Working In Uncertainty

Why does anyone think Risk Listing is a good idea?

Contents

Perhaps the first point to make is that there are people who think Risk Listing is a good idea. Most work in niches where Risk Listing appears to be the dominant approach to 'risk management', to such an extent that it can seem as if no other way is even recognized, and that there is no hope of a change in future. The main niches are internal and external audit, company regulation and governance regulation generally, low end safety management, and project risk management. The countries most affected appear to be the UK and Australia. Outside these niches the situation is quite different but there is still the problem and puzzle of how these niches of Risk Listing can have come into being and lasted for some two decades.

I've written an article describing Risk Listing and its issues[1] but, to recap, Risk Listing is an approach to managing risk that involves making a list of things called 'risks' and then 'managing' the 'risks' on that list. It is recognizable by its characteristic process, whose core steps are risk identification, risk assessment, and risk treatment (or words that the same effect), by its language of 'risks', and by its use of risk registers, probability-impact grids, and (often) risk appetite lines.

Risk Listing is wrong in principle and poor in practice, mainly because it has to be done as a separate activity, apart from core management activities where the important decisions are made. Risk Listing is not taught in schools and almost never in universities, whereas the more established and respectable methods of tackling our uncertainty – those typical of management science – are taught from primary school onwards and have huge importance in our society.

And yet Risk Listing continues and is still energetically promoted and aggressively defended by some. There are auditors who look for it, regulators who require it, buyers who insist on it, and consultants who recommend it. There are people who are unaware that any alternative approach to managing risk exists.

Why?

This article offers some hypotheses about why Risk Listing niches became established and still exist today. It also speculates about possible changes in future.

Hypotheses

Factors predisposing individuals

Risk Listing works for some tasks

Risk Listing methods don't work too badly in tasks that involve fixing isolated vulnerabilities to error and cheating[2]. For example, they work quite well for improving book-keeping processes, purchasing insurance, and making minor improvements to safety. A person who does that kind of job will find Risk Listing methods are usually adequate (though far from ideal) and, consequently, is more likely to think Risk Listing makes sense.

Risk Listing fits the job role of auditors, consultants, and other outsiders

In summary, Risk Listing does not integrate into core management activities but, instead, stands apart as a separate process. Consequently, it makes more sense to people whose role usually means that they are separate and not integrated into core management activities.

Risk Listing focuses on decisions about actions perceived as responses to 'risks', such as buying some insurance, fitting a fire door, or deciding to require a second signatory. Consequently, it does not get involved in decisions where there are other important factors besides cost and 'risk' mitigation. It tends to be an activity that comes along after the main decisions have been made and suggests amendments to details.

Some people have job roles that match this pattern. Their task is usually to look at decisions that have already been made and suggest relatively minor improvements. For example, external financial auditors look at how book-keeping is done and try to be helpful by making recommendations for improvement. Internal auditors also review how work is done (the result of past decisions about the design of the work) and recommend improvements. A consultant or safety risk manager doing a 'safety audit' is effectively looking at what has already been put in place and looking for improvements that can be made without too much fundamental rethinking. A company insurance manager who expands into loss control will go searching for existing weaknesses that have allowed or could allow accidents or other problems that lead to insurable losses.

People in these job roles will tend to think that Risk Listing makes more sense. Risk Listing fits their role. It is harder for them to see that people in other job roles find Risk Listing unnatural. Not only is it hard for them to understand that perspective, but they are often not around after their advice has been given to see what happens next and feel the disappointment.

The importance of this factor has been amplified by the influential, credible roles of many of the outsiders in this position (see below).

Risk Listing matches the job role of newly appointed risk managers

When a person is appointed as the first 'risk manager' in an organization the first thing they will usually need to do is retrospectively tackle decisions that have been made badly in the past. This means looking at the situation now and recommending some post hoc fixes that are not too fundamental to be acted on. For example, the first safety manager for a business will go out and look for danger in the workplace that is there because people did not consider safety properly when they laid out the premises, chose equipment, designed procedures, etc. That new safety manager will then recommend improvements to lay out, equipment, procedures, and so on.

Risk Listing fits this type of review quite well, so for a newcomer to risk management it seems at first to be suitable.

When the risk manager wants to influence future decisions so that safety, among other things, gets considered properly from now on, Risk Listing is not suitable. Not everyone realizes this.

Risk Listing looks like an audit tool

Yet another reason external financial auditors (like those working for the Big Four) are more likely to warm to Risk Listing is that it looks like an audit tool. They like nothing better than a list of things to tick off. In their normal work it does not matter that risk-lists are very nearly useless as design tools or in supporting business decisions.

Before these auditors used lists of 'risks' they had lists of internal control objectives against which they listed controls. Shifting this to a list of 'risks' was just a matter of slight re-wording. For example, instead of 'All invoices promptly posted' they started to write something like 'Invoices not promptly posted'.

Risk Listing looks a bit like a budgetary control system

Another reason that Risk Listing may appeal to people with a background in accounting and audit is its similarities with a budgetary control system and the more general strategy of control by numerical targets. Within a system of control based on budgets or similar numerical targets, employees are pushed to reduce the difference between their budgets/targets and actual numbers. Within this approach the consequences of actions are considered only for their impact on reaching the targets and this can lead to some bad decisions.

Risk Listing typically requires decisions to be made by comparing perceived risk levels with 'criteria', which are often thought of as limits or targets. In effect, Risk Listing decisions resemble budgetary control decisions.

A person who strongly believes in the logic and effectiveness of budgetary control systems and similar control-by-fixed-targets systems will be more likely to accept Risk Listing.

The superficial resemblance of 'risk' lists to financial analyses may help to explain the common mistake of thinking that the total risk level for a list of 'risks' on a risk register is just the sum of the individual risk levels. The list looks superficially like some kind of financial analysis and people expect it to add up.

When bosses don't listen Risk Listing workshops seem useful at first

When people are having a bad time at work because their bosses are not taking their problems and worries seriously, the first risk workshop they experience that just lets them voice anything they want is often welcomed. They will think the experience was a good one and will want to do it again. This is probably why people often welcome Risk Listing workshops, at first.

Later they find that their bosses ignore risk register material too and learn that Risk Listing workshops are boring and time consuming, without being useful.

Alternatives often seem overly mathematical

Another factor helping to support Risk Listing may be the tendency for management science methods to progress towards ever more sophisticated mathematics, which many people would rather avoid. Published examples of leading practice with management science methods tend to be particularly complicated and frequently not well explained.

People in organizations who don't like advanced mathematics naturally do not want it to be a widely sought after skill and they outnumber the mathematicians who do. Those who avoid mathematics are more susceptible to the argument that Risk Listing is 'simple' and 'qualitative'. (In reality, Risk Listing involves quantification, though done badly, and has so many logical flaws that it can never be properly understood.)

Credible appearance

Its language and techniques are superficially familiar

The language and techniques of Risk Listing are consistent with the idea that 'risks' are pre-existing physical objects, something like potatoes being harvested and then going through a sorting machine. Although few people believe 'risks' are such objects the language is superficially sensible because we are used to talking about things that are pre-existing physical objects. For example, superficially it sounds sensible to 'identify risks', 'categorise risks', and appoint 'risk owners'. The techniques of Risk Listing make much more sense if you think of 'risks' as pre-existing physical objects.

In reality this is a classic category mistake. A 'risk' is an idea, like a concept. It is a set of possible future states of the world defined by the analyst. 'Risks' do not exist until someone defines them (though of course bad things can still happen even if we haven't thought about them). The properties of 'risks' are, in part, the result of choices by the analyst.

People who see a lot of promotional material about Risk Listing but never actually do it themselves are most likely to be taken in by the pseudo-logic of Risk Listing. To them Risk Listing sounds simple and logical. People involved in company regulation will usually fall into this category. The reality is that Risk Listing is complicated, messy, bureaucratic, and rarely useful.

Credible, influential promoters

Some groups whose job role pre-disposes them to think that Risk Listing makes sense are also highly credible and influential. These include internal and external auditors and some consultants. The 'Big Four' external audit firms have been particularly influential. As outsiders and accountants they focus on doing work in a role that fits Risk Listing quite well and are predisposed to accept it. The firms are influential and so are their many thousands of alumni, spread through companies, government, and company regulators.

Dominance of niches

The big picture is that Risk Listing is not very important. Most people don't do it, most of the time. When it is done it is largely ignored. However, in certain niches it is perceived as the dominant, 'traditional' approach and this helps to sustain its use and promotion. When everyone around you is talking in Risk Listing terms it is difficult not to do the same.

Apparent agreement

Within a niche it is common to get the impression that most people agree that Risk Listing in a good idea. My surveys (e.g. [3]) have shown that people tend to overestimate this level of agreement. While most people, even in dominated niches, have at least some negative thoughts about Risk Listing, they imagine that others do not.

The impression of agreement is probably created by more than one mechanism:

  • Publications are not representative of general opinion: Influential publications in Risk Listing niches influence what people think is the general or leading view. However, my surveys (e.g. [3]) show that these publications are not representative of general views. Most people have at least some negative views on Risk Listing but the leading publications in Risk Listing niches do not reflect this.

  • Writers copy each other: Imagining that existing publications in Risk Listing niches represent generally held views, authors of new publications simply copy or paraphrase existing publications. Not only does this promote Risk Listing further, but the high level of agreement between publications makes them seem all the more credible.

  • Risk Listing originates repeatedly: It's hard to be sure, but I strongly suspect that Risk Listing and methods like it have been independently invented more than once in different fields. It is even possible that the characteristic methods of Risk Listing tend to arise out of the same category mistake and other methods tend to fall away because they are less compatible with the idea that 'risks' are pre-existing physical objects. The discovery that other people have had the same idea can be quite exciting and makes Risk Listing seem more credible.

  • Consensus finding: It is also possible that when people have then tried to find common ground (as in standard-writing committees) something about those conversations leads people to talk about 'risks' and to focus on the techniques that are compatible with this category mistake.

  • Promoters speak more and dissenters often keep quiet: In gatherings to talk about risk management in Risk Listing niches it tends to be the risk-listers who speak and others tend to keep quiet, imagining that they hold minority views that will not be well received by the audience. I use my survey results to change this pattern.

Imposition

Procurement practices, contracts, and laws governing procurement

It's almost certainly true that most people who currently practice Risk Listing didn't choose it for themselves. Someone else thought it would be a good idea to impose it on them. Most major projects today done for the public sector in the UK require contractors to operate Risk Listing. If the contractor wants the work then Risk Listing must be done. Furthermore, Risk Listing has found its way into standard contracts for the construction industry (NEC3), which has taken Risk Listing beyond the public sector.

While people might have shrugged off mere guidance from the Project Management Institute (PMI), a customer with a lot of money is much harder to resist, and seemingly trivial bureaucratic requirements are not worth arguing over.

Imposition is an extremely powerful mechanism by which the views of people predisposed towards Risk Listing (e.g. consultants, auditors) and those not well equipped to filter out bad advice (e.g. politicians, procurement specialists) are forced on people who actually have to carry out the Risk Listing and might otherwise have resisted it. The trick is complete when project managers forget why they really do Risk Listing and start to think they do it because they like it.

Regulation of governance and accounting

Risk Listing has also spread by imposition into listed companies (especially in the financial sector), charities, and the public sector. For example:

  • Charities in the UK have to comply with a Statement of Recommended Practice (SORP) on accounting and reporting[4]. It requires the annual trustees' report to include a statement 'confirming that the major risks to which the charity is exposed, as identified by the trustees, have been reviewed and systems or procedures have been established to manage those risks.' The Charity Commission's guidance on risk management reinforces this by being classic Risk Listing[5].

  • Some larger companies in the UK have to comply with a Statutory Instrument from 2013 (no. 1970)[6] that requires them to publish a 'Strategic Report' that includes 'a description of the principal risks and uncertainties facing the company'. This is only the latest rule to require the same list. Draft guidance from the FRC on how to do this is classic Risk Listing and more detailed about how to do it than the existing Turnbull guidance.

  • UK public sector bodies don't escape either. HM Treasury has published a handbook for governance[7] and requires annual statements about it. The handbook approaches risk from a purely Risk Listing perspective and imposes Risk Listing. This is backed up by the guidance in the Orange Book[8].

In these examples it is clear that ideas coming from accountants and auditors have been imposed as required practice on everyone and all activities, including those where Risk Listing does not work at all. There is a cascade of imposition where one set of requirements or guidelines is taken up by others, who impose it on others, ultimately ending with workers being told to fill in forms and attend meetings.

Creative interpretation

Some of the most determined promoters of Risk Listing literature that I know do not follow the Risk Listing approach themselves but think they do. They wrongly credit the positive results they have experienced to Risk Listing. If they had followed the Risk Listing guidance they like, instead of creatively interpreting it, then they would not have had such a positive experience.

For example, Risk Listing, as described in such influential documents as ISO31000:2009 (the international standard for Risk Listing), does not apply to decisions other than those about actions seen as responses to 'risks'. If you have a major decision between two courses of action and there are many considerations, some involving uncertainty, then Risk Listing does not require thinking of 'risks' in connection with each alternative course of action before choosing one. However, some people do this kind of risk analysis for major decisions and credit it to Risk Listing.

Also, the classic Risk Listing process produces rather dull and unsatisfactory risk workshops. However, some people have learned to add other items to the agenda to make them more interesting. Others have learned to keep the list of 'risks' very short (just seven for example) so that conversations are less controlled by the Risk Listing process and develop more like natural conversations on risk related topics.

Vested interests

Energetic promotion and aggressive defence

There are businesses that sell software to hold risk registers, along with training and consulting to help you do so. There are consultants whose livelihood depends on continued sales of expertise in Risk Listing. There are authors who have written hundreds of pages about how to do Risk Listing and how great it is. There are civil servants and rule makers who have imposed Risk Listing on companies and other organizations.

All these people have a choice between moving on to better things or defending their existing positions. Although most would benefit from moving on to more effective and popular methods, software, and regulations it is natural to worry that credibility and competitive position will be lost by doing so. Surely there will be other software companies, consultants, authors, and bureaucrats who are already better positioned in other styles of risk management? People who think they have a strong position in Risk Listing tend to stay put and defend their position.

In addition, I have noticed that some risk managers whose work is based on Risk Listing spend a lot of time battling to get their work done in the face of constant resistance and apathy. To get people to comply with the tedious and useless procedures of Risk Listing they have to work very hard to promote and defend it. These risk managers get good at it and find it hard to stop.

Unfair debating tactics

With livelihoods and reputations to defend, some promoters of Risk Listing have relied heavily on unfair debating tactics. I have come across all the following tactics repeatedly over the past several years:

  • Defining risk management in Risk Listing terms: The most basic ploy is to call Risk Listing 'risk management' and act as if Risk Listing is risk management by definition and there is no alternative. This makes it difficult for people to reject 'risk management' without seeming to reject responsible management. Call it Risk Listing and it is easier to reject the method and ask for something better.

  • Reliance on social proof: This involves pointing out publications, influential people, and an imaginary majority in a niche that agree with and support Risk Listing. The implication is that all these cannot be wrong. Another way this is used is to resist suggested changes away from Risk Listing by saying that other people will be unhappy and disagree, so the changes should not be made, or should be smaller, or introduced much more slowly.

  • Relying on tradition: This is an extension of the social proof ploy in that it involves saying that Risk Listing has been popular for a long time and is now 'traditional', and implying that any alternative must be new and untried. The reality is that Risk Listing is the newcomer and management science methods have been around for far longer.

  • Exploiting fear of mathematics: The tactic is to present alternatives to Risk Listing as complicated and overly mathematical. It is easy to find examples of alternatives that are complicated and more mathematical than most people would like, but there are plenty of other examples that are simple. It is also common to portray Risk Listing as 'qualitative' even though it is all about quantitities (though crudely represented), to say that alternatives require a lot of data, and to ignore the fact that sophisticated alternatives not only involve more work and skill but also provide much better results. It is even common to suggest that anyone who knows some maths is a nerd with no friends and no understanding of real business.

  • Unfair comparisons: One common claim is that Risk Listing is 'better than nothing', which is debateable. Another is that alternatives are 'not perfect', which is obvious. Clearly, the proper comparator is neither doing nothing nor perfection. We should be trying to use the best approach and Risk Listing is not it.

  • Consistency: This ploy is used within a group such as a standard-writing body to stop it changing from a Risk Listing position. It can be done in various ways. One is to point to a past decision then argue that a move away from Risk Listing would be contrary to that past decision. Another variant is to point to a past public statement, such as a publication, and suggest that contradicting it would be bad for credibility, or confusing to readers, or both.

You may be thinking that I am exaggerating the silliness of the ploys but sadly I am not. All the above are standard fare and detract from the careful analysis of logic and empirical evidence that should be taking place in the meetings concerned.

What might have influenced you?

Several of the reasons given above can be seen as factors that might predispose a person to think that Risk Listing is a good idea. How many of these apply to you?

  • Your job involves a lot of tasks where Risk Listing works fairly well because it is addressing isolated problems.

  • Your job usually puts you in a role where your task is to suggest improvements to things (systems, plans, procedures, products, premises, etc) that have already been put in place by someone else. For example, are you an auditor of some kind or a consultant who does reviews and gives advice?

  • You don't actually have to do Risk Listing.

  • You have been appointed to a new risk management role.

  • You don't feel comfortable with mathematics.

  • You are working in one of the following niches dominated by Risk Listing: audit, book-keeping, low-end safety, company regulation, UK and Australian public sector, projects.

  • Your bosses tend not to take problems and worries seriously.

  • Risk Listing has been strongly promoted to you or imposed on you.

If you find that several of these apply to you, especially if you are an auditor or consultant, imagine for a moment how different your perspective might be if you were, say, a senior technical manager in an electronics company, with a background in electronic design and development. You would have a designer's perspective, constantly facing multi-criteria decisions under uncertainty, almost always involved in the main decision-making meetings. You would also be comfortable with various types of model and some mathematics. The factors influencing your views about how to manage risk would be radically different.

Prospects for improvement

Overall, Risk Listing has had little influence on the world, other than by delaying improvements to management methods that might have had a great positive effect. Even in organizations where it has been used it is largely ignored from one day to the next. However, this is no comfort if you are directly involved in Risk Listing and would rather not be. If you are working in a niche dominated by Risk Listing, what hope is there of overcoming the many factors and forces helping to keep it in place?

Nobody knows what the future holds on this question, but we can imagine two starkly different scenarios for the next decade or so:

  • Risk Listing grows further: The pessimistic scenario is that Risk Listing simply continues to roll on as it does now, perhaps even extending its influence over governance regulation even further. In the last several years people have been aware that something about existing risk management approaches has not worked and have been wondering if 'culture' is the element that has been ignored. It is possible that efforts to make progress by looking at 'culture' and 'risk appetite' will continue to go nowhere while distracting attention from more tangible and effective improvements to integrated management of risk. If that happens Risk Listing could just fill the gap, spreading into more and more guidance documents, regulations, and laws. This in turn would consolidate Risk Listing in the niches of internal and external audit.

  • Risk Listing collapses: The most optimistic scenario is that, within just the next couple of years, Risk Listing collapses dramatically. This could happen because, at the moment, Risk Listing is like the emperor with no clothes on. A lot of people are pretending they think it's a good approach because they think other people believe that. Various things could happen that reveal that in fact most people do not like Risk Listing, leading to a rapid change in general perceptions. The current focus on 'culture' might transform into a healthy focus on distributed changes to the way management is done that improve its performance under uncertainty. It might be that governance regulators find a way to reverse their direction without losing face, probably by allowing a wider range of risk management practices and then gently switching their preference, pointing out that they were always advocating integration into management. Meanwhile rapid change in project risk management could also come about if the government of one influential country decided it was fed up with failed projects and decided to require proper risk management instead of risk registers. That could spread through the public sector and draw in its suppliers too. The Big Four and other consultancies, seeing which way the wind is blowing, might then switch their approach, focusing on the value they can add through their new found expertise in other ways to manage risk.

I know which scenario I'm working for.

Further reading

  1. The Risk Listing school

  2. When is it OK to use a risk register?

  3. Results of a survey on 'risk management'

  4. Charity Commission for England and Wales (2005). Accounting And Reporting By Charities: Statement Of Recommended Practice.

  5. Charity Commission for England and Wales (2010). Charities and Risk Management.

  6. The Companies Act 2006 (Strategic Report and Directors’ Report) Regulations 2013. SI 1970.

  7. HM Treasury (2013). Managing public money.

  8. HM Treasury (2004). The Orange Book: Management of Risk - Principles and Concepts.






Made in England

 

Words © 2014 Matthew Leitch