Working In Uncertainty
Practical word choices for risk managers: Risk terminology for risk communication and risk workshops
by Matthew Leitch; first appeared on www.irmi.com in April 2006.
The words risk specialists in organisations use to communicate with each other are important to them for theoretical reasons, but the words they use to communicate with their non-specialist colleagues may be of greater practical importance. This article reports on some effects that are already shown by experiment, and suggests some others that need more attention.
Corporate risk managers, internal auditors, and internal control managers, as specialists, have their own special language. We frequently debate the meaning that words should have in our specialism. No official framework or standard for internal control or risk management would be complete without definitions. As so often, it is the most used words that lead to the most alternative meanings. For example, we often refer to ‘a risk’ and ‘some risk’ and yet very, very rarely acknowledge that these must refer to two different concepts, one countable, the other not countable but potentially measurable.
In places our jargon has departed from non-specialist use of the same words or phrases. For example, most leading specialist opinion now agrees that risks can have unexpectedly positive impacts as well as negative impacts, though this is controversial and different from non-specialist use of the word ‘risk’ which is overwhelmingly negative.
If we use our specialist language with non-specialists, for example in workshops or self-certification documents, the results could be disappointing to say the least. On the other hand, get it right and implementation of risk and control ideas could be considerably easier than it usually is today.
Results from experiment
A little while ago I ran an online experiment to test four alternative ways to ask people to list risks and actions. The results showed that the words used had a profound effect on the balance of negative, positive, and neutral ‘risks’ listed, and on the types of actions people suggested to deal with them.
The 36 volunteers for the experiment visited a web page where they chose one of four scenarios: (1) planning a wedding, (2) buying a company, (3) building an extension to a house, or (4) looking for a new job. In the next stage they were asked to do one of the following: (1) list risks, (2) list sets of risks, (3) list risk factors, or (4) list areas of uncertainty. The wording was chosen at random, and this allocated subjects nearly equally between the four wordings. They were also asked to list actions they might take in respect of each item.
The items people wrote down were varied, but two common types of item predominated. One type was an item expressed in terms of failure to achieve something that would be an objective for the project. For example, ‘Failure to complete the build within budget.’ Actions for these items tended to be different ways of trying harder to do the thing that was at risk. The other type of item was an unknown. For example, ‘The cost of the build.’ Actions for these items tended to be different ways to find out more, either immediately or as the work proceeded.
The scenario clearly had an effect on behaviour. For some reason people tended to list possible failures in connection with weddings, jobs, and building, but when buying a company preferred to list unknowns. Probably it is the tradition of due diligence in company acquisitions that cues these items and the resulting actions.
However, there was also a strong effect from the wording of the instructions. All three instructions that mentioned ‘risk’ had the same effect, which was to trigger a high percentage of potential failure items. In contrast, the ‘areas of uncertainty’ wording triggered more unknowns.
If you want to encourage people to be less introspective and negative, and to pay more attention to missing information, then you should ask them for ‘areas of uncertainty’ and not mention the word ‘risk.’
My observation is that most risk registers resulting from workshops pay far too little attention to uncertainty and consequently many actions are things that would be done even if the world was without uncertainty. For example, people will suggest the risk ‘Failure to complete on time’ and then the action ‘Carefully plan the project.’ This is not risk management because you would plan even in a world without risk. This is just going through the motions.
Another point from this research is the failure of respondents to distinguish between ‘risks’ and ‘risk factors.’ Clearly these are not the same, but when asked for ‘risk factors’ people did not list risk factors, i.e. things that were true, or very likely to be, and would be drivers of the risk involved.
Using risk factors is a powerful way to evaluate risks, but if people do not distinguish between the two this cannot work. The research does not show what wording to use instead, but we should be aware of this problem and give extra instructions, including examples to make clear what is intended, and look for better words.
The research is written up in full in ‘Results of an experiment in risk and uncertainty management.’
Other words that could be crucial
In your organization, are people asked to ‘identify’ risks or to ‘define’ them? Almost certainly they are asked to ‘identify’ risks, and yet there is an overwhelming practical reason for saying ‘define’ instead.
A common problem with risk register items is that it is hard to tell what is included in the item. They tend to be vague, rather general, and to lack details necessary to properly assess them. Pick a sample from most corporate risk registers and think about each item critically. The chances are you will conclude that nearly all of the items have this fault.
This may in part be because people think of ‘risks’ as things that already exist, have clear boundaries, are already given, and therefore need only be named. This is the frame created by the instruction to ‘identify’ risks. As soon as we say ‘identify’ we have people thinking that the risks need only be named.
In contrast, if we say ‘define’ the risks this promotes a different frame, one in which risks do need to be explained and defined. And they do, don't they!
Another wording that may help to encourage good explanation of risks is to ask for ‘areas of’ risk/uncertainty. If we say ‘areas’ this again suggests a concept that has a boundary, and therefore needs some definition.
[Poorly worded risks are also a feature of well known documents on risk. For example, as part of regulation for banks the Basle II documents included a breakdown of operational risk events. One of the first items is ‘Internal Fraud’, which is then broken into two sub-items, ‘Unauthorized Activity’ and ‘Theft and Fraud.’ If part of Internal Fraud is Unauthorized Activity, then presumably the rest is authorized activity – authorized theft and fraud!]
Moving on to another topic, if you are interested in getting people to consider ‘upside risks’ as well as downside risks then you face a particular challenge. As already discussed, if you mention ‘risk’ this is interpreted as negative by most non-specialists. As an alternative some have tried asking for ‘opportunities’ instead. So far my informal observation is that this tends to trigger a lot of statements about things that are opportunities existing now, rather than ones that might arise in the future, which would be closer to the idea of an upside risk. Worse, the ‘opportunities’ that pop up immediately in workshops tend to be suggestions the participants have made in the past and which were not acted upon, usually for good reasons.
At the very least we need to add to the explanation and perhaps experiment with alternative wording, such as asking for ‘potential future opportunities.’
The evidence so far is that the words we use to get people thinking about how uncertainty should affect their actions can have a profound effect on how well they perform. This is not just a theoretical debate between specialists, but a vital practical concern that affects whether risk management programmes make headway or not.
We need more research but already it is clear that asking people to ‘identify risks’ is far from the best way to proceed.
Words © 2006 Matthew Leitch. First published April 2006.