Sunday, August 26, 2012

What is Risk Management?
I love the simplicity and inclusiveness of the ISO 31000 definition of risk ("the effect of uncertainty on objectives") and think it is probably the best of a large number of alternatives for a definition of risk.  On the other hand, the ISO 31000 definition of 'risk management' - "coordinated activities to direct and control an organization with regard to risk" leaves me more than a little underwhelmed. So, rather than just criticise it, I'd suggest the following thoughts in support of a 'better'(?) definition.

If we accept the ISO 31000 definition for risk, then it follows that 'managing risk' = 'managing the effect of uncertainty on objectives'?

We could take this argument further by suggesting that if we have objectives, we would like to achieve them. If that is the case, then we could define 'risk management' as 'reducing the effect of uncertainty on objectives'.

A quantitative analyst (quant) might suggest that risk management is all about reducing volatility, but that definition is still rather vague. With their focus on volatility and pricing, quants are more focussed on reducing something abstract than on achieving objectives, so a better view of managing risk might be something like: risk management = 'increasing the certainty of achieving objectives'.

And that gets my vote for a better definition of risk management. What do you think?
Thursday, August 2, 2012

Risk Informed Decision Making


I recently spent 10 days' holiday scuba diving and sailing around the Whitsunday islands with my partner and a couple of friends. Being the only one in the group with any sailing experience, I got the role of 'skipper'. It's probably not everyone's idea of a great holiday, but personally I love the challenge of navigating and sailing a 40 foot catamaran that I'd never been on before through a group of islands that I really didn't know very well. That's partly because I enjoy learning new skills and honing old ones, but mostly because the mental challenge involved with (safely) sailing a $500,000 yacht is enormously satisfying and stimulating.

Along the way, there is plenty of time to ponder the vagaries of risk management. While sailing through Solway Passage one beautiful sunny morning, I was reminded of a comment made on one of the discussion forums that I participate in. It's popular in some circles to be something of a sceptic regarding risk management. The question raised in this forum was basically asking if risk management even works. The author in this instance was challenging the value of ISO31000 and risk management in particular. He was (rightly enough) pointing out that there is little, if any, research done to show that resources applied to risk management actually return any value. Now, I don’t believe that risk management is the panacea for all ills, and I’d definitely like to see more research done on the value of risk management. The lack of research, however, doesn’t prove a case either way.

There are even a few people (a minority to be sure) who would go so far as to suggest that risk management generates little or no value, and is simply a fad invented by management consultants. It amused me to reflect on this view while passing through Solway Passage. Solway is a picturesque but narrow channel between Whitsunday and Hazelbrook Island. It looks benign enough, but if you try to pass through when tide and wind are opposed, the turbulence and eddies in the channel can rotate your boat 90 degrees. Add in the shallow patches, rocks on both sides, the possibility of a whale or two transiting at the same time, and you have a situation that's far from benign.

If the risk management sceptics were correct, anyone could blithely hire a $500,000 yacht and sail it through Solway with beer in hand, and scant regard to wind or tide. It's ludicrous, however, to suggest that such an approach would be overly helpful. It's more likely that the passage would quickly become littered with broken boats and flotsam.

On the other hand, a few basic risk management strategies, such as acquiring some navigational skills beforehand and planning the journey based on tides and weather, are likely to increase your chance of meeting objectives (e.g. reaching a safe anchorage without damaging the boat or crew). Certainly, I might have gotten through with just a beer in my hand and a vague lookout for rocks. Indeed, most boats would probably get through just fine, but we're talking here about the 'effect of uncertainty on objectives'. The more we reduce the uncertainty, the more likely we are to achieve objectives.

It’s useful to be sceptical and ask the hard questions regarding the value of risk management, but those questions are best answered in academia. Real-world examples such as scuba diving or sailing through Solway Passage demonstrate that risk management does indeed add value. Indeed, it was amusing to me during this holiday to wonder why it is that some people still feel the need to ask if risk management adds value. Perhaps they feel erudite or learned by asking such questions, but to me it seems about as useful as asking "why bother with management, leadership or safety?"

As for ISO31000... Did I use ISO31000 to get through the Solway Passage? No, I didn't (I'm not THAT much of a risk nerd). I did, however, follow an intuitive human process that aligns nicely with the ISO31000 risk management process. I looked at my objectives for the trip (getting safely and happily to Whitehaven Beach), took stock of the tide, charts and weather (context) to see what threats and opportunities I might face (identify risk), looked at the interaction of the various factors (risk analysis), considered the situation against my risk attitude (risk evaluation) and chose my time/place/rigging/etc. to sail (risk treatment). Along the way I communicated with the crew (at least the ones who weren’t too seasick to comment), consulted the charts and monitored the situation.

Perhaps it doesn't matter so much which risk management process you use, so long as you use one. It just so happens, however, that the ISO31000 process is consistent with the way that most of us process and manage risk.