Tuesday, November 22, 2011

Emotions Drive Risk Decisions

“Once you know what it is you want to be true, instinct is a very useful device for enabling you to know that it is.”
Douglas Adams, The Hitchhiker's Guide to the Galaxy

Despite our best intentions, education, intelligence and analytical ability, there is plenty of evidence to support the assertion that we make our risk management decisions based on emotions. Hard to believe, but true. We're not the logical beings that we might like to think we are when it comes to risk management. In fact, studies have shown that stroke victims who have damaged the part of the brain that controls emotions are often incapable of making decisions. Even when presented with clear, rational data on which to base a decision, they are often unable to settle on one option.

And yes, we are perfectly capable of analysis and logic; we just don't use it as often as we think we do. The neocortex in our mammalian brain can reason and make more nuanced trade-offs about long-term risks, but it's also much slower than our other systems. We actually have two systems for managing risk:

  • a primitive intuitive system in our Limbic brain (mostly centred in the amygdala) which deals with fight or flight type risks
  • a more advanced analytic system in the neocortex which is pretty good at abstract concepts 

Our limbic system in particular is very fast, relatively autonomous and, for very good survival reasons, able to hijack our thought processes for fight or flight responses. Unfortunately it doesn't care in the slightest about abstract concepts like cancer or climate change, and given its primacy in our decision making, it's a real challenge for our neocortex to override the amygdala.

Not yet convinced? Head around to the back door of a hospital one day and have a chat with the doctors and nurses standing outside smoking. Ask them if they understand the long-term risks of smoking. Then ask them what they are doing about it. The immediate pleasurable sensation that smoking releases appeals directly to the limbic system, which is busy self-medicating for depression. Feeling bad is a very visceral and immediate risk. Lung cancer is a very real but entirely abstract risk, and you can tell which system is in control, at least for the smokers among us.

Equally, the motorcycle racer has a fair idea of the risks associated with racing, but it's fun! The limbic brain is weighing up the risks and it feels good, so the potential consequences of broken bones, paraplegia or death, although real, are abstract concepts that our emotional brain struggles to fully evaluate.

Friday, November 18, 2011

So what's so important that it's worth writing a whole book about?

If you have a specific issue or question that you'd like to see addressed, please let me know, but here's a short list of thoughts that are finding their way into the book.

Let's start with the three most common errors when doing a risk assessment:
  1. Inadequate risk identification. Will the real risk please stand up! How to identify and document a risk in watertight fashion.
  2. Failure to show a link between proposed treatments, the risks and organizational objectives. Watch out for an example of a risk register which links risks both to organizational objectives and to treatments. If you can't show these linkages, why should your treatments get funding?
  3. Failing to understand the context. Don't do it. If you don't nail the context, you will never get agreement on the risks.

Why failure to identify risks is the leading cause of inadequate risk assessments
Inevitably, we will fail to anticipate or identify many risks simply because of the nature of uncertainty. The more common problem, though, is a failure to state a risk explicitly, in terms which allow stakeholders to consider it accurately and agree on effective treatments. You can't just say 'Terrorism' is a risk or 'Climate Change' is a risk. Those aren't risks! They are words from a dictionary. Have a look at 'The CASE for risk identification' for a simple way to describe a risk correctly.

How to know whether or not you need a subject matter expert to help you and if so, how to select the right consultant for the job
This one is worth an entire book on its own. The section on 'The Elusive Risk SME' will cover a ten-step process that should help you find someone who has the skills you need when you need them.

How to build a watertight yet succinct risk management plan that will get funded
Ah, yes. One of the Holy Grails of risk management. Designing a good risk management plan is one thing, but as most people will agree, getting it funded is a whole other step.

How to spot the flaws or weaknesses in a risk report (yours or someone else's) in minutes
This is much easier than it looks.  Just ask these three questions:
  • Do all the risk statements satisfy the four requirements of the CASE Tool? (Condition, Asset, Source, Event)
  • Do all the treatment recommendations satisfy the requirements of the 4A’s? (Appropriate, Agreed, Actionable, Achievable)
  • Can you easily draw a causal link back from each risk treatment to the risk that it’s treating?
That's all there is to it. Ask those three questions and you'll pick up 90% of the strengths or weaknesses in a risk report, and look like a guru in the process.
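Those three questions are mechanical enough to run over a risk register automatically. The check below is an added example, not code from this post or the forthcoming book: it walks a small constructed register and reports every risk statement missing a CASE element, every risk with no link to an organizational objective, every treatment failing one of the 4A's, every treatment that points at a risk which does not exist, and every risk left untreated. The field names, IDs and sample entries are assumptions made for the example; a real register would carry whatever fields your template uses.

```python
"""Consistency check for a risk register: CASE statements, 4A treatments,
treatment-to-risk and risk-to-objective links.  Added example; the register
contents below are constructed for illustration, not taken from any real
assessment."""

CASE_FIELDS = ("condition", "asset", "source", "event")
FOUR_A_FIELDS = ("appropriate", "agreed", "actionable", "achievable")

# Constructed sample register (hypothetical IDs and entries).
OBJECTIVES = {
    "O1": "Keep customer-facing services available",
    "O2": "Protect customer data",
}

RISKS = [
    {"id": "R1", "condition": "Single internet link into the data centre",
     "asset": "Online customer portal",
     "source": "Contractor excavating near the cable route",
     "event": "Link severed; portal unavailable for hours",
     "objectives": ["O1"]},
    {"id": "R2", "condition": "",            # CASE element deliberately left blank
     "asset": "Customer database",
     "source": "External attacker",
     "event": "Customer records exfiltrated",
     "objectives": ["O2"]},
    {"id": "R3", "condition": "Backup tapes stored in the server room",
     "asset": "Backup media",
     "source": "Fire in the server room",
     "event": "Backups destroyed along with primaries",
     "objectives": []},                      # no objective link
]

TREATMENTS = [
    {"id": "T1", "risk_id": "R1", "description": "Add a second, diversely routed link",
     "appropriate": True, "agreed": True, "actionable": True, "achievable": True},
    {"id": "T2", "risk_id": "R9", "description": "Encrypt the customer database",
     "appropriate": True, "agreed": False, "actionable": True, "achievable": True},
]


def check_register(risks, treatments, objectives):
    """Return a list of human-readable findings; an empty list means the
    register passes all three questions."""
    findings = []
    risk_ids = {r["id"] for r in risks}

    # Question 1: every risk statement carries all four CASE elements,
    # and (error 2 in the post) links to at least one valid objective.
    for r in risks:
        for f in CASE_FIELDS:
            if not str(r.get(f, "")).strip():
                findings.append(f"{r['id']}: missing CASE element '{f}'")
        if not r.get("objectives"):
            findings.append(f"{r['id']}: not linked to any organizational objective")
        for o in r.get("objectives", []):
            if o not in objectives:
                findings.append(f"{r['id']}: links to unknown objective '{o}'")

    # Question 2: every treatment satisfies the 4A's.
    # Question 3: every treatment traces back to a risk that exists.
    treated = set()
    for t in treatments:
        for f in FOUR_A_FIELDS:
            if not t.get(f, False):
                findings.append(f"{t['id']}: fails 4A test '{f}'")
        if t.get("risk_id") in risk_ids:
            treated.add(t["risk_id"])
        else:
            findings.append(f"{t['id']}: treats unknown risk '{t.get('risk_id')}'")

    # The reverse of question 3: a risk nobody has proposed a treatment for.
    for rid in sorted(risk_ids - treated):
        findings.append(f"{rid}: no treatment proposed")

    return findings


if __name__ == "__main__":
    for line in check_register(RISKS, TREATMENTS, OBJECTIVES):
        print(line)
```

On the sample register this reports six findings: R2 has no Condition, R3 is tied to no objective, T2 is not agreed and points at a risk ID that does not exist, and R2 and R3 have no treatment at all. The same loop scales to a register exported from a spreadsheet; the point is that linkage failures are a referential-integrity problem and can be caught before the report reaches the people who fund it.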

How to build an all-hazards risk management framework that deals with Black Swans
Plenty of research can help you out on this. In particular, there are studies of a group of organizations which continue year after year with better than average safety records despite operating in some of the most dangerous and complex arenas the world has ever seen. 'High Reliability Organizations' (HROs) is the common term for a category of organizations such as air traffic control systems, aircraft carriers and nuclear power stations that seem to carry on despite dicing with calamity on a daily basis. Karl Weick and Kathleen Sutcliffe have a great book on how to incorporate the lessons from HROs into your organization, called 'Managing the Unexpected'.

Enterprise risk management
Enterprise Risk Management (ERM) is more than just a question of scaling up. You can't simply aggregate all the risks for an organization into a database and say that you have ERM sorted. What the CEO and shareholders see and care about at the enterprise level is often very different from the risk management issues at the operational or tactical level. If, on the other hand, you implement the ISO31000 Risk Management Framework, you will be 90% of the way there. Let's not over-complicate things: enterprise risk management is just risk management with a scope that includes the entire organization.

How to introduce a continuum of risk management tools so that everybody from the cleaner to the CEO can apply appropriate risk assessment tools
Often people complain that "risk management is too complex", and usually they are right. Not because risk management is inherently too complex, but because they are trying to use a chainsaw to prune a bonsai. Get the right tool for the job and you'll be fine.

Adapting ISO31000 to meet the needs of everyone, whether in safety, procurement, finance, security, information technology, human resources or the Board of Directors, and doing it in such a way that they will buy in to it
Read the book! OK, just kidding (sort of). ISO31000 has been designed to be generic. It works for everyone at all levels. In fact, that's the real power of the standard. It's not that it's inherently the best of all possible risk management systems (nothing could promise that), but when you apply it across the board it allows you to aggregate and compare risks in a consistent fashion. I was asked after a presentation in the United States recently what I thought of risk management in the US. I replied that I thought it was great, but that there were about 432 different flavors to choose from. At the same conference two presenters had given excellent presentations on terrorism risks to US ports. One assessment was done by the New York Port Authority and the other by the US Coast Guard, using Los Angeles as the first test of its model. They were both excellent. Sadly, they were so different that it was impossible to tell which port was more at risk and hence which one most needed the funding.
ISO31000 is my pick because it supports an apples-for-apples comparison.

Managing personal career risk – why do our leaders make such (seemingly) misguided decisions?
Why do our bosses and politicians allocate resources to some items and not to others that seem blindingly obviously of more concern? This question has intrigued me for years, and I think I've come to some sort of understanding of the contradictory nature of some of these complex questions. The answer is, as you'd expect, not so simple. But it's not that complicated either, and it's the 'elephant in the room' when it comes to modern risk management.

Advanced Risk Modelling
How to crunch the numbers and come up with reliable risk estimates using statistics, Monte Carlo modelling and more, without having to do a PhD in statistics or spreadsheets. And yes, there are some relatively easy ways to get reliable data. It all starts when you change the mindset from "we don't have enough data to model that" to "what data do we actually need, what do we already have and what can we inexpensively source?"
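To show how little machinery a Monte Carlo risk model actually needs, here is an added example (not code from this post or the book) of the kind of simulation that answers "what data do we actually need?" with a very short list: an expected number of loss events per year and a rough median and spread for the loss per event. The model is a compound Poisson/lognormal one, which is a modelling assumption of this example, not something the post prescribes; the rate, median loss, spread and the $500,000 threshold are constructed inputs chosen for illustration. It uses only the Python standard library.

```python
"""Monte Carlo annual-loss model: N ~ Poisson(rate) events per year, each with a
lognormal loss whose median is median_loss.  Added example; the input figures are
constructed for illustration and the distributions are an assumption of this
example, not a recommendation from the post."""

import math
import random


def poisson(rng, rate):
    """Draw the number of loss events in one year (Knuth's method)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(rng, years, rate, median_loss, sigma):
    """Return one simulated total loss for each simulated year."""
    mu = math.log(median_loss)          # lognormal with this mu has median median_loss
    totals = []
    for _ in range(years):
        events = poisson(rng, rate)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def percentile(sorted_values, pct):
    """Nearest-rank percentile of an already sorted list."""
    idx = int(round(pct / 100.0 * (len(sorted_values) - 1)))
    return sorted_values[idx]


def expected_mean(rate, median_loss, sigma):
    """Closed-form mean of the compound distribution: rate * E[lognormal].
    Useful as a sanity check that the simulation is wired up correctly."""
    return rate * median_loss * math.exp(sigma ** 2 / 2.0)


def summarize(totals, threshold):
    """Mean, key percentiles and the probability of exceeding a loss threshold."""
    s = sorted(totals)
    return {
        "mean": sum(s) / len(s),
        "p50": percentile(s, 50),
        "p90": percentile(s, 90),
        "p99": percentile(s, 99),
        "p_exceed": sum(1 for x in s if x > threshold) / len(s),
    }


def run(seed=1, years=20000, rate=2.0, median_loss=50_000.0, sigma=1.0,
        threshold=500_000.0):
    """Run the whole model with a fixed seed so results are reproducible.
    Defaults are constructed example inputs: two events a year, median loss
    50,000 with a wide (sigma = 1) spread, threshold 500,000."""
    rng = random.Random(seed)
    return summarize(simulate_annual_losses(rng, years, rate, median_loss, sigma),
                     threshold)


if __name__ == "__main__":
    result = run()
    print(f"analytic mean : {expected_mean(2.0, 50_000.0, 1.0):,.0f}")
    for key, value in result.items():
        print(f"{key:>9} : {value:,.3f}")
```

The output to argue over in a funding meeting is the loss-exceedance figure (p_exceed) and the p90/p99 tail, not the mean: the median year is usually far cheaper than the mean year, which is exactly why an intuitive "it hasn't cost us much so far" reading of the past few years understates the risk. Swap the three input parameters for numbers sourced from incident records, insurer data or a structured expert estimate and the same code produces a comparable figure for each risk.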

Friday, November 11, 2011

Risk Management Performance Benchmarking: Performance Benchmarking and Attribution Bias

One of the challenges for measuring the effectiveness of risk management (or any type of management system, for that matter) is a little glitch in human perception known as attribution bias. Attribution bias is simply our tendency to invent explanations and to attribute events to a particular cause (whether real or imagined). These attributions help us make sense of the world and give us reasons for a particular event.

For example, let’s say that Bill gets sacked from his job. He will attribute his sacking to...