Working In Uncertainty

The Risk Listing school


There are many approaches to 'risk management', and you can read more about this in "A taxonomy of approaches to risk management." Within the approaches that involve thinking of possibilities (e.g. possible outcomes for a project) there are two very well known approaches:

  1. the management science approach (a.k.a. management under uncertainty), often based on mathematical probability calculations with an explicit mental model; and

  2. the Risk Listing approach, based on risk registers.

The management science approach is just the formalisation of the logic that most of us understand and apply when making decisions, plans, designs, and so on. It is the most important, most widely used, and most trusted approach, and it is the logical, rational one. It leads to risk being managed as a by-product of good management in the real world, as it should be. In contrast, the Risk Listing approach is a relative newcomer, with no logic behind it, that encourages 'risk management' as a separate activity. (See 'When is it OK to use a risk register?' for more information on the fundamental flaws in Risk Listing and the very limited situations where it can be used without too many problems.)

Unfortunately, Risk Listing has become dominant in some important areas in some countries. Specifically, in English speaking countries it has become common in projects (especially those done for governments), in corporate governance, in internal auditing, and in low level health and safety management. As you read this you may already have a nagging feeling that your idea of what risk management is corresponds to Risk Listing. Please relax and be assured that Risk Listing is not the only view and that you don't need a PhD in statistics to understand and use the alternatives. You already have a grasp of the alternatives, but may need to start clarifying them and recognizing them as risk management in a way that you haven't before. You can be a responsible manager, director, or auditor without having a risk register.

This article explains how to recognize Risk Listing when you see it, speculates about why it has managed to survive despite its many drawbacks, and suggests ways to be free of it.

How to recognize Risk Listing

The most reliable way to recognize Risk Listing is by its 'process'. This includes, at its core, a sequence of steps called something like:

  • risk identification; then

  • risk assessment; then

  • risk treatment.

The idea is that you first think of some 'risks', make a list of them, assess them, and then decide what to do to 'treat' them. Subsequently, you continue to manage the 'risks' by repeating this cycle. This means that the risk treatments you will consider are all actions that are responding to one or more of the risks. This excludes many important decisions where 'risks' are not the only or even the main considerations.

The Risk Listing process does not put these steps within the context of some other management activity, such as a wider decision-making process. The three steps listed above are the core of Risk Listing. If you faced a choice between two project plans and decided to list risks applicable to each plan as a way of assessing them, then that would not be part of the Risk Listing process.

The Risk Listing approach is about managing risks, not risk, not uncertainty, and certainly not about managing under uncertainty. These risks are treated as if they are naturally occurring objects, out there in the real world, with their own predefined boundaries, that are mostly independent of each other. Risks have to be 'identified', like rabbits in a field, and 'managed' as if they exist quite separately from other thinking and management tasks.

Risk Listing can also be identified by its characteristic language. Phrases that typically indicate a Risk Listing approach include:

  • 'risks' / 'list of risks' / 'risk register' / 'risk log'

  • 'identify the risks' / 'manage the risks'

  • 'risk owners' / 'risk responses' / 'controls'

However, I know of two sectors where the use of language is deceptive.

  1. Insurance: In the world of insurance people often talk about insuring 'risks'. This does not necessarily mean they are using a Risk Listing approach. The 'risks' are insurance contracts or the situations in which the contracts will pay out. The insurers are probably using actuarial models to make decisions about what 'risks' to take on, individually and in total, and their actuarial models will capture thinking about the causal connections between the 'risks', such as the potential for many people to make claims at the same time (e.g. after a flood), and long term trends (e.g. in life expectancy).

  2. Financial services generally: In this sector, talk of 'the risks' does not necessarily signal a Risk Listing approach. Some organizations have created decision models that provide probabilistic forecasts for large parts of their business (occasionally even all of it) and when they talk about 'the risks' they mean some statistics (e.g. variance, Value at Risk) calculated on each probability distribution for each variable in their model. For example, market risk concerns the value of their investment portfolio, credit risk concerns the value of payments from debtors, and so on. This is not Risk Listing! Other organizations in this sector rely entirely on Risk Listing, but still use the same language. Still other organizations use both methods, which must be confusing.

Certain techniques are indicators of a Risk Listing approach. These are as follows:

  • Use of a risk register: This is a list of 'risks' with no other structure, besides (usually) a bit of categorization.

  • Rating each risk for its probability and impact: This is supposed to be the probability of the risk happening and the impact if it does, though in practice it is almost never clear what the numbers or categories actually mean.

  • Use of action threshold lines, often called 'risk criteria' or the 'risk appetite': Each risk is plotted on a matrix according to its probability and impact ratings. On this matrix will be drawn some kind of line and if a risk sits on the 'too risky' side of the line then some kind of action is expected to manage it down onto the 'acceptable' side of the line. Opinions differ on what should happen if the risk is already on the 'acceptable' side, with some saying no action should be taken and others saying that action should be taken if it adds value.

  • Having a risk response column on the risk register: The idea is that each risk needs to be managed, and this will be done with one or more risk responses, otherwise known as controls, that are written next to each risk on the risk register. Those probability and impact ratings are redone to show how the risk is seen with those controls in place.

These techniques are indicators of a Risk Listing approach, but are not infallible indicators. Sometimes these techniques can be used in isolation even though Risk Listing is not going on. For example, if a coherent model is used for probabilistic forecasting and its variables are listed then this looks rather like a list of risks.

Another common situation is where people use Risk Listing language but within a decision-making approach. They may talk about 'the risks' associated with each course of action being considered in a decision. This is not pure Risk Listing because the main focus is on the decision, not 'the risks', and it is not consistent with leading published guides to Risk Listing. However, the approach of associating risks with courses of action in a decision is not entirely without problems. It would be better to drop the Risk Listing language completely.

How has Risk Listing survived as long as it has?

This is something of a puzzle because Risk Listing conflicts with the basic beliefs of most people.

  • Almost everyone thinks it makes sense to manage risk as part of management, not separately.

  • They know that you can think of alternative, valid lists of risks in the same situation, and that this reflects different ways of looking at things.

  • Similarly, they know that you can't have a risk without some uncertainty, so obviously it depends on what you know. (These last two points confirm that most people don't think risks are naturally occurring, real world objects.)

  • They think risk management should cover all important decisions, not just decisions on actions seen as responses to risks.

  • They readily identify causal links between risks on lists and so know that they are not independent of each other, as the list seems to imply.

  • The amount of 'risk' they will put up with depends on the incentives, so a fixed threshold line is not appropriate.

Clearly, the reason for Risk Listing's survival is not because its basic assumptions are shared by those who use it.

It is not because Risk Listing is simple and easy either. Making a list of risks and filling in all the other fields of a risk register takes a lot of work. It's not just that there's a lot to write. The real problem is that it is impossible to create a clean, orderly analysis in which the common Risk Listing techniques work to give good decisions. In practice, text in risk registers is vague and confused. The 'risk responses' often are not specific actions at all and often do not relate strongly to the risks. Estimating impacts is virtually impossible in any but the simplest cases: small problems with direct financial implications, which can be treated as separate from each other, and which have no other consequences of interest.

In contrast, focusing on decisions and probabilistic forecasting models leads to simple models that can be created in a fraction of the time and then evolved as things change.

So, simplicity and ease are not the reason for Risk Listing's survival either, because in practice it is messy and difficult to do.

Perhaps the real reason for the survival of Risk Listing is that it seems simple when described, provided you don't think deeply about its logic and practicalities, or demand scientific evidence of its performance. In our language we do sometimes talk about 'the risks' or 'a risk'. Linguistically, Risk Listing feels familiar and that's reassuring. The activities described for Risk Listing are familiar activities that would make sense if risks were real world objects and the mind, if not forewarned, just accepts them as familiar and seemingly logical.

(For a more detailed analysis of possible reasons for Risk Listing persisting see "Why does anyone think Risk Listing is a good idea?")

Just about anyone can be caught off guard and find themselves accepting Risk Listing as sensible, especially if they hear it from an authoritative source, or are surrounded by people who talk about Risk Listing ideas and methods. If your role means that you are not involved in the practical detail it may be easier still to feel comfortable with the superficial simplicity of Risk Listing and not dig deep enough to realise that this is just a linguistic illusion. Unfortunately, some people in this group are also influential, including:

  • senior executives and board members who don't expect to do the Risk Listing themselves;

  • consultants who are just starting out, or who do not have risk management as their sole specialism;

  • civil servants and people in technical roles in professional membership organizations who draft regulations and guidance but are not specialists in risk management;

  • politicians and other powerful people asked to approve regulations and guidance about risk management; and

  • journalists and other non-specialist authors, especially those without a management science background.

Once you've accepted Risk Listing at a superficial level it is possible to get sucked in and spend years in the grip of this way of thinking. This is more likely if you work in a field where Risk Listing has become a dominant method, and especially if it has become a commercial necessity.

For example, almost all project risk managers in the UK must work with Risk Listing methods or seek alternative employment. It is difficult to go along with Risk Listing if you see it as deluded and ineffective, so the usual outcome is that experts develop lots of good ideas for doing Risk Listing in better ways but stay within the basic approach.

I personally started to take an interest in risk management while working for PricewaterhouseCoopers in the late 1990s. This firm, along with the other big audit firms, has done a lot to promote Risk Listing methods to regulators and to its clients. Not surprisingly, I was induced into the Risk Listing approach at that time. In the accounting system work I did the method worked, sort of, but not efficiently. Because accounting mistakes are usually thought of as independent of each other I didn't see the problems clearly at first.

Despite having misgivings from early on, I spent over a decade trying to make Risk Listing work properly, not seeing that it was fundamentally wrong. Through most of that time I was not working for PricewaterhouseCoopers and not doing project risk management. Although I was self-employed and thought I was about as free to think as a person can be, I was in fact constantly meeting and talking to people working within Risk Listing, and was frequently reading or contributing to documents about Risk Listing. It took me over a decade to realise that Risk Listing can't be fixed. Once I realised that, risk management became clearer and easier, and I made more progress in the next 10 months than I had in the previous 10 years.

I hope that the work I am now doing, and the materials on my website and in future books, will allow others to see and avoid Risk Listing.

Freedom from Risk Listing

The first step in avoiding, or escaping from, Risk Listing is to recognize it. I hope the indicators explained earlier in this article will make that easy.

The next step is to understand that, no matter how authoritative Risk Listing guidance seems to be, and no matter how often people you meet talk Risk Listing language, the bigger picture is quite the opposite. Risk Listing is an unscientific newcomer, and it is not used for important stuff, like nuclear safety and really large investments on capital markets. (See 'Relevant authoritative guidance' for more details.) Not only that, but most people who practice Risk Listing do not hold the basic beliefs on which it is based. (For more on that, see the survey reports here.)

With this in mind, have the confidence to reword writing that uses Risk Listing language into something more sensible. My article on "How to write about 'risk management'" explains how to do this and gives several examples of the improvement that is possible.

Finally, if you are working in an organization that seems to lock you into a Risk Listing approach, start to introduce technical reform in simple steps, without revolutionary language. Just suggest sensible procedures, forms, and models that gradually move things from Risk Listing to something consistent with management science. Just by doing something useful and easy that improves management under uncertainty you reduce the pressure for risk registers, leaving them even less loved than they were before, and all the more vulnerable to being dropped. You should not expect impassioned objections on the grounds of fundamental beliefs, though you may get resistance from people with a commercial interest in sticking with particular methods and software tools. Do not talk about fundamental or radical changes. Do not talk about cultural change or changing basic beliefs. The reality is that most people don't have fundamental problems with techniques inspired by management science and they don't agree with the principles of Risk Listing - they just haven't thought about them.

Here are some general technical suggestions:

  • Don't put more effort into existing risk lists: Clarifying the language, improving the rating system, using Monte Carlo simulation to combine the risks on the list (with correlations), and improving the look of graphical summaries are all efforts taking you further down the wrong path. Give up on this, and you'll feel better.

  • Improve existing forecasting models: A probabilistic forecasting model (or collection of them) does everything a risk register is supposed to do, only better. Turn best-estimate forecasts into probabilistic estimates, i.e. give ranges (also known as prediction intervals) or probability distributions to show the uncertainty. (It is perfectly acceptable for those distributions to be based on nothing more than the views of people involved, though some relevant historical data will usually help.) Forecast more than just cash and time. Forecast other consequences of interest, like deaths and injuries, reputational changes, market position - whatever people really care about. It's not essential for the forecasts to be entirely quantified. Include actions explicitly in the model(s) so that people can test the effect of different actions. Streamline your model so that alternative combinations of actions can be tried out quickly, in a meeting perhaps.

  • Identify decisions people want to take and support them: The decisions might be important one-offs, or types of decision that are taken quite often. Look beyond the decisions that are already supported by existing forecasting models, and think widely about how you can help. There are many useful things you could do. For example, you could collate historical experience and present it helpfully, or get people to provide independent estimates of crucial variables and summarise them, or design a format for summarising the various effects of alternative courses of action. As long as you are helping people deal with their limited knowledge and consequent uncertainty, it counts as risk management.

  • Cross reference risk lists to where risk is really managed: In practice very few decisions that affect risk are made with the help of risk lists or even in meetings to discuss risk lists. Most of the real action is elsewhere, in planning meetings, decision-making conversations, and in the day-to-day decisions of individual managers. For most risks on most risk lists the amount of information and thought shown on the register is tiny compared to what is actually used in the core management activities where risk is really dealt with. To highlight this, and get closer to where the real risk management is done, use the 'controls' column to cross reference the items in the risk register to the core management activities where risk is really managed. (This is the only exception to the guideline of not improving the risk register.)
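To make the 'Improve existing forecasting models' suggestion concrete, here is a small probabilistic forecasting model of a project, written as an added example for this page rather than anything from the article or its author. The two actions (adding a tester, buying insurance), their assumed effects, the distributions and every number in it are constructed for illustration. It shows the pieces the suggestion asks for: uncertain inputs given as ranges or distributions rather than single best estimates, more than one consequence of interest (duration and cost), actions as explicit inputs, and a way to compare combinations of actions quickly.

```python
"""Added example (not from the article): a small probabilistic forecasting
model of a project, with actions as explicit inputs, built the way the
'Improve existing forecasting models' suggestion describes.

All numbers are constructed for illustration; the two actions and their
effects are assumptions, not anything the article specifies.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Actions:
    """The decisions people want to test. Both are hypothetical."""
    add_tester: bool = False     # assumed to halve rework but add weekly cost
    buy_insurance: bool = False  # assumed fixed premium that caps the outage loss


def sample_scenarios(n, seed=1):
    """Draw the uncertain inputs once, from distributions that could be no more
    than the views of the people involved (as the article allows). Drawing them
    once and reusing them for every action is the 'common random numbers'
    technique: differences between actions then come from the actions alone,
    not from sampling noise."""
    rng = random.Random(seed)
    scenarios = []
    for _ in range(n):
        scenarios.append({
            # build effort in weeks: low, high, most likely (team's own estimate)
            "build_weeks": rng.triangular(8, 16, 11),
            # multiplier on rework effort; lognormal, so always positive
            "defect_rate": rng.lognormvariate(0.0, 0.5),
            # a rare outage with a loss in GBP thousands, zero in most scenarios
            "outage_loss": rng.expovariate(1 / 20) if rng.random() < 0.15 else 0.0,
        })
    return scenarios


def forecast(scenario, actions):
    """Map one scenario plus a set of actions to the consequences people care
    about: duration in weeks and total cost in GBP thousands."""
    weekly_cost = 12.0
    rework_weeks = 3.0 * scenario["defect_rate"]
    if actions.add_tester:
        rework_weeks *= 0.5   # assumption: extra tester halves rework
        weekly_cost += 2.0    # ...and costs 2k per week
    duration = scenario["build_weeks"] + rework_weeks
    cost = duration * weekly_cost
    loss = scenario["outage_loss"]
    if actions.buy_insurance:
        cost += 4.0                 # assumed premium
        loss = min(loss, 5.0)       # assumed excess: insurer pays above 5k
    return {"weeks": duration, "cost": cost + loss}


def prediction_interval(values, level=0.8):
    """(low, median, high) so that roughly `level` of samples fall in [low, high]."""
    xs = sorted(values)
    last = len(xs) - 1
    low = xs[int((1 - level) / 2 * last)]
    high = xs[int((1 + level) / 2 * last)]
    return low, statistics.median(xs), high


def compare(actions_by_name, n=5000, budget=200.0, seed=1):
    """Run every candidate action set over the same scenarios and summarise the
    results as prediction intervals and a probability of exceeding the budget."""
    scenarios = sample_scenarios(n, seed)
    summary = {}
    for name, actions in actions_by_name.items():
        results = [forecast(s, actions) for s in scenarios]
        costs = [r["cost"] for r in results]
        weeks = [r["weeks"] for r in results]
        summary[name] = {
            "cost_80pi": prediction_interval(costs),
            "weeks_80pi": prediction_interval(weeks),
            "p_over_budget": sum(c > budget for c in costs) / n,
        }
    return summary


CANDIDATES = {
    "do nothing": Actions(),
    "add tester": Actions(add_tester=True),
    "insure": Actions(buy_insurance=True),
    "both": Actions(add_tester=True, buy_insurance=True),
}

if __name__ == "__main__":
    for name, stats in compare(CANDIDATES).items():
        lo, med, hi = stats["cost_80pi"]
        wlo, wmed, whi = stats["weeks_80pi"]
        print(f"{name:11s} cost 80% PI {lo:6.1f}..{hi:6.1f} (median {med:6.1f})  "
              f"weeks {wlo:4.1f}..{whi:4.1f}  P(over budget) {stats['p_over_budget']:.2f}")
```

Two design choices matter here. First, the scenarios are sampled once and every candidate action set is evaluated on the same draws, so a difference between 'do nothing' and 'add tester' is caused by the action, not by sampling noise; this is what lets alternative combinations be tried in a meeting and compared on the spot. Second, nothing in the model is a 'risk' with its own row: the outage, the defect rate and the build effort are simply uncertain inputs, and their interactions (a longer build with a high defect rate, for instance) fall out of the arithmetic rather than needing to be guessed at in a register.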


Building up the strength of risk management methods other than Risk Listing is a responsible thing to do. Ultimately, this will allow you to avoid Risk Listing altogether. Ditching Risk Listing is not ditching risk management. It is just ditching one approach. In project management, in corporate governance, in internal audit, and in low level health and safety, this is what should happen as better, easier, more natural approaches give people the confidence to go without Risk Listing.

If you are working in one of these areas and have some role in risk management then, if you are sensible, there is no reason why your career should suffer as a result of understanding why Risk Listing is a fundamentally flawed approach. On the contrary, it should help you redirect your efforts towards actions that people value more and resent less.


Words © 2012, 2014 Matthew Leitch