Matthew Leitch, educator, consultant, researcher
SERVICES
OTHER MATERIAL
Working In Uncertainty
An overview of risk/uncertainty management
Contents |
‘Risk management’ is a broad topic, with many ideas, views, and controversies. You can understand it better with an overview of the range of thinking involved – the broader the better because you don't want to miss important areas completely, simply because you started with a narrow view and did not realize what was missing.
Scope
For most people, risk management is whatever we do to manage risk. This simple idea implies a surprisingly wide scope and, over the years, the recognized scope of risk management has indeed expanded. Let's look at some examples to see how that works.
To begin with, there are events that we see as dangers or potential losses and that prompt us to take precautions. For example, a cyclist might wear a helmet because of the danger of falling off and being hit on the head, a ship has lifeboats in case of the ship sinking, and a company will buy insurance to cover losses that might be caused by a fire that damages its property. The prompt in all these cases is awareness of something bad that might happen, probably outside our control, and unpredictably.
Another type of unwanted potential outcome is disappointment from something just not turning out as well as we wanted, planned, or expected. This is not really a loss, but it is a disappointingly small gain. For example, a company might monitor its trading performance closely because of concern that its profit will not meet expectations, you might choose a particular make of car because it is regarded as reliable and you don't want to be disappointed and inconvenienced by breakdowns, and a student might put in extra effort prompted by worry about failing a difficult examination.
Those bad things that might happen – whether losses or disappointments – may be the result of mistakes others make, or even the result of our own mistakes. Everyone makes them.
There are also situations where it is hard to think clearly about what might happen. These are perhaps unfamiliar, complex, fast moving situations. Bad outcomes from such situations are a possibility even if we cannot describe them, so this situation too can prompt us to act differently, and that is also risk management.
Then there are situations where we can envisage alternative outcomes but it is impossible or impractical to separate out just those unpredictable possibilities that are negative. Perhaps we are not sure if they would be positive or negative for us. They might be both at the same time, but in different ways. Perhaps their value to us might vary over a wide range. Perhaps it depends on what you compare the result to, with higher expectations making disappointment more likely. In these situations our risk management actions can be prompted by uncertainty about outcomes, even those that might be positive.
Modern risk management encompasses happy surprises as well as nasty ones, and this is surprising for many people. Apart from the difficulty of separating out just the negative possibilities, there is another very good reason why risk management has expanded to cover all that is unpredictable: it is hard to take well-balanced decisions unless you consider all outcomes at once. If you focus only on the negative then you will sometimes take poor decisions as a result.
So, in summary, the best definition I can offer is this:
Risk management comprises actions prompted by our awareness of the limitations of our ability to predict and control outcomes of interest.
This is an extremely important definition. It leaves some grey areas but is still useful and we can easily see the difference between acting with a lot of risk management and acting without. The opposite of risk management is making plans to get to one destination by one path on the assumption that the future will unfold in one way. (The next section includes an illustration of the difference using an example.)
Some aspects of the scope of risk management are controversial:
There are controversies around the exact meaning of the words ‘risk’ and ‘uncertainty’ but these can be subtle and hard to follow. The underlying reason that managing ‘risk’ is valuable is that we have only limited knowledge and control, and it is better to recognize and respond to this than to act as if we know or can control the future completely. Unfortunately, there seems to be no English word that perfectly captures this state of limited knowledge and control, so there is no end in sight to the controversies over words.
The phrase ‘risk management’ is controversial in another way. Most people prefer to think of risk management as a discipline or aspiration rather than define it by one particular method, but there are some people who identify risk management with just one method. This is one of the most difficult of current controversies. Many different methods have been used to manage risk/uncertainty but some people think that all the ones that have any value can be boiled down to a process in which we make a list of things called ‘risks’ and then decide what to do about each of these risks. Sadly, there are some well-known publications based on this view and they leave no room for other methods and perspectives.
When risk is managed
Thinking and doing
Another key point is that the actions that are prompted by this awareness of our limitations include (1) the thinking that leads us to take particular actions and (2) the actions themselves. For example, after thinking about what might happen and how we would be affected we might decide on actions such as buying insurance, taking a preventive medicine, and checking expenditure against plans each week. The thinking can be done in a variety of ways and is the focus of the rest of this overview.
Identifying risk management
In organizations today the thinking that leads to risk management actions is sometimes done in meetings dedicated to risk. It is obvious that this is risk management. However, most thinking that helps to manage risk is an integral part of management, decisions, and design work and is not conveniently labelled ‘risk management’. It is so common, so natural, and so varied that we hardly realize we are managing risk. At times it is not clear what counts as risk management and what does not, since managing risk is just a part of many thinking activities at work.
However, despite the occasional difficulty in recognizing particular practices that manage risk, we can easily see the difference between alternative approaches. For example:
| Little risk management | Plenty of risk management |
|---|---|
|
A company decides to launch a new confectionery product. It establishes targets for the new product and a detailed plan is made showing who will do what to develop, package, market, produce, and sell the product. Every detail is carefully planned out, based on detailed predictions of what will happen. Predicted sales and profit are calculated precisely. Work then begins, according to the plan, to develop ideas about what the product will be. |
A company decides to explore the possibility of launching a new confectionery product. It generates a number of ideas for products based on wide-ranging research and some creative thinking. It tests those ideas with focus groups, mocks up the products and possible packaging ideas, and begins to develop an initial forecasting model to predict the likely ranges of results from alternative products, if developed further and launched. At each stage it narrows down its product ideas and does some more research, eventually arriving at a product that it thinks is worth developing fully and launching. Detailed plans are made, but these have flexibility and learning built into them, recognizing that there are many unknowns and factors outside the company's control. The plan features various stages of test marketing, feedback gathering methods, and ideas for building a secure but efficient supply chain. At all stages progress is carefully monitored and plans and priorities are revised. |
In this example, we can easily see that the approach with plenty of risk management shows a realistic recognition of the level of predictability and control that is typical when launching a new product. In contrast, the approach with little risk management is just one path to one destination based on just one view of what the future will bring. It is a lot of detailed planning based on some predictions that are really guesses treated as facts. In reality, a company working without risk management in this way would probably struggle to agree to go ahead, and getting agreement might well involve powerful advocacy and pressure that brushes objective, sensible management to one side. If such a project went ahead at all it would most likely create one stressful situation after another, with a very high chance of ending in expensive disappointment.
Even if we don't usually notice that we are managing risk during everyday activities we would certainly notice if everyone in our organization suddenly stopped doing it. The consequences would be disastrous almost immediately.
The activities within which risk management occurs
Planning is one of the most obvious management activities where risk management is a key ingredient. For example, strategic planning, annual planning, budgeting, project planning, and programme planning.
Another management activity with a big role for risk management is design of the organization and its processes, systems, and so on.
In addition to the many decisions that are part of planning and design, management involves many other decisions, such as hiring decisions, choices of locations, choices of partners, and financing choices.
Then there are other decisions that appear outside management, such as lending decisions, decisions on portfolios of securities, and decisions on how to care for vulnerable children.
There are design activities that we don't usually think of as part of management, such as engineering design, architecture, product design, and graphic design.
Finally, there are activities involving diagnosis, investigation, and learning how systems work. These are not such obvious activities where risk management is relevant but the uncertainty is considerable and it matters. Investigating a crime and subsequently prosecuting it through a court case is an extended exercise in managing uncertainty. Similarly, diagnosing a patient's diseases typically involves an element of uncertainty that prompts the need for various tests and other means of collecting further evidence.
Summary
In summary, risk is managed in separate risk management exercises, but also within everyday management, decision, and design activities. We do it nearly all the time, but not always as well or as consistently as we would like. Much of my work and this website is about helping you become more aware of limited knowledge and control, more aware of the risk management you do, and so become better at managing risk.
How risk is managed
This overview focuses on the thinking that leads to actions that manage risk, rather than the actions. (This is a typical approach in guidance on risk management.) Even with this narrowing of focus, risk is managed in an extraordinary variety of ways. Many publications about risk management describe a narrow subset of these alternatives, giving a misleading impression. The overview you are reading now is based on what people around the world are actually doing and all the approaches are reasonable in at least some situations.
This variety is partly because there are several thinking activities in which risk is managed, including planning, design, other decision-making, and investigation, as explained above. It is also partly because there are so many alternative concepts and alternative ways to do the same things. We can get some sense of this variety by considering some basic distinctions between approaches, as follows.
Individual and cooperative
Much risk is managed because of the skills and initiative of individuals who make wise choices. For example, risk is managed when we decide to wait and see, not put all our eggs in one basket, keep our options open, calculate with odds, or simply ask questions to understand something better. These pervasive, everyday behaviours must surely have a huge impact. Just imagine life without them.
In addition, when we work as part of a team or large organization, we may manage risk by carrying out corporate processes and policies, and by using the organization's technology. Redesigning the way work is done, especially intellectual work, is a hugely important way to improve an organization's risk management. Other risk management is done by adding separate, additional processes such as workshops and special modelling exercises.
As part of core activities and separately
Most thinking about how to manage risk takes places as part of ordinary management activities (e.g. planning, evaluation, other decision-making) or other deliberations (e.g. design, investigation). We don't often stop what we're doing and ‘do some risk management’, usually because risk is only one factor to consider.
However, there are some situations where a dedicated ‘risk management’ effort is made. Typically this is to identify where we have not done a good job of managing risk in past decisions and other activities, or to provide a second opinion through an independent analysis focused on risk. In these efforts it is normal to have separate meetings and documents dedicated to ‘risk management.’
With and without explicit thinking about possible futures
Some techniques involve itemizing or otherwise characterizing what could happen in future. For example, think of decision trees or decision models that simulate future possibilities so that they can be considered within planning or design exercises. When someone says ‘There's a risk that ...’ they are thinking about possible futures.
Other techniques do not involve this kind of thinking about possible futures. Instead, we simply choose to do something that contributes to managing risk because it is our skill or policy, such as measuring progress, preferring phased deliveries, and not putting all our money on one bet. These choices could perhaps be justified by thinking about future possibilities, and that may once have been done in the past, but now we just make our choices guided by policies or skill.
With or without quantification and automation
Most of the things we do in life can be done without mathematics, but rarely with the same efficiency or effectiveness. For example, we could have motor cars, but their performance would be low and their cost would be high. We could build bridges, but not the huge bridges we are used to seeing today. The benefits of mathematics have increased dramatically in past decades as computers have been used to automate calculations that used to be slow and costly.
In managing risk there are situations where mathematics allows for greater precision and ease (thanks to automation) but there are also situations where the effort of setting up the maths initially is not worthwhile and we can progress better with simple rules of thumb and other techniques.
Variations in ability and results
Not everyone is equally successful or competent at managing risk, and this applies to individuals and organizations. The extent of these differences has not been systematically and scientifically studied yet. However, examples of managing risk poorly appear in newspapers every day. Often, it is mistakes made by important people at an early stage that ultimately lead to failure and disappointment, perhaps years later after a great struggle. One of the reasons we mismanage risk is our natural human tendency to think too narrowly about what might happen in the future and to imagine that we have more control of events than in fact is the case. We feel more powerful than we are. However, there are many other contributing factors.
My studies of preferences for alternative courses of action in hypothetical situations at work show that people differ greatly in their understanding of the risk in these situations. Our collective wisdom is usually impressive, with most people giving their strongest support to actions that are open, honest, and risk aware. However, in every situation there are people who would support dangerous courses of action. There are also individuals who unwittingly support dangerous courses of action in many situations and I would be reluctant to put them in charge of anything important. This is related to experience, among other things, as you would expect.
Risk management by organizations is strongly influenced by the skills of the individuals who work there, especially people in positions of power. However, policies, procedures, and technology are also important. Some organizations follow procedures that, far from improving their management of risk, actually encourage people to make poor decisions that ignore risk.
At both individual and organizational levels there appears to be great scope for improvement, and most people are only too happy to do things they think are wise and helpful.
The potential for improvement
The actual potential for improvement typically or in any particular organization or situation is not really understood. Scientific research has yet to be carried out. However, I would like to offer some reasons for thinking that the potential is good.
Human thinking is affected by a number of biases, especially when social factors come into play. While these can lead to a wide range of mistakes and errors of judgement, typical tendencies are to think the future will be better than it really turns out, and to be more confident of our predictions than we should be. We think we know more and have more control than we really do. Consequently, we tend to underestimate the value of risk management and do less than is ideal.
Another reason for doing too little risk management is the mental work involved in thinking through more possibilities than usual. This problem can be reduced by using better techniques and not all good risk management involves thinking through more possibilities. Some techniques quickly save time. In addition, modern computer software can be used to automate some of the work, and many people are unaware of this huge, recent change.
Yet another cause of poor risk management is the widespread use of management methods that don't manage risk well. These tend to sound logical but make far too many assumptions. Often, the only thing keeping people using these methods is the mistaken idea that other people like them and want to continue.
While it is true that there are many risk management actions and many ways to think them through, similar patterns emerge in many domains. In other words, there is a core of transferable knowledge that will help you in any organization. For example, if you learn about how to manage incremental delivery of software then you will be better able to manage incremental delivery of other types of project. Similarly, if you learn about managing risk/uncertainty across a large-scale billing process then this will help you manage a process to administer school examinations, pay insurance claims, or manufacture medicines. Obviously, each context has its special complexities, but knowing the patterns of techniques, in principle, that are important across all high-volume processes requiring high reliability is a great advantage.
In summary, there are reasons to think that too little risk management is a common mistake but that learning to improve is not a slow and never-ending task. Some genuine quick wins are possible.
This website
Requirements for improving risk management often focus on corporate processes and organisational structures, probably because these are easy to describe and check, but surely individual skill and action is at least as important.
On this website there is material about:
general background ideas and terminology;
individual skills and performance in managing risk; and
corporate efforts to improve management of risk in various ways, particularly by redesigning the way work is done.
Another overview that you might find useful is ‘The risk management we prefer’. It summarises key findings from my many surveys on which approaches most people like.
Hundreds of people receive notification of new publications every month. They include company directors, heads of finance, of internal audit, of risk management, and of internal control, professors, and other influential authors and researchers.
Made in England