Working In Uncertainty

Everyday Risk Management

by Matthew Leitch, 8 August 2003.


The ultimate future of risk management?

Considering how much risk and uncertainty we all face daily, the sort of risk management most often described in official documents and practiced by organisations seems rather restricted. Can this be the ultimate shape of risk management? I hope not. There's so much more it can contribute. Here is a comparison to explain the main differences between risk management as it typically is now (i.e. ‘One-method risk management’) and risk management as it could and should be (i.e. Everyday risk management):

| One-method risk management | Everyday risk management |
|---|---|
| One basic method: (1) define objectives, (2) identify relevant risks, (3) assess risks, (4) mitigate risks. | Many other methods too, including ways to consider uncertainty in forming objectives, short cuts to avoid itemising risks, and risk aware planning principles. |
| Tends to focus on identifiable risks. | Open to all forms of uncertainty. |
| Focused on what could go wrong. | Open to all uncertainties, including things that could go better than expected. |
| The aim is to achieve the original objectives come what may. | The aim is to open up thinking about the future and help people get improved results. |
| Typically a corporate activity i.e. a team effort organised by a management ‘system’. | Includes team work and individual skill at dealing with uncertainty. |
| Tends to be an infrequent activity – something you do when you have to, often to an annual timetable. | Everyday for everyone. |
| Participants see benefits for their organisation, but not much for themselves personally. | Participants motivated by benefits for themselves, but aware of the benefits to their organisation. The personal benefits are often immediate. |

This table sets out polar opposites. Specific official documents and the practices of individual organisations will tend to sit somewhere between the poles.

Reasons to expand risk management

The most pressing reason for moving in the direction of everyday risk management is the need for effectiveness. Many risk management programmes today disappoint because:

  • the techniques used are not well suited to the circumstances; or

  • people continue to ignore risk even when given good methods and tools for managing it and ample encouragement.

The first problem can be addressed in part by having a wider range of techniques, ranging from highly sophisticated analytics to low tech conversational techniques. Provided appropriate methods are chosen there is a better chance of offering something that works.

To solve the motivational problem we need to understand why it happens. One fairly consistent finding from psychological research on thinking about risk is that we tend to have an overly narrow view of what could happen in the future. Ask someone to give a range for tomorrow's top temperature such that they are 90% sure the temperature will be in that range and they usually give a range that is too narrow. The same for sales forecasts, stock market prices, and so on.

At work our normal tendency to underestimate our uncertainty is increased by various mechanisms. Under pressure to appear credible we pretend to be more certain than we are or should reasonably be. Faced with a fixed target, such as a budget, we tend to assume that the target is what is going to happen and other outcomes do not have to be considered, even though our lifelong experience should tell us this is incorrect. Unwilling to be seen as ‘not a team player’ we keep quiet about downside risks in our boss's plans. Desperate to make decisions quickly in the face of overwhelming complexity and uncertainty, and often lacking the techniques that would make good decisions possible, we try to shut those complexities out of our minds to avoid paralysis by analysis.

These powerful mechanisms can easily undermine technical improvements in risk management. For example, you can ask people to consider risk and estimate a range of outcomes but if uncertainty suppression is operating, which it usually is, the ranges will be far too narrow, particularly the estimated downside.

Truly embedding risk management should mean overcoming the tendency to suppress and ignore risk, and making the organisation and everyone in it more adept at seeing and managing risk and uncertainty.

To counter uncertainty suppression we need a range of techniques. One is to offer people immediate personal benefits as well as medium to long term organisational benefits.

The role of the risk manager

As risk management evolves towards a wider perspective with more techniques the risk manager's job will change too. Risk managers will need a good understanding of more techniques. Some will involve complex mathematics and computer modelling, but the techniques in greatest demand will be deceptively simple methods for helping people think through uncertainties. Risk managers also need the ability to help people learn and apply the techniques that are most appropriate for what they do and what the organisation needs.

Risk managers will still have to do risk management themselves when their organisations don't have anyone else with the skill and time, and will still be responsible for coordinating enterprise wide risk management efforts. However, they will also need to inspire and educate others to improve their own risk management. The aim will normally be to move risk management away from dedicated risk management processes and people and integrate it back into the activities whose risks need to be managed.

It makes sense to concentrate on activities in an organisation where improvements to risk management can make the most impact, so risk managers also need to be able to identify those activities.

Risk Management's Swiss Army Knife

Any technique for dealing with uncertainty or risk is potentially something you might want to use to manage risk better. The conventional technique of identifying objectives, then risks, then assessing those risks before mitigating them is one very useful technique, but there are others.

If you stretch your imagination you can see many techniques as fitting into the conventional approach, but in practical use they involve very different patterns of thinking. There are also techniques that no amount of imagination can force into the old mould. Here are some examples:

  • Uncertainty identification used in setting objectives. Reviewing uncertainties (typically external) and planning research and monitoring that will reduce them can help in setting objectives.

  • Risk aware planning heuristics. Instead of making a plan and then risk-managing it, generate the plan according to patterns or heuristics that produce plans with inherently good risk profiles.

  • Research and monitoring decisions made without identifying specific risks. Often it is not necessary to identify specific risky outcomes to know that some more research or monitoring of information sources would be beneficial. Avoiding detailed listing of risks saves time, allowing the research to start earlier.

  • Analysis of potential opportunities. This could be by a variety of means, including the conventional one with just the risk types expanded to include upside risks.

  • Designing management systems as systems. It is sometimes inefficient to try to design a control system by designing mitigation for each control individually. It is better to work at a higher level, sculpting a system on the basis of risk factors rather than specific risks. Later, a more detailed analysis of risk coverage can lead to modifications of detail.

Many methods we need already exist. For example, even early mathematical techniques for modelling decisions under uncertainty made no distinction between upside and downside, and many used some kind of function to put a value on alternative levels of achievement.

Because most everyday risk management will be done quickly by people who don't want to use mathematics, risk management needs a range of simple, easy techniques that still perform well. For example, risk management is just starting to make an impact on marketing, but alongside the sophisticated analytics, which will be used by only a few of the very largest companies, there is a need for simpler, less costly methods to help groups and individuals think through the huge uncertainties in marketing without getting stuck.

There is a need to promote uncertainty management techniques that help people with everyday problems such as preparing for important meetings, resolving arguments, managing stress, hiring good people, and making sales. The ‘Further reading’ section below gives links to more ideas on these.

The problem with clear objectives

There is a practical problem with clear objectives. You don't always have them. Conventional risk management starts with defining objectives but this can take a lot of time and effort, and there's no guarantee of success. You may have some general agreement about the ultimate objectives of your organisation but getting down to a level where actions can be decided is much more difficult.

Although it helps risk management if the relationship between achievement levels and value is understood and the current target achievement levels have been agreed, risk management has to make a contribution under any conditions. For example, risk management should offer techniques to help set objectives under uncertainty.

Why upside risks change everything

An upside risk is something that might happen and would be better than what is expected. Including these in your risk management processes makes the processes more effective, efficient, and attractive.

It also raises a question about what risk management is really for. Suppose the original objective of a venture was to make 1m, but a lucky break part way through the venture puts you in a position where you could achieve 2m. What should you do? Carry on towards your original objective or consider a new objective? A sane person would normally review the objective.

But that also has implications for risk management. A risk management process that includes upside risks should aim to encourage those risks to happen, and maximise the effect when they do. To do the opposite would be bizarre. That means the risk management process is not trying to achieve the original objectives.

It also means we need to think again about different types of ‘objective’ and how they are used in risk management. Having a list of specific things we want to achieve in a period of time, such as ‘debtors reduced by 15%’, ‘sales of 1m’, is not enough on its own. We need to understand how to value other levels of achievement. Is there a point beyond which further achievement is not valuable? Is there a point below which the impact gets very bad very quickly? Are there discontinuities in the relationship between level of achievement and value? Is the relationship linear? This sort of understanding is also useful for managing downside risks.


Look carefully and you can see the slow evolution of risk management's scope and techniques towards bigger and better. For example, the new draft COSO framework is longer than the original, and acknowledges more alternative techniques, though it is still not a balanced process between upside and downside risks. Surveys show that most risk managers now believe that risk management should concern itself with unexpectedly favourable outcomes as well as unexpectedly unfavourable ones. More publications are appearing to advocate more embedded forms of risk management.

But there is still a long way to go. Few realise the full implications of managing upside risks, and tackling the human side of uncertainty suppression has hardly begun.

Further reading

  • Some guides to everyday risk management include ‘The basics’, an introduction to managing risk in your everyday life and ‘How to talk openly about uncertainty at work’, which also discusses uncertainty suppression in more detail. ‘Embracing Uncertainty’ by Phil Clampitt, Robert DeKoch, and Lee Williams is summarised in some detail on their website, which also features related papers.

  • One management system that tends to contribute to uncertainty suppression rather than reducing it is budgetary control. ‘Risk management and Beyond Budgeting’ is a paper on this. To learn more about the Beyond Budgeting model visit

  • Even though it is restricted to risk registers, ‘Risk modeling alternatives for risk registers’ illustrates the astounding variety of ideas on risk management.

  • The US Customs Service has a programme aimed at a very specific application of risk thinking to one of the top priorities of the Service: catching smugglers. A web-learning site explains the approach to employees.

Words © 2003 Matthew Leitch. First published 8 August 2003.