A very useful model for thinking about risk taking has been created by David Hillson and Ruth Murray-Webster. In contrast to the IRM guidance it is rigorous and well thought through. The model consists of an influence diagram in which the nodes and influences have been well-defined. Thus the model makes an interesting and valuable contribution to the risk appetite debate. However in the end I have concluded that it is of limited relevance for organisations aiming to manage the nature and extent of risk they take on.
This review is based on a paper available on Ruth’s website and also a talk she gave to the IRM North West regional group. David and Ruth have been working on risk attitude for some time and the suspicion exists that risk appetite might have been slightly shoehorned in. However they have now published a book on risk appetite and we need to review it here quite urgently to see if this accusation is well founded.
Accordingly risk appetite and risk attitude lie at the centre of the model, which is therefore known as the RARA model. Both are regarded as internal factors, so they cannot be directly observed, unlike, for example, risk actions and, importantly, risk thresholds (aka risk tolerance).
Risk thresholds, quantified measures that represent upper and lower limits of acceptable tolerance around objectives, express the risk appetite, are influenced by risk attitude and are constrained to lie within the risk capacity (another observable/measurable). Risk appetite, the tendency of an individual or group to take risk in a given situation, is driven by the risk propensity of individuals and the risk culture of the organisation. Risk attitude, the chosen response of an individual or group to a given risky situation, is driven by the perceived risk. (Unfortunately Hillson and Murray-Webster make the usual assumption of an (objective!) inherent risk exposure, instead of accepting that there is a (subjective) risk exposure under all options currently considered. It would be good if their model were modified for this.)
Two comments spring to mind. Firstly, it seems the risk thresholds are set in terms of outcome, not risk. This is impractical: you cannot constrain outcome due both to black swans and the like and the fact that ill luck may take you outside what you would generally expect with a correctly assessed risk. (This is unlike the risk tolerance levels in safety which set an upper limit on the assessed risk of a fatality; they do not assert that a fatality will not happen.) Secondly, it is unclear how the risk attitude, as defined in terms of the chosen response, differs from the observable risk actions. I do not understand why risk attitude is regarded as unobservable, nor does this seem to be a plausible definition of risk attitude (which in my book is more to do with risk seeking or risk aversion).
But perhaps the main point about the RARA model is that it is essentially descriptive, it seems to me. Risk appetite and risk attitude are mainly driven by individual and cultural factors. I would argue that individual risk preferences are irrelevant to a normative approach. And if risk culture is the sole driver of risk appetite, why separate the two?
One thing that is missing from the RARA model is the influence of risk culture on the effectiveness of risk actions. What is also missing is an idea of how the organisational perception of risk is a result of the thought processes of the individuals who contribute. This is what Hillson and Murray-Webster call the ‘triple strand’ of conscious, subconscious and affective factors. Their suggestion that perceived risk is a combination of real risk and the triple strand is peculiar: if you know the real risk, why pretend it’s something different?
This is very interesting as it touches on the insufficiently recognised truth of risk analysis (and hence risk management) that risk estimates are fundamentally subjective. Whereas there is a philosophically rigorous procedure to determine the subjective probability of individuals, this is not the case for societies or organisations. (See D V Lindley on Uncertainty.) Perhaps Hillson and Murray-Webster are working toward a solution, but from a practical point of view this seems not to be an enormous problem. In practice risk workshops can work towards an agreed view of the risk fairly easily. It may not be accurate (whatever that means) but it is a consensual result.
It makes sense to work toward a revised and simplified version of the RARA model.
As a post-script (as Clouds of Vagueness will come back to this later) I don’t agree with the Hillson and Murray-Webster definition of culture as shared beliefs, values and knowledge of a group about risk. For example, it excludes anything which isn’t shared (a good indicator of a poor culture), but more importantly it does not seem to address behaviours. A key element of risk culture is how managers behave and inculcate other people’s. David and Ruth would argue that behaviour drives culture (the ABC model where A is attitude), but it seems to me that you cannot describe culture without describing behaviour (or attitude for that matter).
I look forward to being persuaded otherwise when I read their book.