Working In Uncertainty
Everyday Risk Management
by Matthew Leitch, 8 August 2003.
The ultimate future of risk management?
Considering how much risk and uncertainty we all face daily, the sort of risk management most often described in official documents and practiced by organisations seems rather restricted. Can this be the ultimate shape of risk management? I hope not. There's so much more it can contribute. Here is a comparison to explain the main differences between risk management as it typically is now (i.e. ‘One-method risk management’) and risk management as it could and should be (i.e. Everyday risk management):
This table sets out polar opposites. Specific official documents and the practices of individual organisations will tend to sit somewhere between the poles.
Reasons to expand risk management
The most pressing reason for moving in the direction of everyday risk management is the need for effectiveness. Many risk management programmes today disappoint because:
The first problem can be addressed in part by having a wider range of techniques, ranging from highly sophisticated analytics to low tech conversational techniques. Provided appropriate methods are chosen there is a better chance of offering something that works.
To solve the motivational problem we need to understand why it happens. One fairly consistent finding from psychological research on thinking about risk is that we tend to have an overly narrow view of what could happen in the future. Ask someone to give a range for tomorrow's top temperature such that they are 90% sure the temperature will be in that range and they usually give a range that is too narrow. The same for sales forecasts, stock market prices, and so on.
At work our normal tendency to underestimate our uncertainty is increased by various mechanisms. Under pressure to appear credible we pretend to be more certain than we are or should reasonably be. Faced with a fixed target, such as a budget, we tend to assume that the target is what is going to happen and other outcomes do not have to be considered, even though our lifelong experience should tell us this is incorrect. Unwilling to be seen as ‘not a team player’ we keep quiet about downside risks in our boss's plans. Desperate to make decisions quickly in the face of overwhelming complexity and uncertainty, and often lacking the techniques that would make good decisions possible, we try to shut those complexities out of our minds to avoid paralysis by analysis.
These powerful mechanisms can easily undermine technical improvements in risk management. For example, you can ask people to consider risk and estimate a range of outcomes but if uncertainty suppression is operating, which it usually is, the ranges will be far too narrow, particularly the estimated downside.
Truly embedding risk management should mean overcoming the tendency to suppress and ignore risk, and making the organisation and everyone in it more adept at seeing and managing risk and uncertainty.
To counter uncertainty suppression we need a range of techniques. One is to offer people immediate personal benefits as well as medium to long term organisational benefits.
The role of the risk manager
As risk management evolves towards a wider perspective with more techniques the risk manager's job will change too. Risk managers will need a good understanding of more techniques. Some will involve complex mathematics and computer modelling, but the techniques in greatest demand will be deceptively simple methods for helping people think through uncertainties. Risk managers also need the ability to help people learn and apply the techniques that are most appropriate for what they do and what the organisation needs.
Risk managers will still have to do risk management themselves when their organisations don't have anyone else with the skill and time, and will still be responsible for coordinating enterprise wide risk management efforts. However, they will also need to inspire and educate others to improve their own risk management. The aim will normally be to move risk management away from dedicated risk management processes and people and integrate it back into the activities whose risks need to be managed.
It makes sense to concentrate on activities in an organisation where improvements to risk management can make the most impact, so risk managers also need to be able to identify those activities.
Risk Management's Swiss Army Knife
Any technique for dealing with uncertainty or risk is potentially something you might want to use to manage risk better. The conventional technique of identifying objectives, then risks, then assessing those risks before mitigating them is one very useful technique, but there are others.
If you stretch your imagination you can see many techniques as fitting into the conventional approach, but in practical use they involve very different patterns of thinking. There are also techniques that no amount of imagination can force into the old mould. Here are some examples:
Many methods we need already exist. For example, even early mathematical techniques for modelling decisions under uncertainty made no distinction between upside and downside, and many used some kind of function to put a value on alternative levels of achievement.
Because most everyday risk management will be done quickly by people who don't want to use mathematics, risk management needs a range of simple, easy techniques that still perform well. For example, risk management is just starting to make an impact on marketing, but alongside the sophisticated analytics, which will be used by only a few of the very largest companies, there is a need for simpler, less costly methods to help groups and individuals think through the huge uncertainties in marketing without getting stuck.
There is a need to promote uncertainty management techniques that help people with everyday problems such as preparing for important meetings, resolving arguments, managing stress, hiring good people, and making sales. The ‘Further reading’ section below gives links to more ideas on these.
The problem with clear objectives
There is a practical problem with clear objectives. You don't always have them. Conventional risk management starts with defining objectives but this can take a lot of time and effort, and there's no guarantee of success. You may have some general agreement about the ultimate objectives of your organisation but getting down to a level where actions can be decided is much more difficult.
Although it helps risk management if the relationship between achievement levels and value is understood and the current target achievement levels have been agreed, risk management has to make a contribution under any conditions. For example, risk management should offer techniques to help set objectives under uncertainty.
Why upside risks change everything
An upside risk is something that might happen and would be better than what is expected. Including these in your risk management processes makes the processes more effective, efficient, and attractive.
It also raises a question about what risk management is really for. Suppose the original objective of a venture was to make £1m, but a lucky break part way through the venture puts you in a position where you could achieve £2m. What should you do? Carry on towards your original objective or consider a new objective? A sane person would normally review the objective.
But that also has implications for risk management. A risk management process that includes upside risks should aim to encourage those risks to happen, and maximise the effect when they do. To do the opposite would be bizarre. That means the risk management process is not trying to achieve the original objectives.
It also means we need to think again about different types of ‘objective’ and how they are used in risk management. Having a list of specific things we want to achieve in a period of time, such as ‘debtors reduced by 15%’, ‘sales of £1m’, is not enough on its own. We need to understand how to value other levels of achievement. Is there a point beyond which further achievement is not valuable? Is there a point below which the impact gets very bad very quickly? Are there discontinuities in the relationship between level of achievement and value? Is the relationship linear? This sort of understanding is also useful for managing downside risks.
Look carefully and you can see the slow evolution of risk management's scope and techniques towards bigger and better. For example, the new draft COSO framework is longer than the original, and acknowledges more alternative techniques, though it is still not a balanced process between upside and downside risks. Surveys show that most risk managers now believe that risk management should concern itself with unexpectedly favourable outcomes as well as unexpectedly unfavourable ones. More publications are appearing to advocate more embedded forms of risk management.
But there is still a long way to go. Few realise the full implications of managing upside risks and tackling the human side of uncertainty suppression has hardly begun.
Words © 2003 Matthew Leitch. First published 8 August 2003.