Sunday, October 21, 2012

Three years to change perception of risk?

As individuals, we are prone to making poor risk decisions, yet it is potentially within our power to predict and calculate any number of risks, including murder, earthquakes, market crashes, or identity theft. Nevertheless, it is important to keep in mind, as Bruce Schneier points out, “risk management is also a feeling, based not on probabilities and mathematical calculations, but on your psychological reactions to both risks and countermeasures. You might feel terribly afraid of terrorism, or you might feel like it’s not something worth worrying about.” [1]

Let's say that we wanted to change peoples minds about something. Say for example, you wanted to convince the travelling public that it's safe to fly again, after a major terrorist attack involving aircraft hijacking. How long would it take? A long time. The evidence seems clear. Even with trillions of dollars in resources, it apparently takes three years or perhaps even five years to change peoples perception of the risk.  At least, that is what US road fatalities data suggests.

In the September 11 terrorist attacks, 2,974 people tragically lost their lives. The public was justifiably horrified, and several trillion dollars was allocated to counter-terrorism measures. In the same year, however, a staggering 42,196 people lost their lives in motor-vehicle fatalities with scarcely a comment in the media. Fear of hijacking, understandable though it may be, contributed to a drop of more than 30 percent in US domestic air travel in 2002; people chose to drive rather than fly. Meanwhile, US motor-vehicle fatalities (a number that was previously steady or falling) increased by 809 people that same year; from 42,196 fatalities in 2001 to 43,005 in 2002.  [3]

It can often be difficult to demonstrate a clear cause and effect between risks and outcomes, and this situation is no different. The above statistics however were not entirely unexpected. In December 2001, David Myers, professor of psychology at Hope College, postulated a further eight hundred road deaths due to people driving rather than flying in 2002, adding that “in just one year the terrorists may indirectly kill three times more people on our highways than died on those four fated planes.” [2]   Further indication of the lasting effect of this risk perception is that the average annual road fatalities in the five years after 2001 was 1,140 higher than the average five years before 2001 (41,848 versus 42,989). Yes, that's a total of 5,702 additional people were killed on the road in the five years following the September 11 attacks. In fact, it wasn’t until 2007, that road fatalities dropped below their 2001 levels.

It is of course, much more than the scope of this article to confirm that the drop in road fatalities was linked to rebuilding confidence in aviation. Change in perceptions about seatbelts and drink driving as well as improvements in motor vehicles have all played their part. It's striking however to look at the data graphically and it's clear that something changed significantly around 2008. Perhaps it was just the effect of the global financial crisis (GFC) - and that did cross my mind. So I had a look at the statistics regarding how many passengers actually flew each year in the United States. It turns out that the GFC did have an impact, but not enough to completely explain the road fatalities. From a low in 2002 of 670,604,493, passengers increased by roughly 5 percent per annum until 2007 but it took three years to return to the pre-2001 levels.  [4]  From 2007 onwards, it does seem likely that the GFC had some impact on both road fatalities and aviation passenger levels, but even so, it seems likely that it took most Americans up to five years to believe that flying was safer than driving - or at least, safe enough to take it up en masse.

Is this really a surprise? Anybody who has tried to convince someone that a belief held doesn’t match the facts, knows perception doesn't always align with facts. On the contrary, as John Kenneth Galbraith put it so eloquently, "Faced with the choice between changing one's mind and proving that there is no need to do so, almost everyone gets busy on the proof."

It's not only difficult for us to change other peoples minds but it's hard for them to change their own mind. Equally significantly, it's very difficult for us as risk managers to truly absorb new information in a way that changes our behaviours. In his latest book Changing Minds: The Art And Science of Changing Our Own And Other People's Minds (Leadership for the Common Good), Howard Gardner, a cognitive scientist, describes this phenomenon succinctly:
"People underestimate how difficult it is to change minds. ... When you’re little, your mind changes pretty readily, even if nobody pushes it. We are natural mind-changing entities until we are 10 or so. But as we get older and have acquired more formal and informal knowledge, then it’s very, very hard to change our minds. ... I’m not stating that on small matters it’s difficult to change people’s minds. A coffee break at 3:00 rather than 1:00—that’s trivial. But on fundamental ideas on how the world works, about what your enterprise is about, about what your life goals are, about what it takes to survive—it’s on these topics that it’s very difficult to change people’s minds. Most people, by the time they’re adults, not only have become used to a certain way of thinking, but in a sense it’s work for them [to change] because their neural pathways become set."
So, is it official that it takes five years to change peoples perception of a risk? Not by a long shot. But it's an interesting question to ask.


[1] Schneier, B (2007), The Psychology of Risk management, 28 February 2007, available at, viewed 20 August, 2011

[2] Myers, David (2001), “Do We Fear the Right Things?”, Observer (Journal of the American Psychological Society), December, 2001

[3] Motor vehicle fatality statistics calculated by U.S. Department of Transportation, Research and Innovative Technology Administration (RITA), Bureau of Transportation Statistics (BTS), ‘Table 2-17: Motor Vehicle Safety Data’.Viewed 20 October 2012.

[4] Aviation statistics calculated by U.S. Department of Transportation, Research and Innovative Technology Administration (RITA), Bureau of Transportation Statistics (BTS), Passengers
All Carriers - All Airports. Viewed 21 October 2012.

Sunday, August 26, 2012

What is Risk Management?

I love the simplicity and inclusiveness of the ISO 31000 definition of risk ("the effect of uncertainty on objectives") and think it is probably the best of a large number of alternatives for a definition of risk.  On the other hand, the ISO 31000 definition of 'risk management' - "coordinated activities to direct and control an organization with regard to risk" leaves me more than a little underwhelmed. So, rather than just criticise it, I'd suggest the following thoughts in support of a 'better'(?) definition.

If we accept the ISO 31000 definition for risk then it follows that 'managing risk' = 'managing the effect of uncertainty on objectives"?

We could take this argument further by suggesting that if we have objectives, we would like to achieve them. If that is the case, then we could define 'risk management' as 'reducing the effect of uncertainty on objectives'.

A quantitative analyst (quant) might suggest that risk management is all about reducing volatility, but that definition is still rather vague. With their focus on volatility and pricing, quants are more focussed on reducing something abstract, than achieving objectives, so a better view of managing risk might be something like: risk management = 'increasing the certainty of achieving objectives'.

And that gets my vote for a better definition of risk management. What do you think?

Thursday, August 2, 2012

Risk Informed Decision Making

I recently spent 10 days holiday scuba diving and sailing around the Whitsunday islands with my partner and a couple of friends. Being the only one in the group with any sailing experience, I got the role of 'skipper'. It's probably not everyone's idea of a great holiday but personally I love the challenge of navigating and sailing a 40 foot catamaran that I'd never been on before, through a group of islands that I really didn't know very well.  That's partly because I enjoy learning new skills and honing old ones, but mostly because the mental challenge involved with (safely) sailing a $500,000 yacht is enormously satisfying and stimulating.

Along the way, there is plenty of time to ponder the vagaries of risk management. While sailing through Solway passage one beautiful sunny morning, I was reminded of a comment made on one of the discussion forums that I participate in.  It's popular in some circles to be something of a sceptic regarding risk management. The question raised in this forum was basically asking if risk management even works. The author in this instance was challenging the value of ISO31000 and risk management in particular. He was (rightly enough) pointing out that there is little if any, research done to show that resources applied to risk management actually return any value.  Now, I don’t believe that risk management is the panacea for all ills, and I’d definitely like to see more research done on the value of risk management. The lack of research however, doesn’t prove a case either way.

There are even a few people (a minority to be sure) who would go so far as to suggest that risk management generates little or no value, and is simply is a fad invented by management consultants.  It amused me to reflect on this view while passing through Solway Passage. Solway is a picturesque but narrow channel between Whitsunday and Hazelbrook Island. It looks benign enough, but if you try to pass through when tide and wind are opposed, the turbulence and eddies in the channel that can rotate your boat 90 degrees. Add in the shallow patches, rocks on both sides, the possibility of a whale or two transiting at the same time, and you have a situation that's far from benign.

If the risk management sceptics were correct, anyone could blithely hire a $500,000 yacht and sail it through Solway with beer in hand, and scant regard to wind or tide.  It's ludicrous however, to suggest that such an approach would be overly helpful.  It's more likely, that the passage would quickly become littered with broken boats and flotsam. 

On the other hand, a few basic risk management strategies, such as acquiring some navigational skills beforehand and planning the journey based on tides and weather, are likely to increase your chance of meeting objectives (eg: reaching a safe anchorage without damaging the boat or crew).  Certainly, I might have gotten through with just a beer in my hand, and a vague lookout for rocks. Indeed most boats would probably get through just fine, but we're talking here about the 'effect of uncertainty on objectives'. The more we reduce the uncertainty, the more likely we are to achieve objectives.

It’s useful to be sceptical and ask the hard questions regarding the value of risk management, but such those questions are best answered in academia.  Real world examples such as scuba diving or sailing through Solway Passage, demonstrate that risk management does indeed add value. Indeed, it was amusing to me during this holiday, to wonder why it is that some people still feel the need to ask if risk management adds value.  Perhaps they feel erudite or learned by asking such questions, but to me it seems about as useful as asking "why bother with management, leadership or safety?"

As for ISO31000.... Did I use ISO31000 to get through the Solway Passage? No, I didn't (I'm not THAT much of a risk nerd). I did however, follow an intuitive human process that aligns nicely with the ISO31000 risk management process. I looked at my objectives for the trip (getting safely and happily to Whitehaven Beach), took stock of the tide, charts and weather (context) to see what threats and opportunities I might face (identify risk), looked at the interaction of the various factors (risk analysis), considered the situation against my risk attitude (risk evaluation) and chose my time/place/rigging/etc. to sail (risk treatment). Along the way I communicated with the crew (at least the ones who weren’t too seasick to comment), consulted the charts and monitored the situation.  

Perhaps it doesn't matter so much which risk management process you use, so long as you use one. It just so happens however, that the ISO31000 process is consistent with the way that most of us process and manage risk. 

Sunday, June 10, 2012

Until you do it, it’s still an unknown...

No matter how well you prepare, and how much you might think you understand a risk, there is a special category of risks which are worthy of the title...

"Until you do it, it's still an unknown.

One of my personal heroes made history with just this type of risk. Joe Kittinger rode a balloon to 102,800 feet (31,300 m) then stepped out into space.
He fell for four minutes and 36 seconds, reaching a maximum speed of 614 miles per hour (988 km/h) before opening his parachute at 18,000 feet (5,500 m). Pressurization in his right glove malfunctioned during the ascent, and his right hand swelled up to twice its normal size. He set records for highest balloon ascent, highest parachute jump, longest drogue-fall (four minutes), and fastest speed by a human being through the atmosphere.  To give you an idea, just how amazing this is, he set these records on August 16th, 1960 and they are yet to be beaten.

That could be about to change however, with a "giant leap for one man" later this year. Austrian skydiver Felix Baumgartner will jump from a pressurized capsule under a balloon at 120,000 feet wearing  only a spacesuit.
Felix Baumgartner and Joe Kittinger beside the capsule that will take Baumgartner into space

Jonathan Clark, the medical director for Red Bull Stratos, the team assembled to help Baumgartner reach his lofty goal, gets credit for coining a new category of risk management, describing this amazing feat "Until you do it, it's still an unknown." As he plummets 23 miles in the highest skydive ever, Baumgartner will possibly become the first person to break the sound barrier in free fall but the uncertainties are countless:

  • What happens when Baumgartner encounters the shockwaves that will occur when he breaks the speed of sound?
  • How many things have to go right for him to succeed?
  • What's the likelihood of everything going right?
  • What are the consequences of a failure in components x, y or z?
  • Instability in freefall is one of the biggest risks for normal skydiving. Only one person in history has jumped from this height and instability plagued much of his fall until he opened his drogue shute. 

The modern parachute was invented in the late 18th century by Louis-S├ębastien Lenormand in France, who made the first recorded public jump in 1783. Since then parachuting has evolved in many ways but it’s still unclear what will happen when Baumgartner steps out of his capsule. Whatever happens, it's a groundbreaking feat - in more than 50 years no one has been able to (or been courageous enough) to free-fall from higher than 102,800 feet.

Until you do it, it’s still an unknown,”

Tuesday, June 5, 2012

Blame it on the genes..

It looks like it's official! Risk preferences are central to any model of human decision making but researchers are increasingly able to identify a link between our genetic makeup and our risk taking behaviour.

We've recognised for a long time that there are substantial differences in peoples willingness to trade off risk versus reward. Some of the variation in preferences can be explained by gender, race, culture, age, education and socioeconomic status but none of these differentiators were sufficient of themselves to explain the variation.  Research by Camelia Kuhnen and Joan Chiao of Northwestern University in the journal PLoS ONE, was able to link financial investment risk-taking to variations in certain genes that regulate chemicals in the brain.

In particular, it appears that those of use who enjoy risk taking, whether day-trading or motorcycling are likely to have specific differentes in our Dopamine Receptor D4 (DRD4) gene.  Without getting overly technical, it appears likely that 25% of the individual variation in risk taking can be explained by heritable differences.

It's early days yet of course, and risky to confuse cause with correlation but it appears that there is a definite genetic trait at play. For those of you who are really curious, you'll find more technical details in 'The 7R polymorphism in the dopamine receptor D4 gene (DRD4) is associated with financial risk taking in men' at Evolution and Human Behavior 30 (2009) 85–92.

For an easier read, New Scientist speculates that DRD4 could be responsible for the human migrated out of Africa around 50,000 years ago. Even to the point where DRD4 has moved us across the planet, thanks to a propensity for risk-taking and adventurousness. DRD4 comes in may shapes and forms whereby the 4R allele, is associated with being even-tempered, reflective and prudent. Ie. People who like to manage risk to be ALARP (as low as reasonably practicable).

Those of us more inclined to manage risk to be AHARP (as high as reasonably practicable) probably have the less common 7R and 2R versions, which by contrast have been linked to impulsive and exploratory behaviour, risk-taking and the ability to shrug off new situations. In short, the migrants with these versions were better able to deal with dangerous, fluctuating situations and more likely to survive and reproduce under those conditions.

So, before you have that risk conversation with your spouse or colleague at work, think about just how deep seated their risk attitude may in fact be.  Culture, perception, gender, education, age and many other factors are important but, in part at least, we can be pretty confident that it's hardwired.

Tuesday, May 22, 2012

Another view of a risk management framework

The previous blog entry on risk management frameworks, presented a relatively simple risk management framework but there are many ways to view risk and the interactions of the various elements involved. It’s not the intention to provide a single ‘perfect’ risk management framework – you need to work that out for yourself – but we’ll provide a couple of ideas to get you started.  

Figure 1 below (adapted from SRMBOK) presents a more complex example of a risk management framework.  In this model we break up the elements of risk management into six main categories:
Activity Areas
Practice Areas
Strategic Knowledge Areas
Operational Competency Areas
Risk Treatments

Risk Management Framework
Figure 1: Risk Management Framework example

Looking at the above example, we can see a rough outline of how different elements of risk management support each other. For example:

  • Practice Areas – the activity groups that embody distinct areas of expertise. These areas can also be the scope of the risks to be managed, or primary area in which a risk practitioner is focused (eg: Safety, Finance, Enterprise risk, etc) 
  • Strategic Knowledge Areas – the four concepts which all risk practitioners must understand in order to achieve an optimal trade-off in support of risk treatments (Ref: The Quadruple Constraints of Risk Management)
  • Operational Competency Areas – a group of closely-related skill sets in which a risk practitioner needs to be competent in at least one of (if not all) in order to support effective risk management. 
  • Risk Treatments – the strategies that we put in place to support objectives. In the graphic above, ‘assets’ are placed at the center of concentric circles. These circles represent the layered approach known as hierarchy of controls (Ref: Slides 10 and 11) whereby multiple mutually supportive treatments are more effective than a single treatment (Ref: Swiss Cheese).
  • Activity Areas – principle risk countermeasure areas through the lifecycle from pre-incident prevention (planning and preparation) to post-event response (emergency management and business continuity). As indicated in the diagram, there should be a primary focus on various elements at the appropriate phase of a risk event (pre or post) but all four elements need to be considered at all times – albeit with varying levels of focus or priority.
  • Enablers – the underpinning elements required to ensure the application of risk management processes and activities in a sustained fashion (eg: Policies, training, etc) 

Why Build Such a Complex Model?

It’s important to remember that the model illustrated in Figure 1 is just one possible way to view how risk management fits together. It's useful nonetheless, to stimulate your risk thinking in three main areas:

  • GAP ANALYSIS. What elements aren’t happening right now in our organization and what do we need to do to fill in the gaps?
  • BENCHMARKING. If we had to measure the effectiveness of our risk management, which metrics would we choose and how do they relate to each other?
  • INTEGRATION. How does this model help us integrate various functions such as treasury, IT, emergency response, design, governance, assurance, policies etc?

Tuesday, April 10, 2012

First International Conference on ISO 31000

If you're looking for a good excuse to visit Paris in the spring, I can think of few better excuses than the First International conference on the ISO 31000 Risk Management Standard.
The conference will take place there on the 21st and 22nd of May 2012.

"This international conference on ISO 31000 is addressed for the first time to the global risk management community active across all fields, sectors, industries and services related to risk management. We have gathered together an outstanding panel of international experts and practitioners from your sector to share their current perspectives on the ISO 31000 Risk Management standard”, said Alex Dali, President of G31000, the international non-for-profit NGO based in France dedicated to raise awareness on ISO 31000 standard.

With more than 30+ speakers, 4 plenary sessions and 10 parallel sessions and a focus purely on applying ISO31000, this conference is the risk management event of the year.

Plenary sessions:
  • Why ISO 31000 will become the global Risk Management standard
  • 20 years of Risk Management Standardisation - Past, Present and Future 
  • Why every RM programme should be based on ISO 31000
  • How to implement or adapt your RM programme using ISO 31000
  • G31000 – the new Platform for ISO 31000
Parallel sessions:
  • Regulatory Authorities 
  • Business Continuity
  • Software
  • Security
  • Internal Audit
  • Finance and Banking
  • Moving from COSO ERM
  • Raising awareness, worldwide 
  • Education
  • Human Factors
More information and registration details can be found at and a 10% discount is available if you use booking code: G7ACCX.

I'll be presenting there and will look forward to catching up with colleagues, and hopefully meeting a few readers of this blog at the conference.

Sunday, January 15, 2012

How to build a risk management framework

Section 4 of ISO31000 opens with the simple statement that "The success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels."  The standard devotes about 5 pages to talking about what a framework requires and sums it up in the Figure 1 below.
Figure 1: Relationship between the components of the framework for managing risk (ISO31000)

We'll go even further, and say that the risk management framework is the heart of organizational risk management. It might be tempting to overlook this portion of ISO31000 or to downplay its significance and jump straight to Section 5: Process but that would be a mistake.  No matter how much you and your organization know about risk, no matter how excellent your latest risk assessment is and despite an outstanding risk treatment plan, unless an organization has a well structured and appropriate risk management framework it will not have a sustainable risk management system.

Of all the elements of ISO31000, building the risk management framework deserves primacy for this is where policy, mandate, organizational commitment and structure set the scene for ongoing successful application of risk management.  And it isn't a one-time event. Like most of risk management, it is an iterative, adaptive process and as you can see from Figure 1, the authors of ISO31000 clearly intended it to be a cyclical process.

At the very least a framework should provide you with guidance regarding how your organization manages risk and in particular provides:
A centralized and comprehensive source of risk policy, procedures and information.
A consistent taxonomy for classification and prioritization of risk.
Automated (or at least consistent) workflow for risk management.
Auditable paper trail of records, decisions made and changes.

Putting this into action however isn't a simple task but if you consider what actually needs to go into it, the following graphic and our next blog entry will offer a couple of suggestions. 

The three most important elements in actually turning risk management theory into risk management practice will inevitably be training, training and more training.  How you put together the underlying framework for your organization however, will depend on your context and existing management systems. Whatever result you end up with, It’s likely to include three common elements: Direction, Systems and Execution.  I built this framework for a large Commonwealth government department a few years ago, and part of the brief was that it had to be easy to grasp the underlying principle.

DIRECTION is set by the Executive management team and in order of priority is based on:
  • Organizational objectives vision and mission (ie. The reason for existence of the organization). 
  • A risk assessment based on those objectives
  • A risk treatment plan to support achievement of the objectives (which might also be known as a Strategic Plan, Operational Plan, etc)
SYSTEMS are the management infrastructure that provides technical and policy guidance for implementation of the organizations plans and uses four core elements:
  • Policies and Management Standards - set the high level expectations and guide decision making
  • Procedures and Guidelines - provide the step by step process flows to implement the policies as well as some general guidance about how to interpret high level policy or standards.
  • Work Instructions – provide task specific detailed instructions for each step in the process flow.
  • Forms, Templates & Tools – are the specific tools and documentation that people will use to identify, assess and document risks.
EXECUTION is the phase where the plans, policies, objectives that have been so carefully developed, are finally implemented using three phases of this process:
  • Training Needs Analysis – involves identifying what people need to know in order to implement the ‘Systems’ previously developed. 
  • Training & Implementation – involves delivering the training that your people will need so that they can begin to correctly implement the various elements that support organizational objectives.
  • Reporting, Monitoring & Review – are the final elements to close the feedback look, assess how effective the framework is and provide appropriate feedback for continuous improvement. 
You’ll find this concept illustrated in Figure 2 below. It’s a relatively simple example of a framework but is easy enough to explain to people and equally importantly is highly scalable. 
Figure 2: Illustrative Example of a Risk Management Framework
Figure 2 is a relatively simple risk management framework. There are of course, many ways to view risk and the interactions of the various elements involved. It’s not the intention of this book to provide a single ‘perfect’ risk management framework – you need to work that out for yourself- but we’ll provide a couple of ideas to get you started.

In the next blog article, we'll look at a more complex version of a risk management framework which might suit larger organizations.