Wednesday, October 26, 2011

Likelihood versus consequence management...

It often seems that as a species (and indeed as a society) that we spend most of our efforts on managing risks after they occur, rather than preventing them from happening. .  The difference between the two approaches can be described as consequence management versus likelihood management, and is illustrated in the figure below.
Likelihood Management versus Hazard Management
This principle seems to apply whether we're talking positive or negative risk management.  For an example of consequence management of positive risks, we've probably all come across the salesperson or manager who likes to take credit when things are going well and will often put more effort into promoting this fact than they did into achieving that success. In theory, we'd all be much better off putting our efforts into increasing the likelihood of a positive business outcome, but there can be rewards for people who do little or nothing, at least until after success becomes assured. People often don't even really know the cause of their success but they do know that by trumpeting it loudly, they increase their chances of a bonus or promotion. This certainly isn't true of everyone by any means but it's a common enough trait across our collective humankind.

When to Use Consequence Management
The tendency towards managing consequences after a risk has manifested isn't necessarily a bad thing and indeed, sometimes it's entirely appropriate. If your job involves emergency management or disaster relief then ‘consequence management’ is absolutely the right area to be focused on. Natural disasters such as earthquakes are typical of risks where consequence management is more important than likelihood management. I'm not suggesting by any means, that we do away with likelihood management, but rather that we understand the role that these two elements have in any risk management strategy. With bushfire management for example, it's important to reduce likelihood by managing fuel loads, fire bans, bushfire alerts, reducing housing pressures in bushland etc, but ultimately bushfires will occur no matter what we do. Indeed the ecosystem needs them to occur in order to stay in balance. Hence, the focus has to be on resources, training and leadership to reduce the consequence of inevitable fires. For most of us however, an ounce of prevention is worth a ton of cure and this is the area of ‘likelihood management’.

The Symbiosis of Likelihood and Consequence Management
A good illustration of the relationship between likelihood and consequence management is the link between security (likelihood management) and emergency response (consequence management).  Post 9/11 when we were looking at protecting a major hydrocarbon facility from terrorist attack, we quickly came to the conclusion that we were well into consequence management territory. Security could do a lot of useful things to reduce the risk of an attack but ultimately we couldn't stop a determined adversary. At least, not without a ridiculous amount of resources and some military assistance - certainly way beyond our ability to provide cost effectively. We decided instead, to focus most or our resources on consequence management including the following steps:
  • Upgrade the muster system to get people more quickly to blast resistant emergency shelters
  • Establish reciprocal arrangements with other hydrocarbon facilities to swap cargoes so that our customers would receive continuity of supply
  • Upgrade our terrorism insurance policies
Getting the Balance Right
By way of an example with mixed results, let’s take a look at allopathic (modern western) medicine. We've achieved great advances with trauma medicine and diseases such as typhoid, malaria and bacterial infection. The track record with illness and disease however is somewhat variable and recent years seem to have seen an increasingly heavy reliance on consequence management. As you can see from an earlier blog entrycancer and heart disease (both highly preventable) are two of the leading killers in the United States and, I think we can safely say, most of the developed world. Take diabetes as another example of an incredibly preventable disease, which still has an enormous reliance on drug related consequence management therapies.

Different Strategies for the Same Risk
Even where we have that have achieved great success in likelihood management, that success is often confined to the developed world. In remote parts of Africa, such as the location where I sit while writing this paragraph, 'preventable' diseases are still killing people on a daily basis. According to the World Health Organization's 2010 World Malaria Report, malaria alone still kills 781,000 people every year with 99% of those in sub-Saharan Africa.

In developed nations, malaria risk management is all about likelihood management. In Africa it's primarily on the right hand side of the bow-tie - very much into the realm of consequence management. According to WHO, there are 225 million cases of malaria each year, most of which are treated successfully with medications after the event (ie. consequence management).  By contrast, malaria was also once rife in America and Europe.   It was so pervasive in Rome that it is even suspected of contributing to the decline of the Roman Empire. Even the word 'malaria' originates from Medieval Italian "mala aria" or "bad air" due due to its association with marshland. Simple steps such as adding screens to windows, avoiding mosquitos, draining open bodies of water and selective spraying of mosquito habitat have all but eliminated malaria from most of the world. This is 'likelihood management' working at it's best.

By contrast, likelihood management isn't working extraordinarily well with malaria in sub-Saharan Africa. To be fair, it is achieving some success and the main reasons why malaria is still rampant have more to do with much broader cultural, political and economic issues - all of which are way beyond the scope of this short article. It does go to show however, that consequence management can still work reasonably when likelihood management hasn't been enough.

Which One Is More Important?
Neither is more important than the other. Likelihood management can stake a legitimate claim to supremacy - after all, prevention is better than cure. It's a tenuous claim however and the reason is self-evident when you think about it. 'Likelihood Management' is really only about tilting the odds in our favor  Almost by definition, there are no guarantees of any given outcome. It's at this point then, that Consequence Management can pipe up and say "you'll always need me, therefore I am more important!". When we look at it more closely however, Consequence Management is always going to have a certain stigma. No matter how good we are at it, there will always be an element of 'we got here by luck' (in the case of positive outcomes) or a sense of failure and loss (in the case of negative outcomes).

It's interesting then to look at what drives our decisions in terms of which strategy to pursue and when. I suspect, it depends a lot on our own predilections, experience and capabilities. If the only tool in our toolbox is a hammer, after a while everything starts to look like a nail - or at least something which will respond to a spot of 'percussive maintenance'. The other critical element which steers our decision making however, is incentives. Think very carefully about how you incentivize your employees. Incentives drive behavior, and I've met executives who openly admit that the main risk they manage is their 'personal career risk' (ie. bonuses and promotions).

Equally, at the industry level, you'll find incentives-driven behavior. When we look at an industry such as the healthcare industry, it's easy to see an increasing focus on insurance, vertical integration and development of drugs that can be patented coming from the allopathic sector.  There aren't many patents that you can take out on a healthy diet, exercise or prevention of disease - and as a result, not as much research or marketing resources going into such things. Pharmaceutical companies focus on consequence management such as patentable drugs, because that is where they make their profit. Once you have a disease, they know that we'll pay almost anything for the cure. In the world of likelihood management, there is less money to be made but there are still plenty of profitable businesses among nutritionists, vitamin companies and gym owners.

In summary however, we can say that even in the most obvious of cases - the pursuit of good health - it's one thing to know that we should all eat healthy diets and exercise, but that simply isn't the way humans are programmed. Likelihood and consequence management both have their place in the real world - the trick is to know which one you're doing and why you chose that approach at any given time.









Monday, October 17, 2011

First Global Survey of ISO 31000 Gets Underway

The closing date for the first global survey of ISO 31000–Risk Management Principle and Guidelines has been extended to 30 November 2011 and I would STRONGLY encourage every risk management professional to take advantage of this opportunity to comment on ISO31000. NB: If you are reading this after 30NOV11, you can still join the ongoing discussion at the ISO 31000 LinkedIn group.


Why you should participate
ISO31000 has it's critics as well as it's champions. You may not agree with even ISO31000. The definition of Risk as "the effect of uncertainty on objectives" is for example still disputed, but the fact remains that it is one of the best selling management standards in the world.

Even if (maybe especially if) you don't like or agree with the Standard, this is your chance to have some input. Members of more than 70 risk management associations around the world have been invited to participate in the study which is being run through an initiative by the LinkedIn discussion group on ISO 31000. Even if you don't use ISO31000 in your organization, it's worth completing the survey just to let us know a) what you think about it and b) why your organization doesn't use it.

It takes less than 5 MINUTES to complete and it is TOTALLY CONFIDENTIAL The data collected will be represented in aggregate form without naming in particular a risk management association, LinkedIn group or entity. No individual name or company name is asked.


What the survey is about
The aim of the survey is to gauge how ISO 31000 is perceived by risk practitioners across all sectors and to provide input for the preparation of the ISO 31004 guide, (due out in 2013).

The survey has been organized by Alex Dali, moderator of the LinkedIn ISO 31000 Risk Management Standard Group with the help of a group of volunteers and Alex sums it up well when he says: "This is the first time the global risk management community active across all fields, sectors, industries and services is being invited to participate in an international survey on ISO 31000. It is a great opportunity to share your thoughts and concerns about the ISO standard on risk management".

The survey will run from 17th of October until the 31st of October 2011. You will be encouraged to participate through your National Standardisation Body, risk management association or the ISO 31000 LinkedIn group.


What is ISO31000:2009 Risk Management Standard
Issued in November 2009, ISO 31000 provides principles and generic guidelines on risk management. It can be used by any public, private or community enterprise, association, group or individual and is not specific to any industry or sector.

This is your opportunity to comment on what is one of the most significant, and best selling international standard so please take the time to provide your input via the survey: www.iso31000survey.com.  Feel free to share this link to any interested contacts, groups, associations or interested entities.

Friday, October 14, 2011

As High or Low As Reasonably Practicable (AHLARP)

We've been debating lately, how well the ALARP concept withstands scrutiny under the ISO31000 definition of risk? The answer - not very well.   In a previous blog, we looked at the traditional view of mitigating risk to be as low as reasonably practicable which is fine when we look at negative risk. Unfortunately for ALARP, the ISO 31000 definition - the effect of uncertainty on objectives - includes both positive and negative risk.  In the case of positive outcomes, we want to manage them to be as HIGH as reasonably practicable.

We decided that it was time to upgrade ALARP to AHLARP (As High/Low as Reasonably Practicable) and being visual thinkers, decided that it was time for a new model.  Along the way, we came up with new acronyms, including RTP. RTP stands for 'Risk Tipping Point' and builds on Malcolm Gladwells concept of a tipping point. It's the point where positive risk starts to outweigh negative risk.

Whether we talk about IT projects, business activities or saving an endangered species, it is fair to say that without some input of resources/effort, the initiative is more likely to fail than to succeed. Putting this into ISO31000 speak, we would say that 'objectives are unlikely to be met'. Simply putting resources into something is of course, no guarantee that it will succeed, but it's fair to say that (assuming some level of planning and quality) the more resources we put in, the lower the negative risk and the higher the positive risk.

Figure 1: AHLARP Model
Using a notional example in Figure 1 above, you can see that it doesn't take a huge amount of resources to reach the risk tipping point. A few more resources and you've hopefully managed negative risk down to the point where additional resources aren't making a huge difference to reducing hazards. Positive risk should in theory continue to increase up to the point where it (green line) starts to flatten out and increasing resources (blue line) don't have much impact.

AHLARP becomes the conceptual area where our risk strategies are achieving the optimal range of benefits for a given range of resource inputs. This infers what we already know from experience, that there is no single perfect point for risk/reward optimization, but rather a range where we are trying to balance resource (cost) with positive risk (potential benefit) and negative risk (potential loss).

Accepting that there is rarely if ever, a single point where likelihood and consequence form a point value (eg: "this risk as a 57.6% likelihood of generating $123,000 benefit") we can look at illustrating risk across a spread of outcomes. Figure 2 below, illustrates the likely spread of outcomes if we apply insufficient resources (or quality) to manage a risk.
Figure 2: Inadequate resources increase the likelihood of negative consequences
Figure 3 by comparison, looks at what we seek to do with risk management. If we had to sum up risk management in a single picture, this would be a worthy contender. What we try to do is quite simply, to push the spread of likely outcomes towards the positive. A statistician might say that we're applying resources to left-skew the possible range of outcomes. ISO31000 might say that we're attempting to reduce the 'effect of uncertainty on objectives'.
Figure 3: Applying management resources to shift risk outcomes towards the positive
Judging just how much investment is appropriate to achieve AHLARP, is of course no simple feat. Too little is, well... too little and likely to be a waste of money/time/effort with little impact on outcomes. By contrast, applying an excess of resources is just wasteful and leaves inadequate resources for other projects.  Figure 4 illustrates this idea as a general concept but sadly doesn't give us the magic formula (hey, if it was easy, there'd be no need for risk management, and few if any Enrons, HIH, Exxon Valdes, etc).
Figure 4: Range of 'prudent' investment
Determining what is 'prudent' or 'appropriate' requires significant analysis, well beyond the scope of any single book or blog entry.  That being said, there are some general principles that can be applied. It's tempting to say that 'the more risky a venture is, the more resources should be applied' but that simply isn't the case. Some ventures have significant upside risk, with little downside risk. Running a stationery manufacturer or bookshop will probably work out well without a huge need to manage downside risk. Sure, you probably won't create the next Amazon but you're likely to make a good living and steady income. A hydrocarbon plant by comparison, can turn out to be brilliantly profitable or catastrophically bad - and it can turn around from one to the other in a matter for days, weeks or months.
Figure 5: 'Prudent' is context driven
Figure 5 illustrates the different nature of investment depending on your context. 'Prudent' investment for a gas plant is likely to involve a significantly larger amount of resources and cash than making prudent investments for a bicycle manufacturer or a stationary supplier. Even if the businesses have the same turnover and relative size,  one is simply more volatile than the other. Which leads us to the concluding point.

The more volatile a risk is, the more resources need to be applied. If the green and red lines in Figure 1 have a lot of potential ranges, it's going to be expensive to stay consistently within the AHLARP zone.









Thursday, October 13, 2011

How to deal with complexity...


It's a question of context. We live in a complex world - so much so, that we could describe it as a world of complexity in a universe of uncertainty. But is this a good thing?  If more uncertainty = more risk, then more uncertainty is a good thing for an optimist but a bad thing for a pessimist. What does it mean for a risk manager though?   If you ask 100 people how to assess 'quality' of life, you're likely to get more than a hundred answers. Personally though, I measure the quality of my life by how many options I have. For me, it's all about choices. Increasing my range of options is the reason that I did the Master of Risk Management. If I’d just wanted the knowledge, I could have studied any number of texts (I do anyway) but having the paper that proclaims me as a ‘Master of Risk’ bestows upon me an increasing number of options -  not least of all the ability to legitimately work in any profession, industry or continent.

Everyone has their own value system but the pursuit of ever increasing options is what drives a lot of my decision in life. It does have it's downside though - along with increasing my options comes an increase in uncertainty (after all, I have to make more decisions), ambiguity and complexity. What prompts me to reflect on this today is that I've just received my monthly edition of 'Market Talk' from my friendly Swiss banker, Philip and this month is all about 'complexity'. It’s appropriate that I reflect on that topic while consulting in Africa at a remote camp on the edge of the Rift Valley.  While I sit here with my offshore bank accounts, mortgages, spreadsheets and blogs, the local villagers are at the other end of the complexity scale. It's a scenic place but we're deep in grass-hut, subsistence farming territory. Although we have satellite internet at camp, we're a days drive from the nearest petrol station and four hours walk from the nearest hill with phone reception.. Most of the locals are pretty happy with their lot, but I sometimes see them looking at us mzungus in a way that clearly says “gee, I wish I had all their choices/vehicles/money/toys/etc".  In truth, or at least in all likelihood, most of them couldn't cope with the complexities and ambiguities that come with such things.

Driving around in a Landcruiser looks like an easy and pleasant way to get around compared to walking (and it is) but there is an invisible complexity to the tip of that 4WD iceberg. Keeping those Landcruisers running, managing a million dollar budget, bringing food and spare parts down a 1,500 km supply line, let alone all that goes into geological exploration in Africa, are below the surface of that dusty and dented Landcruiser/iceberg. Go a little further down the rabbit hole and you find a sea of complexities. Investors, stock markets, recruitment of skilled professionals, timetables and deadlines, mortgages and leases, credit cards, exams, job applications, budgets, drivers licenses and and much, much more comprise the minutiae of life that most blog readers will be familiar with.

That’s the downside of choices. If you have only one option when it comes to job, house, education, healthcare, etc then you don’t need to consider trade-offs, or make any significant decisions. Most of the locals out here don’t have to make many decisions and I can understand the appeal of that. Every so often, I like to take a complete break and just sit on a beach for two weeks. When the biggest decision of the day is picking what to eat, it's a wonderfully relaxing lifestyle - for a short while. I couldn't live like that long term, but many people do so happily. The locals here know when the wet season comes, they know how to build a hut, plant a maize crop, what to eat for breakfast (maize porridge - the same as they had for every preceding breakfast of their lives). And for the most part, it seems that they are pretty happy with that state of affairs.  Personally... I’ll take the choices, accept the complexity, make the decisions and seek to have ever more options available to choose from.

But the blog isn't just about the 'benefits of complexity' - it's called "How to deal with complexity...'

When it comes to complexity, my approach is simple. I embrace it - and surf the wave. But this book after all, is about the 'how to' of risk management (ISO 31000 style).  There are many perspectives we can use for understanding our world a little better, but when it comes to what ISO31000 would describe as 'establishing the context' I find the VUCA model a pleasantly KISS (Keep it short & simple) approach.

VUCA is an acronym used to describe, or at least reflect on and discuss, the volatility, uncertainty, complexity and ambiguity of general conditions and situations. The term VUCA came into use in the late 1990s in the military and has been subsequently adopted in strategic leadership. One way to phrase the questions would be:
  • Volatility. How volatile is our current situation? What are the nature and dynamics of change, and the change catalysts that effect our organization?  What is the nature and speed of  those change forces? Last but perhaps most important is: what aspect or element of our situation is the most volatile (ie. 
  • Uncertainty. How much predictability do we have and in particular which areas of our business have the least levels of certainty? What issues around lack of predictability, the prospects for surprise, and the sense of awareness and understanding of issues and events should we be concerned about?
  • Complexity. How complex is our context, our business model and the environment we operate in? What are the multiplex of forces, the confounding of issues and the chaos and confusion that surround our organization?
  • Ambiguity. What level of ambiguity are we facing now or in the future? In what areas are we facing them and how are they likely to effect us?  Specifically, what are the key issues around any haziness of reality, potential for misreads, or mixed meanings of conditions and cause-and-effect confusion?
Out of all these questions, the last but perhaps most important to return to is the question of Volatility. In particular, what aspect of our situation is the most volatile? This question can take some time to answer as it’s often not going to be the most obvious. A security risk assessment that I did for a large oil project turned up all the usual risks (terrorism, war, disgruntled employees, fraud, hacking, etc) as you'd expect. None of these were particularly volatile however, as we could identify indicators which could offer months or even years of advance notice.  The only risk that could realistically change overnight was environmental activism, and the main trigger for it wasn’t even a security risk. The plant had a great operating record, but experience from other similar facilities, indicated that within 24 hours of an oil spill, we were likely to have busloads of protestors at the gate, blocking traffic and creating chaos. And at the risk of stating the obvious, the easiest (but neither not the smartest, nor safest) way to shut down a hydrocarbon facility is to organise protestors to climb the fence and drape banners over the processing equipment. It’s just too dangerous to have people in a hydrocarbon facility who haven’t done the safety induction. Even the spark from a mobile phone can have catastrophic consequences and once people get into the operations area, an emergency shutdown can cost millions of dollars. Identifying this as the most volatile security risk resulted in changing a host of procedures and systems. Nothing we did as a result of this was particularly costly, and there was already a major focus on spill preventions but on the security side for example, we:

  • prepared a safety training program and leaflets for environmental protestors 
  • reviewed security procedures to automatically trigger additional staff in the event of an environmental incident
  • updated our liaison program to reach out to the leaders of more environmental groups to ensure that we had pre-existing lines of communication

Dealing with complexity is all about understanding the range of interactions and interconnectedness of seemingly unrelated things.  Looking at complexity through the VUCA lens helps us to understand the context in which organizations (or people) operate and in particular their current and future state. Used as discussion or analysis questions, they provide not only a better understanding of the current environment, but can offer insights into to how people view the conditions under which they make decisions, plan forward, manage risks, foster change and solve problems. In particular, it can help you to:
  • Anticipate the issues that shape conditions
  • Understand the consequences of issues and actions
  • Appreciate the interdependence of variables
  • Prepare for alternative realities and challenges
  • Interpret and address relevant opportunities
You could if you so chose, take these four simple questions and evolve a semi-quantitative scale to suit your particular situation.  This might help you for example, to compare the merits and uncertainties of various projects. It could be equally useful for comparing the various elements of your financial or resources portfolios and that in itself would be valuable. Overall though, the discussion that leads to those rankings is likely to be the most useful part of the process.

As Dwight D. Eisenhower said, "Plans are worthless but planning is everything."  Similarly, our limited understanding of the world is unlikely to outlast first contact with reality - but making the attempt to understand the complexities of life, gives us the best chance of achieving objectives.