Welcome to a series of excerpts from our forthcoming book on how to apply the ISO31000 Risk Management standard. Whether your focus is business management, leadership, safety, health, environment, security, insurance, business continuity, strategic analysis, financial risk, treasury management, compliance or something else entirely - if you're interested in risk, this is a book for you. We hope you like it and would love to hear your feedback.
Sunday, August 26, 2012
What is Risk Management?
I love the simplicity and inclusiveness of the ISO 31000 definition of risk ("the effect of uncertainty on objectives") and think it is probably the best of the many alternative definitions of risk. On the other hand, the ISO 31000 definition of 'risk management' ("coordinated activities to direct and control an organization with regard to risk") leaves me more than a little underwhelmed. So, rather than just criticise it, I'd offer the following thoughts in support of a (possibly) better definition.
If we accept the ISO 31000 definition of risk, then it follows that 'managing risk' = 'managing the effect of uncertainty on objectives'.
We could take this argument further by suggesting that if we have objectives, we would like to achieve them. If that is the case, then we could define 'risk management' as 'reducing the effect of uncertainty on objectives'.
A quantitative analyst (quant) might suggest that risk management is all about reducing volatility, but that definition is still rather vague. With their focus on volatility and pricing, quants are more concerned with reducing something abstract than with achieving objectives, so a better view of managing risk might be something like: risk management = 'increasing the certainty of achieving objectives'.
And that gets my vote for a better definition of risk management. What do you think?
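The distinction between "reducing volatility" and "increasing the certainty of achieving objectives" can be made concrete with a small calculation. The Python below is an added illustration, not part of the original post: it models two hypothetical options as normally distributed outcomes and compares the lower-volatility option against the option more likely to reach a target. The option names, means, standard deviations and the target value are assumptions chosen for the example.

```python
"""Added illustration (not from the original post): reducing volatility is not the
same as increasing the probability of achieving an objective.

Two hypothetical options are modelled as normally distributed outcomes. The
figures (means, standard deviations, target) are assumptions for the example.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    name: str
    mean: float        # expected outcome
    volatility: float  # standard deviation of the outcome (the quant's measure)


def normal_cdf(x: float) -> float:
    """Standard normal CDF via the error function (no SciPy required)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def p_achieve(opt: Option, target: float) -> float:
    """Probability that the outcome is at least `target`, i.e. the objective is met."""
    z = (target - opt.mean) / opt.volatility
    return 1.0 - normal_cdf(z)


def lowest_volatility(options):
    """The choice a pure 'reduce volatility' view would make."""
    return min(options, key=lambda o: o.volatility)


def most_certain(options, target):
    """The choice an 'increase certainty of achieving objectives' view would make."""
    return max(options, key=lambda o: p_achieve(o, target))


# Constructed example: A is the quieter option (lower volatility), but B is far
# more likely to actually reach the objective.
OPTIONS = [Option("A", mean=5.0, volatility=2.0),
           Option("B", mean=8.0, volatility=4.0)]
TARGET = 6.0  # assumed objective: an outcome of at least 6

if __name__ == "__main__":
    for o in OPTIONS:
        print(f"{o.name}: volatility={o.volatility:.1f}  "
              f"P(outcome >= {TARGET}) = {p_achieve(o, TARGET):.3f}")
    print("lowest volatility:            ", lowest_volatility(OPTIONS).name)
    print("most certain to hit objective:", most_certain(OPTIONS, TARGET).name)
```

With these figures option A has the lower volatility but only about a 31% chance of meeting the target, while option B, despite being twice as volatile, meets it about 69% of the time. A definition of risk management built around objectives picks B; one built around volatility alone picks A.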
Thursday, August 2, 2012
Risk Informed Decision Making
I recently spent 10 days' holiday scuba diving and sailing around the Whitsunday Islands with my partner and a couple of friends. Being the only one in the group with any sailing experience, I got the role of 'skipper'. It's probably not everyone's idea of a great holiday, but personally I love the challenge of navigating and sailing a 40 foot catamaran that I'd never been on before through a group of islands that I really didn't know very well. That's partly because I enjoy learning new skills and honing old ones, but mostly because the mental challenge involved in (safely) sailing a $500,000 yacht is enormously satisfying and stimulating.
Along the way, there is plenty of time to ponder the vagaries of risk management. While sailing through Solway Passage one beautiful sunny morning, I was reminded of a comment made on one of the discussion forums that I participate in. It's popular in some circles to be something of a sceptic regarding risk management. The question raised in this forum was basically asking whether risk management even works. The author in this instance was challenging the value of ISO31000 in particular and risk management in general. He was (rightly enough) pointing out that there is little, if any, research to show that resources applied to risk management actually return any value. Now, I don't believe that risk management is the panacea for all ills, and I'd definitely like to see more research done on the value of risk management. The lack of research, however, doesn't prove the case either way.
There are even a few people (a minority, to be sure) who would go so far as to suggest that risk management generates little or no value and is simply a fad invented by management consultants. It amused me to reflect on this view while passing through Solway Passage. Solway is a picturesque but narrow channel between Whitsunday and Hazelbrook Island. It looks benign enough, but if you try to pass through when tide and wind are opposed, the turbulence and eddies in the channel can rotate your boat 90 degrees. Add in the shallow patches, rocks on both sides and the possibility of a whale or two transiting at the same time, and you have a situation that's far from benign.
If the risk management sceptics were correct, anyone could blithely hire a $500,000 yacht and sail it through Solway with beer in hand and scant regard to wind or tide. It's ludicrous, however, to suggest that such an approach would be especially helpful. It's more likely that the passage would quickly become littered with broken boats and flotsam.
On the other hand, a few basic risk management strategies, such as acquiring some navigational skills beforehand and planning the journey around tides and weather, are likely to increase your chance of meeting objectives (e.g. reaching a safe anchorage without damaging the boat or crew). Certainly, I might have gotten through with just a beer in my hand and a vague lookout for rocks. Indeed, most boats would probably get through just fine, but we're talking here about the 'effect of uncertainty on objectives'. The more we reduce the uncertainty, the more likely we are to achieve our objectives.
It's useful to be sceptical and ask the hard questions regarding the value of risk management, but such questions are best answered in academia. Real world examples such as scuba diving or sailing through Solway Passage demonstrate that risk management does indeed add value. It amused me during this holiday to wonder why some people still feel the need to ask whether risk management adds value. Perhaps they feel erudite or learned for asking such questions, but to me it seems about as useful as asking "why bother with management, leadership or safety?"
As for ISO31000.... Did I use ISO31000 to get through the Solway Passage? No, I didn't (I'm not THAT much of a risk nerd). I did, however, follow an intuitive human process that aligns nicely with the ISO31000 risk management process. I looked at my objectives for the trip (getting safely and happily to Whitehaven Beach), took stock of the tide, charts and weather (establishing the context) to see what threats and opportunities I might face (risk identification), looked at the interaction of the various factors (risk analysis), considered the situation against my risk attitude (risk evaluation) and chose my time/place/rigging/etc. to sail (risk treatment). Along the way I communicated with the crew (at least the ones who weren't too seasick to comment), consulted the charts and monitored the situation (communication and consultation, monitoring and review).
Perhaps it doesn't matter so much which risk management process you use, so long as you use one. It just so happens however, that the ISO31000 process is consistent with the way that most of us process and manage risk.