You're reading...


Pedant’s Corner (1)

In principle I’m a great fan of standards for risk management.  Given the problems we have, there is a very attractive idea that conceptually lucid, clearly written standards can help us find the way forward.

In reality the large range of standards (ISO 31000, BS 31100, superseded A/NZ documents, etc) and quasi standards (PRAM, MoR/P3M3, Orange Book, … ad nauseam) has failed to hit the spot.

One reason for this is lack of agreement on the purpose of the standards.  Some think they are just there to communicate accepted wisdom to the great unwashed (senior managers, and the like).  But this site takes it as axiomatic that there is no accepted wisdom, or at least, that what’s accepted is unwise, so the standards should have a higher purpose.  Developing and recording a logical and rigorous general approach to risk management will set up the framework we need to progress.  The great unwashed can come later.  (It’s interesting the extent to which new ideas are dismissed as wrong on the basis that risk managers do not feel themselves up to the task of communicating them to top executives.)

With the opportunity to review ISO 31000 coming up, there will be a series of posts on standards on this site, mainly based on notes I made during a really enthusiastic phase a few years ago, before I got fed up with spending £100 on each new one.

The standards documents have quite a good structure.  The risk management processes evolve from a risk management framework.  Both of these can be regarded as recommended practices.

These evolve in turn from a set of principles and the principles are supported by a set of definitions for which there is another document, ISO 73.

So the best place to start the review is the definitions.  If these are not correct we are doomed to waste time working with them and what’s more we are likely to get it wrong.  In my opinion we will never make progress with risk management until we have a sensible set of definitions.  So this is where we’ll start – hence the title of this post.

And where better to start than risk, the effect of uncertainty on objectives.  We don’t need to mention objectives yet, that will come up when we look at risk management for a specific organisation.  What’s more risk is not of itself  ‘the effect’; that comes later too.  So risk = uncertainty.  That’s about right, but not very helpful. Perhaps what we need is to recognise explicitly that we are uncertain about the future.  How about risk = uncertainty = ‘the possibility of more than one future’?

The first note to the risk definition ‘clarifies’ that ‘the effect is a deviation from  the expected’.  What does ‘expected’ mean?  As a maths type I might expect it to be the probability weighted mean.  At a stroke we have introduced probabilities and we are up and running.  But I don’t think that’s what’s intended by the authors. The deviation can be positive or negative.  This causes long discussions about the relevance of upside to risk.  With my definition this is all avoided.  There’s no expected and therefore no positive or negative.  Of course, some of the possible futures are better than others.

This brings us to risk management, coordinated activities to direct or control an organisation with regard to risk.  This definition works fine with either definition of risk, but has begged an important question.  Is it actually good practice to seek to have a coordinated set of activities to direct and control?  Perhaps this sows the seeds of failure to embed, and the creation of the despised risk management silo activities that struggle to add value.  At this stage perhaps we should take a more cautious approach; ‘the steps taken within an organisation to recognise risk, and promote the realisation of preferred possible futures over less preferred.’

With this perspective, it’s much easier to design an integrated approach, recognising what is done about risk within each management process, building on an existing more natural activity.

This also raises the question of the need for the risk and risk management terms at all.  Matthew Leitch has developed his Working with Uncertainty concept by showing how unhelpful the r-word is and emphasising the usefulness of building on what you are naturally doing.  I’ll stick with it for the time being with the intention of revisiting this when we have something to popularise.

The next valuable concept is risk attitude, the organisation’s approach to assess and eventually pursue, retain, take or turn away from risk.  This brings us to the extensive discussion on this site of organisational risk taking.  Assessing risk involves risk identification, risk analysis and risk evaluation.  Here the plot thickens.  First, risk identification is the process of finding, recognising and describing risks.  See what’s happened there?  We’ve moved from risk as an abstract concept to specific risks, things that affect specific objectives of specific organisations.

This type of risk is a completely undefined term, but the standards are littered with them.  What’s happened is that we have tacitly slipped into the most widely-accepted practice for characterising risk: making a list of risks.  The standards pretend they are not specifying risk registers, but the way they are written makes it very hard for that not to be the outcome.

Secondly, risk evaluation is the process of comparing the results of risk analysis with risk criteria to determine whether the risk is acceptable or tolerable.  This is a terrible idea to kick off with.  As outlined before on this site, we take risk because we think we will get a commensurate return (as specified by our risk attitude).  Acceptability/tolerability is not irrelevant, as our experience with safety risk management – where it was pinched from – shows.  But to use it as the starting point is wrong-headed.  It is one of the factors which takes us into the risk appetite morass.

It gets worse when we read the risk criteria definition: terms of reference against which the significance of a risk is evaluated.  Where to start?  To equate terms of reference (not a bad phrase for an evaluation) with criteria is an abuse of language: one is much stricter than the other.  What’s more why should criteria apply to a single risk?  The notes to the definition contain more nonsense, but let’s not delay, we’ll just kill it now!

I think we can drop risk identification too, at least for the time being, and also risk assessment as the umbrella term.  This leaves us with risk attitude, risk analysis (which will include the characterisation of risk) and risk evaluation (in the light of the risk attitude).  Finally we will have to fix the faults in the decision process set out on the standards by making sure we have a range of options for action to decide between when we are doing our risk analysis.

This is all relatively straightforward.  The big challenge is to say something about risk characterisation if we think a list of ‘risks’ is not the best idea.  We shall return to this another day.  Let’s finish with a summary of the improved definitions so far:

  • risk – the possibility of more than one future
  • risk management – the steps taken within an organisation to recognise risk, and promote the realisation of preferred possible futures over less preferred
  • risk attitude – the organisation’s approach to pursuing, retaining, taking or turning away from risk
  • risk analysis – process to characterise risk and determine its level (a term we shall talk about at length as well)
  • risk evaluation – process of comparing the options for action in the light of the results of the risk analysis and the organisation’s risk attitude
  • risk decisions – deciding between the options in the light of the risk evaluation

First note that the last two should be integrated into the normal business of the organisation – they should not actually have the risk prefix which, again, will tend to drive risk as an add-on.

Secondly, note how much simpler and clearer it now is (in my, obviously very humble, opinion).  Let’s compare where we are with what I recommended at the end of the discussion of risk appetite.  This split risk management into three broad activities:

risk monitoring – which we have not yet covered

risk decisions – as above, driven by risk analysis and risk evaluation

risk governance – which we have touched on only as regards risk attitude.

We’ll come to governance in the next post.

Print Friendly