for each step are shown by the lines entering and leaving the respective element of the process flow.

 Figure 2: Risk Management Process Flow at JBS


This procedure should be read and applied in conjunction with the relevant JBS Risk Management Guideline and tailored accordingly to the appropriate level of area/activity being managed. These Guidelines and tools have been developed for the following organizational levels:

• Strategic (Enterprise) Risk Management Guideline
• Program Risk Management Guideline
• Project Risk Management Guideline
• Operational Risk Management Guideline

Establish the context.
Define the stakeholders and review the levels of acceptable risk using tools such as consultative groups, and develop risk evaluation criteria. Successful RM requires the effective engagement of stakeholders and subject matter experts.  Effective engagement enables the strategic management of uncertainty and develops resilience amongst those involved.  RM goes far beyond being a technical or political process - it is also a communications process.

Identify risks.
Identify and describe the sources of risk, stakeholders, communities and environments.  Scope the vulnerabilities and describe the risks.  There may be great diversity of opinion on the actual risks and their various sources, given different perceptions, knowledge and experience.

Analyze risks.
Analyze the risk associated with the problem by determining the likelihood and consequence of the identified risks.

Evaluate risks.
Compare risks against risk evaluation criteria, prioritize the risks and decide on risk acceptability.
Treat risks.
Identify and evaluate the treatments. Respond to the level of risk by deciding which source of risk, stakeholders, communities or environment can be addressed, either by increasing resilience or robustness, to reduce risk. Model changes to obtain the new level of risk. Select treatments, plan and implement.

Communication and consultation.
Where stakeholders and communities contribute to the decision making process there is a much larger pool of information and expertise to enable appropriate solutions to be developed. For catastrophic events communication and consultation is considered extremely important. Communication and consultation develop resilience amongst stakeholders and communities and will be invaluable in terms of regaining control of business activities.

Monitor and review.
Systems that monitor and review risk, and its management, must be established and maintained. Latent and residual risk are ever-present.  RM must be on going to ensure that change and uncertainty can be accommodated.

DOCUMENTATION
Each stage of the risk management process should be appropriately documented to retain knowledge and satisfy audit requirements. Documentation should include objectives, information sources, assumptions, methods, decisions, and results.
Individual projects and groups maintain Risk Registers, and enterprise risks are escalated to a Strategic Risk Database (SRDB).

Decisions concerning the extent of documentation may involve costs and benefits and should take into account the factors listed in Clause 5.2. At each stage of the process, documentation should include:
a) objectives;
b) information sources;
c) assumptions; and
d) decisions.
The Appendices include examples of a risk register and treatment plan, however more detailed templates are also available from the Risk and Security Intranet site.

=======================
The above procedure and process flow examples work equally well for all types of procedures. If you'd like to download templates in MS Office format, you can find them at my download page: http://www.juliantalbot.com/Downloads.htm

Different views for this blog...

Blogger recently started offering some different ways to view and read the articles created here so I thought I might share them with you.

They all have some merit depending on your reading style but my favorite is snapshot view. See what you think:

• http://31000risk.blogspot.com/view/snapshot (my favourite) 
• http://31000risk.blogspot.com/view/sidebar is pretty handy for quickly skimming the blog titles
• http://31000risk.blogspot.com/view/timeslide is a quick way to get a feel for the articles and graphics overall
• http://31000risk.blogspot.com/view/flipcard is OK but (in my opinion) not very helpfulk
• http://31000risk.blogspot.com/view/mosaic is er, a bit of a mish-mash

Hands up if you love Swiss Cheese

I love Swiss cheese. And I’m not talking about the dairy comestible. In my view, there are better cheeses out there – but few better risk management concepts. Swiss-cheese theory is a beautifully elegant way of illustrating the idea that before any risk can manifest, multiple barriers must be breached. This applies both to negative and positive risks although, in the case of opportunities, one might like to rephrase it that multiple enablers must all line up.

Rather than just talk about it though, the easiest way to explain Swiss-cheese theory is with a picture.

Figure 1: Swiss Cheese Example

By way of example, the 2009 bushfires in Victoria, Australia, which claimed 173 lives and injured 414 people, were a classic Swiss cheese scenario that had been building for many years.  To highlight but a few pre-conditions to these sad statistics:

• The Australian population had been moving increasingly to rural areas in search of lifestyle benefits for at least a decade. 
• Building codes which allowed people to move into high risk bushfire areas, didn’t (at the time) require a ‘bushfire attack assessment’ and were based on fire temperatures of 730 degrees Celsius although bushfires can peak at approximately 1,330 degrees.
• Victoria had experienced a decade of drought conditions. Combined with forest management practices, which focused on environmental habitat protection at the expense of controlled burns to reduce fuel loads, created ideal pre-conditions for fire. 
• Unique weather conditions in February 2009 condition for the loss of life.   The Forest Fire Danger Index (FFDI) based on rainfall, evaporation, wind speed, temperature and humidity  considers a rating between 12 and 25 as a "high" degree of danger. Any day having a danger rating of over 50 is considered an "Extreme" fire danger day. The FFDI on Black Saturday, 7th of February, 2009, reached 180, the worst fire conditions ever recorded.

Changes to any one of the above factors wouldn’t necessarily have stopped the fires, but could without question have significantly reduced the death toll.  Of course, there are many more factors and the above illustration is simplistic in the extreme but like 'Black Swans' they were immediately apparent in the post-event coronial inquiries.

The Basic Idea Behind Swiss Cheese


The Swiss-cheese model was initially developed by James Reason to illustrate how analysis of major accidents and catastrophes tended to reveal multiple, smaller failures that allowed a hazard to manifest as a risk.   Although looking primarily at safety risks, his research also indicated that human error was consistently the largest contributor to risk management failures.  It is reasonable to say that human competence or accuracy is equally behind the vast majority of successes.

In Reason’s model, each slice of cheese represents a barrier, any one of which is sufficient to prevent a hazard turning into consequences.  Swiss-cheese theory works on the assumption that no single barrier is foolproof.  They all have failings or ‘holes’ and when the holes are allowed to align, a risk event can manifest as negative consequences.  The interdependent nature and benefits of redundant layers of mitigations associated with the protection-in-depth principle is illustrated by the Swiss-cheese.

In my experience with risk management and incident investigation, I have yet to see a serious incident which didn’t require half a dozen or more pre-conditions to all align. Some of these were pre-event and some post event but in every case, any one of a number of barriers could, if it had been effective, have either reduced the magnitude of consequences, or in many cases, have completely prevented the incident.

It doesn’t take a big leap of faith to understand that opportunity realization works in similar ways. For a major project to succeed, any number of steps and pre-conditions have to line up. Remove funding, planning, competent staff, executive management support and invariably, you will see an adverse impact on the project outcomes.

Swiss cheese theory may look like a simple illustrative tool but it has profound implications for the way that we manage risk. In terms of preventing losses, it's linked to the fundamental idea of protection-in-depth. What this means for us as risk managers, is that when we build risk mitigation plans, the multiple layers of treatments need to integrate and support each other. It’s a near certainty that on a long enough timeline, every risk treatment will fail or leave vulnerabilities.  The trick is to make sure that they don't all fail concurrently.

Equally, every opportunity realization project needs to have mutually supporting enablers that build on each other, assuming (not unreasonably) that at some point each will require the support of another project element.  Swiss cheese… the best thing since sliced bread!

It's not just about the numbers...

The previous article (It's a question of values) discussed how to tell if risk management is supporting organizational objectives.  In the ideal world, it's not a difficult thing to do: metrics such as payback period, Net Present Value (NPV) and Return on Investment (ROI) give an easy cost/benefit calculation. At the very least, you can usually tell if you achieved some tangible benefit. In practice it's not so easy and that's what this article is about.  (By the way, if you're very short of time, the key points are summed up in Table 1 below, but if you're like most of us and only moderately short of time, it's probably worth reading the full article.)

The So-called ‘Soft’ Benefits
Unlike most business investments, risk management is often seen as delivering a 'soft' benefit. By this, I mean that the benefit is sometimes difficult to measure directly. Typically, there is likely to be a benefit, but it is unclear whether the predicted savings will be realized in the bottom-line or otherwise quantified.  Risks are by their nature, abstract concepts - things that may or may not occur, and hence any proposed risk treatments have abstract benefits. Even if you do implement a risk treatment:

1. The risk may not realized and the predicted consequences never occur, 
2. The risk occurs but the scope and damage are less than predicted. 

This issue of soft vs. hard benefits doesn't invalidate the risk management business case, but it does make it rather unusual. While most business cases include both hard and soft benefits, many of the important benefits with risk management have in the past been ill-defined or unstated.

Making Intangible Benefits 'Tangible'

There is no such thing as ‘perfect risk management’. All risk management involves making trade-offs, some of those stated, but many unstated.  More often than not, it's these unstated or seemingly 'intangible' elements that will make or break the case for risk management.  We will often also have to make decisions and trade-offs regarding perceived versus actual risks.  Sometimes managing the actual risk will also mitigate the perceived risks and vice versa.  Sometimes not.

Sometimes it may appear that the perceived risks are more important than the actual risk, and other times vice versa.  There are many reasons, why we might choose to focus more on managing perceived risks.  For example, removing nail clippers from airline passengers may have little to do with managing the actual risk of hijack but it is part of the process that visibly demonstrates that something is being done.  In fact, the risk of hijack is usually perceived by the travelling public, to be much higher than it actually is. The greater risk associated with airline hijackings, is therefore not one of hijack but the risk that people lose confidence in aviation safety, with the resulting economic costs and the increased road fatalities.  

Similarly, it will often be appropriate to put in place measures such as tamper proof packaging on food and drugs even though it is still entirely possible to contaminate the goods inside.  Such measures in practice will only deter the lazy or ignorant would-be poisoner, but they do reassure the consumer to continue purchasing the product.

Of course, these issues of perceived versus actual risk are largely subjective and will vary depending on individual risk criteria and level of understanding. Many risk management projects have more benefits to an organization than the ones that are cited, but some of these benefits may be difficult to quantify in absolute terms. A significant driver in the decision-making process is likely to be personal or organizational agendas, which will involve greater or lesser good to various parties.

Don't lose heart however. I'm about to give you a bundle of ideas regarding how you can identify seemingly intangible risks and illustrate the value they add.

Some Practical Tips on How to Measure the Immeasurable

Firstly, it's worth going out on a limb by saying that intangible benefits are something of a misnomer. All benefits are quantifiable - if we think laterally.  Intangible benefits in this context, represent benefits that are difficult, or impossible, to accurately predict and measure in financial terms. Often, however, these intangible benefits can be quantified into Key Performance Indicators such as percentage market share, or industry ranking. Some simple examples of intangible benefits to be considered when evaluating and measuring the performance of a risk management project include:

• Brand Advantage - reinforcing, advancing or changing an organization's reputation as a safe and/or well managed place to work
• Strategic Advantage - working towards or meeting overall corporate objectives
• Competitive Advantage – getting into markets ahead of competitors faster and less expensively, better addressing customer needs, meeting changing market demand, scaling easily and more cost effectively, and gaining market share
• Intellectual Capital - increase in relevant knowledge gained by risk management and other staff, and the perceived market value from those gains
• Organizational Advantage - enabling an organization to function more effectively, or reinforcing or recreating a corporate culture 
• Risk Avoidance - the risk of NOT implementing a solution

Table 1: Metrics for Measuring Intangible Benefits

Every company or organization has objectives that are measured in non-financial terms. Some of these include improvements in branding, image, customer satisfaction, product development time, employee recruitment, and many others come in this category. Reaching these objectives should ultimately translate into either financial savings or increased income, but the objective and progress towards it are measured first in non-financial terms. Does your proposed action contribute to one of these objectives? If so, it deserves some attention.

If you were writing the business case for risk management, I'd suggest that assigning financial value to benefits should be one of the last additions to the business case, not as is often the way, the first. If you can show in tangible terms that your proposal contributes to a business objective, the benefit is real.  If management agrees that reaching the objective has value, then the benefit has value.  That much of the value proposition is solid.

Sure, measuring the links between risk management and (say) staff skills, can be easier said than done. When trying to assign value to a risk management initiative however, sit down with your colleagues, finance team members, and managers to decide 'what is the value of reaching the objective?' and 'does the risk management framework or treatment contribute to this?'.  If the answer is yes, the only question remaining is: 'what percentage of that value should be credited to the risk treatment?' The figure you agree on may not be 100%, but it should not be 0% either.  

------------------------------------

NB. Hope it's useful reading for you. This article is actually an excerpt from another ebook titled 'The Business Case for Risk Management'. Due out in the next month or so. 

It's a question of values....

“If you can’t measure it, you can’t manage it.”

– Peter Drucker

ISO31000 (Section 3, Part A) says that risk management should create and protect value, and it’s true. Underlying this principle however, is the question: what does the organization value? The answer should theoretically be articulated in policy and in a statement of objectives. If not, it’s time to go back to square one and get some answers. Depending on the organization, what it values, could be any combination of things. The following is a partial list to get you thinking, but it’s by no means comprehensive:
• Health and safety of people
• Learning and development
• Profit
• Service delivery to customers
• Timeliness
• Quality
• Production metrics
• Reputation
• Environmental protection
• Medical or technological breakthroughs
• Publicity

Many of these are intangible benefits but boiling it down to basics… risk management should be able to demonstrate the link between risk management practices and tangible benefits for the organization. In the case of a not-for-profit organization, or government departments, this might mean benefits to the recipients of their services, but this still ‘creates value’ in terms of the organizations mandate.

Tempting though it may be to think that risk management automatically delivers benefits, that simply isn’t true. Risk management isn’t a means unto itself. Applied ineffectively it is just as capable of robbing value as any other management activity. The key word in all of this however is “demonstrate”. Ultimately an organization needs to be able to show clear tangible benefits that can be measured. If the benefits can’t be measured we are missing one of the fundamentals of a management system – a feedback loop.

Although simplistic, it’s not unreasonable to think of creating value as positive risk management and protecting value as involving negative risk management. In some areas of risk management it is easier to demonstrate these links than in others. For example, safety risk management is in many respects, based on the concept of protecting people from harm while the creation of value is often implemented through new projects or marketing initiatives. It is important to consider though, that most risk management strategies or controls will both protect and create value. For example:

• Security which protects people and assets can equally creates value by allowing your organization to open up international offices in locations which would be otherwise too dangerous to operate.
• Equally, financial portfolio management both creates and protects value through asset allocation, diversification, etc.

The key activity here is to be able to link risk management to organizational objectives and the easiest way to do that is to use key performance indicators (KPIs). If you’re lucky, your organization will already have documented objectives and strategic KPIs. If not you’ll get a chance to apply your creative talents as any good employee or consultant already knows and MSU (make stuff up). The trick is that in some fashion, the risk management framework and risk assessments must draw a link to the achievement of organizational objectives and be measurable against the KPIs.

This shouldn’t be all that complicated and can be summed up in 3 steps:

1. List the organizations key result areas (KRAs). What are the results that you want to achieve? Not all of them but just the ones which really count – ie. The KEY result areas. Eg: Profitability, safety statistics, production quantities…
2. Identify the critical success factors (CSFs) that must happen to achieve those results. What things will contribute to achieving those results? Eg: Staff training, the quality of the financial reporting systems, effectiveness of project management, etc.
3. List the key performance indicators (KPIs) that will measure whether or not the CSFs are in place. Eg: Hours of training delivered per person per year, percentage completion of training plan, implementation of new financial reporting system before end of year, etc.

Last but not least, it’s essential to be able to link risk mitigation or opportunity enhancement measures to those KPIs. If you propose for example to deliver training on xyz as part of a risk treatment plan, there should be a clear link from that training to the desired outcome.

Example 1: Linking Risk Management to Value Creation
An organization might in theory, have 6 corporate objectives, 8 critical success factors (CSFs), 10 Key Performance Indicators (KPIs). 25 risks on the risk register and 15 risk treatments.  These would probably be interlinked in a complex range of ways. For example, 5 risk treatments might support 1 or more organizational objectives).

To look at just one example of a causal pathway, lets consider the links between foreign currency fluctuations and their effects on profitability. we might for example, find the following way to demonstrate how risk management creates and protects value:

• Corporate objective #2: Maintain shareholder returns
• KRA #5: Net profit after tax of at least 10%
• CSF #5: Annual gross profit margins sustained
• KPI #2: New contracts maintain 25% or greater gross margin
• Risk: Failure to protect sales margins due to increase in raw materials prices as a result of global financial market adversely effecting currency exchange rates.
• Treatment: Provide financial analysis training to sales team managers on interpreting the effect of currency fluctuations cost of sales.

This of course shows just one slice of the KPIs, CSFs and KRAs that an organization might have but hopefully you get the general idea. Even in this simple example, the treatment (financial analysis training) probably addresses a host of issues and directly or indirectly supports a number of corporate objectives (eg: environment, health and safety, sales growth etc) however you can see from this just how easily the causal link can be drawn between ‘training’ and ‘shareholder returns’.

The emphasis here is on a 'causal pathway'. If you simply proposed a plan to “Provide financial analysis training to sales team managers on interpreting the effect of currency fluctuations on cost of sales” you might have a great idea but you haven’t demonstrated how it adds value. Using a risk management approach can help you to build your case for funding this training.

Lessons from High Reliability Organizations (HRO's)

Some of the best research in the area of risk management comes from studies into an area known as high reliability organizations (HRO’s).  HRO’s include organizations such as nuclear power plants, aircraft carriers and air traffic control. This type of organization is notable, according to Rochlin [1] because "these organizations have not just failed to fail; they have actively managed to avoid failures in an environment rich with the potential for error." That ability to actively and reliably manage to reduce the chances of mistakes occurring, rather than to avoid the hazards, has been the distinguishing hallmark of most HRO’s and their experience offers many lessons for the application of risk management at the enterprise level.

Work by Karl Weick and Kathleen Sutcliffe [2] into this area suggests that five key elements contribute to what he describes as a state of ‘mindfulness’:
1. Preoccupation with failure
2. Reluctance to simplify interpretations
3. Sensitivity to operations
4. Commitment to resilience
5. Deference to expertise

At first many of these processes appear to be self-defeating on multiple levels.  But, as Weick further explains why these processes are necessary if a high reliability organization is to be successful their validity becomes increasingly more apparent.

Preoccupation with failure
HRO’s like most organizations celebrate their successes but Weick [3] also notes “a chronic worry in HROs is that analytic error is embedded in ongoing activities and that unexpected failure modes and limitations of foresight may amplify those analytic errors.”

Reluctance to simplify interpretations
Most organizations are happy to handle complex issues by simplifying them and categorizing them, thus ignoring certain aspects. HROs, however take nothing for granted and support cultures which attempt to suppress simplification because it limits their ability to envision all possible undesirable effects as well as the precautions necessary to avoid these effects.  HROs pay attention to detail and actively seek to know what they don't know.  They endeavor to uncover those things that might disconfirm their intuitions despite being unpleasant, uncertain or disputed. Skepticism is also deemed necessary to counteract the complacency that many typical organizational management systems foster.

Sensitivity to operations
Weick describes sensitivity to operations as pointing to “an ongoing concern with the unexpected.  Unexpected events usually originate in ‘latent failures’ which are loopholes in the system’s defenses, barriers and safeguards who’s potential existed for some time prior to the onset of the accident sequence, though usually without any obvious bad effect.”  [4]

Management focus at all levels to managing normal operations offers opportunities to learn about deficiencies that which could signal the development of undesirable or unexpected events before they become an incident.  HRO’s recognize each potential near-miss or ‘out of course’ event as offering a ‘window on the health of the system’ – if the organization is sensitive to its own operations.

Commitment to resilience
HRO’s develop capabilities to detect, contain, and bounce back from those inevitable errors that are a part of an indeterminate world.  The hallmark of an HRO is not that it does not experience incidents but that those incidents don’t disable it.  Resilience involves a process of improvising workarounds that keep the system functioning and of keeping errors small in the first place.

Deference to expertise
HRO’s put a premium on experts; personnel with deep experience, skills of recombination, and training.  They cultivate diversity, not just because it helps them notice more in complex environments, but also because rigid hierarchies have their own special vulnerability to error.  As highlighted by the work of James Reason and HFACs, errors at higher levels tend to pick up and combine with errors at lower levels, exposing an organization to further escalation.

HRO’s consciously evoke the fundamental principle of risk management – that ‘risk should be managed at the point at which it occurs’.  This is where you will find the expertise and experience to make the required decisions quickly and correctly, regardless of rank or title.

Unfortunately most organizations do not work at this level, preferring to manage risk through the introduction of standard operating procedures, policy and work instructions.  While these undoubtedly have their place, and can help people to make quick and consistent decisions, a significant body of research also indicates that the blanket application of these controls can reduce individuals ‘mindfulness’ and personal responsibility, thereby contribute indirectly to increasing operating risk.

Other lessons from HRO’s
Other lessons from HROs include the strong support and reward for reporting of errors based on recognition that the value of remaining fully informed and aware far outweighs whatever satisfaction that might be gained from identifying and punishing an individual.

The Icarus Paradox
Many experiments have shown that people who succeed on tasks are less able to change their approaches even after circumstances change.  (The hammer and the nail syndrome).  Starbuck and Milliken in their analysis of the Challenger disaster said: “Success breeds confidence and fantasy.  When an organization succeeds, its managers usually attribute success to themselves or at least to their organization, rather than to luck.  The organization’s members grow more confident of their own abilities, of their manager’s skills, and of their organization’s existing programs and procedures.  They trust the procedures to keep them appraised of developing problems, in the belief that these procedures focus on the most important events and ignore the least significant ones.”  [5]

This level of complacency is a breeding ground for inadequate or ineffective organizational risk management and needs to be fully considered when reviewing the internal context and the risk management context.
==============================


 [1] Rochlin, Gene (1996) "Defining 'High Reliability' Organizations in Practice: A Taxonomic Prologue," p. 15 in Roberts, Karlene, ‘New Challenges to Understanding Organizations’, Macmillan Publishing Company, New York, USA 
[2] [3] [4]  Weick, Karl & Sutcliffe, Kathleen (2001), Managing the Unexpected: Assuring High Performance in an Age of Complexity, Jossey-Bass, New York, USA  
 [5] Starbuck, W. H. and Milliken, F. J. (1988) “Challenger: Fine-tuning the odds until something breaks”, Journal of Management Studies, Vol. 25, 319-340, New York, USA