Working In Uncertainty

The risk management we prefer

Introduction

The scope we prefer is broad

The methods we prefer for managing risk are integral

The improvement programmes we prefer

We prefer to avoid risk jargon

Summary

References

Introduction

Over several years I have carried out a series of surveys to find out what most people prefer when it comes to risk management, especially in organisations. These surveys have included questions about points of principle and questions based on hypothetical but realistic situations.

Thanks to the hundreds of people who have participated, the results of these surveys provide insights to anyone making suggestions for improvements to risk management. They show which suggestions are likely to get support from most people. Overall, the preferences most people have are sensible and understandable. Huge progress in risk management can be made by simply offering people what they prefer.

On some points what most people prefer is not what some of the best known publications on risk management have advocated in the past and, for this reason, the preferences may seem surprising to some at first. The survey data give us all confidence that some changes to existing published guidance can be made that will be widely welcomed.

The scope we prefer is broad

Risk management is not a method

Very few people think that risk management is a method. Instead we prefer to think of risk management as a discipline or perhaps an aspiration. A few people think that risk management should be defined as the method where risks are identified analysed and managed, but preference for this Risk Listing definition is rare [1]. This contrasts with some well-known publications on risk management that define risk management in Risk Listing terms.

Most of us think, wrongly, that most others define risk management in Risk Listing terms [2]. We know that prominent publications do it and assume other people agree with those publications. In reality, very few people do in fact agree with those publications and reform would be warmly welcomed by most people. Ask your colleagues what they privately think and you will probably find they agree that risk management should not be defined by one method.

Risk management should encompass all significant decisions

Asked if risk management should include within its scope all significant decisions or just significant decisions on actions that are seen as responses to risks (such as insurance, fire precautions, and immunisation) a huge majority of people choose ‘all significant decisions’ [3][4].

This means that approaches to risk management that focus on devising responses to risks are too narrow for most people. The difference is quite large with many of our most important decisions being driven by many factors, not just risk and cost.

Dealing with uncertainty well is valued in a wide range of activities

People believe that managing uncertainty more effectively would be valuable in a surprisingly wide range of activities [5], specifically dealing with uncertainty as to:

when to stop developing plans, make a decision, and start to execute them;
what is in the best interests of the relevant stakeholders;
which ideas to explore and develop further;
past events, past causes, and the current situation; and
results that might be produced by each plan under consideration.

(This is all the items tested in the survey, so there are probably more that could be uncovered.)

These items are listed above in descending order of their rating by respondents and, while all these were considered important, the item most commonly addressed by risk management — results that might be produced by each plan under consideration — was the least highly rated.

The methods we prefer for managing risk are integral

In principle, almost everyone prefers the idea of managing risk as an integral part of core management activities and other relevant intellectual activities such as design, rather than managing risk with a separate process, in separate meetings, and with separate documents [6] [7]. In other words, we think improving risk management is mostly about redesigning the way intellectual work is done.

Furthermore, asked to choose between alternative techniques for activities such as planning and evaluation most people identify the same approaches as more ‘integrated’ and the reasons for these judgements are fairly straightforward [8]. It seems that we know what we like when we see it even though we struggle to articulate what ‘integrated’ means in principle.

About twice as many respondents were willing to recommend the methods seen as more integrated by most respondents.

This study is well worth reading in detail because the alternatives tested are typical of the alternatives that people face.

The results show that it is easy to suggest classic management techniques that people prefer over Risk Listing and that the ‘integrated’ techniques people prefer create just as much audit evidence as others. So, we do not need to worry that ‘integrated’ risk management leaves no evidence and cannot provide assurance. In fact, sensibly chosen methods will leave solid evidence of the risk management most people think is better.

One crucial point from this important survey is that risk is not managed by rolling out one process. Redesigning and modifying the way intellectual work is done requires implementing a range of different techniques and processes for a range of different situations. In this way, improving risk management is more like a typical programme to improve internal control than a programme to roll out risk registers.

Ratings of probability and impact are not favoured

Within Risk Listing methods, the techique of rating each risk for its probability of occurrence and impact if it did occur (or something similar) is almost ubiquitous. These are also commonly used to scatter risks across a probability-impact diagram of some kind. Yet, despite the high familiarity and apparent simplicity of this technique, most people would prefer a more comprehensive analysis of the consequences of investments in actions seen as responses to risk [9] [10]. (Presumably this would be an even stronger preference for decisions where risk and cost are not the only considerations.)

The improvement programmes we prefer

Implement a variety of distributed changes to the way relevant activities are done

As described above, the technical methods we prefer are varied and distributed through organizations, affecting planning, design, establishing stakeholder preferences, other decision-making, investigations, and so on. Consequently, improvement programmes need to generate those ideas for improvement and get them implemented somehow.

Expect ideas to develop over time

Almost everyone recognizes that it is unrealistic to expect all ideas for improvement to be thought of in some initial analysis phase [11]. Instead, ideas for improvement are almost certain to arise over a longer period, with some arising while others are being implemented.

Focus resources on the most worthwhile improvements

In the survey, respondents picked objectives for such programmes that they thought would be helpful, from a given list [12]. The most often picked objective was to focus resources on the most worthwhile improvements. A similar theme emerged in responses to some other questions in the same survey.

Generate a strong flow of good ideas for improvements

The second most picked objective for such programmes was to generate a strong flow of good ideas for improvements [13]. Just under 80% of respondents picked this objective, which is a strong level of interest and contrasts with the typical amount of text given over to this topic in most guides and standards for risk management — which is almost none.

Can use a wide range of factors to focus resources

Although using risk to focus improvements is the most favoured factor, many other factors are acknowledged as reasonable and acceptable by most people [14]. This is quite important because many changes to the way we work are not to deal with one specific risk. More often the idea is to make changes that will deal with all risk in important situations or activities.

This is also reassuring because it shows that people are not fussy about how resources are focused, just so long as they are focused in a reasonable way and there is a strong flow of good ideas for improvements.

Use lists of about 7 prompts to give people ideas for improvement for each activity

Asked what type of written or spoken prompt would most likely give rise to the sort of changes we prefer, most people thought that fairly specific prompts would be more effective than describing one generic ‘risk management process’ and expecting people to interpret it in imaginative ways [15]. Furthermore, the ideal number of prompts on a list, for a given exercise, was about 7 (or slightly fewer).

Include training in everyday risk management skills

There is strong interest in providing training in everyday risk management skills [16]. This is perhaps surprising because, once again, this training is rarely mentioned in publications about risk management.

We prefer to avoid risk jargon

We would prefer less risk jargon

A group of dedicated and somewhat conservative risk professionals was asked if they would like the next edition of ISO 31000 to have more than the current 29 defined terms, the same number, or less (say around 10). A heavy majority preferred a reduced set of defined terms [17].

There are better alternatives to ‘risk appetite’

It is easy to think of phrases that are clearer and more self-explanatory than ‘risk appetite’, for all of several possible meanings of the phrase ‘risk appetite’. Asked to express a preference between ‘risk appetite’ and alternatives for expressing particular ideas, people overwhelmingly chose the straightforward language over ‘risk appetite’ [18]. The phrase ‘risk appetite’ did not win even a single head-to-head contest. This is despite ‘risk appetite’ being a familiar phrase for most respondents.

Summary

This has been just a brief tour of the highlights of a long and detailed programme of research that has revealed many fascinating insights into our preferences for risk management. Perhaps the key discovery is that we prefer to change the way thinking work is done in varied and distributed ways, incrementally, rather than go to dedicated workshops to talk about risk. Most other preferences flow from this.