I provide a range of speeches and training in Australia, Europe and Southeast Asia. Sadly, not yet India. One of my favourite talks is titled “So you think you know about Risk. You don’t.”
In the prelude to may talk about Risk I ask a series of questions;
- What is Risk?
- What is Uncertainty?
- What is the difference between Hazard, Threat and Risk?
- What is the relationship between Consequence and Risk?
It is always exciting to find a diversity of views from which I deduce that when one person says risk another means consequence or threat and so on.
I generally revert back to the ISO31000 Definition of Risk – the effect of uncertainty on objectives. But this has its problems as the meaning and conceptual background in this definition is not always understood nor agreed.
In research by the ISO Technical Committee, TC262 Risk Management, it was found that a range of definitions were falling into two main categories, those that treat Risk as a purely potential negative outcome and those that looked at risk from the point of the balance, where the balance between successful outcomes versus the negative or unforeseen outcomes. This was roughly a 70% as risk measured as likelihood of a negative outcome to 30% where risk is neutral and is the decision point of likelihood of success versus that of failure.
This division has consequences, as if can lead to only addressing the likelihood of failure where it is organisationally unbalanced compared to identifying and managing actions to enhance the likelihood of success.
In its Guidance Handbook for 31000, TC 262 makes the following point; “To be effective, risk management needs to be understood within the context of the governance, compliance, processes, and operating procedures of an organization. For organizations to achieve their strategic, tactical, and operational objectives, risk management should be in-sync with the governance structures, mission, values, and culture of the organization.”
A failure of shared language and concepts directly undermines the likelihood of an organisation to effectively manage risk.
The future is uncertain, and what we seek, discover and endure in the future is conditioned by this uncertainty. Risk is one of many concepts and words used to understand and communicate about what is to come in the future and what you might do to get the preferred outcome and avoid a less than optimal result.
This changing risk landscape, our understanding of the nature of risk, the art and science of choice, lies at the core of our modern economy and its operational elements. Every choice we make in the pursuit of objectives has its risks. As we seek to optimize a range of possible outcomes, decisions are rarely binary, with a right and wrong answer.
Organizations encounter challenges that impact reliability, relevancy, and trust. Stakeholders are more engaged today, seeking greater transparency and accountability for managing the impact of risk while also critically evaluating leadership’s ability to crystalize opportunities. Even success can bring with it additional potential for a negative outcome—the risk associated with failure of not being able to fulfil unexpectedly high demand, or maintain expected business momentum, for example.
An understanding of how risk works is required as organizations need to be more adaptive to change. They need to think strategically and operate effectively to manage the increasing volatility, complexity, and ambiguity of the world, particularly at the senior levels in the organization and in the boardroom where the stakes are highest, noting that an operational risk-based decision may have strategic consequence.
The relationships between the common use of risk, the dictionary definitions of risk, risk as a concept and managing risk professionally, are ones which expose the rational and irrational nature of human behaviour and decision making and the confrontation between the “ideal world” and the “real world”. In a professional context, time is devoted to a cognitive construction of an “ideal world” which can be understood and in which rational decisions and actions will control its evolution. What follows are the issues between prescribed conditions and procedures and “real world” events.
A term used in the research of Herbert Simon is “limited rationality”, which describes the limbo between objective rationality and the apparent irrationality of much of human behaviour. Herbert Simon also observed how the capacity of the human mind for formulating and solving complex problems is very limited to the potential size of those problems. Our modern world is growing in complexity and much of this complexity is beyond the limits of our understanding.
Charles Perrow provides many illustrations in his book Normal Accidents. Technology has developed more quickly than scientific knowledge and the theories necessary to understand its global effects. Examples such as: Petrol and its by products and its environmental impacts and climate change, Facebook and its use to disrupt societies, insecticides and the collapse of insect populations show that even in a connected world with ready, available knowledge, understanding of “real world” phenomena are lagging. An observation after an accident analysis is that we all seem wiser, individuals and organisations, after the event. If only this new state of understanding and awareness had preceded the decisions and actions which led to the accident.
The concept risk can be found in human anticipation for an uncertain future, resolving problems, making decisions and determining actions and the overall developing of a better understanding of the world in which we live and the limits to this understanding.
In some future blogs I will examine the nature of some key risk related concepts and the meta concepts hiding within some of the definitions.
Blog written by: Jason Brown, Chair of the International Standards Committee for Risk Management (ISO TC262) 2017 o 2023