Saturday, April 30, 2011

5.3.2. The external context – what’s outside the door?

ISO31000 includes an important step for 'Establishing the External Context' and suggests some of the issues that are important. With with a scant 125 words however, it doesn't really tell us much about what that might look like. So that's where this article comes in.

Establishing the external context starts with a broad scan of the external environment with a specific focus on those factors that could effect the organization or are otherwise related to the organizations activities and objectives. And it’s not a one-time process - organizations need to constantly monitor the external environments as well as the agendas and views of external stakeholders. One useful tool or prompt for analyzing the external context is a tool referred to as PESTLE.

PESTLE is an acronym for Political, Economic, Societal, Technological, Legal and Environmental factors. PESTLE analysis allows the external environment to be investigated systematically by use of an easy to apply acronym. It’s not overly concerned with an organizations internal context nor it’s strengths and weaknesses. Important though these are, they are covered in the Internal Context phase.  It can be used in a variety of ways but one simple approach is to start with a bullet point list around the following factors, which you can then develop them into a narrative.  For a larger risk assessment it may even be appropriate to use each of the following as section heading:

  • Political factors are the extent to which governments or political influences are likely to impact or drive global, regional, national, local and community trends or cultures.  They can include political stability, foreign policy, trade practices and industrial relations. 
  • Economic factors include global, national and local trends and drivers, financial markets, credit cycles, economic growth, interest rates, exchange rates, inflation rates and cost of capital.
  • Societal factors include culture, health consciousness, demographics, education, population growth , career attitudes and emphasis on safety. 
  • Technological factors include computing, technology advances or limitations, artificial intelligence, robotics, automation, technology incentives, the rate of technological change, research and development, etc
  • Legal – Legislative or regulatory issues and sensitivities 
  • Environmental factors include global, regional and local climate, adverse weather, natural hazards, hazardous waste and related trends 
For those of you not familiar with PESTLE analysis, a simple example of a basic PESTLE for a resources company operating in the mythical land of Panaland, might look something like the following table.

External factors
Media and intelligence reports indicate civil war is likely if the general elections do not go well
Civil war would increase our security costs and potentially lead to cessation of operations
A change of government by force may nullify our existing mining leases
The handling of the election by the UN will largely determine the potential for civil war
The organization has influential relationships with the existing government but limited relationships with the opposition party
Gold price is increasing
Operating costs remaining steady
Profitability is likely to increase, allowing further exploration for additional resources this year
Gold price is inversely linked to global financial markets
Cost of labor & fuel need to remain steady
Education, healthcare and income for local populace is generally improving
Cost of labor may increase however availability of skilled labor is showing a corresponding increase.
Political stability will be the key dynamic to increase the supply of skilled labor
Communication infrastructure in Panaland has grown exponentially in recent years with mobile telephony and 3G internet now widespread
This is likely to reduce operating costs in the field and improve safety significantly. It also allows us to deploy a number of additional technologies for advanced field analytics.
The timing or delays of mobile phone towers in our lease area will be the key determinant of our benefit from these technologies.
Legislative changes planned for the mining act this year.
Corruption continues to be widespread
It is likely that the changes to the act will involve additional costs for the organization.
As the company grows we are increasingly a target for a) demands for bribes and b) scrutiny by legislators and shareholders.
Any legislative changes are likely to be dependent on the outcomes of the election.
Poverty and low public service wages are the key drivers of corruption in Panaland. Any changes in these are likely to correspondingly effect our ability to operate.
Panaland has limited environmental legislation however XYZ is a global operator and environmental protection compliance legislation continues to increase.
XYZ operations in all countries need to meet minimum standards for environmental compliance globally.
This is likely to necessitate additional budget for monitoring and compliance, and may also require additional budget for operating changes.
Global environmental awareness and demands for higher standards are likely to be driven by the G8 nations.

It can also be useful to draw up a list of the key factors in each category, consider their implications for the organization and then consider the following dynamics using the RUSE model:

  • Relevance: Will they become more or less important over time?
  • Urgency: Will they impact in the short-term, medium-term and/or long term?
  • Significance: How critical are they to the organization
  • Effect: Will they have a positive or negative impact on the organization?

Depending on your context and the nature of the organization, another model, which might be worth using for detailed context studies, is VUCA. VUCA is an acronym used to describe or reflect on the volatility, uncertainty, complexity and ambiguity of general conditions and situations. The term VUCA came into use in the late 1990s in the military and has been subsequently adopted in strategic leadership. One way to phrase the questions would be:

  • Volatility. How volatile is our current situation? What are the nature and dynamics of change, and the change catalysts that effect our organization?  What is the nature and speed of  those change forces?
  • Uncertainty. How much predictability do we have and in particular which areas of our business have the least levels of certainty? What issues around lack of predictability, the prospects for surprise, and the sense of awareness and understanding of issues and events should we be concerned about?
  • Complexity. How complex is our context, our business model and the environment we operate in? What are the multiplex of forces, the confounding of issues and the chaos and confusion that surround our organization?
  • Ambiguity. What level of ambiguity are we facing now or in the future? In what areas are we facing them and how are they likely to effect us?  Specifically, what are the key issues around any haziness of reality, potential for misreads, or mixed meanings of conditions and cause-and-effect confusion?

These elements can help us understand the context in which organizations operate and in particular their current and future state. Used as discussion or analysis questions, they provide not only a better understanding of the current environment, but can offer insights into to how people view the conditions under which they make decisions, plan forward, manage risks, foster change and solve problems. In particular, it can help people:

  • Anticipate the issues that shape conditions
  • Understand the consequences of issues and actions
  • Appreciate the interdependence of variables
  • Prepare for alternative realities and challenges
  • Interpret and address relevant opportunities

There are obviously any number of ways to analyze external context so I'm not by any means suggesting that PESTLE, VUCA or RUSE are the only, or even the best way, to do so.  You might for example, choose to simply include a few paragraphs, or even a longer discussion much like the following example.


External Context

XYZ Organization (XYZ ), based in Panaland is a 100% owned subsidiary of the UK based, ABC Megagroup Ltd.  The principal activity of XYX is mining and exploration for minerals in a lease area in western Panaland.

 Figure 1: Map of Panaland

The United Republic of Panaland comprises approximately 245,087 km² in central America bordered by Gonga Gonga to the north, Dirkistan to the west, and Zamawi to the south. The country's eastern borders lie on the Deepblue Ocean.  

Shortly after achieving independence from Chipan in the early 1860s, Panaland established a one-party political system which came to an end in 1985 with the first democratic elections held in the country since the 1770s. Panaland has a five-level judiciary combining the jurisdictions of traditional and British common law. 

The population of Panaland is approximately 38,000,000, with an estimated growth rate of 2 percent. Population distribution is extremely uneven, with density varying from 1 person per square kilometer to 81 per square kilometer in the mainland's well-watered highlands, to 134 per square kilometer in the capital city region. More than 80 percent of the population is rural. Sydbourne, the largest city is the commercial centre, seaport and the new capital.

The economy is mostly based on agriculture, which accounts for more than half of the GDP, provides approximately 85 percent of exports, and employs 80 percent of the workforce. Topography and climate, though, limit cultivated crops to only 4 percent of the land area.

Panaland has significant amounts of natural resources including gold, diamonds, coal, iron ore, uranium, nickel, chrome, tin, platinum, coltan, niobium and natural gas. It is the third-largest producer of gold in the Americas after Gonga Gonga and Lawali. Lack of infrastructure and development has hampered the extraction of these various resources however efforts are being made at the national level to address this.

Panaland is part of the American Economic Community.  Recent public sector and banking reforms, and revamped or new legislative frameworks have all helped increase private-sector growth and investment. Short-term economic progress also depends on curbing corruption and cutting back on unnecessary public spending.

According to the Transparency International Corruption Perceptions Index, Panaland at a ranking of 126 is the least corrupt country in Central America with a corruption incidence of 17.8%. 
Prolonged drought during the early years of the 21st century has severely reduced electricity generation capacity as the majority of Panalands electricity supplies are hydro-electric. Plans to increase gas and coal-fired generation capacity are likely to take some years to implement, and growth is forecast to be increased to seven per cent per year.

Health and sanitation are ongoing issues in Panaland where malaria is the leading cause of death in children who survive the neonatal period and HIV/AIDS is the leading cause of death in adults.

Thursday, April 28, 2011

5.3 Keeping it in context

For me context is the key - from that comes the understanding of everything."

Kenneth Noland

Risk Management, like any other discipline, needs to be considered within the context in which it is applied.  'Establishing the context' sounds complicated but if you break it down into a series of logical steps, it simply involves understanding the background of the organization, the operating environment and the underlying drivers which effect the organization. Nothing too frightening in that hopefully. 

What it aims to provide is an appropriate appreciation of the factors that may influence the ability of the organization to achieve its objectives, and to what extent they are influences. The output from this step is a statement of the organizational environments, influences objectives and criteria for success.  It defines the scope and objectives for any risk management study, and is fundamental to setting the stage for all that follows.

It's easy to try to shortcut this process but failing to fully understand the context  fundamentally flaws the quality of the any risk analysis and treatment. Broken down to it’s fundamentals, the objective of understanding the context is to:
  • Determine and document the environment in which the organization operates 
  • Determine and document the key drivers in that environment
  • Clearly articulate the organization’s objectives
  • Define tolerances and criteria against which risks will be measured
  • Specify scope and objectives for risk management, and the outcomes required
  • Define a set of key elements for structuring the risk identification and assessment process.
A point worth highlighting in this search for meaning, is that although humankind has responded to uncertainty for millennia, risk based decisions made today are unlikely to remain valid for as long as the same decisions would have been 100 years ago.  We accordingly need to take a big picture view of the context, and search far and wide, rather than simply looking at the obvious.  ISO31000 addresses this by looking at four elements of the context and these are what we'll look at in the next articles:

Sunday, April 24, 2011

A risk by any other name...

"Most controversies would soon be ended, if those engaged in them would first accurately define their terms, and then adhere to their definitions."
Tryon Edwards

Defining 'risk' should be a relatively simple matter. Despite this, it remains a contentious aspect of risk management, and represents one of the more significant differences between the various disciplines, standards and methods of risk management.  Personally, I like the ISO31000 definition of risk which is the “effect of uncertainty on objectives” because it is succinct and includes the concept of desired and undesired outcomes. 

Positive and Negative Outcomes of Risk?
For the sake of completeness, it’s worth looking at a couple of other definitions. One of the areas which is becoming less contentions, but is still not universal, is the question of whether risk includes both positive and negative outcomes so let's look at this question first. 

According to OHSAS 18001:2007, “Risk is Combination of the likelihood and consequence(s) of a specified hazardous event occurring.”  The New Oxford American Dictionary defines it as “a situation involving exposure to danger” while ‘AS9100 Revision C Aerospace and Defense Quality Standard’ defines risk as “An undesirable situation or circumstance that has both the likelihood of occurring and a potentially negative outcome.”   and the International Aerospace Quality Group define risk as “a measure of future uncertainties in achieving program performance goals within defined cost and schedule constraints. It has three components: 1. a future root cause, 2. a likelihood assessed at the present time of that future root cause occurring, 3. the consequence of that future occurrence.” 

The above definitions are how we typically perceive risk. But are they right?  Not in my opinion, nor in the opinion of the subject matter experts who signed off on ISO31000. Risk definitely involves exposure to negative outcomes, however it’s all but impossible, to imagine a scenario where a risk doesn’t also offer benefits.  If, for example, you lose a months salary at the casino, you would probably see this as a negative outcome but for the casino, the same event is a positive outcome.  It may even turn into a positive outcome for you if it serves as a cheap lesson to prevent you from gambling in future.   We could debate this concept but instead let’s take a look at the issue through the lens of some scenarios. 
  • Scenario #1: Ian, a professional soldier and friend of mine, works for private military company’s (PMC) in a variety of war zones. He undoubtedly takes risk and puts himself into “a situation involving exposure to danger” but is that the end of the story?  No. Not by a long shot.  Ian who has a PhD and was a senior staff officer in the Australian Army takes home a very significant pay packet which helps him put his kids through school and save for university. He also uses his considerable skills to bring peace to conflict regions and his intelligence analysis helps saves the lives of combatants and non-combatants alike. Ian also gets a lot of ancillary benefits like travel, adventure and camaraderie among his peers.
  • Scenario #2: Michelle travels overseas regularly for business and often to dangerous parts of the world.  Her employer spends a lot of money putting in place measures to protect her while there. Are they addressing risk? Yes, of course. But they are spending that money on security to achieve a benefit. Without the security measures put in place the organization couldn’t achieve it’s core mission to “help Australian businesses of all sizes, across all sectors, to succeed in international trade and investment”. And without the risks that Austrade takes, the Australian community would in turn receive much reduced economic benefits.
  • Scenario #3: A gambler puts $135,300 down on ‘red’ at the roulette table. Ashley Revell, a 32-year-old Londoner, sold all his possessions and stood in a rented tuxedo on Sunday 11th of April 2004 surrounded by family and friends to bet everything on a single spin of the roulette wheel. The ball landed on red 7 and he walked away with $270,600.  He took a risk not because he wanted to be exposed to danger but because he wanted to be exposed to opportunity. Equally, the casino was working on the same basis. Risk may not be a zero sum game but in this (unusual) case the casino was on the negative consequences (losing) side of the equation.
  • Scenario #4: Two hijacked aircraft fly into the World Trade Centre towers. Although, a tragic event with massive negative consequences, it also brought a range of positive outcomes to some groups, not least of all being enormous profits to the defense industry.  Some of the definitions provided above also include the concept that risk involves “a specified hazardous event occurring” which is something I would take issue with. A risk doesn’t have to be identified for it to exist.  The 9/11 attack is just one of many instances where risk existed but wasn’t specifically identified until after the event.
Including both desirable and undesirable outcomes makes our use of the word ‘risk’ slightly different from it’s common usage in the community and leaves it open to the criticism that only risk professionals use in this way.  This is a fair comment but it overlook two key issues:
  • ISO 31000 was written for risk professionals; and,
  • There is no risk that does not have both positive and negative outcomes.
An increasingly large number of standards are adopting the concept of positive and negative consequences.
  • A possible occurrence which could affect (positively or negatively) the achievement of the objectives for the investment.”  (Risk Analysis & Management for Projects - RAMP)
  • An uncertain event or set of circumstances that should it or they occur would have an effect on achievement of one or more project objectives.” (APM Body of Knowledge)
  • An uncertain event or condition that if it occurs has a positive or negative effect on a project’s objectives.” (A Guide to the Project Management Body of Knowledge)
All of these are fine in their own way but the wonderfully succinct ISO31000 definition sums up the same principles in just five words.

Is There Risk Without Objectives?
One other key element in the above definitions and the ISO31000 definition is the use of the word ‘objectives’.  To my mind, without objectives, there is no risk. OK, that’s semantics to a certain extent, but by way of example lets consider the risks associated with cancer or earthquake (and yes, by themselves they are 'events' not 'risks' so let's consider the risk of dying at the hand of those events):
  • An earthquake cannot hold any risk for me if I don’t have the objective of living a long injury free life (equally if keeping my house intact isn't an objective of mine then there is no risk in that regard).  
  • Equally if I contract cancer but have no concern about living or dying, cancer is just an event for me not a risk.    
Sure they can have consequences and we can calculate probabilities, but they are measures of risk – not risk, per se.  You might argue that my being injured in an earthquake is material, but if I don't care, then it’s probably only material to my family or external observers.  By way of example,  we can measure the likelihood and consequence of a leaf falling from a tree. But is it a risk for the leaf? Perhaps it's a risk for me if it covers my lawn and I have to rake it up. Sure there is 'risk' but... if there are no objectives (like me keeping my lawn clean) then let's not call it a risk. It's just an event -  and therefore, outside our sphere of concern. This might sound slightly pedantic, but the terminology is critical to getting traction in risk management.

Tuesday, April 19, 2011

Some favourite quotes on risk management

  • Success is 99 percent failure”  Soichiro Honda
  • Experience taught me a few things. One is to listen to your gut, no matter how good something sounds on paper. The second is that you're generally better off sticking with what you know. And the third is that sometimes your best investments are the ones you don't make.” Donald Trump 
  • "We have no future because our present is too volatile. We have only risk management."  William Gibson (Pattern Recognition)
  • "Plans based on average assumptions are wrong on average."  Sam L. Savage
  • Playing it safe is the riskiest choice we can ever make.” Sarah Ban Breathnach
  • "Faced with the choice between changing one's mind and proving that there is no need to do so, almost everyone gets busy on the proof."  John Kenneth Galbraith
  • "It’s impossible that the improbable will never happen." Emil Gumbel (Il est impossible que l’improbable n’arrive jamais, in Statistics of Extremes, 1958.)
  • "The most important questions of life are indeed, for the most part, really only problems of probability." Pierre-Simon Laplace (Théorie Analytique des Probabilités: 1812)
  • "To be alive at all involves some risk." Harold Macmillan
  • "The first principle is that you must not fool yourself, and you are the easiest person to fool." Richard P. Feynman, Nobel Prize–winning physicist
  • Every model is wrong, but some are useful.” George Box
  • "Do as little as needed, not as much as possible." Henk Kraaijenhof
  • "Named must your fear be before banish it you can." YODA, from Star Wars: The Empire Strikes Back
  • Anticipate the difficult by managing the easy”  Lao Tzu
  • If you do not change direction, you may end up where you are heading.”  Lao Tzu
  • "All courses of action are risky, so prudence is not in avoiding danger (it’s impossible), but calculating risk and acting decisively. Make mistakes of ambition and not mistakes of sloth. Develop the strength to do bold things, not the strength to suffer."Niccolo Machiavelli, The Prince
  • "If you don’t make mistakes, you’re not working on hard enough problems. And that’s a big mistake." —Frank WIlczer 2004 Nobel Prize winner in physics 

Sunday, April 17, 2011

The CASE for risk identification

“The first principle is that you must not fool yourself, and you are the easiest person to fool.”
Richard P. Feynman, Nobel Prize–winning physicist

Not long ago, I was invited to facilitate the review and update of a risk management plan for an IT project that had been running for a number of years. You might be forgiven for thinking that a $120-million program would be well documented, and that my job would be relatively straightforward. My first clue that this was not the case was when I reviewed the documentation and discovered that the project was currently in Year 12 of a 10-year project and had at least three more years to run. The second clue that things were not well was that I was invited to facilitate a risk management workshop with just a few days' notice.

Surprisingly for a project which had been running so long, there was a complete lack of concurrence by workshop participants regarding even basic things, such as the risk ratings that had been previously assessed for the project. Quite simply, the risk registers comprising some 300 risks were unworkable, not only in quantity, but in the quality of their descriptions. The project risks had been described using terms such as "procurement," "shortage of skilled labor," and "cost overruns." These terms reflected some very real risks, but you simply can't address a risk like cost overruns unless one knows what might cause it and the "so what?" factor. Thus, I went back the next day to the client to negotiate a change of scope to completely revise the risk register before running the rest of the planned workshops.

For the want of a shared understanding
The challenge faced by the project stakeholders in trying to agree on risk ratings and risk treatments was akin to someone trying to assess and manage the risks associated with the "war on terror". Everyone has their own concept about what terrorism means, so asking a group of 10 people to rate it, or treat it, is likely to result in 10 different ratings and even more treatments. To achieve a degree of consistency one must, at the very least, be specific about what type of terrorism one is concerned about before one can hope to assess, much less mitigate it. Consider the terrorism risks in the following examples:

  • Religious fundamentalists seeking to inflict maximum loss of life to gain international publicity and leverage for their cause with no fear of sacrificing their own lives.
  • Environmental activists in inflatable boats seeking maximum media attention through minor acts of sabotage with minimum personal risk and no loss of life.
  • Local right-wing thugs seeking to incite fear by committing assaults and arson on properties owned by immigrants.
  • Sarin attacks in the subway by religious sects with unstated objectives.

As you can see from the above examples, the so-called risk of terrorism can actually be multiple different risks with correspondingly different likelihoods and consequences.

The actual CASE methodology
So how do we actually record a risk in a way that everyone can reach some sort of agreement on its severity or relative priority? The most consistent way I know is to use a method that I call the CASE risk identification tool. CASE comes from the following four characteristics discussed in analyzing a risk:

  • Consequence: What is the likely impact of this risk?
  • Asset: What asset(s) are actually at risk?
  • Source: What are the hazards or threat actors that might lead to the risk manifesting?
  • Event: What particular type of incident is being considered?

Why do you need these four items to define a risk statement? Let's look for example, at the risk of compromise to sensitive information. It's difficult to analyze and rate this risk if we only have the event and the asset listed. Consider the following examples and how you might rate theses risks to your organization:

  • industrial espionage by competitors
  • theft by criminals seeking to sell it back to you
  • theft of a briefcase from a car by petty criminals
  • staff inadvertently releasing sensitive information to the corporate website.

The consequences of each of these would vary quite considerably and so too would the likelihood of the risk occurring.  This in turn would affect the risk rating and the risk treatments that you would use to address them. Consider however just how much easier it is to assess the risks if they were written to include CASE:

  • Financial loss (Consequence) due to espionage (Event) by competitors (Source) resulting in reduced profits (Asset).
  • Failure to protect information (Asset) in transit from theft (Event) by opportunistic criminal activity (Source) resulting in adverse impact on reputation (Consequence).
  • Compromise of sensitive information (Asset) due to untrained staff (Source) bypassing controls and inadvertently posting files to corporate website (Event) resulting in competitive disadvantage, reputation damage or financial loss (Consequence).

Is it complicated?
At first glance, it may appear challenging to use CASE to define risk, but it can be done in a sentence or two. The easiest way I know to build a list of risks in a systematic way is to put the into an Excel spreadsheet and use drop-down menus to limit the options. For example, you might want to limit the potential consequences to some key categories:

  • People
  • Information
  • Property
  • Financial
  • Reputation
  • Capability 

The light yellow cells are the data entry areas and blue cells are used to select risk ratings (eg: from a risk matrix). Putting this spreadsheet up on a data projector makes running a risk workshop to compile risks, very fast and transparent.   I've also used this approach in Excel to automatically generate an initial written risk statement.

If there's interest, I can put this Excel document up on a website to download but if you'd like to know how to do this yourself, just create the above cells in Excel and put =E2&" loss due to "&B2&" by "&C2&" leading to compromise of "&D2&"." into Cell 'I2' you will see the following risk statement generated: "Financial loss due to Espionage by Competitors leading to compromise of Information."  You would probably want to tidy this statement up a bit in the final report but it's one way to speed things up.

Need some more examples of other types of risk?

  • Financial loss (Consequence) associated with collapse of international property development portfolio (Asset) due to foreign currency fluctuations (Event) as a result of global financial crisis (Source).
  • Loss of life (Consequence) of personnel (Assets) due to improvised explosive device attack (Event) by terrorists (Source).
  • Loss of income (Consequence) due to non-availability of personnel (Asset) as a result of injuries flowing from under-reporting of hazards (Event) caused by lack of training in hazard reporting procedures (Source).

Opportunity realization
The same structure can be used to describe positive risks:

  • The business case analysis shows a potential net present value of $1.2 million financial benefit (Consequence) if we tender (Event) the facilities management contract (Asset) in the open market (Source) this year.
  • Market research indicates that opening a branch office (Event) in the European market (Source) has potential to increase profits (Asset) next year by 25 percent (Consequence).
  • The internet (Source) marketing campaign (Event) is expected to deliver a 30-percent (Consequence) return on equity (Asset) within two years.
The above examples present information in a way that helps facilitate meaningful discussion by creating a shared understanding of what is actually being discussed.

Another great use for CASE
Another great use for CASE is to evaluate someone else's risk assessment by testing the quality of risks identified against the CASE criteria. You'll be able to spot and point out any flawed risk descriptions or shoddy analysis at a speed that will be the envy of your colleagues.

And as for the IT project I mentioned earlier? The proposed "quick risk review" took slightly longer than expected. Before running any more risk review workshops I sat down with a couple of stakeholders to rewrite the risks into about 50 succinct descriptions. Once that was done, the subsequent workshops easily and quickly achieved consensus on risk ratings. The updated treatment plan that resulted from those workshops helped get the project back on track by refocusing on key initiatives and allocating resources where they were needed most. Had we not re-written the risks in CASE format, it is likely that the workshops would have been taken over with debate on the meaning and rating of each risk; with little benefit to the project.

Friday, April 15, 2011

The Four Dimensions of Risk

On a long enough timeline, the life expectancy of everyone drops to zero.” 
Chuck Palahniuk (Fight Club)

In a previous article, we talked about the four things that we trade-off when managing risk.  In this article we will look at the qualities which we can use to quantify risk. Although we typically measure risk in terms of likelihood and consequence, these are not the only dimensions that we need to consider. Life in the real world is rarely that simple. Without limiting our assessment to a timescale, likelihood and consequence are of little help.

The likelihood of an earthquake in Japan or a massive drop in the Dow Jones Industrial Average is basically 99.9999% unless we include time constraints. Let’s face it, sometime in the next 1,000 years or so, such events are virtually inevitable. The virtual certainty of an earthquake in Japan however, fits neatly into the category of “true but not helpful”.   What we really want to know is the likelihood and consequence of a particular event happening, during a particular timeframe, if we undertake the activity in question 'n' times. To get a better insight into this we could consider the ‘quadruple dimensions of risk’ to be:

  • Consequence – what impact could occur 
  • Likelihood – what is the probability of the impact occurring 
  • Time – what is the timeframe over which the risk could occur 
  • Incidence – how often do we undertake the activity 

These four parameters change everything.  Hence the better question to ask is:

  • What is the probability (LIKELIHOOD) 
  • of a level 7 or greater earthquake affecting our people (CONSEQUENCE)  
  • in Japan during the next four years (TIME) 
  • if they make four trips per year of one month per trip (INCIDENCE).

Another more pertinent risk question might be phrased as follows:  “What is the chance (LIKELIHOOD) of dying (CONSEQUENCE) in a car accident during my lifetime (TIME) if I make 10 motor vehicle journeys per week (INCIDENCE)?
Four Dimensions of Risk

In the above diagram, the level of risk could be considered to be the volume of the pyramid. If we increase any one of these four elements, the overall level of risk increases. Although adding complexity that is unwarranted in many risk assessments, consideration of their magnitude is very significant to the results we generate. For example, although we can calculate the average risk for any given member of society dying in a car crash, it is still highly variable if someone drives twice a year versus twice a day.  Equally, a teenager is statistically much more likely to die behind the wheel in the next twenty years, than an octogenarian who has only two more years of life expectancy.

As a final thought, even if you are unable to consider all these variables, you need to be explicit regarding timeframe.  Including a statement such as: “This risk assessment considers the likelihood of identified risks occurring during the following twelve months.” in the Scope section will add clarity to your analysis.

Thursday, April 14, 2011

What's wrong with our Risk Management Policies?

"Without clearly defined objectives ... there is arguably no business case to justify resources in support of risk management activities."

It should be no surprise that a clear, well written risk management policy is an essential part of any risk management framework. It establishes the foundation and mandate for implementing risk management within an organization.   Ideally, it should be a succinct document reflecting the context of the organization and written in a style which can be easily understood and applied.

If you cover just 9 simple points you'll end up with a great Risk Management Policy. I guarantee it. Consider this if you will, the dummies guide to risk management policies (or for any management policy for that matter):

  1. Policy – what is the course, principle action or commitment adopted by the organization?
  2. Philosophy – what are the attitudes and beliefs that will guide decision making and behaviors?
  3. Objectives – what are the objectives and rationale of the policy? What does it hope to achieve?
  4. Business Planning – how does risk management link to other business processes and corporate objectives?
  5. Application – how will it be applied? What framework or approach will the organization adopt? (Eg: ISO31000, COSO, internal corporate standards, etc). To what extent does the policy apply?
  6. Performance – how will the organization measure achievement of the objectives outlined in the Policy (Eg: Internal audit, external audit, insurance premiums, etc)
  7. Acceptance Criteria – what is the organizations risk attitude or risk tolerance? The policy should offer guidance on what may be regarded as acceptable risk. 
  8. Documentation – how and when will the risk management activities and processes be documented?
  9. Responsibilities – who is responsible and what are they responsible for? 

This might sound like a lot of information to cover, but I'll go out on a limb and say that all this can be fitted into a one-page document. Remember, we're not writing a 50 page national healthcare policy, nor are we going to commit the sin of confusing policy with procedure - Policies and Procedures are two very different beasts. If you want to put both in one document, that's up to you but I suggest you consider the implications of doing so. If you still want to train-smash them together, I recommend that you at least make it clear to the readers which part of the document is the 'why', and which part is the 'how'.

If you follow my advice however, you'll end up with a one page policy document. Any more than that and you've probably included text which more rightly belongs in procedures, strategies, plans or the like.  Just to prove it can be done, here is an example of a one page risk management policy.
risk management policy
The policy should also provide guidance to other questions that impact on risk management performance. For example, the following items might not be addressed within the policy but it should provide guidance as to how or where these elements are addressed:
  • Monitoring and Review - what are the requirements for monitoring and reviewing organizational risk management performance?
  • Resources - What level of support and expertise is available to assist those responsible for managing risks?
While all of the above elements are important in their own right, and collectively build interlocking pieces of the policy, it is likely that the most important elements to an organization will be (a) the objectives, (b) responsibilities, and (c) documenting the appetite for risk and approach to risk management within the organization.  A good risk management policy also provides a framework for carrying out more detailed risk management programs at project or divisional level.

Defining organizational objectives is another critical part of the risk management process. In building a high performing organization, it’s essential that members of the organization have some fundamental information. In this context that includes a basic understanding of the organization’s decision making processes, the criteria, and level of risk which is acceptable.

Having clearly defined risk management objectives is also crucial as they provide the raison d’être for the policy and risk management practices within the organization.  Without clearly defined objectives for an organizational initiative, there is arguably no business case to justify resources in support of risk management activities.  Last but not least, the risk management policy needs to be incorporated into the organization’s broader management system and to be signed off by the Board or Chief Executive Officer.


A few people have asked me for copies of the policy in MS Word format so I've posted it in Word format as a download at You'll also find a template for a supporting procedure there and an article about procedures here on my blog.

Wednesday, April 13, 2011

The Quadruple Constraints of Risk Management

As managers, leaders and risk professionals we make trade-offs every day to manage our risk exposures and achieve acceptable levels of risk and agreed quality standards.  Most of us for example, willingly accept the risk of being involved in a car accident in exchange for the benefits of living in a modern society. We also accept that fitting locks to our doors reduces the money we have to spend on other items, and that the inconvenience of having to lock the door takes a little of our time. In exchange for those trade-offs, we can reasonably expect to find our possessions waiting for us at home at the end of each day. Equally, the money we put aside for saving is money we can’t spend right now but we do it because it gives us peace of mind that we’ll be able to support ourselves in our retirement.

Boiled down to it’s simplest, there are four things that we trade-off against each other to achieve a level of risk which we are comfortable with.  Collectively these four elements can be considered the ‘quadruple constraints’[1] of risk management:  
quadruple constraints of risk management
The Quadruple Constraints of Risk Management
  • Risk – the risk that we want to achieve or that matches our appetite
  • Quality – how effectively we apply resources to manage risk
  • Resources – how much time, money, effort we apply to managing risk
  • Exposure – the amount of risk we would be exposed to if we did nothing
Any change in one will result in a corresponding increase or decrease in one or more of the other elements as illustrated in the following diagram. The ideal target range for risk is ALARP (As Low As Reasonably Practicable) and the previous pyramid diagram, if viewed from above, might look something like this:
Risk Equilibrium - in search of the optimal trade-off

In theory, each of these elements could be adjusted dynamically in response to external influences but in practice, the world changes faster than we can accommodate. Accordingly, our goal is to optimize both resources and quality in a way that modifies exposure to leave us with an approximate level of acceptable risk.  Applying more resources and/or improving quality will usually reduce risk, even if the risk exposure stays the same. Before applying those changes however, you need to understand:

  • what level of risk (benefit or loss) you are prepared to accept
  • what level of risk exposure is necessary to achieve your desired risk
We can adjust our risk by increasing or decreasing resources (eg: more security guards at the gate or more analysts monitoring the stock portfolio) but achieving total protection for any given asset might require more resources than the value of that asset. Reducing risk to zero although theoretically possible is likely to require either: a) virtually infinite resources or b) a reduction of risk exposure to the point where an activity is effectively abandoned – thereby leaving little opportunity to achieve the project goals. Similarly, realizing opportunities (positive risk) requires increased risk exposure which may also result in increased downside risk.  Equally, if you increase the risk exposure (eg: by conducting more business travel or taking on larger positions in your derivatives portfolio) then the risk will increase accordingly unless some change is made to quality or resources.  

Quality gets a mention here as it is an often overlooked elements. If you allocate a sum of money to risk reduction, the quality of implementing that budget will ultimately determine the change in risk.  For example, if you spend the budget installing  CCTV to reduce theft in your supermarket, the residual risk will depend on the quality of the system.  ‘Quality’ issues such as which direction the cameras are pointing,  how easy the system is to use, etc will have a greater impact than how much you spend on the system.  Equally, you can often reduce risk (or increase benefits) by simply making administrative changes such as roster changes or introducing logbooks.  The relationship between quality and resources is like the story of the two lumberjacks who challenge each other to see who can cut the most trees in a single day. At the end of the day, older lumberjack won by a huge margin although the younger man had worked much harder. "How could you have cut down more trees than I did?" complained the younger one. "Every hour you sat down while I kept right on cutting. I don't understand!" The older lumberjack replied:"When I sat down, I was sharpening my axe, Why didn't you stop to sharpen yours" "I didn't have time," the younger man said, "I was too busy cutting!

Simply throwing more resources at risk management without considering the trade-offs inherent in these quadruple constraints is unlikely to achieve your objectives, nor win you any friends. 

[i] Talbot, Julian & Jakeman, Miles (2009), Security Risk Management Body of Knowledge, John Wiley & Sons, New York, USA

Monday, April 11, 2011

As Low as Reasonably Practicable (ALARP)

ALARP is one of the fundamental principles of risk management. We neither need nor want to manage risk to the point where we eliminate it, because doing so is simply not a good use of resources.  The ALARP concept is illustrated below and is the point where risk is negligible, or at least at a level where it can be managed by routine procedures.
Cost / Benefit of Risk Mitigations
The majority of risks we face are already at this ALARP level and we accept them relatively unconsciously. For most of us in our everyday lives, the risk of being pick-pocketed is so low, that we don’t feel the need to carry cash in separate pockets or hidden moneybelts. We similarly manage slightly higher risks, such as crossing the road, by routine procedures that we were taught as children.
ALARP as low as reasonably practicable
ALARP – Trade-off between resources and risk
Another view of the ALARP principle can be seen in the illustration above where the balance point or trade-off between risk mitigations and risk exposures, produces a point of equilibrium. ALARP is the level of risk that is tolerable and cannot be reduced further without expenditure of costs disproportionate to the benefit gained or where the solution is impractical to implement.

Of course, ALARP only tells half the story.... Whenever we manage risk, we also want to optimize the benefits or positive outcomes. It might therefore be time to update ALARP to AHLARP (As High/Low As Reasonably Practicable). More on this at AHLARP where we look at what it means to manage the positive outcomes (benefits) to be HIGH, while minimizing the negative outcomes (losses). What do you think? Is AHLARP, the better concept? How do we get to AHLARP? Ie. How do we benchmark and measure the benefits of risk management?

Thursday, April 7, 2011

The Risk Management Continuum

I’d been in the room for about five minutes and I’d already heard Brian (not his real name) tell me at least three times in a variety of different ways that “this is a load of bullshit”, “I’m only talking to you because management said I have to” and “I’ve got real work to do!

"Not off to a good start" I thought to myself. Brian was a mid-level manager at a high-security, high-risk, bio-hazard facility where I’d been asked to conduct a safety risk analysis.  Brian’s attitude wasn’t typical of the people at this location  - we were there to follow up on the findings of a coronial inquest – but it’s an attitude I’ve heard all too often in my career.  It wasn’t that Brian was unmoved by the death of his co-worker and he understood the ‘why’ of risk management, but he was a typical overworked manager who simply hadn’t been shown much in the way of ‘appropriate’ risk management. Spend enough time in risk management and you’ll hear a million variations of “I’m busy enough as it is and this stuff is too time-consuming to use in my day-to-day work anyway”.  Even I will admit to having this attitude to risk management many years ago after having ill-conceived and impractical safety training rammed down my throat - until I discovered the risk management continuum.

Brian's comments about risk management being too complicated were less a failure of risk management than a failure of imagination. In the end I managed to bring Brian around to being a fan of risk management (or at least to showing a little interest) which later translated into a few business changes in his department. Paraphrasing our discussion somewhat, these are the key points that we discussed:

  • There are any number of risk management processes, formats, standards and guidelines to choose from.  
  • The trick is to use the appropriate size tool commensurate with the job.  
  • You don’t need to do a series of workshops and a 100-page report to manage the risk of hanging a picture on an office wall.  Neither do you want to write your organizations five-year risk treatment plan on the back of an envelope.

It’s all about picking the right size tool for the job.  Trying to apply every section of ISO31000 to risk managing a staff training day is like trying to crack a walnut with a 20-tonne hydraulic press. Sure you could do it, but you’ll spend a lot of time at it and you’re not likely to get an edible result.  Over the years that I've been doing this, I’ve collected a grab bag of tools, which when put into context give us a hierarchy of tools or what I call 'the risk management continuum'.
risk management
The Risk Management Continuum

These tools range from the very simple to very complex and take correspondingly different expertise, resources and time to do.   At it’s simplest; you can do a risk assessment on crossing the road in a matter of seconds while an enterprise risk plan may take a team of people several months to complete.
Before introducing the tools illustrated above, it's worth emphasizing that these are only examples of tools that you might choose to use.  Even if you like the concepts there is no reason why you need to keep the names, but they could be a good place to start:

  • Take 2
  • Stepback 5x5
  • The Team Leader’s 10 Questions
  • Job Risk Analysis (JRA)
  • The Team Leader’s 10 Questions
  • Project Risk Assessment and Treatment Plan
  • Formal Risk Assessment
  • Complex Risk Assessment
The book will spend many pages looking at the more involved risk tools on the continuum but here is a quick summary of the various tools.

Take 2 
‘Take 2’ is simply an easy to remember name for the process of taking 2 minutes (metaphorically or literally) to consider the risks associated with an activity.  It's an ideal tool for a quick risk assessment before moving a filing cabinet or plugging in new equipment for example.   An individual might use it before pressing ‘Send’ on an email to your boss or a client and spend two minutes considering the risks or opportunities (eg: Could this be a Career Limiting Move, Is this a good email to share with a colleague).  Equally, in a group activity someone might suggest, “hang on, let’s Take 2” before collectively moving a desk.  The process of taking 2 might in the latter example get the group thinking about moving some boxes out of the way or allocating someone to hold a door.

Stepback 5x5
Step back 5 paces (metaphorically or physically) and spend 5 minutes considering, discussing and documenting risks and risk treatments.  A simple example would be two tradesman drilling a hole to hang a whiteboard.   A 5x5 might raise questions like:
  • Are there live wires, gas or water pipes behind this wall?
  • Will the plaster wall support the weight of this electric whiteboard?
  • If we put it on this wall, is it likely to be in the way of people passing through?
  • Do we have enough people to hold it up while we fasten it to the wall?
A Stepback 5x5 is something that might be documented informally in a notepad and then shared at a toolbox meeting but it isn’t just applicable to tradesmen. It’s equally useful for strategic management where for example, a Board of Directors are making a decision or even documenting the agreed decision.  The discussion around a quick Stepback 5x5 to consider the bigger picture might reveal a host of issues.

The Team Leader’s 10 Questions
The ’10 questions’  are simply a checklist of questions designed to assess the level of risk and the relative risk of an activity.
  1. Is this activity/project necessary to achieve organizational objectives? 
  2. Has an adequate risk analysis been done and have the measures that have been identified to reduce the risk actually been implemented?
  3. Are adequate contingency plans in place if things go wrong? 
  4. Have briefings and training been done including for when things go wrong? 
  5. Are those involved in leading this activity experienced and qualified?
  6. Are our people involved qualified and trained to participate in this activity?
  7. Are our tools and equipment in good working order, well maintained and ready?
  8. Has there been adequate build up of skills among the team prior to this activity? 
  9. Do I have checks in place to monitor and review the activity after it has launched and to amend if necessary? 
  10. Am I, as the team leader or manager, satisfied we are prepared to do this activity/operation?
If the answer to any of the questions is NO – you and your team need to do more work before you press the go button!

Job Risk Analysis (JRA)
A JRA is a documented but abbreviated risk assessment most suited for tasks that are done repeatedly. At it’s simplest it’s a one page list of discreet process steps, with notes describing the potential risks and a list of mitigation strategies.   You will also come across the same process described as a Job Hazard Analysis (JHA) or Job Safety Analysis (JSA) however there is no fundamental difference between a JRA, JHA or JSA.

Project Risk Assessment and Treatment Plan
According to the Project Management Body of Knowledge (PMBOK) a project is “a temporary endeavor undertaken to create a unique product, service or result”.  Temporary is one of the key words in this definition and accordingly this type of risk assessment and risk treatment plan is designed to address risks for an endeavor with a clearly bounded scope and duration.  As such, the size and nature of a project risk plan is entirely dependent on the nature of the project.   It’s worth noting that the cost or duration of the project is not the determining factor.  

Formal Risk Assessment
A formal risk plan involves as the name suggests, a comprehensive documented risk assessment leading to an endorsed risk treatment plan.    In this respect it is little different from a project risk plan or even a Job Risk Analysis.  I’ve separated it out here between a Project Risk Assessment and Complex Risk Assessment because a) it's the type of risk assessment that most managers will do in their working life and b) although relatively sophisticated, it often has a defined scope.  Eg: OHS Plan, Divisional risk plan, security plan, etc.

Complex Risk Assessment and Plan 
At this level, we’re starting to get into a whole new level of complexity.  This is the domain of enterprise risk management or project risks of the scale of building a space shuttle.  The risk management process remains the same, but before even attempting this, you absolutely must have the following elements in place:
  • An organizational risk management framework
  • An adequate budget to complete the process
  • Management support at the highest levels
So there you have it... The Risk Management Continuum - a tool for every job.

Wednesday, April 6, 2011

Why we make risk decisions based mostly on emotion

Despite our best intentions, education, intelligence and analytical ability, there is plenty of evidence to support the assertion that we make our risk management decisions in the emotional part of our brain. Sad but true – we’re not the logical beings that we might like to think we are when it comes to risk management. Studies have shown in fact that stroke victims who have damaged the part of the brain that controls emotions are often incapable of making decisions. Even when provided with obvious rational data to make a decision, they often are unable to simply settle on one option.

And yes, we are perfectly capable of analysis and logic – we just don’t use it as often as we think we do. The neo-cortex in our mammalian brain can reason and make more nuanced trade-offs about long term risks but it's also much slower than our other systems.  We actually have two systems for managing risk:
  1. a primitive intuitive system in our Limbic brain (mostly centred in the amygdala) which deals with fight or flight type risks
  2. a more advanced analytic system in the neocortex which is pretty good at abstract concepts 
Our limbic system in particular, is very fast, relatively autonomous and for very good survival reasons, able to hijack our thought processes for fight or flight responses. Unfortunately it doesn’t care in the slightest about abstract concepts like cancer or climate change and given it's primacy in our decision making, it's a real challenge for our neocortex to over-ride the amygdala.

Not yet convinced? Head around to the back door of a hospital one day and have a chat with the Doctors and Nurses standing outside smoking.  Ask them if they understand the long term risks of smoking…  Then ask them what they are doing about it. The immediate pleasurable sensation that smoking releases is appealing directly to the limbic system which is busy self-medicating for depression. Feeling bad is a very visceral and immediate risk. Lung cancer is a very real but entirely abstract risk and you can tell which system is in control - at least for the smokers among us.

Equally this snowmobile racer at the 2011 Winter X Games has a fair idea of the risks associated with racing snowmobiles, but it's fun!  The limbic brain is balancing up the risks and it feels good, so the potential risks of broken bones, paraplegia or death although real, are abstract concepts that our emotional brain struggles to fully evaluate.

We are definitely getting better at making more informed risk management decisions (witness the number of people quitting smoking) but next time you’re in a meeting and you see someone making what sounds to you like a completely inexplicable decision or an ill-informed risk management choice, perhaps ask yourself, "which part of their brain is making that decision?"

On a more positive note, almost invariably when I’ve been called in to do a risk assessment for an organization, I’ve found that the majority of recommended risk treatments are already underway in that organization. Managers, or at least good managers, have an intuitive sense of what the risks are and what needs to be done and usually, even if they haven’t articulated or fully understood the risks, they’ve started projects or activities that are addressing them.

Need an example?  When the US Government put National Guards outside airports and took tweezers away from the flying public it was ostensibly to reduce the risk of terrorism and many people even believed that.  In reality it was a knee-jerk reaction. Security guards taking tweezers from the flying public does nothing to reduce the risk of hijack, while putting national guards out the front only increases the casualty count if there is a car bomb in the carpark .  Step back for a moment and you'll see just how emotionally driven these risk treatments were.  But also consider that without (most) decision makers consciously realizing it, they were in fact addressing the much greater and more immediate (real) risk, namely financial collapse if the travelling public lost confidence in their air transport system.

This was a clear example of an emotional risk decision which turned out to be the right one, and the good news is, that we do very often make excellent risk decisions by relying on our gut.  Sadly though, we also have a long, long list of abysmal risk decisions made by our gut – or perhaps I should say more correctly, not abysmal decisions but rather, vested decisions.  The next time you see a politician or leader make what looks like a bad decision, think again.  Sometimes it is the amygdala getting into the act, and sometimes it’s just that the risk they are managing is their personal career risk - not the organizational or societal risk they profess to be addressing.

That last point is worth reflecting on and we’ll come back to it later when we talk about how you can influence managers to make better risk decisions. You need to understand their personal incentives, risks and biases at least as well as you understand the collective organizational risks.

Monday, April 4, 2011

Risk Semantics - aka Terms and definitions

I define nothing. Not beauty, not patriotism. I take each thing as it is, without prior rules about what it should be.” 
Bob Dylan

It might be tempting to skip this section of ISO31000 or to go straight to the sections that you are interested in, especially after that quote from Bob. That would be tempting... But even if you’re already experienced with risk management, the definitions are key in terms of the thinking behind ISO31000.  I won’t repeat them throughout this book as I’m assuming you also have ISO31000 handy beside you, however I’ll expand on some key terms in the relevant sections.

Throughout this book, I’ll stick to the terms and definitions as outlined in ISO31000 risk management standard.  The following terms however deserve a little more commentary as they are key to organizational risk postures and philosophy.  For the sake of simplicity, I've chosen to use the terms threat/hazard/adverse to refer to negative risk and opportunity/benefit/desired to refer to positive risk.  According to ISO31000, risk refers to both positive and negative potential outcomes.

Before I go on, it’s worth talking about the different uses of the word risk. It’s tempting to consider risk as being purely negative. That is after all, how it’s defined in most dictionaries and used in general language.  The criticism that comes from many quarters is that only risk professionals use the word 'risk' to refer to both positive and negative outcomes.  This is a fair comment but the naysayers overlook two key issues:
  1. The standard and this book are both written for risk professionals; and,
  2. There is no risk that does not have both positive and negative outcomes.

Risk Management

Refers to the processes and systems used to manage risk (both positive or negative).

Opportunity Realization

Refers to positive risk or achievement of desired outcomes.

Threat Mitigation or Hazard Management

These terms have both been used to refer to mitigation of undesirable outcomes.  Broadly speaking, one could say that threat is more likely to refer to human sourced risks (eg: security risks) while hazard is more often used to refer to non-human initiated risks (eg: safety and health, engineering risks, hazardous materials etc).   ISO31000 does not specifically define the terms for threat or hazard but the New Oxford American Dictionary defines them as follows:
  • Threat: a person or thing likely to cause damage or danger  (Eg: hurricane damage poses a major threat to many coastal communities)
  • Hazard: a potential source of danger (Eg: a fire hazard or a health hazard)
Source is also another word which is often used interchangeably with threat or hazard. In this text however, the term source is used sparingly and when used, is defined as follows.  Source:
  • a precursor to a hazard and often to a human element (eg: the source of the health hazard was inadequate management and leadership).

Likelihood, Probability and Frequency

ISO31000 talks about likelihood as the “chance of something happening".  Although this is a wonderfully succinct definition it's worth exploring a little further.  From the risk management perspective, likelihood can be viewed in a number of ways, including probability, frequency, chance, prospect, possibility, likeliness, odds, feasibility, promise and many more.

Of these, it is perhaps useful to break them up into three main ways of expressing or assessing likelihood, which I’ll call chance, probability and frequency. For our purposes of this book I'll define as follows:
  • Chance: a qualitative assessment of likelihood.
  • Probability: a statistical or actuarial assessment of likelihood.
  • Frequency: the rate at which something occurs or is repeated over a given sample. Strictly speaking frequency is another way to express probability however as you’ll see from the examples, it is generally a superior way for most people to interpret statistical data. 

Where this book refers to ‘likelihood’ it means any or all of the above in a generic sense. You’ll find examples of this illustrated in the risk matrix in the table below.

Risk Attitude

Before you are able to effectively apply ISO31000 you will need to understand organizational risk attitude and culture as an essential step. Attitude is a great catch-all term however it is worth describing what it means in practice.

It’s also sometimes referred to as risk preference, appetite, tolerance or capacity and can be summed up as the amount of risk an organization or individual seeks to accept in pursuit of value.  An organization (or individual) can be risk averse, risk neutral, risk tolerant or risk seeking, and the amount of risk a person or entity is likely to tolerate will vary due to a wide range of factors, including organizational culture, expected benefits, perceived losses, awareness of the actual risks, past experience and the level of knowledge about mitigation strategies.  The organizations resilience, beliefs and values or emotional state of senior leaders can all effect risk attitudes.

Saturday, April 2, 2011

Uncertain times...

“In this world there is nothing certain but death and taxes.” 
Benjamin Franklin

Certainty, or at least the illusion of it, has become a consumer product. Insurance companies, investment advisors, the medical profession and politicians appeal to our desire for certainty and market it to us unceasingly.  Our desire for certainty is part of our emotional and cultural inheritance yet despite the marketing hype, certainty remains as elusive as ever. Risk management isn’t the easiest thing to do well in our daily lives, and if your job involves managing risk for a large organization or for national policy decisions, it can look even harder. The good news is that risk management needn't be that complicated.  Researchers are handing us ever more information about all facets of risk management and now we even have an international standard which provides us with an apples-for-apples framework in which to apply all this great research and technology.

If you think about it in simple terms, danger stalks throughout our lives.  Other than the adrenaline junkies among us, most people would find it a lot easier to enjoy life if there weren't so many things trying to kill or maim us. Slips, trips, falls, terrorists, snakes, peanut allergies and falling space debris conspire to do us harm. It can seem like there are so many more ways to fail than ways to succeed. As an IRA statement commented when talking about a failed assassination attempt “…remember we only have to be lucky once. You will have to be lucky always”.

Shadowed by peril as we are, you would think that we'd be pretty good by now at differentiating between high and low risks. But you’d be mistaken. We agonize over pandemics and mad cow disease which kill less than 1,000 people per year around the world.  At the same time we fill our shopping carts with processed foods and tobacco products while in America alone, heart disease kills 700,000 and smoking kills 400,000 every year.

After eons of cultural, scientific and biological evolution we are yet to acquire a good understanding of this concept known as risk.  Yet evolution has programmed us with a variety of habits and patterns that cause us to fear some risks out of all proportion.  Our pre-historic brain evolved to face fight or flight risk scenarios which still drive our risk decisions in our modern world.  Our biggest risks today are relatively abstract and ‘fight or flight’ wasn’t equipped to deal with managing long term risks of heart disease, motor accidents, cancer or global warming.

Every year in the OECD, motor vehicle accidents kill roughly 390 times more people than terrorism. Even in 2001, road fatalities in the US were equal to those from a September 11 attack every 26 days. Our policy makers would do well to consider the difference in magnitude when allocating resources to prevent these two avoidable causes of mortality.   Easier said than done of course.  Sensible calculation of real-world risks is a multidimensional challenge that sometimes seems entirely beyond even the smartest of us. One day we may perhaps manage risks exceptionally well, but for now it is certainly something we can learn to do better. You need only visit the emergency department of any hospital to see first hand the results of this decision-making process going awry.  Habits such as smoking, poor diet and complacency lead almost inevitably to the cancer, heart disease and the motor vehicle accidents that make up the bulk of admissions. At the same time, you only need to look outside the doors of that hospital to see the number of doctors and nurses who still smoke.  They know all too well, the long-term dangers but our ancient brain only sees the short-term benefits.

The goal of this book is to build on the lessons and experiences gained in over 25 years of risk management to show you in plain English how to manage risk the ISO31000 way and to do it fast.  The fast bit isn't as important as getting things right but I'm trying to write the book I wish that I'd had 20 years ago - a single source primer in all things risk. A ridiculous ambition of course, given the size of the field and the simple fact that by the time any book hits the streets it's out of date.  Still, you have to start with a goal in mind so my goal is to summarize what's out there in a way that you can apply it to help you make risk management a faster and easier process.

Think of risk management much like quality management, financial management or project management. From humble starts, such things become part of the tapestry of management theory and modern business. They might not get so much hype and attention as they once did but neither are they going away.  The generic approach in ISO31000  provides guidelines on implementing a multitude of various tools in a coherent and credible manner - no matter who or where you are.  The trick is now to keep rolling out that menu of options, techniques and ideas as to how to actually go about implementing it.