Working In Uncertainty

How to write about 'risk management'


The various surveys I have done over the last few years seem to indicate that most people with an interest in management are, at heart, informal management or decision scientists. In other words, given the opportunity, we like to think logically in uncertainty (though most shy away from explicit mathematics). There is a strong preference for 'risk' (whatever that is) to be 'managed' (whatever that means) through core management activities like decision making and planning, not through a separate activity. Risk being managed should be a by-product of managing well.

A problem with published guidance

Unfortunately, publications about 'risk' have increasingly come to be written in a way that seems to create a new management activity, even though most authors make statements showing that they intend the opposite. Bizarrely, even writing about investing in capital markets, which is usually highly mathematical, creates the strong impression that 'risk management' is something separate from and in addition to managing investments.

Writing about managing risk through writing lists of 'risks' takes this even further, with diagrams, processes, and a lot of terminology that repeatedly sends the message that 'risks' have an existence of their own and need to be 'managed' through an activity called 'risk management'. Despite the fact that almost nobody instinctively thinks this way, there is a body of publications within the Risk Listing approach and some of them have a high profile in certain sectors and certain countries. In particular, project management and corporate governance in English speaking countries have been heavily influenced by Risk Listing ideas.

Not all of this material has been written by people who honestly think that Risk Listing is a good approach. More than one consultant has told me that they have written supportive material about risk registers because they think that's what people will buy. At least some people who have written regulations requiring risk registers have only done so because they thought that was what people liked and thought was a good idea. I must confess that I myself have written material that, in effect, promotes aspects of the Risk Listing approach. This was at the time when I thought Risk Listing could be made to work by fixing all the obvious problems with it, but now, since I am not the sole author, it is too late to withdraw those publications.

Beyond that, I suspect that many unhelpful statements in published guidance are just the result of copying phrases and statements from other documents for a sense of authority and to avoid possible controversy. The fact that many of these statements, if taken literally, contradict the honest beliefs of the author is probably not noticed in most cases. In other words, many of the faults in writing about 'risk' are unconscious.

What we need now

What is needed now is more publications that explain things in a way that is consistent with the beliefs of the authors and their readers. Specifically, we need documents that do not portray a separate activity. If you are thinking of writing such material then this article is for you. I have found that it is surprisingly difficult to write about 'risk' without creating the impression that something separate is intended. This article explains the skill of writing about 'risk management' without using phrases or ideas that are from Risk Listing or that seem to suggest separate risk management. Instead, the focus is on the (informal) management/decision science approach that most people seem to adopt instinctively, explained in simple, everyday terms, without reams of mathematics. As you go through you can see the positive difference it makes when you do this.

Understanding the problems

A good place to start is with a detailed understanding of the specific words, phrases, and concepts that cause the problems. It is time to become conscious of subtle implications and connotations, and to understand how they conflict with good sense and the views of most people interested in management.

Cues suggesting a separate activity

There are several ways that documents about 'risk management' can suggest the existence of a separate activity that manages risk. These include document titles and outlines, diagrams, and phrases.

Titles and outlines

If the title of a document is something like 'Risk Management', 'A Risk Management Standard', or 'Enterprise Risk Management' then there is a strong suggestion that it is possible to talk about 'risk management' without reference to any other part of management. Risk management sounds like a stand-alone thing, a separate discipline, process, or skill perhaps.

In contrast, document titles like 'Management under uncertainty', 'Logistics under uncertainty', and 'Project cost estimation' clearly convey the idea that there is something being done and that along the way uncertainty is being dealt with.

Similarly, the contents page of guidance documents can signal that management is the topic and uncertainty is one of the considerations, or it can paint a picture of risk management being done in isolation. Having a section called 'Integration of risk management into management' does nothing to correct the impression, because the notion of integration just reinforces the idea that there is something separate that now needs to be 'integrated' or 'embedded'.

Diagrams
The unfortunate impression of isolated risk management is often further reinforced by diagrams (typically a 'risk management process' of some kind) with boxes labelled with phrases that mention 'risk' almost every time. There are no boxes for activities that are not dedicated to risk management. The message, once again, is that risk management exists in a vacuum, on its own, managing 'risk' or 'risks'.

A different message is conveyed if the diagrams show a core management process (e.g. decision making, design, purchasing) with call-outs or symbols showing where details of how the process is done help to deal with uncertainty throughout.

Phrases

Over the last two decades in particular a host of phrases have been coined within risk related guidance. When you read a long paragraph peppered with them the effect is to make the topic seem abstract, unfamiliar, and confusing. It is the sort of text only 'risk specialists' can read. And yet, we all experience limited knowledge all the time, and the same ideas, expressed in plain language without the 'risk this', 'risk that', 'risk the other' jargon, seem simple and obvious.

For the present purposes, however, the main point is that these phrases create a sense of an empire of risk, a separate discipline, calling for separate skills, separate people, and separate processes.

Problematic phrases include the following:

  • 'risk management': Suggests a separate branch of management, a discipline, or a task.

  • 'risk function' / 'risk management function': The obvious place to put that separate task.

  • 'risk roles': The idea that people can be given roles specifically in respect of 'risk' without references to any other topic (e.g. marketing, money management, production, investment) furthers the idea that 'risk' is a separate activity.

  • 'risk manager': The natural consequence of creating a function for 'risk management'.

  • 'Chief Risk Officer': The 'risk manager' promoted.

  • 'risk management process': Sounds like a process dedicated to risk management that can exist on its own.

  • 'risk management procedure': A procedure dedicated to risk management.

  • 'risk management system': Suggests either a computer system to support 'risk management' or a system in the wider sense with people and machines working together to do the separate risk management work.

  • 'risk management culture': As if risk management is so separated from other aspects of work that it is possible to isolate a culture specific to it.

  • 'risk management plan': A plan solely devoted to risk management.

  • 'risk management objectives': Something in the risk management plan perhaps.

  • 'risk strategy' / 'risk management strategy': A grander alternative to the humble plan.

  • 'risk policy' / 'risk management policy': A policy in relation to risk management, that separate activity that of course needs a separate policy.

  • 'integrate risk management' / 'embed risk management': Both imply that risk management is something separate that now needs to be integrated in some way.

Cues suggesting 'risk' as a separate something

The idea of a separate activity ('risk management') is reinforced by suggestions that 'risk' is itself something separate from other thinking and effects to be considered in decision making. The main cues doing this are phrases such as the following:

  • 'risk measurement': Suggests that 'risk' is something external to our thinking, like the melting temperature of ice, or the length of a giraffe's neck.

  • 'risk analysis': Puts 'risk' forward as something that can be analysed on its own, without reference to whatever it is that we are uncertain of, such as whether a crash will happen, or whether money will be lost on an investment.

  • 'risk treatment' / 'risk response': These tend to put the focus on actions taken purely as responses to 'risk' or 'a risk'. This is a very small fraction of real life decisions. The more usual situation is that a decision about a course of action is to be taken and many of the possible consequences of each alternative are uncertain, with some possibilities being very negative.

  • 'risk reporting': The idea here is that 'risk' can be reported in a dedicated report that features nothing but 'risk'.

  • 'risk criteria': Almost nobody knows exactly what these are, but they are certainly part of the risk empire.

  • 'risk culture': Again, 'risk' here is something so separate that it is possible to have a culture specific to it.

  • 'risk attitude' / 'risk appetite' / 'risk tolerance': These phrases confuse most people and conjure up a lot of misconceptions. They are key players in the empire of risk. Suppose you don't fancy being in a situation where you might lose money or be injured. That's because you don't want to lose money or be injured, so you don't like even the possibility of those things happening. However, what these 'risk' phrases seem to suggest is that your real aversion is to something more abstract and special than that. You are risk averse, you spineless bore.

Cues suggesting that 'risks' are separate things

Other phrases suggest the existence of naturally occurring things called 'risks' that are separate from other things that might occupy the thoughts of managers. This leads directly to the idea of making lists of these things. Problematic phrases include the following:

  • 'a risk' / 'the risks': Clearly imply 'risks' as countable, individual things of some kind. Quite different from 'some risk' which is not countable.

  • 'identify risks': We 'identify' things that already exist. A much more fitting word would be 'define' in this context, but it is better to avoid thinking about 'risks' altogether.

  • 'manage risks': This simple phrase implies so much that is unhelpful. Not only do we have 'risks' as countable entities, but we have the idea of managing them, not managing a business, a project, a charity, etc. This leads to the idea that actions can be planned specifically to 'manage' those risks, which cuts down the scope of 'risk management' to only those actions taken solely or primarily in response to 'a risk' or 'some risks'. Most of the decisions that lead to terrible and unexpected consequences do not fall into this narrow category.

  • 'analyse the risks': Not 'analyse the situation' or 'analyse the decision' but 'analyse the risks'.

  • 'operational risk' / 'financial risk' / anything 'risk': These are the names of 'risks' so they nudge people towards making lists. This format of risk name (i.e. 'X risk') is so easy to use that people in workshops sometimes get on a roll, running through the dictionary adding 'risk' to each word. 'Aardvark risk', 'ice cream risk', 'rowing risk', you name it.

  • 'risk register' / 'risk log': Obviously, these are all about making lists of 'risks'.

  • 'risk categories': These are for organizing the 'risks' you have listed.

  • 'risk prioritisation' / 'key risk' / 'top 10 risks': Beyond the obvious implication that there is a collection of 'risks' that need to be put into some sort of order of importance, these subtly reinforce the idea that 'risks' are naturally occurring objects with their own defined boundaries, not chosen or defined by people. In fact the boundaries of 'risks' are defined by people, and so if a 'risk' is defined broadly it is likely to be more important than a narrowly defined 'risk'. Consequently, 'prioritisation' is rather meaningless. What goes into the 'top 10 risks' list is largely decided by how the 'risks' were defined in the first place.

  • 'assess the risks': Simply reinforces the idea of countable 'risks'.

Conflict within leading guidance and regulations

The cues discussed in the previous section are so powerful that they easily overwhelm explicit statements about 'integration' and 'embedding'. Authors who strongly believe that risk management should not be a separate activity, and state this clearly in their documents, nevertheless end up writing documents that powerfully convey the opposite impression.

This effect can be illustrated within high profile documents from the 'Risk Listing' tradition. For example, ISO 31000 contains almost every cue listed above and yet also contains the following sentences:

  • "Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization." (Section 3)

  • "Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes." (Section 3)

  • "Risk management is part of decision making." (Section 3)

  • "This framework is not intended to prescribe a management system, but rather to assist the organization to integrate risk management into its overall management system." (Section 4.1)

  • "Risk management should be embedded in all the organization's practices and processes in a way that it is relevant, effective and efficient." (Section 4.3.4)

  • "The risk management process should become part of, and not separate from, those organizational processes." (Section 4.3.4)

Similarly, COSO's ERM framework is riddled with separateness cues from start to finish, creating the overwhelming impression of a separate process, and yet it contains the following sentences:

  • "Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process." (In Components of Enterprise Risk Management, Executive Summary)

  • "Everyone in an entity has some responsibility for enterprise risk management." (In Roles and Responsibilities, Executive Summary)

  • "Enterprise risk management is not static, but rather a continuous or iterative interplay of actions that permeate an entity. These actions are pervasive and inherent in the way management runs the business." (In Definition, the Framework)

  • "Enterprise risk management is different from the perspective of some observers who view it as something added on to an entity’s activities." (In Definition, the Framework)

Doing better

An obvious guideline is to avoid all the separateness cues mentioned above. But what on earth do you write instead?

Document titles and outlines

Preferable titles are ones that refer to core management activities. They might make explicit references to uncertainty or limited knowledge, or just hint at a role for uncertainty. If the focus is on undesirable potential outcomes then try to use a more specific term like 'danger' rather than the relatively generic 'risk'. Beware of writing documents solely about analysis of potential outcomes because these can turn into descriptions of a 'risk' process unrelated to decisions that might be taken.

Here are some illustrative suggestions:

  • "Management under uncertainty"

  • "Planning with limited knowledge"

  • "Sense making"

  • "Probabilistic forecasting"

  • "Estimating the potential outcomes from alternative courses of action"

  • "Dealing with uncertainty in design activities"

  • "Analysing the dangers of factory work"

  • "Considering health and safety in management decisions"

When thinking about an outline, prefer to write sections that go through an underlying work process (e.g. decision making, design, performance evaluation, purchasing), and explain at each step how uncertainty is dealt with. This is a simple idea that makes a huge difference.

Diagrams
As with outlines, use diagrams to show the basic work process and then add symbols and text that highlight where and how that process is done in ways that deal with the uncertainty involved.

Leitch (2011) shows an example of a generic diagram transformed in this way.

Phrases
Though it is sometimes necessary to include the word 'risk' in a document title so that readers looking for material on 'risk' don't miss it (e.g. when using an internet search engine), it is best to minimise 'risk' phrases. Here is a toolkit of useful words and phrases to use instead:

  • 'diagnose' / 'decide' / 'design' / 'plan' / 'evaluate' / 'communicate' / 'direct': These are some of the underlying core management activities.

  • 'in uncertainty' / 'under uncertainty' / 'with limited knowledge' / 'under limited knowledge' / 'in unpredictable circumstances': These are alternative phrases for showing that there is a focus on uncertainty/risk.

  • 'is uncertain' / 'is unknown' / 'is possible': It is better to say that something is uncertain than to say there is an uncertainty. This is because it involves naming the thing that is uncertain.

  • 'explore' / 'discover' / 'understand' / 'learn about': Good phrases to emphasize that learning can include discovering mechanisms as well as just getting more statistics.

  • 'trial' / 'experiment' / 'study': Typical responses to being uncertain about something.

  • 'probability of' / 'chance of' / 'likelihood of': Don't shy away from probability. With or without numbers, it works.

  • 'value' / 'result' / 'outcome' / 'consequence': Useful words for stuff that happens further down a causal chain. In theory, the special thing about the concept 'risk' is that it somehow combines probability with value. However, in practice people struggle with having these two things bundled into one. Each element gets buried and people tend to do too little to define what probability and what value they are talking about. They also have difficulty with defining the way the two are combined. It is much better to keep them separate.

  • 'cause' / 'driver' / 'factor' / 'variable': Use the most specific terms you can, instead of just saying 'risk' all the time.

  • 'estimate' / 'forecast' / 'make a probabilistic forecast' / 'make a probabilistic estimate': Predictions about the future are inherently uncertain, but it sometimes helps to stress that a particular forecast is not being made on a best guesstimate basis.

  • 'likely range' / 'error bands' / 'prediction interval': Another way to signal that a forecast is not being made on a best guesstimate basis.

  • 'predictable' / 'unpredictable' / 'hard to predict' / 'chaotic': Useful words for talking about how hard something is to predict. Chaotic means, specifically, that something is hard to predict because very small differences in its current state translate into rapidly growing differences in its future trajectories.

  • 'model' / 'mental model' / 'conceptual model' / 'decision model' / 'design model' / 'forecasting model': All useful for indicating something more organized and coherent than just a list of worries.

  • 'linked' / 'correlated' / 'driven by' / 'dependent on' / 'conditional on': Useful phrases for indicating causal connections, even if the exact mechanism is not known.


The best way to apply the guidelines above is to stick to the rules and just write what seems helpful, good advice. It's probably harder to rewrite something written without the guidelines, especially if it is within the 'Risk Listing' style.

However, to show the improvement that is possible, here are some risk-ridden sections of text transformed into advice that is more readable, logical, and practical.

The first example comes from Section 1 of A Risk Management Standard. The original text misuses the term 'opportunities' and promotes the idea of 'risk management' as a separate discipline with its own history and trends.

Before:

"In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside).

Risk Management is increasingly recognised as being concerned with both positive and negative aspects of risk. Therefore this standard considers risk from both perspectives."

After:

"In all types of undertaking, unpredictable turns of events can be helpful as well as unhelpful. It is increasingly recognized that the way we manage needs to reflect all possibilities, not just unhelpful ones."

The next example comes from the executive summary of COSO's integrated framework for enterprise risk management. It is, as usual, rather abstract and confusing, and includes the misconception that higher growth and returns must necessarily involve taking more (undesirable) 'risk':

Before:

"Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.

Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives."

After:

"When the future seems uncertain, things could turn out better or worse than expected, increasing or decreasing the value of the company. Managing in a way that deals with this uncertainty effectively increases the ability to build value.

Value is maximized when management chooses strategy where the scale of investment is moderated in view of the potential for loss if results are disappointing, and the implications for stakeholders."

These first two illustrations are from documents trying to address uncertainty of any kind, but what if the potential events are clearly bad things that might happen? Is there any advantage in minimising the use of 'risk' in this situation? The next example is from a leaflet by the UK's Health & Safety Executive.

Before:

"A risk assessment is an important step in protecting your workers and your business, as well as complying with the law. It helps you focus on the risks that really matter in your workplace – the ones with the potential to cause real harm. In many instances, straightforward measures can readily control risks, for example ensuring spillages are cleaned up promptly so people do not slip, or cupboard drawers are kept closed to ensure people do not trip. For most, that means simple, cheap and effective measures to ensure your most valuable asset – your workforce – is protected."

After:

"To protect your workers and your business, and to comply with the law, you need to take health and safety into account when making decisions, including decisions about policies for behaviour, the design and layout of equipment, training, and so on. You need to understand the potential accidents and other health effects and how to reduce them. Often, simple steps will minimise danger, such as ensuring spillages are cleaned up quickly so that people do not slip, or ensuring cupboards are closed so that people do not trip."

This alternative text is easier to understand and more practical, and danger is more attention grabbing than mere 'risk'. However, isn't a separate 'risk assessment' a legal requirement? Regulation 3 of the Management of Health and Safety at Work Regulations 1999 requires 'a risk assessment' of 'the risks to health and safety'. It really does sound like a separate exercise, until you start to think about the practical implications. The regulations also require that the 'risk assessment' be reviewed whenever there is 'reason to think it is no longer valid' and when there has been a 'significant change in the matters to which it relates'.

How can you comply with the requirements for reviewing? If there is change to your workers, the work environment, the type of work, the tools used, or any other factor that could be related to health and safety then you are supposed to review your assessment. In all these cases, you should be thinking about how the work should be done, how to arrange the workplace, etc., and you will probably want to do that anyway. You will consider alternatives. Which makes more sense: to consider health and safety while making your choices of premises, people, tools, working practices, etc., or to make those choices without considering health and safety and only then do the risk assessment?

Obviously, the sensible way to do it is to respond thoughtfully to all changes, considering everything that is important, including productivity, quality, flexibility, and health & safety. In doing this you will, in effect, revise your 'risk assessment'. All you need to do is find a convenient way to revise the documentation (if you have 5 or more employees).

The same leaflet from HSE offers a 5 step process for risk assessment, as if this is something separate from other management. Here's how its steps could be re-written to make health and safety into everyday concerns for management.

Before:

"Follow the five steps in this leaflet:
Step 1: Identify the hazards
Step 2: Decide who might be harmed and how
Step 3: Evaluate the risks and decide on precautions
Step 4: Record your findings and implement them
Step 5: Review your assessment and update if necessary"

After:

"Incorporate the following three activities in the way you manage (e.g. in deciding how the workplace is arranged, how work is to be done, and who does what):
1: Understand what is inherently dangerous about your business, including who might be harmed and how.
2: In every decision you make, understand and evaluate the potential harm from each alternative and keep the level of danger as low as is reasonably practicable.
3: Review your decisions when circumstances change and consider the evidence from accidents, near misses, and from ill health that may be work related."

In the world of finance, guidance and regulations on 'risk' have mixed Risk Listing ideas with ideas based on mathematical modelling of a more scientific nature. The next example is from the UK's Financial Services Authority, in the FSA Handbook. It shows the extent to which 'risk' jargon has penetrated the requirements for financial services companies. The 'after' version shows what I hope we might one day get instead.

Before:

"SYSC 14.1 Application

Operational risk

(SYSC 14.1.65) As well as covering other types of risk, the rules and guidance set out in this chapter deal with a firm's approach to operational risk. In particular:

(1) SYSC 14.1.18 R requires a firm to take reasonable steps to ensure that the risk management systems put in place to identify, assess, monitor and control operational risk are adequate for that purpose;

(2) SYSC 14.1.19 R (2) requires a firm to document its policy for operational risk, including its risk appetite and how it identifies, assesses, monitors and controls that risk; and

(3) SYSC 14.1.27 R requires a firm to take reasonable steps to establish and maintain adequate internal controls to enable it to assess and monitor the effectiveness and implementation of its business plan and prudential risk management systems."

After:

"SYSC 14.1 Application

Unpredictable operational costs

(SYSC 14.1.65) As well as covering other uncertain factors, the rules and guidance set out in this chapter deal with a firm's approach to unpredictable operational costs. In particular:

(1) SYSC 14.1.18 R requires a firm to take reasonable steps to ensure that the management systems put in place adequately manage operational costs despite the many reasons why they may be hard or impossible to predict;

(2) SYSC 14.1.19 R (2) requires a firm to document its policy for doing this, including how uncertain costs are to be weighed in decisions, and how it understands and analyses the possible drivers of operational costs, including those whose actual effects are uncertain; and

(3) SYSC 14.1.27 R requires a firm to take reasonable steps to establish and maintain adequate procedures that allow it to monitor and assess the implementation and effectiveness of its business plan and management systems."

Once again, this illustrates how much more straightforward 'risk management' is when written about without separateness cues. Not only is this text easier to read, but it is also easier to write because it is much easier to imagine the activities that are being described. In contrast, if you are writing about 'risk management systems' and 'risk appetite' the best your mind can do is supply a vague mist of abstractions.

As a final example, here's a paragraph from the introduction to a guide to risk management written for directors. Although the writer is saying that risk should be managed by the board of directors, his use of the separateness cues means it sounds like 'risk management' is the sort of separate activity that could be delegated and usually is.

Before:

"It is clear from these cases – and others that emerged during the recent financial crisis – that risk management is a core task for the board of directors or supervisory board. Risk management cannot simply be delegated to specialist risk managers or even the CEO. It is simply too important. Moreover, many aspects of risk management require a strategic perspective that is beyond the remit of the typical risk management department."

After:

"It is clear from these cases – and others that emerged during the recent financial crisis – that directors must direct in a way that deals effectively with their limited knowledge. They cannot make assumptions about what is happening or will happen in future. This cannot be delegated."

The 'before' version makes a number of points to counter misconceptions that are only possible if 'risk management' is seen as a separate activity. As soon as the text is written with more appropriate phrases most of these points can be deleted.


I hope you have started to appreciate the profound difference that is made by avoiding cues suggesting some separate 'risk management' activity and, instead, using cues that send the opposite message. This is a more powerful way to give that message than making statements about 'integration'.

References
Committee of Sponsoring Organizations of the Treadway Commission (2004). Enterprise Risk Management - Integrated Framework. Executive Summary available online at:

FSA Handbook. Financial Services Authority. SYSC 14.1 available online at:

Health and Safety Executive (2012). Five Steps to Risk Assessment (revision 3). Available online at:

IoD (2012). Business Risk: A practical guide for board members. Available online at:

IRM (2002). A Risk Management Standard. Originally published by AIRMIC, ALARM, and IRM. Available online at:

Leitch, M. (2011). Fixing the 'risk management' process diagram. Available online at:

Statutory Instrument 3242 (1999). The Management of Health and Safety at Work Regulations 1999. Available online at:


Words © 2012 Matthew Leitch