Thursday, March 31, 2011

So what?

Seems like we've been at war for a long time... World War II drifted into the Cold War and more recently the War on Terror, War on Drugs, War on Poverty. Frankly it sounds more like a 'War on Commonsense' (oops, damn those renegade thought bubbles). Next we'll have a war on tsunamis. Actually, it looks like we're almost there. Google reports 1,110 hits on "war on tsunamis" so it must be real. We've got 20,800 hits for "war on heart disease" so that's not a bad thing but even that pales against the 8,530,000 hits that Google took 0.13 seconds to bring up when I searched for "war on terror".

It's good to see that the essentially useless Homeland Security Advisory System (HSAS) is about to be replaced. Steve Martin's assessment of the HSAS is probably more charitable than I or most of my security colleagues would be when he says: "The warnings were so vague that nobody could usefully do anything about them. The only possible purpose in issuing the warnings was to be able to say, 'I told you so' in the event of a terrorist attack. Well, that's the charitable interpretation. There are various less-charitable interpretations that are more to do with terrifying people. Surely that's the aim of terrorists though? Why would government authorities want to help them?" Why indeed? But that's for another section of the book.

Meanwhile, we're not sure yet what will replace HSAS but as of 30MAR11, the National Terrorism Advisory System (NTAS) "... is currently in a 90 day implementation period that began on January 27, 2011 – until the end of the implementation period, the existing HSAS will remain in effect".

I'd applaud that change if I knew what was actually going to replace it but apparently it "will more effectively communicate information about terrorist threats by providing timely, detailed information to the public, government agencies, first responders, airports and other transportation hubs, and the private sector." Can't wait. In the meantime, here's my suggestion for a real world threat advisory system. Not to ignore the seriousness of terrorism to its victims but frankly unless you live in the Middle East (which is a whole different ball game from anywhere else in the world) suicide and bathtub accidents kill more people than wannabe terrorists.

Real World Risk Advisory System (Note: If not living in America this may or may not apply to you)

I also quite like the way the CDC prepares some of its mortality information (or at least the level of detail they go to) but this table particularly caught my eye.
Source: http://www.cdc.gov/injury/images/LC-Charts/10LC_overall_2005b-a.pdf

Some telling statistics there. If you click on the graphic or follow the link, you'll find unintentional injuries (slips, trips, falls, motor vehicle accidents, etc.) are the leading cause of death in America for most of our lives. They are not the biggest cause of death overall, however. As we get older cancer (malignant neoplasms) gets more and more of us but with a current life expectancy of 79 years, most Americans are going to go down fighting with heart disease. No votes in a "war on heart disease" that needs lifestyle changes - or is there? It would certainly get my vote.

Tuesday, March 29, 2011

The basic outline of the book...

This book is being built not only to mirror and expand on ISO31000 but equally to introduce a raft of new concepts and tools that support risk management. I’ve written it to flow logically, so you’ll probably get the most out of it if you have time to read it from start to finish, but equally it’s being written so that you can jump into any section that you need when you need it. The book doesn’t just follow the flow of ISO31000 however. Numerous annexes have been included to provide examples of risk templates and to expand on concepts such as enterprise risk management or opportunity realization.

Equally though, if all you need to know is how to identify and document risks, just jump right to section x.x (Identity Crisis… Will the ).  If you need a risk policy in a hurry, then head straight for Section x.y.  Likewise if your boss has told you they want a Risk Management Framework to present to the Board in 48 hours then Section x.z would be an ideal place to start.

I’ll also be including a number of Implementation Tips, Examples and Additional Information so if you just want specific how-to guides or examples of various aspects, you can simply go straight there.   When I pick up a book of this type, I’m usually looking for information to help me actually apply the material so you’ll find practical assistance and examples throughout each section as well as in the Annexes.

Section 2 will deal with some fundamental terms and definitions on which the rest of ISO31000 is predicated. For the most part they are consistent with the way we understand terms in common usage; however, there are some particular differences in the way ISO31000 applies them which are worth understanding.

Section 3 will be about the underlying Principles of Risk Management, in order that anyone applying ISO31000 will have a consistent understanding of the ways in which risk management can be applied. This section also discusses some of the concepts behind how risk management could, should and would be applied if implemented fully.

Section 4 will focus on how to actually build a risk management framework for your organization, the elements and their respective interactions.   It is the precursor step to Section 5 where the rubber hits the road so to speak.

Section 5 is where risk management concepts will turn into risk management practice.  This is the section that most people in any given organization will have the most interaction with, whether in complex risk analysis, simple risk assessments or in contributing to implementing risk treatments.

You’ll ideally need to have a copy of ISO31000 handy.  You could simply implement risk management from the contents of this book however, I’m assuming that you bought this book because you’d like to implement risk management the ISO31000 way.  It’s not my intention to duplicate ISO31000 and hence you won’t find it repeated word for word here.  What I’ve attempted to do is to offer at least one if not several interpretations of how you might choose to actually apply the standard.
The book aligns with the flow of ISO31000 but there are some sections that simply don’t align specifically with just one part of the Standard.  You’ll find these sections in Section 7 Enhanced risk management.

 Figure 2: Relationship between Principles, Framework and Process (Source: ISO31000)

Sunday, March 27, 2011

Risk Communication - Perception and Deception

Another simple example of poor or misleading risk communication can be found in the O. J. Simpson murder trial. One piece of information that OJ’s defense team was able to quash was the prosecution's assertion that spousal abuse leads to murder. The defense argued that Simpson's history of assaulting his wife, Nicole Brown Simpson, was not relevant to whether or not he had murdered her.

Alan Dershowitz, a Harvard Law Professor in his book about the case argued that in the United States:
“As many as 4 million women are battered annually by husbands and boyfriends. Yet in 1992, according to the FBI Uniform Crime Reports, a total of 913 women were killed by their husbands and 519 were killed by their boyfriends. In other words, while there were 2 ½ to 4 million incidents of abuse, there were only 1,432 homicides. Some of these homicides may have occurred after a history of abuse but obviously most abuse, presumably even more serious abuse, does not end in murder” [8]

Essentially the defense argued that based on these figures, there is less than one homicide per 2,500 incidents of abuse and they used this to argue that there was no evidence of domestic violence being a prelude to murder.  While this is factually true, it is not a useful statistic.

Not only was it not useful but it may well have misled the court. The correct question to ask should have been: “How many women were murdered by men who had previously abused them?”  At the time of the trial, statistics showed that out of every 100,000 battered women, 45 were murdered. Of those 45, 40 were murdered by men who had previously battered them.  In short, 90% of murdered women who had been battered by their partners had in fact, been killed by their partners.  Rather than a 1 in 2,500 probability, past data suggested a statistically significant probability of 90% that OJ was the murderer.

It’s also worth bearing in mind that the death of a woman at the hands of a partner who has previously battered her may appear predictable in hindsight but when only 1 in 2,500 battered women go on to be murdered, this statistic has little if any utility when predicting the likely risk of murder.
Does a 90% probability constitute evidence of OJ’s guilt? Of course not!  Whether or not it would have influenced the jury is another story. We can never say for certain but ask yourself – is it likely that the way in which this information was presented would have influenced your views?

A Call to Action

Given what you now know, is it any wonder that our political leaders and the general public have trouble understanding and prioritising risks such as terrorism, crime, health, national security and hundreds of other risks? It seems that even in the 21st century with all our amazing communications technologies we have a long way to go to master the simple act of communicating risk in any meaningful fashion. The groundwork on how to present risks using natural frequencies has been done for us by practitioners in areas such as medicine, psychology and statistics. Perhaps it is time that we as risk professionals, managers and policy makers started to look more closely at exactly how we choose to present our risk data?

==================
[8] Dershowitz, Alan (1997), Reasonable Doubts: The Criminal Justice System and The O.J. Simpson Case, Touchstone, New York, USA.

Friday, March 25, 2011

Risk Communication - Using Natural Frequencies

Following on from the previous blog entry, if we want to understand why otherwise knowledgeable health professionals should be so consistently ill-informed, consider the results of some research by Gerd Gigerenzer. [iv] He first phrased the following question to HIV counselors in probabilities, as is fairly typical of the way statistics are presented to counselors and medical professionals.

About 0.01 percent of men with no known risk behavior are infected with HIV. If such a man has the virus, there is a 99.99 percent chance that the test result will be positive. If a man is not infected, there is a 99.99 percent chance that the test result will be negative. What is the chance that a man with no known risk behavior who tests positive actually has the virus?

Most people think that it is 99.99 percent or higher (including most of the counselors in the above study).  Now consider the same question worded differently.

“Imagine 10,000 men who are not in any known risk category. One is infected and will test positive with practical certainty. Of the 9,999 men who are not infected, one will test positive. So we can expect that two men will test positive.”

From this latter question, you can easily see that the odds are roughly 1 in 2 or 50% that someone from a low-risk category who has a positive test result is actually HIV positive.

The reason that the above wording appears so much clearer is because our brain absorbs the information in a distinctly different way. Presenting the data using natural frequencies means that we are evaluating it using numbers that we can intuitively understand. It yields the same result but it is much easier for our brains to calculate that result. The difference between these two ways is most easily seen in an illustration. Presenting the data in a complex formula produces the right answer but is anything but intuitive.

Using natural frequencies, or presenting the same information in a tree based on actual numbers of people as shown below, yields the same result but makes it much easier for us to calculate the correct answer.

The significance of this information for low risk individuals should not be underestimated. Countless people have endured traumatic psychological stress, lost jobs, separated from spouses, participated in unprotected sex with HIV positive persons or committed suicide as a result of false positive tests. By 1987 for example, 22 blood donors in Florida had committed suicide after being told that they were HIV positive. An analysis of these cases many years later concluded that the chances were at most only 50-50 that these individuals were actually infected. [v] The downstream impacts of poor risk communication are not confined to the recipients of the communication either. The potential for legal action against doctors or government agencies is just one example of a potential cascading spiral of risk begetting risk.

It’s worth noting that for men in high-risk categories (homosexual men or IV drug users for example) with a base rate of 1.5% HIV infection, the chance that a positive result is a false positive is less than 1 percent. In a group of 10,000 homosexual men we would expect about 150 to be HIV positive and with practical certainty they will all test positive. Of the 9,850 who are HIV negative, it is likely that 1 would test positive. The chance of a person in this group receiving a false positive is therefore 1 in 151, or less than 1 percent.

As you can see from the example above, the way in which we communicate risk can have a significant impact. Risk communication can of itself introduce considerable risks where none existed if it is not carefully considered. The problem of inappropriate risk communication is by no means rare but it is relatively easily addressed. An example of how the above information could be better communicated would be to provide patients and counselors with the same information presented in terms of natural frequencies as outlined below. [vi]

"Depending on the exact procedure used, an HIV test is likely to be positive for about 998 of 1,000 people infected with HIV. About 1 in 10,000 persons will generate a false positive result. False positives can be reduced by repeated testing using different methods but not completely eliminated as certain medical conditions and laboratory errors can still generate false positives. About 1 in 10,000 heterosexual men with low-risk behavior are infected with HIV. Of those 10,000 low-risk men, one is likely to be infected and will almost certainly test positive (99.8% likelihood). Of the 9,999 non-infected men, 1 will also test positive. Thus we expect that out of 2 men who test positive, only 1 has HIV. This is the situation you would be in if you were to test positive and are in a low-risk group. Your chance of having the virus would be about 1 in 2". [vii].
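The two natural-frequency calculations in this post (the 1-in-10,000 low-risk group and the 1.5% high-risk group) carried through in code, as an added example that is not part of the original post. The `natural_frequencies` function and its parameters are my own construction; it rounds the expected counts to whole people, exactly as the tree does, and `bayes_ppv` shows that the "complex formula" gives the same answer.

```python
from dataclasses import dataclass


@dataclass
class NaturalFrequencies:
    """Expected counts in a reference group, the way the tree presents them."""
    population: int
    infected: float
    not_infected: float
    true_positives: float   # infected people who test positive
    false_positives: float  # healthy people who test positive

    @property
    def positives(self) -> float:
        return self.true_positives + self.false_positives

    @property
    def ppv(self) -> float:
        """Chance that someone who tests positive is actually infected."""
        return self.true_positives / self.positives

    @property
    def false_positive_share(self) -> float:
        """Chance that a positive result is a false positive (1 - PPV)."""
        return 1.0 - self.ppv


def natural_frequencies(population: int, base_rate: float, sensitivity: float,
                        false_positive_rate: float) -> NaturalFrequencies:
    """Walk the tree: population -> infected / not infected -> positive results.

    base_rate:            share of the group infected (e.g. 0.0001 = 1 in 10,000)
    sensitivity:          chance an infected person tests positive
    false_positive_rate:  chance a healthy person tests positive
    """
    infected = population * base_rate
    not_infected = population - infected
    return NaturalFrequencies(
        population=population,
        infected=infected,
        not_infected=not_infected,
        true_positives=infected * sensitivity,
        false_positives=not_infected * false_positive_rate,
    )


def bayes_ppv(base_rate: float, sensitivity: float, false_positive_rate: float) -> float:
    """The same answer via Bayes' theorem: P(infected | positive)."""
    p_pos_and_infected = base_rate * sensitivity
    p_pos_and_healthy = (1.0 - base_rate) * false_positive_rate
    return p_pos_and_infected / (p_pos_and_infected + p_pos_and_healthy)


def render_tree(nf: NaturalFrequencies) -> str:
    """Text version of the natural-frequency tree, rounded to whole people."""
    tp, fp = round(nf.true_positives), round(nf.false_positives)
    return "\n".join([
        f"{nf.population:,} people",
        f"  {round(nf.infected):,} infected  -> {tp:,} test positive",
        f"  {round(nf.not_infected):,} not infected -> {fp:,} test positive",
        f"  => of {tp + fp:,} positive results, {tp:,} are truly infected "
        f"(about {nf.ppv:.0%})",
    ])


if __name__ == "__main__":
    # Low-risk group from the post: 0.01% base rate, 99.99% sensitivity,
    # 0.01% false positive rate.
    low = natural_frequencies(10_000, 0.0001, 0.9999, 0.0001)
    print(render_tree(low))
    print(f"Bayes gives the same PPV: {bayes_ppv(0.0001, 0.9999, 0.0001):.3f}\n")

    # High-risk group from the post: 1.5% base rate, same test.
    high = natural_frequencies(10_000, 0.015, 0.9999, 0.0001)
    print(render_tree(high))
    print(f"Chance a positive is a false positive: "
          f"{high.false_positive_share:.2%} (about 1 in "
          f"{round(high.positives / high.false_positives)})")
```

Change the base rate and the two error rates to produce the leaflet figures for any other group; the tree, not the formula, is what goes in front of the patient.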

It should go without saying by now that for persons with no known risk behaviors, a second HIV test should be conducted before confirming the positive diagnosis, but how would you know this unless the risks are adequately communicated?

====================

[iv] Gigerenzer, Gerd (2002), Calculated Risks, Simon & Schuster, New York, USA
[v] Stine, G. J. (1996), Acquired immune deficiency syndrome: Biological, medical, social, and legal issues (2nd ed.), Prentice Hall, Englewood Cliffs, NJ, USA
[vi] Adapted from Gigerenzer (2002)
[vii] Gigerenzer, Hoffrage and Ebert (1998)

Wednesday, March 23, 2011

Risk Communication Issues

Communication is intrinsic to risk management, yet it’s all too easy to forget to adequately communicate the results of a risk analysis. This is especially true for complex issues such as terrorism, natural disasters or national security where we require specialist knowledge to understand the issues in any depth. There are a couple of very simple things that we can do, however, to improve our risk communication.

It’s beyond the scope of this article to cover all the elements of risk communication but it’s worth singling out at least one critical element of risk communication: how we as risk professionals communicate the nature of risks to our leaders, laypersons and the general public.

“Badly” is unfortunately often the way in which we communicate risks. Consider, if you will, that most people are more afraid of terrorism than driving, yet as the United States statistics show, an average of 100 Americans are killed each year in terrorism related events while 40,000 to 45,000 Americans are killed on the roads in the same period. Somewhere between 50,000 and 100,000 Americans will die each year in hospital from documented and preventable medical errors [i] while roughly 400,000 die annually from tobacco related illnesses. Despite this, both the level of fear and the expenditure of funds to redress these risks are, broadly speaking, inversely proportional to the actual consequences. Clearly, given that these statistics are relatively consistent across most of the developed nations, effective risk communication is not one of humankind’s strong points.

We are not going to solve global risk management issues with a wave of the magic wand but there are some things that we can do.   We have any number of options available to us including one on one conversations, meetings, emails, newsletters and mass media.   The issue however is not how to communicate but rather what to communicate.  The key challenge lies in the way our brains are programmed to consider risks.  Our brains are finely tuned instruments for assessing immediate fight or flight risks but our ability to consider more complex risks is a relatively recent invention of the mammalian neo-cortex.

Large numbers and abstract ideas are accordingly not what we do best.  Saying that next year 40,000 out of 300 million people will probably die on the roads while 19,000 will be murdered and the average deaths from terrorism are 100 people per year simply doesn’t register in any meaningful way for us.  The numbers are simply too large and too abstract for us to really comprehend. A better way to present complex risk information is to break it down into natural frequencies.

To illustrate this concept, let’s examine a potentially fatal risk for which we have some existing data and research available.  Imagine that you are responsible for publishing public health risk information for counselors and Doctors and have to produce a leaflet for patients who are about to undertake an HIV test. By way of background, I should add that false positives are not uncommon. When an HIV test produces a positive result, the blood sample is therefore normally retested once or twice in the lab to verify the result.  Despite this additional testing, a small number of cases (roughly 0.01%) can still yield false positives (or false negatives) for a variety of reasons including medical conditions, accidental swapping of blood samples and data input error.  Most HIV information does not mention this seemingly minor false positive rate and a study of 21 HIV/AIDS information leaflets in America found that precisely none of the leaflets mentioned even the possibility of a false positive. [ii]

America is not alone in this oversight and another example of poor risk communication was confirmed in a 1998 German study of pre-test counseling for HIV tests. [iii] Twenty counselors were assessed and although they were very knowledgeable about most aspects of the topic, they exhibited significant gaps in the interpretation of tests. Of the 20 counselors in the study who gave pre-test counseling to a client with no known risk behavior (e.g. homosexual, IV drug user), 5 incorrectly claimed that false negatives never occur and 16 incorrectly claimed that false positives never occur. The reasons for this inaccurate information included poor risk communication in their training, the illusion of certainty in testing and a failure to understand that the proportion of false positives is highest in low risk patients.

==========================

[i] Kohn, L. T., Corrigan, J. M., and Donaldson, M. S. (2000), To err is human: Building a safer health system, National Academy Press, Washington, DC, USA
[ii] Reported in Gigerenzer, Gerd (2002), Calculated Risks, Simon & Schuster, New York, USA
[iii] Gigerenzer, Gerd, Hoffrage, Ulrich and Ebert, A. (1998), AIDS counseling for low risk patients, AIDS Care, 10, 197 – 211

Monday, March 21, 2011

“A picture is worth a thousand words.” Fred R. Barnard

I’m a visual person and a lazy reader with not a lot of spare time in my life. Perhaps you are also. If so, I’m writing this book for you.

If you wanted an illustration, for example, of different risk perceptions, have a look at this construction worker squatting on a beam 20 feet up in the air while chipping away at it. Not worried enough that there is someone working directly below, he is also not wearing eye protection, footwear or fall arrest equipment. The 'best part'(?) is that he is happily belting away on the only attached section of the beam... And no, I didn't have to go hunting far for this picture. I just took it from the verandah of my flat in Cambodia.

Wherever possible, I’ll use a graphic, a table or a callout box to summarize information and in a few places put in some key examples, extraneous but interesting additional information and general implementation tips. Hopefully this will make your journey through the book quicker and easier.

Here are a few that I've already written but let me know if you'd like to see any other concepts illustrated with a diagram.

List of Tables
Table 1: Example PESTLE Analysis Table
Table 2: Examples of Sources of Risk Facing an Organization
Table 3: Examples of common sources of risk
Table 4: Example of how to document a complex risk
Table 5: Risk Analysis Techniques
Table 6: Qualitative versus Quantitative Analysis
Table 7: Example risk consequence descriptors
Table 8: Example risk likelihood descriptors
Table 9: Talbot's Top Ten Tips for Presenting Risk Assessments
Table 10: Finance Security Activities
Table 11: Common Cost and Risk Drivers in Procurement
Table 12: Talbot’s Top Ten Tips for Picking an SME

List of Figures
Figure 1: Risk Informed Decision Making
Figure 2: Relationship between Principles, Framework and Process (Source: ISO31000)
Figure 4: ISO31000 Risk Management Process
Figure 5: How People Interpret Natural Frequencies vs. Probabilities
Figure 6: Example Risk Matrix
Figure 9: Risk Bubble Chart
Figure 10: Example of risk matrix used to present complex data
Figure 11: Risk Drivers and Total Cost of Ownership
List of Examples
Example 1: Linking Risk Management to Value Creation
Example 2: Demonstrating Mandate and Commitment
Example 3: Risk Management Policy
Example 4: XYZ Risk Assessment Report - Introduction
Example 5: Presentation of Risk Information in Natural Frequencies
Example 6: XYZ Risk Assessment Report - Communication and Consultation
Example 7: XYZ Risk Assessment Report - External Context
Example 8: XYZ Risk Assessment Report - Internal Context
Example 9: Example of Control Adequacy Rating System
Example 10: Positive Outcomes from Negative Risks
Example 11: Applying the Eight Step Risk Treatment Development Process

List of Additional Information and Other Research
Additional Information 1: Emotions Drive Risk Decisions
Additional Information 2: Human Factor Analysis and Classification
Additional Information 3: Keeping it Iterative and Dynamic

List of Implementation Tips
Implementation Tip 1: Being Transparent and Inclusive
Implementation Tip 2: Mandate and Commitment
Implementation Tip 3: Assessing the current situation
Implementation Tip 4: Facilitating a Risk Workshop
Implementation Tip 5: CASE - Writing a Watertight Risk Statement
Implementation Tip 6: The Art and Adventure of Writing a Risk Treatment
Implementation Tip 7:  Eight Step Risk Treatment Development

Friday, March 18, 2011

Why you might like this book...

There are lots of great books out there on risk management. There’s also lots of excellent academic research to support what we know about risk management. They are all worthy of your time but time is one thing that is in short supply. Equally there is one type of risk management book that is also in short supply… The ‘how the heck do I actually do it?’ type of book. And more particularly, how do I learn to do it with minimal investment of my time and energy?

Perhaps like me you’ve had to learn things on the fly, interpret academic works and experiment. You’ll still need to do that for the rest of your life but as a head start I wanted to write a book on how to relatively painlessly make risk management work for your organization. I’ve collected what I believe to be the best of risk management thinking so far and done my best to apply it to the simple processes of ISO31000 in enough innovative ways to help you be a successful risk manager.

Risk, according to ISO31000, is the “effect of uncertainty on objectives” and this wonderfully succinct definition sums up the nature of risk in just five words. This definition however is different from the way in which we typically use the word because it includes both desirable and undesirable outcomes. It accepts that risk invariably includes both positive and negative outcomes. And I’d agree - risk and opportunity are inseparable. If for example, you lose a month's salary gambling at the casino, you would probably see this as a negative outcome. For the casino however it is most certainly a positive outcome. It may even turn into a positive outcome for you if it serves as a cheap lesson to prevent you from gambling in future. Similarly if you spend $400 on a car insurance policy, you don’t need to leave $20,000 sitting in your bank to cover a potential accident and now have the opportunity to put a deposit down on an investment property.

It’s not that simple of course. At the risk of somewhat understating things, we live in uncertain times. Life is changing faster than at any time in recorded history and the only certainty in the 21st century is change. We learn to live with new technologies, strange inventions, frequent career changes, global financial crises, climate change and a raft of uncertainties on a sea of opportunity and crisis.

If the amount of uncertainty is increasing at the same time as our population, technology and global communications, then it follows that the “effect of uncertainty” is likely to increase and we can expect to see this (and I would argue – are seeing this) reflected in the volatility of outcomes. Five years of unprecedented worldwide financial growth was followed by the biggest international financial crisis for decades. Equally in our personal and corporate lives, we live in a time when both hazards and opportunities abound. It has never been so easy to succeed in our objectives nor as easy to fail spectacularly. Organizations and individuals alike face a range of risks from a variety of quadrants and it is no accident that the first international risk management standard came into being in the early 21st century.

As illustrated in Figure 2 (page 19), ISO31000 offers not just a process for risk management but also a number of principles for how to apply it and a framework for implementation. Collectively, these three elements offer the outline of an organizational risk management system. ISO 31000 is a true international risk management standard and fits well alongside other well recognized international standards like the ISO 9000 series of Quality Management standards. This international flavor will be critical for the many organizations operating globally as well as for those that simply need a consistent risk management approach.

Tuesday, March 15, 2011

Why I'm writing this book?

Risk management isn’t especially easy – but it isn’t that hard either. We manage risk every time we cross a road or drive a car, and mostly we do just fine. Such risk management practices are of course a far cry from managing risks for a large organization or for a nation but even so, the processes for managing risk are not that hard to learn. This book is being written to show you, gentle reader, how for minimal investment of time you can do exactly that.

ISO31000 gives us the what to do – but not how to do it. I’ve been doing risk management professionally for a couple of decades now and I’m a big fan of it. Risk management has been an easy target for naysayers and justifiably they can often point to cases where it is either overly complex or ineffective. The title alone of Douglas Hubbard’s book “The Failure of Risk Management” sums up how many people are feeling about risk management following the latest of many financial crises. But popular as this view may be, it’s misguided. Risk management isn’t overly complicated and it hasn’t failed us. We’ve simply failed to apply what we already collectively know about the topic – and I might add have largely failed to build on what we know with sound basic science and research. I wanted to redress this balance and share with you some of the more practical ways that you can apply sound risk management.

In November 2009, around the same time as the aforementioned global financial crisis was starting to really be felt, the International Organization for Standardization (ISO) finally released the long awaited and, in some circles at least, eagerly anticipated first international risk management standard. ISO31000:2009 Risk Management – Principles and Guidelines (ISO 31000) has been developed with the input of subject matter experts from around the world, from a variety of disciplines and industries. The Standard aims to provide organizations with guidance and a common platform for managing different types of risks, from many sources, irrespective of the organizations’ size, type, complexity, structure, activities or location.

But does it succeed in this noble goal? Yes. And no. By the nature of a standard, it has to be brief and widely applicable. But that strength is also its weakness and that’s where this book comes in – the ‘how’ of ISO31000 can’t fit into a single standard. I’ll have the luxury of a lot more pages than the 24 brief pages of ISO31000.

Hopefully I’ll achieve my goal of making risk management more accessible. You be the judge.

Sunday, March 13, 2011

FAQ 2: Some more questions for the doubters...

Is ISO31000 a good risk management approach for me? 
Chances are good that it is. How does a $30 billion organization build an enterprise risk plan that not only works but also is understandable to everyone in the organization? How do you create a risk management framework in a day? It's all here.

Is it just another passing management fad that will be a waste of time? 
Total Quality Management (TQM), 6 Sigma and many more management theories have all come and gone.  Oops, that’s not quite right.  Many of them including TQM, 6 Sigma and project management body of knowledge have come and have been so widely accepted that they are simply part of our modern business landscape.  Like project management or financial management, risk management is a core skill for every manager today and will only become increasingly important as we are challenged to do more and more with less and less. 

Will I have to cram more things into my already busy working day? 
In this book I’ll show you how to seemingly mystically put your finger on the inadequacies of your organization's current risk plan within minutes, how to write a risk plan that will actually get funded and many more time savers. If you need to build a user friendly, scalable risk management framework, would you like to then be able to present it in a way that has the rest of your organization thanking you instead of cursing you? Risk management, when done correctly following a few simple and basic rules, will save you a lot of time.

Is ISO31000 better than the other risk management frameworks?
Strictly speaking, no, it’s not.  There are many reasons, however, for choosing ISO31000 over other risk management tools.  Firstly, it’s an international standard, so it has had a lot of scrutiny and is widely accepted as a robust approach to risk management.  Secondly, it’s a generic standard, so it can be applied to all types of risk, which lets an organization compare and prioritize risks from across the business within one consistent framework: decision makers can rank risks on an apples-for-apples basis.  Thirdly, it has been designed to provide not just a process for risk management but a framework which integrates with other management standards such as ISO9000.  And last but not least, should best efforts fail and for some reason you have to defend your risk management practices in a court of law or the court of public opinion, it will be much easier to hold up an international standard as your approach than to explain and defend a system that you’ve designed from scratch, no matter how great it may be.

Is ISO31000 a process or a framework?
Yes. It’s many things. The process is just one part of ISO31000, but it is often considered to be the strongest and most distinctive element of the standard.  It involves applying logical and systematic methods to help you consider and manage risks. There are many risk management processes already in existence and they all have their respective merits and limitations.  The ISO31000 process is arguably as good as any of them but has the additional benefit of being an international standard. That means it’s transportable across borders, consistent in application and easy to argue in support of when defending your processes to managers, investors or (should the worst happen) in a court of law.  Very briefly, the process can be summed up as: 
communication and consultation
establishing the context
identifying, analyzing and evaluating risks 
treating risks
monitoring, reviewing and documenting risks and risk treatments 
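As an added illustration of the ‘analyzing and evaluating’ steps in that process, here is a small risk register in Python. It is example code written for this page, not anything from the standard or from the book. ISO31000 does not prescribe a scoring scheme, so the 5x5 likelihood/consequence matrix, the rating thresholds, the ‘medium’ risk tolerance and the sample risks are all assumptions made for the illustration. What it shows is why one scale matters: risks from IT security, warehouse safety, finance and a staff picnic land on a single ranked list, and each proposed treatment is checked against the tolerance rather than taken on trust.

```python
"""Added example (not from ISO31000 or the book): a minimal risk register
that scores risks from different parts of an organization on one
consistent scale so they can be compared and prioritized apples for apples.

Assumptions for illustration only: a 5x5 likelihood x consequence matrix,
the rating thresholds in rating(), a tolerance of 'medium', and the
constructed sample risks in SAMPLE_REGISTER."""
from dataclasses import dataclass
from typing import Optional

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
RATINGS = ["low", "medium", "high", "extreme"]  # ordered from least to most severe


@dataclass
class Risk:
    name: str
    area: str
    likelihood: str
    consequence: str
    treatment: Optional[str] = None
    # Expected likelihood/consequence once the treatment is in place.
    residual_likelihood: Optional[str] = None
    residual_consequence: Optional[str] = None


def score(likelihood: str, consequence: str) -> int:
    """Same arithmetic for every risk, whatever the area it comes from."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def rating(s: int) -> str:
    """Map a 1..25 score onto the (assumed) four-band rating scale."""
    if s >= 15:
        return "extreme"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


def evaluate(register, tolerance: str = "medium"):
    """Return the register ranked by inherent score with a decision for each risk.

    Anything rated at or below the tolerance is accepted and monitored.
    Anything above it must be treated, and the proposed treatment is judged
    by whether the *residual* rating comes back within tolerance."""
    rows = []
    for r in register:
        inherent = score(r.likelihood, r.consequence)
        inherent_rating = rating(inherent)
        if RATINGS.index(inherent_rating) <= RATINGS.index(tolerance):
            decision = "accept and monitor"
        elif r.treatment is None:
            decision = "treat: no treatment proposed"
        else:
            res_l = r.residual_likelihood or r.likelihood
            res_c = r.residual_consequence or r.consequence
            residual_rating = rating(score(res_l, res_c))
            if RATINGS.index(residual_rating) <= RATINGS.index(tolerance):
                decision = f"treat: residual {residual_rating} within tolerance"
            else:
                decision = f"treat: residual {residual_rating} still above tolerance"
        rows.append({"name": r.name, "area": r.area, "score": inherent,
                     "rating": inherent_rating, "decision": decision})
    rows.sort(key=lambda row: (-row["score"], row["name"]))
    return rows


# Constructed sample register spanning very different parts of one organization.
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing remote access gateway", "IT security",
         "likely", "major", treatment="patch within 7 days; require MFA",
         residual_likelihood="rare"),
    Risk("Forklift strikes pedestrian in warehouse", "Safety",
         "possible", "catastrophic", treatment="marked walkways; speed limiters",
         residual_likelihood="unlikely"),  # consequence unchanged, so still high
    Risk("Exchange rate moves against fixed-price contract", "Finance",
         "possible", "moderate", treatment="hedge the exposure",
         residual_consequence="minor"),
    Risk("Key supplier becomes insolvent", "Procurement", "unlikely", "major"),
    Risk("Rain on the day of the staff picnic", "Social club", "possible", "insignificant"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(f"{row['score']:>2} {row['rating']:<8} {row['area']:<12} "
              f"{row['name']} -> {row['decision']}")
```

Note that the forklift risk ends up flagged even though a treatment is proposed: halving the likelihood of a catastrophic outcome still leaves it above tolerance, which is exactly the kind of thing a consistent scale makes visible before the money is spent.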

Do I have to be a risk management guru or dedicate my life to risk management in order to be able to use it? 
Not at all. This book is for anyone who is sick of analyzing risk management failures after the fact and would like a simple approach for making better decisions.  Case studies offered here range from planning a staff picnic to enterprise risk management for multi-national corporations. If you're sick of the standard menu of risk management options and prepared to enter a world of plain English risk management that helps you make better use of resources, this book is for you.

Do I have to implement all of it? I just need to do a risk assessment.
No. You can pick and choose from what you need. The objective is to get you started with what you need as quickly as possible and to free up your time for other tasks.  If you want to jump straight in to a section have a look at the Jumpstart Section for suggestions. 

Do I need to be a risk evangelist? 
No. Definitely not. Just take what works for you if and when you need it.  The stuff in here will work whether you are passionate about it or not.  It’s just another perspective on business, and fundamentally risk management is just about making better decisions faster.  That’s it in a nutshell.

Do I need to apply it across the whole organization? 
No. 
ISO31000 (or any form of risk management) can be applied to the entire organization (that’s called enterprise risk management) or you can simply pick and choose where and how you want to apply it.  It can be used in a workgroup, a project, across a division or simply for specific functions, areas or activities. 

Friday, March 11, 2011

FAQ – ISO31000 Doubters Read This

The fact that so many nations have worked on the development of ISO 31000 gives it great credibility. The standard will provide a vehicle for the risk profession to harmonize concepts, irrespective of the country. It will overcome confusion and help stakeholders to understand the risks that are being communicated. 
– Peter Janus

I first came across ISO31000 in 1999.  Or more correctly I should say that I came across its predecessor, AS/NZS4360:1999 Risk Management Standard.  I was working in security risk management at the time and consulting to a company that had just adopted AS4360 as its risk management process.  I was asked to do a security risk assessment for my client’s hydrocarbon production facility in accordance with 4360.  That seemed like a reasonable enough idea but frankly, I was skeptical that one risk standard could work for all types of risk.  Surely, I thought, risk management for financial portfolios is different from risk management for security issues, which is different again from engineering, project management, safety and health, etc.?  So many uniquely different types of risk management for each specialized field; how can they all be addressed by one very short standard?

But do it we did, and in the process I became a convert to the process that is now enshrined in ISO31000.  Before I sing the praises of the standard, let’s go back to basics for a moment and answer the question of why we even need a standard.  Surely there are any number of ways to do risk management?  Yes.  There are.  And that’s why we need a standard: so that organizations have a consistent approach that enables ‘apples for apples’ comparison when assessing which risks and which divisions need the most resources, and equally so that individuals, once skilled in that single approach, can hit the ground running and quickly adapt it to any organization or circumstance they find themselves in.

To be fair, if you’re anything like me, you probably find standards pretty dry reading.  ISO31000 is no exception to that fine principle. That’s not a criticism of the standard but simply reflects the reality of building a generic standard that will work for any organization.  For very good reasons, it is deliberately generic and this is one of its strengths – and one of its weaknesses.

Here are some of the most common doubts that people have before engaging with risk management and indeed some of the questions you may be considering while you decide if this book is for you.

Why invest in risk management?
At its simplest, risk management is about making better decisions faster.  There are any number of models and systems promoted by management consultants and the like which seem determined to make risk management into some sort of self-licking ice-cream.  The goal of risk management isn’t risk management per se, but to support organizational (or indeed individual) objectives.  Good risk management practices can help you to optimize the application of finite resources to achieve objectives.
ISO31000 has a longish list of ‘why apply risk management’ in its introduction which I don’t propose to repeat here.  If you asked me, however, to sum up the objectives and benefits of risk management, these are the key points I would address:

  • Better information for decision making
  • Improved service delivery, reporting systems, outcomes and accountability
  • Optimization of limited resources
  • Protect the organization’s people & assets
  • Provide stakeholder confidence
  • Opportunity realization

The ‘last but not least’ on this list is one area that is often overlooked.  Risks can have benefits as well as costs and the same processes that can avert misfortune can bring good fortune.


Wednesday, March 9, 2011

The 'Answer' to the Problem with Risk Management

This is a follow on from my previous article: "The Problem with Risk Management".

The reason we are so collectively poor at judgment and decision-making when it comes to complex risks is a variety of hardwired biases or heuristics.   I hasten to add that these heuristics are not actually a bad thing. They can be incredibly valuable if, for example, a car mounts the curb and careens towards you. You don’t want to pause to calculate trajectories and options. No, you want the simple rule that says “big thing coming at me fast is bad!” and the response that says “jump!”

One example of a bias that works against us with more complex risks is the ‘availability heuristic’ whereby people predict the frequency of an event based on how easily an example can be brought to mind. Essentially it operates on the notion that "if you can think of it, it must be important."   That’s great when our ancestors regularly saw snakes in the wilderness. In the 21st century however, after weeks of watching the twin towers collapse and years of political rhetoric about the war on terror, people have been conditioned to fear terrorism and to see it as a much greater risk than it actually is.

The media play a big part in this. They don’t report deaths due to diabetes, heart disease or motor vehicles simply because they are so commonplace. Events like homicide and airline accidents are rare but spectacular so they get reported. It’s ironic but the rarer the event, the more we see it so the more common we believe it actually is. A classic instance of biased risk ratings is the fear and relative overestimation of the risk of flying compared to driving even though motor vehicle fatalities are much more common than plane-crash fatalities. Equally, studies show that people rate the chance of death by homicide higher than the chance of death by stomach cancer, even though death by stomach cancer is five times higher than death by homicide. Commonplace deaths such as medical errors and road accidents are not newsworthy and as a result don’t get a chance to trigger our availability heuristic even though medical errors are potentially the third leading cause of death in the United States.

We have a range of other equally impressive biases. ‘Optimism bias’ is the belief that we'll do better than most others engaged in the same activity, and it goes some way to explaining why we think that car accidents are more likely to happen to ‘other people’. A classic example was a university study which asked students which of 18 positive and 24 negative events (e.g. getting a good job, developing a drug problem) were more likely to happen to them and to others. On average, students considered themselves 15% more likely than others to experience positive events, and 20% less likely than others to experience negative events.

We also have a ‘control bias’, where people are more likely to accept risks if they feel they have some control over them, driving being one common example.  We are also especially attuned to risks involving people and small children, with little regard to how likely they actually are.  The ‘affect heuristic’ says that an overall good feeling toward a situation leads to a lower risk perception, and an overall bad feeling leads to a higher risk perception, which helps people underestimate risks for actions that have some ancillary benefit (e.g. smoking, skydiving).

In short, we are a bundle of biases and it’s amazing that we have any conscious understanding of risk at all.  I’ll talk more about these biases and what to do about them in Section 7.16 Human Error and the Psychology of Risk, but for the moment suffice to say that our limbic system, operating at an unconscious level, is what determines how we ‘feel’ about risks and, most of the time, it drives our behaviours. Although reliance on affect and emotion is a quicker, easier and more efficient way to navigate a complex, uncertain and sometimes dangerous world, there are many decision-making circumstances in which there is no substitute for deliberation and analysis.

If we can collectively learn to improve, however slightly, the way our two risk management brains interact, even that slight improvement in how we allocate funding is likely to vastly improve organizational performance, societal health, longevity and wellbeing. In order to do this, however, we need to understand the issues and have the right tools for the job.  Hopefully this book will go some way towards helping you, as a manager or a risk professional, to bring amygdala and neocortex into alignment.

Tuesday, March 8, 2011

The Problem With Risk Management

The menace of global terrorism has been labeled the greatest threat to western civilization since communism and yet swimming pools, peanuts and lost deer kill more Americans every single year. 
Paul Joseph Watson

Risk management in the 21st century isn’t working. Given the issues I’m about to describe, it’s more amazing when we get risk management decisions right than when we get them wrong. The problem with risk management per se isn’t our risk management systems; it’s the squishy organic bit in the systems. The human being, to be exact, and to be even more precise, the human brain, which causes most of our trouble with managing risks in this complex world of ours.

I’m not suggesting that it was always thus. Once upon a time we lived in small communities where the biggest risks we faced were which food was safe to eat and which animals looked upon us as food. Over the many millions of years that our ancestors lived like this, we developed a wonderful risk management system. It’s known colloquially as the ‘fight or flight’ response. Originally described by the great Harvard physiologist Walter Cannon, this response is hard-wired into our brains and represents a genetic wisdom designed to protect us from harm. The response mechanism lives in an area of our brain called the hypothalamus, which when stimulated initiates a sequence of nerve cell firing and chemical release that prepares our body for running or fighting. So far so good. An ideal system for defending ourselves and our clan from attack or avoiding the sabre-tooth tiger.  The hypothalamus is triggered by the amygdala, a part of the limbic system which in turn is responsible, among other things, for the processing and memory of emotional reactions.  It’s only the size of an almond, and yet it has the ability to mobilize the entire body with its stored impulses.

Unfortunately for the amygdala, we live in a vastly more complex world than that of our hunter-gatherer ancestors. We drive cars, operate computers, ingest artificial carcinogens and face issues of international terrorism, climate change, balancing healthcare budgets, investing in education and many more risks which the limbic system simply isn’t equipped to face.  Luckily we have been developing another risk management system in parallel to that ancient fight or flight response.  It’s called the neocortex, and it is well suited to the complex analysis, logic and statistical modelling that we need to deal with modern risks.  Sadly, in its greatly expanded human form the neocortex is only a few million years old and is still basically in the equivalent of beta testing.

Now if both these parallel systems played together nicely we wouldn’t have a problem. The sad fact is that they generally don’t. The ancient system (let’s call it ‘feeling’), where we make decisions based on emotion, sits deeper in the brain and it’s fast, fast, fast at making decisions and reacting. The neocortex (let’s call it ‘reason’) needs data and time to make an assessment and is generally a more complex piece of work.  ‘Feeling’ is therefore in pole position to hijack the workings of our mind and take over our risk management decision-making, and usually it does. Even for risk professionals, using ‘reason’ to assess risks takes training and discipline. In a nutshell, when it comes to risk management, it turns out that we make most of our decisions based on emotion rather than being the nicely logical beings that we would like to think we are.

Not convinced yet?  OK then. Why do polls regularly show that people are more scared of terrorism than heart disease when heart disease kills roughly 1,000 times more people per year?  It is the conflict between these two risk management systems (head and heart) that explains why most people are more scared of sharks than diabetes, despite diabetes killing approximately 75,000 Americans per year and sharks having killed 50 Americans during the past 339 years!

If it were just a matter of being scared of going into the water we probably wouldn’t really care.  But it’s more than just an aversion to swimming. Big decisions get made on small issues, and our political leaders have learned to exploit our fear-based decision making to garner support for their preferred initiatives. To be fair to our leaders, they are somewhat stymied in their ability to fund the right initiatives by most people’s difficulty in understanding the true risks.  Sadly, as a result there is public support for spending trillions of dollars and countless lives on initiatives such as the ‘war on terror’ yet little if any support for prevention of heart disease, road safety, disaster management and a multitude of other issues that are manifestly more significant.

Have a look at my next article for 'the answer to the problem with risk management'.

Monday, March 7, 2011

Jumpstart your risk management efforts with practical tips that save you time, effort and money…

I have a confession to make…  I want to change the world and I want to do it with risk management.  We waste too many resources, damage our environment and put too many people’s lives at risk due to poor judgment and inappropriate resource allocation.

This book and others to follow are the way in which I would like to change the world, if only ever so slightly, and if they help people to make better risk-informed decisions then I will be happy to have contributed.