Working In Uncertainty
An overview of risk/uncertainty management
‘Risk management’ is a broad topic, with many ideas, views, and controversies. You can understand it better with an overview of the range of thinking involved – the broader the better because you don't want to miss important areas completely, simply because you started with a narrow view and did not realize what was missing.
For most people, risk management is whatever we do to manage risk. This simple idea implies a surprisingly wide scope and, over the years, the recognized scope of risk management has indeed expanded. Let's look at some examples to see how that works.
To begin with, there are events that we see as dangers or potential losses and that prompt us to take precautions. For example, a cyclist might wear a helmet because of the danger of falling off and being hit on the head, a ship has lifeboats in case of the ship sinking, and a company will buy insurance to cover losses that might be caused by a fire that damages its property. The prompt in all these cases is awareness of something bad that might happen, probably outside our control, and unpredictably.
Another type of unwanted potential outcome is disappointment from something just not turning out as well as we wanted, planned, or expected. This is not really a loss, but it is a disappointingly small gain. For example, a company might monitor its trading performance closely because of concern that its profit will not meet expectations, you might choose a particular make of car because it is regarded as reliable and you don't want to be disappointed and inconvenienced by breakdowns, and a student might put in extra effort prompted by worry about failing a difficult examination.
Those bad things that might happen – whether losses or disappointments – may be the result of mistakes others make, or even the result of our own mistakes. Everyone makes them.
There are also situations where it is hard to think clearly about what might happen. These are perhaps unfamiliar, complex, fast moving situations. Bad outcomes from such situations are a possibility even if we cannot describe them, so this situation too can prompt us to act differently, and that is also risk management.
Then there are situations where we can envisage alternative outcomes but it is impossible or impractical to separate out just those unpredictable possibilities that are negative. Perhaps we are not sure if they would be positive or negative for us. They might be both at the same time, but in different ways. Perhaps their value to us might vary over a wide range. Perhaps it depends on what you compare the result to, with higher expectations making disappointment more likely. In these situations our risk management actions can be prompted by uncertainty about outcomes, even those that might be positive.
Modern risk management encompasses happy surprises as well as nasty ones, and this is surprising for many people. Apart from the difficulty of separating out just the negative possibilities, there is another very good reason why risk management has expanded to cover all that is unpredictable: it is hard to take well-balanced decisions unless you consider all outcomes at once. If you focus only on the negative then you will sometimes take poor decisions as a result.
So, in summary, the best definition I can offer is this:
Risk management comprises actions prompted by our awareness of the limitations of our ability to predict and control outcomes of interest.
This is an extremely important definition. It leaves some grey areas but is still useful and we can easily see the difference between acting with a lot of risk management and acting without. The opposite of risk management is making plans to get to one destination by one path on the assumption that the future will unfold in one way. (The next section includes an illustration of the difference using an example.)
Some aspects of the scope of risk management are controversial:
When risk is managed
Thinking and doing
Another key point is that the actions that are prompted by this awareness of our limitations include (1) the thinking that leads us to take particular actions and (2) the actions themselves. For example, after thinking about what might happen and how we would be affected we might decide on actions such as buying insurance, taking a preventive medicine, and checking expenditure against plans each week. The thinking can be done in a variety of ways and is the focus of the rest of this overview.
Identifying risk management
In organizations today the thinking that leads to risk management actions is sometimes done in meetings dedicated to risk. It is obvious that this is risk management. However, most thinking that helps to manage risk is an integral part of management, decisions, and design work and is not conveniently labelled ‘risk management’. It is so common, so natural, and so varied that we hardly realize we are managing risk. At times it is not clear what counts as risk management and what does not, since managing risk is just a part of many thinking activities at work.
However, despite the occasional difficulty in recognizing particular practices that manage risk, we can easily see the difference between alternative approaches. For example:
In this example, we can easily see that the approach with plenty of risk management shows a realistic recognition of the level of predictability and control that is typical when launching a new product. In contrast, the approach with little risk management is just one path to one destination based on just one view of what the future will bring. It is a lot of detailed planning based on some predictions that are really guesses treated as facts. In reality, a company working without risk management in this way would probably struggle to agree to go ahead, and getting agreement might well involve powerful advocacy and pressure that brushes objective, sensible management to one side. If such a project went ahead at all it would most likely create one stressful situation after another, with a very high chance of ending in expensive disappointment.
Even if we don't usually notice that we are managing risk during everyday activities we would certainly notice if everyone in our organization suddenly stopped doing it. The consequences would be disastrous almost immediately.
The activities within which risk management occurs
Planning is one of the most obvious management activities where risk management is a key ingredient. For example, strategic planning, annual planning, budgeting, project planning, and programme planning.
Another management activity with a big role for risk management is design of the organization and its processes, systems, and so on.
In addition to the many decisions that are part of planning and design, management involves many other decisions, such as hiring decisions, choices of locations, choices of partners, and financing choices.
Then there are other decisions that appear outside management, such as lending decisions, decisions on portfolios of securities, and decisions on how to care for vulnerable children.
There are design activities that we don't usually think of as part of management, such as engineering design, architecture, product design, and graphic design.
Finally, there are activities involving diagnosis, investigation, and learning how systems work. These are not such obvious activities where risk management is relevant but the uncertainty is considerable and it matters. Investigating a crime and subsequently prosecuting it through a court case is an extended exercise in managing uncertainty. Similarly, diagnosing a patient's diseases typically involves an element of uncertainty that prompts the need for various tests and other means of collecting further evidence.
In summary, risk is managed in separate risk management exercises, but also within everyday management, decision, and design activities. We do it nearly all the time, but not always as well or as consistently as we would like. Much of my work and this website is about helping you become more aware of limited knowledge and control, more aware of the risk management you do, and so become better at managing risk.
How risk is managed
This overview focuses on the thinking that leads to actions that manage risk, rather than the actions. (This is a typical approach in guidance on risk management.) Even with this narrowing of focus, risk is managed in an extraordinary variety of ways. Many publications about risk management describe a narrow subset of these alternatives, giving a misleading impression. The overview you are reading now is based on what people around the world are actually doing and all the approaches are reasonable in at least some situations.
This variety is partly because there are several thinking activities in which risk is managed, including planning, design, other decision-making, and investigation, as explained above. It is also partly because there are so many alternative concepts and alternative ways to do the same things. We can get some sense of this variety by considering some basic distinctions between approaches, as follows.
Individual and cooperative
Much risk is managed because of the skills and initiative of individuals who make wise choices. For example, risk is managed when we decide to wait and see, not put all our eggs in one basket, keep our options open, calculate with odds, or simply ask questions to understand something better. These pervasive, everyday behaviours must surely have a huge impact. Just imagine life without them.
In addition, when we work as part of a team or large organization, we may manage risk by carrying out corporate processes and policies, and by using the organization's technology. Redesigning the way work is done, especially intellectual work, is a hugely important way to improve an organization's risk management. Other risk management is done by adding separate, additional processes such as workshops and special modelling exercises.
As part of core activities and separately
Most thinking about how to manage risk takes places as part of ordinary management activities (e.g. planning, evaluation, other decision-making) or other deliberations (e.g. design, investigation). We don't often stop what we're doing and ‘do some risk management’, usually because risk is only one factor to consider.
However, there are some situations where a dedicated ‘risk management’ effort is made. Typically this is to identify where we have not done a good job of managing risk in past decisions and other activities, or to provide a second opinion through an independent analysis focused on risk. In these efforts it is normal to have separate meetings and documents dedicated to ‘risk management.’
With and without explicit thinking about possible futures
Some techniques involve itemizing or otherwise characterizing what could happen in future. For example, think of decision trees or decision models that simulate future possibilities so that they can be considered within planning or design exercises. When someone says ‘There's a risk that ...’ they are thinking about possible futures.
Other techniques do not involve this kind of thinking about possible futures. Instead, we simply choose to do something that contributes to managing risk because it is our skill or policy, such as measuring progress, preferring phased deliveries, and not putting all our money on one bet. These choices could perhaps be justified by thinking about future possibilities, and that may once have been done in the past, but now we just make our choices guided by policies or skill.
With or without quantification and automation
Most of the things we do in life can be done without mathematics, but rarely with the same efficiency or effectiveness. For example, we could have motor cars, but their performance would be low and their cost would be high. We could build bridges, but not the huge bridges we are used to seeing today. The benefits of mathematics have increased dramatically in past decades as computers have been used to automate calculations that used to be slow and costly.
In managing risk there are situations where mathematics allows for greater precision and ease (thanks to automation) but there are also situations where the effort of setting up the maths initially is not worthwhile and we can progress better with simple rules of thumb and other techniques.
Variations in ability and results
Not everyone is equally successful or competent at managing risk, and this applies to individuals and organizations. The extent of these differences has not been systematically and scientifically studied yet. However, examples of managing risk poorly appear in newspapers every day. Often, it is mistakes made by important people at an early stage that ultimately lead to failure and disappointment, perhaps years later after a great struggle. One of the reasons we mismanage risk is our natural human tendency to think too narrowly about what might happen in the future and to imagine that we have more control of events than in fact is the case. We feel more powerful than we are. However, there are many other contributing factors.
My studies of preferences for alternative courses of action in hypothetical situations at work show that people differ greatly in their understanding of the risk in these situations. Our collective wisdom is usually impressive, with most people giving their strongest support to actions that are open, honest, and risk aware. However, in every situation there are people who would support dangerous courses of action. There are also individuals who unwittingly support dangerous courses of action in many situations and I would be reluctant to put them in charge of anything important. This is related to experience, among other things, as you would expect.
Risk management by organizations is strongly influenced by the skills of the individuals who work there, especially people in positions of power. However, policies, procedures, and technology are also important. Some organizations follow procedures that, far from improving their management of risk, actually encourage people to make poor decisions that ignore risk.
At both individual and organizational levels there appears to be great scope for improvement, and most people are only too happy to do things they think are wise and helpful.
The potential for improvement
The actual potential for improvement typically or in any particular organization or situation is not really understood. Scientific research has yet to be carried out. However, I would like to offer some reasons for thinking that the potential is good.
In summary, there are reasons to think that too little risk management is a common mistake but that learning to improve is not a slow and never-ending task. Some genuine quick wins are possible.
Requirements for improving risk management often focus on corporate processes and organisational structures, probably because these are easy to describe and check, but surely individual skill and action is at least as important.
On this website there is material about:
Another overview that you might find useful is ‘The risk management we prefer’. It summarises key findings from my many surveys on which approaches most people like.
Hundreds of people receive notification of new publications every month. They include company directors, heads of finance, of internal audit, of risk management, and of internal control, professors, and other influential authors and researchers.
Made in England
Words © 2016 Matthew Leitch.