Working In Uncertainty
Results of a survey on corporate programmes to improve 'risk management'
Introduction and summary
Many thanks to everyone who tackled this survey. Without your choices and many comments this study would have been impossible.
Most respondents thought that ideas for improved working practices to deal with uncertainty would not be devised only at the start of a programme of work. They were very much interested in directing resources at the most worthwhile improvements. The prompts most likely to give rise to improvement ideas such as those that have tested well in a previous survey (see Results of a survey on 'integrated risk management') were the more specific ones, and the most popular number of ideas to include on a prompt list for a meeting was seven.
So, it looks like if you want to get approval for a programme to look for and implement changes to ways of working that improve performance under uncertainty then you should suggest something with:
Also, do not suggest that the objective of the programme is to manage risk levels down below limits listed against 'risks' on a risk register. Only 19% of respondents thought that was a 'helpful' objective.
The survey results
The survey was completed by 73 people. Here are the main questions that were asked, with percentages of respondents choosing each available answer:
"Do you consider yourself to be a professional in any of these? (click all that apply)"
(A further 15% of respondents clicked none of the above.)
"1. In a corporate programme to improve the way risk/uncertainty is managed, in an integrated way, when will ideas for improvements arise? (Please select the most likely in practice.)"
"2. Select all those you think are acceptable ways for ideas for improvement to arise in practice."
"3. Select all those you think are reasonable ways to encourage improvements within a corporate programme."
"One way to help people have specific ideas for improvements is to make a suggestion, or a number of suggestions. These might be written or spoken."
"The following ideas for integrated risk management practices (shown in italics) are each next to two possible suggestions (A and B) that might be used to help people think of those ideas. In each case, choose the suggestion that, if used, would be most likely to lead to the idea."
"5. If a set of suggestions such as the more specific ones in the previous question were used, what would be a reasonable number to provide to a person or group (e.g. to help them in a workshop)? Please select the best number from this list:"
"6. What objectives should a corporate programme designed to promote better risk management have? (Select all those that seem helpful.)"
The implications of responses to question 1 are clear. All respondents but one thought ideas for improvement would not be discovered completely in an initial phase of design, and this clearly indicates that any method for running a programme of improvements in the area of uncertainty will need to allow for, and probably encourage, an ongoing flow of ideas. Even if it is possible to generate all ideas in an initial design phase, few people will happily attempt it.
Answers to question 4 show that most people think specific prompts are more likely to generate the ideas for change preferred in a previous survey (see Results of a survey on 'integrated risk management') than a generic 'risk management' process prompt. Just six respondents out of 73 chose the generic risk management prompt for all three scenarios, whereas 45 respondents chose the specific prompt for all scenarios.
Answers to question 5 show that the most attractive number of prompts for a single workshop is about 7 (or slightly fewer), so most likely a larger bank of prompts would have to be used for the programme as a whole, with sub-sets being selected for particular design meetings.
The implications of answers to questions 2, 3, and 6 are much less clear. The table below shows the results again, but this time with questions 2, 3, and 6 side by side, and with items listed in descending order of preference. The coloured backgrounds pick out items whose answers seem contradictory to some extent across the three questions.
Although the responses give a broad indication of preference, many respondents apparently did not answer question 2 as it was worded, and a similar range of interpretations may have affected question 3 and perhaps even question 6. Although most respondents seem to have interpreted question 2 as asking if they would consider ideas from a source, others seem to have interpreted it as asking if they would accept the practices that had led to the ideas, and others thought it was about how likely it was that ideas would arise that way, or that such ideas would be accepted for implementation.
However, even taken as broad indications of preference, the responses seem contradictory at first. The best explanation I can offer is that respondents' strongest desire is for resources to be focused on the most worthwhile improvements. (The top answer in Q6.) This, combined with a slight preference for familiarity, may explain a lot of the contradictions, as follows:
Focusing scarce resources where they can do most good was highly favoured by respondents and seems to have been the main driver of opinions. This was the programme objective most often considered helpful and the element of focus probably explains some of the apparent contradictions in responses.
If these explanations are correct then the main implication is that, whatever approach is taken for the programme as a whole, it needs to feature mechanisms that focus resources efficiently in ways that are explicitly stated. Without this an approach is unlikely to get support. In particular, I suggest the following implications:
Comments by respondents
A number of respondents made comments that explained or added to answers given. The key parts of comments were as follows:
Explanations of answers given
"Q2 [on acceptable ways for ideas to arise] - none of the methods are unreasonable in themselves but might be unreasonable in some contexts e.g. A disappointment/shock leads to a specific search for a better way of working might be a safety context."
"Q5 [on the best number of prompts] is difficult - it depends on what is found that needs to be done. I suppose 3 is realistic, but in practice you need to supply 10 so they can knock out the straw men and arrive at what they want. I'll pick the magic 7. For most of the others I picked what seemed to be the most important rather than just clicking All as most seem to be relevant."
"Q2 [on acceptable ways for ideas to arise] and Q3 [on reasonable forms of encouragement] - Among the various approaches that may be acceptable and reasonable, some may turn people on and others may turn people off, but a lot will depend on the personalities involved."
"Curiously on Q4.3 [on best prompt for research] I was quite marginal between the two options (but not so on Q4.1 [on best prompt for measurement uncertainty] and Q4.2 [on best prompt for forecasting]). I think this was to do with the likely audience for what gets developed and their expertise (and possibly interest) down either route. In Q4.1 [on best prompt for measurement uncertainty] and Q4.2 [on best prompt for forecasting] the connection to the business may need to be almost childishly simple to generate management attention! On Q6 [on helpful objectives] I am assuming (a) that the goodwill in getting leaders' improvements is worthwhile and that their desires are sensible and (b) getting risks down to a level involves at least implicit cost-benefit considerations i.e. is not arbitrary."
"At Q4 the presentation of suggestions 'A' & 'B' seemed to me at first glance to suggest that they are mutually exclusive. However, when I looked at these more closely I recognised them to be two sides of the same coin. One is the 'bare bones' text book 'risk management process' - the other seems to me to be the 'fully dressed' result of following that process, albeit perhaps subconsciously and informally rather than necessarily consciously following a prescribed process. I think the key thing is the delivery of good quality of thinking rather than whether this is ideally achieved through prescribed formal (risk) processes or perhaps more informally through subconscious competence."
"I didn't quite 'get' Q4 [on best prompts] - as both suggestions are in fact the same throughout - in that if you implement the risk management process then the other suggestion (A or B) should also be happening as part of that process."
"I have answered Q2 [on acceptable ways for ideas to arise] and Q3 [on reasonable forms of encouragement] on the basis that the points are acceptable to me and reasonable to me. Most of them strike me as extremely unlikely so presumably they are not acceptable or reasonable to some others."
"Regarding Q2 [on acceptable ways for ideas to arise], Q3 [on reasonable forms of encouragement], and Q6 [on helpful objectives], all your options are acceptable, reasonable and should be promoted, respectively. However, the capacity to do all of that commonly forces prioritisation wholly dependent on the resources available."
"There's a bit of background as to why I've responded to Q4 [on best prompts] the way I have. The 'risk management' process is still seen as being separate to the way of doing business - it is an add on and not part and parcel of how people approach things. I'm basing this on ten years in OpRisk - risk profiles/registers are reviewed and used infrequently and projects still overly focus on project risks (time/budget/deliverables) and not on the end impact once delivered. So my perception is that it is better to build in uncertainty thinking into the actual processes that management use in a way that makes sense to them as opposed to specifically using the standard risk management steps. Oh and as for the number of prompts - bit of a toss up between 3 and 7. The challenge a lot of people would find is coming up with more than 3-5 different scenarios. Beyond that level I think that they would become all variations on a theme."
"I struggled a little to understand what 'Implement the risk management process in all your management processes' would mean in practice. I shied away from searching for places to use good practice [in Q2, on acceptable ways for ideas to arise] as it sounded like a recipe for duplicating effort and/or increasing complexity."
"In Q2 [on acceptable ways for ideas to arise] and Q3 [on reasonable forms of encouragement] I haven't ruled anything out, although I think that clearly some routes are preferable to others. Just because there is desire or enthusiasm for change / improvement doesn't make it right that there should be some, or that it is in those areas that improvements should be prioritised. Good ideas can come from anywhere at any time, focus should always be on improvement in areas of key objectives, or to take out least value add, or maximise benefit / efficiency. Risk management is a great technique to assist in improvement, but is only ever a part of the process. Clear definition of a problem, and analysis and measurement of what underlies that problem are critical before development of a solution can take place. Risk management is a key part of this end-to-end process - and continues right through to ensuring the solution / improvement is operating and delivering what it was expected to deliver (or not). Q5 [on the best number of prompts] was difficult to answer; too many options tends to confuse, however if the process I have set out above is followed it is likely that a clear solution delivering improvement will emerge without requiring many options to be presented."
"Q2 [on acceptable ways for ideas to arise]. In healthy organizations complementary tactics for improvement are applied. Some opportunism is OK, since it might increase the momentum of success e.g. search for improvements where people are willing to change. Most search answers are way too much "push"; we have a hammer, let's start looking for anything to hammer on. Q3 [on reasonable forms of encouragement] is for me close to Q2 [on acceptable ways for ideas to arise]. Q4.1 [on best prompt for measurement uncertainty] I have seen too many "cockpits" with huge amounts of data, but no interpretation and follow-up, hence B. Maybe when a company is "mature and ripe" then A can work in such company. Q4.2 [on best prompt for forecasting] idem, hence A. Q4.3 Many people get lost in too much data, unable to filter out the relevant. The risk management process as described here could function when all participants live and understand it. I have never seen that. Mostly I see that people 'go through the motions' as prescribed. Hence B. Q5 [on the best number of prompts]: I would in due time provide employees with a much richer toolbox with suggestions, e.g. tens or even hundreds. In a workshop, a practical limit is ~3. Q6 [on helpful objectives]: This list seems quite limited. My first priority would be increased awareness and understanding of the status quo, both for leaders and employees."
"Q5 [on the best number of prompts] does not allow for differences between individual and group. Three good suggestions are a good start if they cover the waterfront (i.e. are constructed so as to look specifically at independent solutions). Three is definitely not enough where group facilitation does not set out to achieve this objective. If ideas are randomly generated, and especially if they are shared as they are conceived, 50 may not be enough. In other words, this depends very strongly on how you phrase the task and define the conditions of satisfaction."
"I tended to feel 'all' in your listed options questions. Have therefore been a little more discerning."
"Given a competitive, changing business environment, I'm thinking about the links between effective, integrated risk management with cultural factors e.g. 'the learning organisation' (which switches people onto a spirit of continuous improvement) with the openness to ideas from anyone in the organization. I think about blind spots and gaps (for example, in the vision, perceptions and focus of the leadership team...and in what communication is shared more widely). Experience also demonstrates that feeling ownership is key (with clear roles and responsibilities), and then it's back to culture and levels of people-engagement to 'glue' an integrated approach together. I also wonder about risk management maturity models, to paint a 'word picture' of where an organization is now and where to head next, in terms of best practice and 'excellence'."
"It may be useful to clarify what the minimum audit criteria for risk management are e.g. IIA or ISO 31000?"
"We can't lose sight of the fact that risk is a good thing in business. Risk leads to opportunities. Unrecognized risk or mismanaged risk are threats to the business and should be corrected. However, it is a sound business strategy to recognize and leverage risk."
"Need to consider tracking and response methods and processes, and the attributes of such methods and processes: usability, reliability, maintainability and so on. Need to consider incentives and rewards related to achieving goals with respect to risk management and performance management. Time is important, as shorter life cycles for products and services reduce predictability."
"I think this survey depicts an overall ERM process (like ISO 31000) in the worst possible light. Certainly its prescriptive approach to process is of little (or more likely negative) benefit when the risk and uncertainty relate to a well defined objective as in the specific examples given here. Still, I can imagine framing a survey like this to reflect the value of a coherent overall ERM process as a kind of high level uniting perspective. To my mind, the biggest problem is that the current situation does not enable assembly of good technical risk analysis in specific areas into an overall enterprise risk management approach. Has there been any work done on considering whether or not that is even theoretically possible? Or are there complexity related constraints on our ability to ever do that?"
"As time has passed and I have had experiences developing risk assessments and then being on the other side, I have two comments for you to ponder: (1) due to the high degree of familiarity risk one major consideration for risk management and assessment must come from an external resource. People are too much like a fish in water ... can't see what they can't/don't want to see. (2) The more tools that can be designed to measure performance metrics and provide a baseline to remove subjectivity the better. I think that the activity based costing model from cost accounting could be revamped to the risk world."
"I think that risk management needs to decide what it is. By embracing the management of opportunities - all uncertainties that matter - as a result it is really turning itself into a 'theory of business' / 'theory of the firm'. Namely, this is how a good enterprise should be managed. However, I think that its 'methodology' is too simplistic - the five risk steps, plus setting the risk appetite."
"I am generally in favour of adopting the practice of implementing risk management as a part of all governance and day-to-day management activities. That said, I too frequently see it just not happen. Some cases in point: a network penetration test conducted a year ago revealed an area of potential weakness that the responsible technology manager later deemed irrelevant. A month ago, a client stumbled upon the issue, 'triggering' the risk. Now the manager is scrambling to fix things but can't come out of this looking good. Another example: we had certain data on our network that belonged to our clients' account-holders. The tax regulators have very strict penalties if that very data is exposed due to theft/blackmail/etc. The problem persisted for years until a specific risk management process defined the risks (e.g. executives doing prison time). And this is just a small software firm. At a previous employer in a different regulatory environment I witnessed my employer run afoul of AML issues time after time - there simply wasn't any ownership. As maddening as it is, that mindfulness of risk mitigation just isn't there until someone's done a round-up of risks independent of 'business as usual'."
Invitations to participate in the survey were sent to RISKANAL (an internet discussion list about risk analysis), the PMA Forum (an internet discussion list about performance management), the Auditnet discussion list (for auditors), and a varied selection of my contacts. Most respondents were from my contacts. 81% of respondents stated their first language as some kind of English, with the rest having a variety of other first languages. Total response rate cannot be calculated but will have been low.
As usual, this is a limitation of the survey and the selection of respondents will have affected the pattern of answers given to some extent.
However, the patterns of responses were broadly similar regardless of what background respondents claimed, and regardless of whether they gave their name or not. (Giving a name was typical of respondents known to me personally.)
Company: The Ridgeway Expertise Company Ltd, registered in England, no. 04931400.
Registered office: 29 Ridgeway, KT19 8LD, United Kingdom.
Words © 2012 Matthew Leitch