Certainty, or at least the illusion of it, has become a consumer product. Insurance companies, investment advisors, the medical profession and politicians appeal to our desire for certainty and market it to us unceasingly. Our desire for certainty is part of our emotional and cultural inheritance yet despite the marketing hype, certainty remains as elusive as ever. Risk management isn’t the easiest thing to do well in our daily lives, and if your job involves managing risk for a large organization or for national policy decisions, it can look even harder. The good news is that risk management needn't be that complicated. Researchers are handing us ever more information about all facets of risk management and now we even have an international standard which provides us with an apples-for-apples framework in which to apply all this great research and technology.
If you think about it in simple terms, danger stalks throughout our lives. Other than the adrenaline junkies among us, most people would find it a lot easier to enjoy life if there weren't so many things trying to kill or maim us. Slips, trips, falls, terrorists, snakes, peanut allergies and falling space debris conspire to do us harm. It can seem like there are so many more ways to fail than ways to succeed. As an IRA statement commented when talking about a failed assassination attempt “…remember we only have to be lucky once. You will have to be lucky always”.
Shadowed by peril as we are, you would think that we'd be pretty good by now at differentiating between high and low risks. But you’d be mistaken. We agonize over pandemics and mad cow disease which kill less than 1,000 people per year around the world. At the same time we fill our shopping carts with processed foods and tobacco products while in America alone, heart disease kills 700,000 and smoking kills 400,000 every year.
After eons of cultural, scientific and biological evolution we are yet to acquire a good understanding of this concept known as risk. Yet evolution has programmed us with a variety of habits and patterns that cause us to fear some risks out of all proportion. Our pre-historic brain evolved to face fight or flight risk scenarios which still drive our risk decisions in our modern world. Our biggest risks today are relatively abstract and ‘fight or flight’ wasn’t equipped to deal with managing long term risks of heart disease, motor accidents, cancer or global warming.
Every year in the OECD, motor vehicle accidents kill roughly 390 times more people than terrorism. Even in 2001, road fatalities in the US were equal to those from a September 11 attack every 26 days. Our policy makers would do well to consider the difference in magnitude when allocating resources to prevent these two avoidable causes of mortality. Easier said than done of course. Sensible calculation of real-world risks is a multidimensional challenge that sometimes seems entirely beyond even the smartest of us. One day we may perhaps manage risks exceptionally well, but for now it is certainly something we can learn to do better. You need only visit the emergency department of any hospital to see first hand the results of this decision-making process going awry. Habits such as smoking, poor diet and complacency lead almost inevitably to the cancer, heart disease and the motor vehicle accidents that make up the bulk of admissions. At the same time, you only need to look outside the doors of that hospital to see the number of doctors and nurses who still smoke. They know all too well, the long-term dangers but our ancient brain only sees the short-term benefits.
The goal of this book is to build on the lessons and experiences gained in over 25 years of risk management to show you in plain English how to manage risk the ISO31000 way and to do it fast. The fast bit isn't as important as getting things right but I'm trying to write the book I wish that I'd had 20 years ago - a single source primer in all things risk. A ridiculous ambition of course, given the size of the field and the simple fact that by the time any book hits the streets it's out of date. Still, you have to start with a goal in mind so my goal is to summarize what's out there in a way that you can apply it to help you make risk management a faster and easier process.
Think of risk management much like quality management, financial management or project management. From humble starts, such things become part of the tapestry of management theory and modern business. They might not get so much hype and attention as they once did but neither are they going away. The generic approach in ISO31000 provides guidelines on implementing a multitude of various tools in a coherent and credible manner - no matter who or where you are. The trick is now to keep rolling out that menu of options, techniques and ideas as to how to actually go about implementing it.