MATERIALS BY TYPE
Working In Uncertainty
Why does anyone think Risk Listing is a good idea?
Perhaps the first point to make is that there are people who think Risk Listing is a good idea. Most work in niches where Risk Listing appears to be the dominant approach to 'risk management', to such an extent that it can seem as if no other way is even recognized, and that there is no hope of a change in future. The main niches are internal and external audit, company regulation and governance regulation generally, low end safety management, and project risk management. The countries most affected appear to be the UK and Australia. Outside these niches the situation is quite different but there is still the problem and puzzle of how these niches of Risk Listing can have come into being and lasted for some two decades.
I've written an article describing Risk Listing and its issues but, to recap, Risk Listing is an approach to managing risk that involves making a list of things called 'risks' and then 'managing' the 'risks' on that list. It is recognizable by its characteristic process, whose core steps are risk identification, risk assessment, and risk treatment (or words that the same effect), by its language of 'risks', and by its use of risk registers, probability-impact grids, and (often) risk appetite lines.
Risk Listing is wrong in principle and poor in practice, mainly because it has to be done as a separate activity, apart from core management activities where the important decisions are made. Risk Listing is not taught in schools and almost never in universities, whereas the more established and respectable methods of tackling our uncertainty – those typical of management science – are taught from primary school onwards and have huge importance in our society.
And yet Risk Listing continues and is still energetically promoted and aggressively defended by some. There are auditors who look for it, regulators who require it, buyers who insist on it, and consultants who recommend it. There are people who are unaware that any alternative approach to managing risk exists.
This article offers some hypotheses about why Risk Listing niches became established and still exist today. It also speculates about possible changes in future.
Factors predisposing individuals
Risk Listing works for some tasks
Risk Listing methods don't work too badly in tasks that involve fixing isolated vulnerabilities to error and cheating. For example, they work quite well for improving book-keeping processes, purchasing insurance, and making minor improvements to safety. A person who does that kind of job will find Risk Listing methods are usually adequate (though far from ideal) and, consequently, is more likely to think Risk Listing makes sense.
Risk Listing fits the job role of auditors, consultants, and other outsiders
In summary, Risk Listing does not integrate into core management activities but, instead, stands apart as a separate process. Consequently, it makes more sense to people whose role usually means that they are separate and not integrated into core management activities.
Risk Listing focuses on decisions about actions perceived as responses to 'risks', such as buying some insurance, fitting a fire door, or deciding to require a second signatory. Consequently, it does not get involved in decisions where there are other important factors besides cost and 'risk' mitigation. It tends to be an activity that comes along after the main decisions have been made and suggests amendments to details.
Some people have job roles that match this pattern. Their task is usually to look at decisions that have already been made and suggest relatively minor improvements. For example, external financial auditors look at how book-keeping is done and try to be helpful by making recommendations for improvement. Internal auditors also review how work is done (the result of past decisions about the design of the work) and recommend improvements. A consultant or safety risk manager doing a 'safety audit' is effectively looking at what has already been put in place and looking for improvements that can be made without too much fundamental rethinking. A company insurance manager who expands into loss control will go searching for existing weaknesses that have allowed or could allow accidents or other problems that lead to insurable losses.
People in these job roles will tend to think that Risk Listing makes more sense. Risk Listing fits their role. It is harder for them to see that people in other job roles find Risk Listing unnatural. Not only is it hard for them to understand that perspective, but they are often not around after their advice has been given to see what happens next and feel the disappointment.
The importance of this factor has been amplified by the influential, credible roles of many of the outsiders in this position (see below).
Risk Listing matches the job role of newly appointed risk managers
When a person is appointed as the first 'risk manager' in an organization the first thing they will usually need to do is retrospectively tackle decisions that have been made badly in the past. This means looking at the situation now and recommending some post hoc fixes that are not too fundamental to be acted on. For example, the first safety manager for a business will go out and look for danger in the workplace that is there because people did not consider safety properly when they laid out the premises, chose equipment, designed procedures, etc. That new safety manager will then recommend improvements to lay out, equipment, procedures, and so on.
Risk Listing fits this type of review quite well, so for a newcomer to risk management it seems at first to be suitable.
When the risk manager wants to influence future decisions so that safety, among other things, gets considered properly from now on, Risk Listing is not suitable. Not everyone realizes this.
Risk Listing looks like an audit tool
Yet another reason external financial auditors (like those working for the Big Four) are more likely to warm to Risk Listing is that it looks like an audit tool. They like nothing better than a list of things to tick off. In their normal work it does not matter that risk-lists are very nearly useless as design tools or in supporting business decisions.
Before these auditors used lists of 'risks' they had lists of internal control objectives against which they listed controls. Shifting this to a list of 'risks' was just a matter of slight re-wording. For example, instead of 'All invoices promptly posted' they started to write something like 'Invoices not promptly posted'.
Risk Listing looks a bit like a budgetary control system
Another reason that Risk Listing may appeal to people with a background in accounting and audit is its similarities with a budgetary control system and the more general strategy of control by numerical targets. Within a system of control based on budgets or similar numerical targets, employees are pushed to reduce the difference between their budgets/targets and actual numbers. Within this approach the consequences of actions are considered only for their impact on reaching the targets and this can lead to some bad decisions.
Risk Listing typically requires decisions to be made by comparing perceived risk levels with 'criteria', which are often thought of as limits or targets. In effect, Risk Listing decisions resemble budgetary control decisions.
A person who strongly believes in the logic and effectiveness of budgetary control systems and similar control-by-fixed-targets systems will be more likely to accept Risk Listing.
The superficial resemblance of 'risk' lists to financial analyses may help to explain the common mistake of thinking that the total risk level for a list of 'risks' on a risk register is just the sum of the individual risk levels. The list looks superficially like some kind of financial analysis and people expect it to add up.
When bosses don't listen Risk Listing workshops seem useful at first
When people are having a bad time at work because their bosses are not taking their problems and worries seriously, the first risk workshop they experience that just lets them voice anything they want is often welcomed. They will think the experience was a good one and will want to do it again. This is probably why people often welcome Risk Listing workshops, at first.
Later they find that their bosses ignore risk register material too and learn that Risk Listing workshops are boring and time consuming, without being useful.
Alternatives often seem overly mathematical
Another factor helping to support Risk Listing may be the tendency for management science methods to progress towards ever more sophisticated mathematics, which many people would rather avoid. Published examples of leading practice with management science methods tend to be particularly complicated and frequently not well explained.
People in organizations who don't like advanced mathematics naturally do not want it to be a widely sought after skill and they outnumber the mathematicians who do. Those who avoid mathematics are more susceptible to the argument that Risk Listing is 'simple' and 'qualitative'. (In reality, Risk Listing involves quantification, though done badly, and has so many logical flaws that it can never be properly understood.)
Its language and techniques are superficially familiar
The language and techniques of Risk Listing are consistent with the idea that 'risks' are pre-existing physical objects, something like potatoes being harvested and then going through a sorting machine. Although few people believe 'risks' are such objects the language is superficially sensible because we are used to talking about things that are pre-existing physical objects. For example, superficially it sounds sensible to 'identify risks', 'categorise risks', and appoint 'risk owners'. The techniques of Risk Listing make much more sense if you think of 'risks' as pre-existing physical objects.
In reality this is a classic category mistake. A 'risk' is an idea, like a concept. It is a set of possible future states of the world defined by the analyst. 'Risks' do not exist until someone defines them (though of course bad things can still happen even if we haven't thought about them). The properties of 'risks' are, in part, the result of choices by the analyst.
People who see a lot of promotional material about Risk Listing but never actually do it themselves are most likely to be taken in by the pseudo-logic of Risk Listing. To them Risk Listing sounds simple and logical. People involved in company regulation will usually fall into this category. The reality is that Risk Listing is complicated, messy, bureaucratic, and rarely useful.
Credible, influential promoters
Some groups whose job role pre-disposes them to think that Risk Listing makes sense are also highly credible and influential. These include internal and external auditors and some consultants. The 'Big Four' external audit firms have been particularly influential. As outsiders and accountants they focus on doing work in a role that fits Risk Listing quite well and are predisposed to accept it. The firms are influential and so are their many thousands of alumni, spread through companies, government, and company regulators.
Dominance of niches
The big picture is that Risk Listing is not very important. Most people don't do it, most of the time. When it is done it is largely ignored. However, in certain niches it is perceived as the dominant, 'traditional' approach and this helps to sustain its use and promotion. When everyone around you is talking in Risk Listing terms it is difficult not to do the same.
Within a niche it is common to get the impression that most people agree that Risk Listing in a good idea. My surveys (e.g. ) have shown that people tend to overestimate this level of agreement. While most people, even in dominated niches, have at least some negative thoughts about Risk Listing, they imagine that others do not.
The impression of agreement is probably created by more than one mechanism:
Procurement practices, contracts, and laws governing procurement
It's almost certainly true that most people who currently practice Risk Listing didn't choose it for themselves. Someone else thought it would be a good idea to impose it on them. Most major projects today done for the public sector in the UK require contractors to operate Risk Listing. If the contractor wants the work then Risk Listing must be done. Furthermore, Risk Listing has found its way into standard contracts for the construction industry (NEC3), which has taken Risk Listing beyond the public sector.
While people might have shrugged off mere guidance from the Project Management Institute (PMI), a customer with a lot of money is much harder to resist, and seemingly trivial bureaucratic requirements are not worth arguing over.
Imposition is an extremely powerful mechanism by which the views of people predisposed towards Risk Listing (e.g. consultants, auditors) and those not well equipped to filter out bad advice (e.g. politicians, procurement specialists) are forced on people who actually have to carry out the Risk Listing and might otherwise have resisted it. The trick is complete when project managers forget why they really do Risk Listing and start to think they do it because they like it.
Regulation of governance and accounting
Risk Listing has also spread by imposition into listed companies (especially in the financial sector), charities, and the public sector. For example:
In these examples it is clear that ideas coming from accountants and auditors have been imposed as required practice on everyone and all activities, including those where Risk Listing does not work at all. There is a cascade of imposition where one set of requirements or guidelines is taken up by others, who impose it on others, ultimately ending with workers being told to fill in forms and attend meetings.
Some of the most determined promoters of Risk Listing literature that I know do not follow the Risk Listing approach themselves but think they do. They wrongly credit the positive results they have experienced to Risk Listing. If they had followed the Risk Listing guidance they like, instead of creatively interpreting it, then they would not have had such a positive experience.
For example, Risk Listing, as described in such influential documents as ISO31000:2009 (the international standard for Risk Listing), does not apply to decisions other than those about actions seen as responses to 'risks'. If you have a major decision between two courses of action and there are many considerations, some involving uncertainty, then Risk Listing does not require thinking of 'risks' in connection with each alternative course of action before choosing one. However, some people do this kind of risk analysis for major decisions and credit it to Risk Listing.
Also, the classic Risk Listing process produces rather dull and unsatisfactory risk workshops. However, some people have learned to add other items to the agenda to make them more interesting. Others have learned to keep the list of 'risks' very short (just seven for example) so that conversations are less controlled by the Risk Listing process and develop more like natural conversations on risk related topics.
Energetic promotion and aggressive defence
There are businesses that sell software to hold risk registers, along with training and consulting to help you do so. There are consultants whose livelihood depends on continued sales of expertise in Risk Listing. There are authors who have written hundreds of pages about how to do Risk Listing and how great it is. There are civil servants and rule makers who have imposed Risk Listing on companies and other organizations.
All these people have a choice between moving on to better things or defending their existing positions. Although most would benefit from moving on to more effective and popular methods, software, and regulations it is natural to worry that credibility and competitive position will be lost by doing so. Surely there will be other software companies, consultants, authors, and bureaucrats who are already better positioned in other styles of risk management? People who think they have a strong position in Risk Listing tend to stay put and defend their position.
In addition, I have noticed that some risk managers whose work is based on Risk Listing spend a lot of time battling to get their work done in the face of constant resistance and apathy. To get people to comply with the tedious and useless procedures of Risk Listing they have to work very hard to promote and defend it. These risk managers get good at it and find it hard to stop.
Unfair debating tactics
With livelihoods and reputations to defend, some promoters of Risk Listing have relied heavily on unfair debating tactics. I have come across all the following tactics repeatedly over the past several years:
You may be thinking that I am exaggerating the silliness of the ploys but sadly I am not. All the above are standard fare and detract from the careful analysis of logic and empirical evidence that should be taking place in the meetings concerned.
What might have influenced you?
Several of the reasons given above can be seen as factors that might predispose a person to think that Risk Listing is a good idea. How many of these apply to you?
If you find that several of these apply to you, especially if you are an auditor or consultant, imagine for a moment how different your perspective might be if you were, say, a senior technical manager in an electronics company, with a background in electronic design and development. You would have a designer's perspective, constantly facing multi-criteria decisions under uncertainty, almost always involved in the main decision-making meetings. You would also be comfortable with various types of model and some mathematics. The factors influencing your views about how to manage risk would be radically different.
Prospects for improvement
Overall, Risk Listing has had little influence on the world, other than by delaying improvements to management methods that might have had a great positive effect. Even in organizations where it has been used it is largely ignored from one day to the next. However, this is no comfort if you are directly involved in Risk Listing and would rather not be. If you are working in a niche dominated by Risk Listing, what hope is there of overcoming the many factors and forces helping to keep it in place?
Nobody knows what the future holds on this question, but we can imagine two starkly different scenarios for the next decade or so:
I know which scenario I'm working for.
Hundreds of people receive notification of new publications every month. They include company directors, heads of finance, of internal audit, of risk management, and of internal control, professors, and other influential authors and researchers.
Please share: Tweet
Words © 2014 Matthew Leitch