From confusing to helpful definitions
Bad news: experts don't agree on the definitions of basic risk management terms, including "risk". Worse, debates about these things can be either terribly dry or surprisingly emotional, as participants defend their intellectual territory.
The "helpfulness principle" avoid the two pitfalls: since there is a choice over definitions we choose one which is most helpful for us. I also set out:
- three crisp definitions, but then accept that risk is used in other ways by people
- why it's helpful to think of risk as including "upside uncertainty"
- the importance of different people's approaches to risk management
The ISO 31000 risk management standard defines risk as (the) "effect of uncertainty on objectives".
David Hillson suggests this definition results in an incomplete emphasis; as well as "effect" we should also consider the probability of various effects. Dr Hillson's alternative definition – "risk is uncertainty that matters" – is certainly crisp, and may be all we need. But two tweaks to ISO31000 are an alternative:
- insert "potential": this is how we get back the probability aspect
- insert "the achievement of": this is just tidying up; it's not that the objectives change, it's whether they are achieved.
Risk is the potential effect of uncertainty on the achievement of objectives.
Defining risk management
Turning to risk management and enterprise risk management, Dave Ingram's Uncertain decisions hits the sweet spot: a meaningful crisp definition:
Risk Management is a system for enhancing decision making under uncertainty
that focuses on risks as well as returns.
So much meaning in so few words:
- System: There's some organisation to this, not just experience and gut feel.
- Enhancing: The aim is to be better not just preventative.
- Decision making: This is central – a point that is often lost.
- Uncertainty: The presence (or otherwise) of uncertainty determines whether risk management might add value.
- Risks as well as returns: We can take this as shorthand for "returns away from those expected as well as expected returns".
Defining enterprise risk management
Enterprise risk management (ERM) is a system for enhancing decision making under uncertainty that requires consideration of ALL of the risks of the enterprise.
Although it's the "ALL" point that distinguishes ERM we can probably take the "Risks as well as returns" as read.
The helpfulness principle: how to relax a little more about risk
Some of the terms used in the field of risk management – including the word "risk" itself – have multiple definitions and interpretations. We cover some of these below. Some uses of "risk" are from everyday conversation, but some more technical meanings – the last one in our examples – are used primarily by experts.
Even experts do not always agree on the meaning of central concepts such as "risk", "risk management" and "enterprise risk management" (ERM). Some experts insist that "risk" is just about downside, while others think it should encompass a broader concept of uncertainty. What are organisations and risk managers to do?
- Don't be a definition bore: Taking the definition debate too far can appear obsessive. When does seeking clarity become "fiddling while Rome burns"?
- Consider wide definitions: Sometimes technical definitions bring insight and improved actions. Example: Wikipedia on Frank Knight's risk and uncertainty.
- The helpfulness principle: Choose definitions which are helpful for your organisation. If this seems like mental gymnastics invent/define a new word.
- Accept some definition flexibility: Even if you've defined a new word, don't insist everyone has the same interpretation. Alternative angles can help.
The acceptance of alternative possibilities for risk and risk management can be really useful. We can make progress on risk management without all-encompassing definitions, and with what some might consider deficient definitions. Finally we can change those definitions when this would be helpful. Sometimes we can relax a little more about risk.
Defining risk – take 2
In Sven Ove Hansson's paper Seven myths of risk the first myth is that "risk" must have a single meaning. Hansson gives examples of five uses. We have slightly changed the examples – completely in example 5 – but readily acknowledge the source. Each example takes the form of a statement (in bold) followed by an explanation of the sense in which "risk" is being used.
In each of 1-4 below, the statement about an "event" relates to something which may or may not occur – it is a future possibility.
- Lung cancer is a major risk that affects smokers. Risk as an unwanted event – lung cancer – which affects smokers (and, more rarely, non-smokers).
- Smoking is by far the most important health risk in industrialised countries. Risk as a cause (smoking) of an unwanted event (poor health).
- The risk of having one's life shortened by smoking is about 50%. Risk as the probability (smoking) of an unwanted event (see note 1).
- Smoking is by far the most important health risk in industrialised countries. Risk as the statistical expectation of unwanted events.
- Gambling with fair dice is "a decision under risk"; score probabilities are fully known. Risk as an environment of known probabilities (see note 2).
- Risk is the potential effect of uncertainty on the achievement of objectives.
- A slightly strange example; does this mean that the "risk" of having one's life lengthened by smoking is about 50%?!
- The distinction made by Frank Knight was between risk and uncertainty. Risk is where the probabilities are known (school examples such as dice and cards) while with uncertainty the probabilities are unknown (many business examples such as the probability of becoming insolvent over the next year). Often probabilities can be based at least partly on past data, but there challenges – see The reference class problem and its implications for project management.
Helpful principles when talking about risk
- When making decisions under uncertain conditions, precision can help. So if we mean "cause", "probability" or "expectation" let's say so.
- Treating others – including non-experts – with respect, allowing them to use non-technical language with which they are comfortable. Technicians can interpret.
- Different aspects of risk can be important, depending on the context. Known versus unknown probabilities can be a useful distinction, but there are many others.
We now look at another aspect of risk; the idea that uncertainty comprises both upside and downside in comparison to our best guess.
"Upside risk" and uncertainty
We suggested that the distinction between known and unknown probabilities can be useful. Since the early 20th century this has been one way of distinguishing between risk and uncertainty. In reality, however, most probabilities are unknown to organisations – they don't play dice. Therefore they operate under uncertainty, where an important aspect is the availability and relevance of past data when we need to make estimates. Typically some data is combined with "expert" opinion to form an estimate.
Under the "helpfulness principle" there are good reasons for risk management to cover more than the downside: "bad things that might happen". Let's consider two:
Core business decisions: These decisions are about carrying out the organisation's purpose – its reason for existing. The business strategy and rules will leave room for management and operational decisions: should we quote £100m or a more competitive £98m in a tender to provider services? The risk-return trade offs will consider not only price but guarantees, options and assurances given under the contract. In coming to a conclusion consideration will be given to upside as well as downside; pricing which assumes that every outcome is worse than best estimate will be as uncompetitive as it is illogical.
If pricing takes into account upside shouldn't risk management?
Simpler decisions and the importance of baseline: Some experts suggest that risk management (and hence risk) should only be about downside. In reality it's common sense that few people make decisions based only on downside; I know that I might be knocked over by a car if I leave the house, but I go out.
Sometimes different examples are given – a winning lottery ticket or a game show. It's then claimed that it makes no sense to talk about "risk" (what's to lose?) But step back. Is there uncertainty? Is the amount generated by the prize-winning ticket known, or is it to be split among a currently unknown number of winners? What if someone offers to buy the ticket from you? Is the final game show prize known, or are you mid game, with the host offering you the opportunity to "stick" or walk away with a fixed amount?
The baseline is often not zero, but some unknown, expected or hoped for win (or feared loss). The baseline might be set at the best guess rather than zero and there is upside and downside compared to this. This "baseline" approach can be a helpful way of looking at things. Risk management techniques can help with many forms of uncertainty.
Summary: the lottery ticket example is naive and unhelpful as a pointer for action.
Whenever there is uncertainty it is natural to think about upsides, downsides and decisions and for those decisions not simply to be based on the worst possible thing that can happen. Some people prefer to think about "uncertainty" rather than "risk", to reflect that norm. If that helps you why not?
When risk management gets personal
People. Their beliefs and attitudes make or break risk management. They can be an organisation's greatest asset and largest risk.
Consider three types of people working in an organisation: board members, front line decision makers and operational managers. What is their major area of interest and responsibility? What is their likely approach to risk management? What perspectives do they bring? How should the risk manager seek to work with them?
|Board member||Planning, Pounds and larger Projects.||"Best guess" returns and quantifying and managing a "reasonably worst case scenario".|
|Front line decision maker||Products and some Projects.||Choosing between alternatives and balancing of risk and return, especially in a financial context.|
|Operational manager||Processes especially||A natural focus on underperformance; process failure and "risk events" e.g. network unavailability.|
- How does a risk manager respond to the above perspectives? They do not naturally fit a classic risk management process.
- In seeking to remove operational "silos" and bring rigour and consistency to risk management, could a "one size fits all" ERM actually hurt more than help?
- ERM has some big advantages compared to more ad hoc approaches – can we get the best of both worlds?