Working In Uncertainty
How to write about 'risk management'
The various surveys I have done over the last few years seem to indicate that most people with an interest in management are, at heart, informal management or decision scientists. In other words, given the opportunity, we like to think logically in uncertainty (though most shy away from explicit mathematics). There is a strong preference for 'risk' (whatever that is) to be 'managed' (whatever that means) through core management activities like decision making and planning, not through a separate activity. Risk being managed should be a by-product of managing well.
A problem with published guidance
Unfortunately, publications about 'risk' have increasingly come to be written in a way that seems to create a new management activity, even though most authors make statements showing that they intend the opposite. Bizarrely, even writing about investing in capital markets, which is usually highly mathematical, creates the strong impression that 'risk management' is something separate from and in addition to managing investments.
Writing about managing risk through writing lists of 'risks' takes this even further, with diagrams, processes, and a lot of terminology that repeatedly sends the message that 'risks' have an existence of their own and need to be 'managed' through an activity called 'risk management'. Despite the fact that almost nobody instinctively thinks this way, there is a body of publications within the Risk Listing approach and some of them have a high profile in certain sectors and certain countries. In particular, project management and corporate governance in English speaking countries have been heavily influenced by Risk Listing ideas.
Not all of this material has been written by people who honestly think that Risk Listing is a good approach. More than one consultant has told me that they have written supportive material about risk registers because they think that's what people will buy. At least some people who have written regulations requiring risk registers have only done so because they thought that was what people liked and thought was a good idea. I must confess that I myself have written material that, in effect, promotes aspects of the Risk Listing approach. This was at the time when I thought Risk Listing could be made to work by fixing all the obvious problems with it, but now, since I am not the sole author, it is too late to withdraw those publications.
Beyond that, I suspect that many unhelpful statements in published guidance are just the result of copying phrases and statements from other documents for a sense of authority and to avoid possible controversy. The fact that many of these statements, if taken literally, contradict the honest beliefs of the author is probably not noticed in most cases. In other words, many of the faults in writing about 'risk' are unconscious.
What we need now
What is needed now is more publications that explain things in a way that is consistent with the beliefs of the authors and their readers. Specifically, we need documents that do not portray a separate activity. If you are thinking of writing such material then this article is for you. I have found that it is surprisingly difficult to write about 'risk' without creating the impression that something separate is intended. This article explains the skill of writing about 'risk management' without using phrases or ideas that are from Risk Listing or that seem to suggest separate risk management. Instead, the focus is on the (informal) management/decision science approach that most people seem to adopt instinctively, explained in simple, everyday terms, without reams of mathematics. As you go through you can see the positive difference it makes when you do this.
Understanding the problems
A good place to start is with a detailed understanding of the specific words, phrases, and concepts that cause the problems. It is time to become conscious of subtle implications and connotations, and to understand how they conflict with good sense and the views of most people interested in management.
Cues suggesting a separate activity
There are several ways that documents about 'risk management' can suggest the existence of a separate activity that manages risk. These include document titles and outlines, diagrams, and phrases.
Titles and outlines
If the title of a document is something like 'Risk Management', 'A Risk Management Standard', or 'Enterprise Risk Management' then there is a strong suggestion that it is possible to talk about 'risk management' without reference to any other part of management. Risk management sounds like a stand-alone thing, a separate discipline, process, or skill perhaps.
In contrast, document titles like 'Management under uncertainty', 'Logistics under uncertainty', and 'Project cost estimation' clearly convey the idea that there is something being done and that along the way uncertainty is being dealt with.
Similarly, the contents page of guidance documents can signal that management is the topic and uncertainty is one of the considerations, or it can paint a picture of risk management being done in isolation. Having a section called 'Integration of risk management into management' does nothing to correct the impression, because the notion of integration just reinforces the idea that there is something separate that now needs to be 'integrated' or 'embedded'.
The unfortunate impression of isolated risk management is often further reinforced by diagrams (typically a 'risk management process' of some kind) with boxes labelled with phrases that mention 'risk' almost every time. There are no boxes for activities that are not dedicated to risk management. The message, once again, is that risk management exists in a vacuum, on its own, managing 'risk' or 'risks'.
A different message is conveyed if the diagrams show a core management process (e.g. decision making, design, purchasing) with call outs or symbols showing where details of how the process is done help to deal with uncertainty throughout.
Over the last two decades in particular, a host of phrases have been coined within risk-related guidance. When you read a long paragraph peppered with them, the effect is to make the topic seem abstract, unfamiliar, and confusing. It is the sort of text only 'risk specialists' can read. And yet we all experience limited knowledge all the time, and the same ideas, expressed in plain language and without the 'risk this', 'risk that', 'risk the other' jargon, seem simple and obvious.
For the present purposes, however, the main point is that these phrases create a sense of an empire of risk, a separate discipline, calling for separate skills, separate people, and separate processes.
Problematic phrases include the following:
Cues suggesting 'risk' as a separate something
The idea of a separate activity ('risk management') is reinforced by suggestions that 'risk' is itself something separate from other thinking and effects to be considered in decision making. The main cues doing this are phrases such as the following:
Cues suggesting that 'risks' are separate things
Other phrases suggest the existence of naturally occurring things called 'risks' that are separate from other things that might occupy the thoughts of managers. This leads directly to the idea of making lists of these things. Problematic phrases include the following:
Conflict within leading guidance and regulations
The cues discussed in the previous section are so powerful that they easily overwhelm explicit statements about 'integration' and 'embedding'. Authors who strongly believe that risk management should not be a separate activity, and state this clearly in their documents, nevertheless end up writing documents that powerfully convey the opposite impression.
This effect can be illustrated within high profile documents from the 'Risk Listing' tradition. For example, ISO 31000 contains almost every cue listed above and yet also contains the following sentences:
Similarly, COSO's ERM framework is riddled with separateness cues from start to finish, creating the overwhelming impression of a separate process, and yet it contains the following sentences:
An obvious guideline is to avoid all the separateness cues mentioned above. But what on earth do you write instead?
Document titles and outlines
Preferable titles are ones that refer to core management activities. They might make explicit references to uncertainty or limited knowledge, or just hint at a role for uncertainty. If the focus is on undesirable potential outcomes then try to use a more specific term like 'danger' rather than the relatively generic 'risk'. Beware of writing documents solely about analysis of potential outcomes because these can turn into descriptions of a 'risk' process unrelated to decisions that might be taken.
Here are some illustrative suggestions:
When thinking about an outline, prefer to write sections that go through an underlying work process (e.g. decision making, design, performance evaluation, purchasing), and explain at each step how uncertainty is dealt with. This is a simple idea that makes a huge difference.
As with outlines, use diagrams to show the basic work process and then add symbols and text that highlight where and how that process is done in ways that deal with the uncertainty involved.
Leitch (2011) shows an example of a generic diagram transformed in this way.
Though it is sometimes necessary to include the word 'risk' in a document title so that readers looking for material on 'risk' don't miss it (e.g. when using an internet search engine), it is best to minimise 'risk' phrases. Here is a toolkit of useful words and phrases to use instead:
The best way to apply the guidelines above is to stick to the rules and just write what seems helpful, good advice. It's probably harder to rewrite something written without the guidelines, especially if it is within the 'Risk Listing' style.
However, to show the improvement that is possible, here are some risk-ridden sections of text transformed into advice that is more readable, logical, and practical.
The first example comes from Section 1 of A Risk Management Standard. The original text mis-uses the term 'opportunities' and promotes the idea of 'risk management' as a separate discipline with its own history and trends.
The next example comes from the executive summary of COSO's integrated framework for enterprise risk management. It is, as usual, rather abstract and confusing, and includes the misconception that higher growth and returns must necessarily involve taking more (undesirable) 'risk':
These first two illustrations are from documents trying to address uncertainty of any kind, but what if the potential events are clearly bad things that might happen? Is there any advantage in minimising the use of 'risk' in this situation? The next example is from a leaflet by the UK's Health & Safety Executive.
This alternative text is easier to understand and more practical, and danger is more attention grabbing than mere 'risk'. However, isn't a separate 'risk assessment' a legal requirement? Regulation 3 of the Management of Health and Safety at Work Regulations 1999 requires 'a risk assessment' of 'the risks to health and safety'. It really does sound like a separate exercise, until you start to think about the practical implications. The regulations also require that the 'risk assessment' be reviewed whenever there is 'reason to think it is no longer valid' and when there has been a 'significant change in the matters to which it relates'.
How can you comply with the requirements for reviewing? If there is change to your workers, the work environment, the type of work, the tools used, or any other factor that could be related to health and safety then you are supposed to review your assessment. In all these cases, you should be thinking about how the work should be done, how to arrange the workplace, etc, and you will probably want to do that anyway. You will consider alternatives. Which makes more sense, to consider health and safety while making your choices of premises, people, tools, working practices, etc or to make those choices without considering health and safety and only then do the risk assessment?
Obviously, the sensible way to do it is to respond thoughtfully to all changes, considering everything that is important, including productivity, quality, flexibility, and health & safety. In doing this you will, in effect, revise your 'risk assessment'. All you need to do is find a convenient way to revise the documentation (if you have 5 or more employees).
The same leaflet from HSE offers a 5 step process for risk assessment, as if this is something separate from other management. Here's how its steps could be re-written to make health and safety into everyday concerns for management.
In the world of finance, guidance and regulations on 'risk' have mixed Risk Listing ideas with ideas based on mathematical modelling of a more scientific nature. The next example is from the UK's Financial Services Authority, in the FSA Handbook. It shows the extent to which 'risk' jargon has penetrated the requirements for financial services companies. The 'after' version shows what I hope we might one day get instead.
Once again, this illustrates how much more straightforward 'risk management' is when written about without separateness cues. Not only is this text easier to read, but it is also easier to write because it is much easier to imagine the activities that are being described. In contrast, if you are writing about 'risk management systems' and 'risk appetite' the best your mind can do is supply a vague mist of abstractions.
As a final example, here's a paragraph from the introduction to a guide to risk management written for directors. Although the writer is saying that risk should be managed by the board of directors, his use of the separateness cues means it sounds like 'risk management' is the sort of separate activity that could be delegated and usually is.
The 'before' version makes a number of points to counter mis-conceptions that are only possible if 'risk management' is seen as a separate activity. As soon as the text is written with more appropriate phrases most of these points can be deleted.
I hope you have started to appreciate the profound difference that is made by avoiding cues suggesting some separate 'risk management' activity and, instead, using cues that send the opposite message. This is a more powerful way to give that message than making statements about 'integration'.
Committee of Sponsoring Organizations of the Treadway Commission (2004). Enterprise Risk Management - Integrated Framework. Executive Summary available online at: http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf
FSA Handbook. Financial Services Authority. SYSC 14.1 available online at: http://fsahandbook.info/FSA/html/focus-on-OPRSK/SYSC/14/1
Health and Safety Executive (2012). Five Steps to Risk Assessment (revision 3). Available online at: http://www.hse.gov.uk/pubns/indg163.pdf
IoD (2012). Business Risk: A practical guide for board members. Available online at: http://www.chartisinsurance.com/chartis/internet/uk/eni/Final%20Directors%20Guide%20-%20Managing%20Business%20Risk%20June%202012_tcm2538-431999.pdf
IRM (2002). A Risk Management Standard. Originally published by AIRMIC, ALARM, and IRM. Available online at: http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf
Leitch, M. (2011). Fixing the 'risk management' process diagram. Available online at: http://www.workinginuncertainty.co.uk/rc_diag.shtml
Statutory Instrument 3242 (1999). The Management of Health and Safety at Work Regulations 1999. Available online at: http://www.legislation.gov.uk/uksi/1999/3242/regulation/3/made
Company: The Ridgeway Expertise Company Ltd, registered in England, no. 04931400.
Registered office: 29 Ridgeway, KT19 8LD, United Kingdom.
Words © 2012 Matthew Leitch