Working In Uncertainty
The Risk Listing school
There are many approaches to 'risk management', and you can read more about this in "A taxonomy of approaches to risk management." Within the approaches that involve thinking of possibilities (e.g. possible outcomes for a project) there are two very well known approaches:
The management science approach is just the formalisation of the logic that most of us understand and apply when making decisions, plans, designs, and so on. It is the most important, most widely used, most trusted, and the logical, rational approach. It leads to risk being managed as a by-product of good management in the real world, as it should be. In contrast, the Risk Listing approach is a relative newcomer, with no logic behind it, that encourages 'risk management' as a separate activity. (See 'When is it OK to use a risk register?' for more information on the fundamental flaws in Risk Listing and the very limited situations where it can be used without too many problems.)
Unfortunately, Risk Listing has become dominant in some important areas in some countries. Specifically, in English-speaking countries it has become common in projects (especially those done for governments), in corporate governance, in internal auditing, and in low level health and safety management. As you read this you may already have a nagging feeling that your idea of what risk management is corresponds to Risk Listing. Please relax and be assured that Risk Listing is not the only view and that you don't need a PhD in statistics to understand and use the alternatives. You already have a grasp of the alternatives, but may need to start clarifying them and recognizing them as risk management in a way that you haven't before. You can be a responsible manager, director, or auditor without having a risk register.
This article explains how to recognize Risk Listing when you see it, speculates about why it has managed to survive despite its many drawbacks, and suggests ways to be free of it.
How to recognize Risk Listing
The most reliable way to recognize Risk Listing is by its 'process'. This includes, at its core, a sequence of steps called something like:
The idea is that you first think of some 'risks', make a list of them, assess them, and then decide what to do to 'treat' them. Subsequently, you continue to manage the 'risks' by repeating this cycle. This means that the risk treatments you will consider are all actions that are responding to one or more of the risks. This excludes many important decisions where 'risks' are not the only or even the main considerations.
The Risk Listing process does not put these steps within the context of some other management activity, such as a wider decision-making process. The three steps listed above are the core of Risk Listing. If you faced a choice between two project plans and decided to list risks applicable to each plan as a way of assessing them, then that would not be part of the Risk Listing process.
The Risk Listing approach is about managing risks, not risk, not uncertainty, and certainly not about managing under uncertainty. These risks are treated as if they are naturally occurring objects, out there in the real world, with their own predefined boundaries, that are mostly independent of each other. Risks have to be 'identified', like rabbits in a field, and 'managed' as if they exist quite separately from other thinking and management tasks.
Risk Listing can also be identified by its characteristic language. Phrases that typically indicate a Risk Listing approach include:
However, I know of two sectors where the use of language is deceptive.
Certain techniques are indicators of a Risk Listing approach. These are as follows:
These techniques are indicators of a Risk Listing approach, but are not infallible indicators. Sometimes these techniques can be used in isolation even though Risk Listing is not going on. For example, if a coherent model is used for probabilistic forecasting and its variables are listed then this looks rather like a list of risks.
Another common situation is where people use Risk Listing language but within a decision-making approach. They may talk about 'the risks' associated with each course of action being considered in a decision. This is not pure Risk Listing because the main focus is on the decision, not 'the risks', and it is not consistent with leading published guides to Risk Listing. However, the approach of associating risks with courses of action in a decision is not entirely without problems. It would be better to drop the Risk Listing language completely.
How has Risk Listing survived as long as it has?
This is something of a puzzle because Risk Listing conflicts with the basic beliefs of most people.
Clearly, the reason for Risk Listing's survival is not because its basic assumptions are shared by those who use it.
It is not because Risk Listing is simple and easy either. Making a list of risks and filling in all the other fields of a risk register takes a lot of work. It's not just that there's a lot to write. The real problem is that it is impossible to create a clean, orderly analysis in which the common Risk Listing techniques work to give good decisions. In practice, text in risk registers is vague and confused. The 'risk responses' often are not specific actions at all and often do not relate strongly to the risks. Estimating impacts is virtually impossible in any but the simplest cases of small problems with direct financial implications that can be treated as separate, and no other consequences of interest.
In contrast, focusing on decisions and probabilistic forecasting models leads to simple models that can be created in a fraction of the time and then evolved as things change.
So, simplicity and ease are not the reason for Risk Listing's survival either, because in practice it is messy and difficult to do.
Perhaps the real reason for the survival of Risk Listing is that it seems simple when described, provided you don't think deeply about its logic and practicalities, or demand scientific evidence of its performance. In our language we do sometimes talk about 'the risks' or 'a risk'. Linguistically, Risk Listing feels familiar and that's reassuring. The activities described for Risk Listing are familiar activities that would make sense if risks were real world objects, and the mind, if not forewarned, just accepts them as familiar and seemingly logical.
(For a more detailed analysis of possible reasons for Risk Listing persisting see "Why does anyone think Risk Listing is a good idea?")
Just about anyone can be caught off guard and find themselves accepting Risk Listing as sensible, especially if they hear it from an authoritative source, or are surrounded by people who talk about Risk Listing ideas and methods. If your role means that you are not involved in the practical detail it may be easier still to feel comfortable with the superficial simplicity of Risk Listing and not dig deep enough to realise that this is just a linguistic illusion. Unfortunately, some people in this group are also influential, including:
Once you've accepted Risk Listing at a superficial level it is possible to get sucked in and spend years in the grip of this way of thinking. This is more likely if you work in a field where Risk Listing has become a dominant method, and especially if it has become a commercial necessity.
For example, almost all project risk managers in the UK must work along with Risk Listing methods or seek alternative employment. It is difficult to go along with Risk Listing if you see it as deluded and ineffective, so the usual outcome is that experts develop lots of good ideas for doing Risk Listing in better ways but stay within the basic approach.
I personally started to take an interest in risk management while working for PricewaterhouseCoopers in the late 1990s. This firm, along with the other big audit firms, has done a lot to promote Risk Listing methods to regulators and to its clients. Not surprisingly, I was induced into the Risk Listing approach at that time. In the accounting system work I did the method worked, sort of, but not efficiently. Because accounting mistakes are usually thought of as independent of each other I didn't see the problems clearly at first.
Despite having misgivings from early on, I spent over a decade trying to make Risk Listing work properly, not seeing that it was fundamentally wrong. Through most of that time I was not working for PricewaterhouseCoopers and not doing project risk management. Although I was self-employed and thought I was about as free to think as a person can be, I was in fact constantly meeting and talking to people working within Risk Listing, and was frequently reading or contributing to documents about Risk Listing. It took me over a decade to realise that Risk Listing can't be fixed. Once I realised that, risk management became clearer and easier, and I made more progress in the next 10 months than I had in the previous 10 years.
I hope that the work I am now doing, and the materials on my website and in future books, will allow others to see and avoid Risk Listing.
Freedom from Risk Listing
The first step in avoiding, or escaping from, Risk Listing is to recognize it. I hope the indicators explained earlier in this article will make that easy.
The next step is to understand that, no matter how authoritative Risk Listing guidance seems to be, and no matter how often people you meet talk Risk Listing language, the bigger picture is quite the opposite. Risk Listing is an unscientific newcomer, and it is not used for important stuff, like nuclear safety and really large investments on capital markets. (See 'Relevant authoritative guidance' for more details.) Not only that, but most people who practice Risk Listing do not hold the basic beliefs on which it is based. (For more on that, see the survey reports here.)
With this in mind, have the confidence to reword writing that uses Risk Listing language into something more sensible. My article on "How to write about 'risk management'" explains how to do this and gives several examples of the improvement that is possible.
Finally, if you are working in an organization that seems to lock you into a Risk Listing approach, start to introduce technical reform in simple steps, without revolutionary language. Just suggest sensible procedures, forms, and models that gradually move things from Risk Listing to something consistent with management science. Just by doing something useful and easy that improves management under uncertainty you reduce the pressure for risk registers, leaving them even less loved than they were before, and all the more vulnerable to being dropped. You should not expect impassioned objections on the grounds of fundamental beliefs, though you may get resistance from people with a commercial interest in sticking with particular methods and software tools. Do not talk about fundamental or radical changes. Do not talk about cultural change or changing basic beliefs. The reality is that most people don't have fundamental problems with techniques inspired by management science and they don't agree with the principles of Risk Listing - they just haven't thought about them.
Here are some general technical suggestions:
Building up the strength of risk management methods other than Risk Listing is a responsible thing to do. Ultimately, this will allow you to avoid Risk Listing altogether. Ditching Risk Listing is not ditching risk management. It is just ditching one approach. In project management, in corporate governance, in internal audit, and in low level health and safety, this is what should happen as better, easier, more natural approaches give people the confidence to go without Risk Listing.
If you are working in one of these areas and have some role in risk management then, if you are sensible, there is no reason why your career should suffer as a result of understanding why Risk Listing is a fundamentally flawed approach. On the contrary, it should help you redirect your efforts towards actions that people value more and resent less.
Company: The Ridgeway Expertise Company Ltd, registered in England, no. 04931400.
Registered office: 29 Ridgeway, KT19 8LD, United Kingdom.
Words © 2012, 2014 Matthew Leitch