Risk - What Can Go Wrong

There are so many definitions of risk. The newer versions include 'positive risk' and variations thereof. These definitions try to be very inclusive, to make sure they cover all possible perspectives and manifestations of risk. It can be a bit confusing. Some days I am tempted to find a simple, clear, usable definition of risk.

I am not yet convinced that 'positive risk' should have the word 'risk' appended to it. On those days when I look at risk management as 'the management of uncertainty' I have no problem accepting that positive risks belong to this domain.

But for now, I will use as the most basic definition of risk:

Risk = what can go wrong.

Risk management = managing what can go wrong

The ‘wrong’ already implicitly includes a reference to our objectives.  If something can go wrong from our point of view, it means something going wrong in relation to our interests.  Something that doesn’t affect us is not something going wrong. So I don’t have to extend it to ‘something that can go wrong with regard to our objectives’  (in any case, I prefer to use ‘interests’ rather than objectives).

The ‘managing’ in ‘managing what can go wrong’ encompasses identification, assessment, and mitigation.

Let’s see how far these definitions will let me go.

Review of "The Failure of Risk Management: Why It's Broken and How to Fix It" Part 2

In Chapter two of his book, Douglas Hubbard discusses where the risk
management industry has been and where it currently thinks it is.

The chapter starts out with a very brief history of risk management
('800 words' according to the author), tracing the route from the
discovery of mathematical probabilities, to its initial commercial
application in insurance, and finally down to the modern day emerging
'new character' of risk management, incarnated in regulations like
Basel II, and in applications like Enterprise Risk Management. His
history is not very complimentary, comparing today's state of risk
management to the Old West gold rush towns, where things
look brightly painted and pretty, but are built on shaky foundations and
filled with snake oil peddlers.

His history aligns quite well with Peter Bernstein's own summary,
although at a very high level and, I suspect, very much framed to
support his thesis (which I suppose is what the rest of the book is
about).

Hubbard then briefly discusses the common risk assessment
approaches (expert intuition, weighted scoring, probabilistic models,
etc.) and suggests that some of these are not up to par for the role
risk management is playing (corporate growth and survival, after all) and
will probably need to be dispensed with.

The next section covers risk mitigation approaches. He has a brief
treatment of the common approaches (what risk management book
doesn't?): avoid, reduce, transfer, retain. The most interesting part
of this section is his list of examples of concrete manifestations of
risk mitigation approaches (in contrast to the abstract approaches of
avoid, reduce, etc.). His list includes selection processes, contractual
risk transfer, insurance, liquid asset position, etc.

In the final section, Hubbard discusses 3 major surveys of enterprise
risk management, conducted by Aon, The Economist, and Protiviti. The
surveys show what the executives in these companies thought their
top risks are (reputation, market, human capital, and regulatory
environment figure very high). The surveys indicate that risk
management is present in those companies primarily because they are
being required to have it (a necessary evil). They also show that risk
management is well represented, and increasingly so, at the board level.
The executives seem pretty confident that they are doing risk
management well.

Hubbard suggests that that is not the case at all.

Risk Versus Risk

Some of the most critical processes in managing projects are those addressing project risks.  Some writers go so far as to call risk management 'project management for adults'.  The implication is that if you’re not doing risk management in your project, then you’re just a kid, you haven’t grown up yet, and have no place among grown-ups (I agree with this view, by the way).

When asked what risk is, quite a few will give an answer that goes something like: 'a risk is anything that can go wrong.'  In this view, a risk is something that can go wrong, and therefore risk management is about addressing those things that can go wrong.

But there is another, less commonly known, view of risk.   In this view, risk is something uncertain that may affect the project.  Not something necessarily bad, but something uncertain. 

Let's suppose you are planning a picnic for tomorrow.  Being an adult, you have prepared a risk management plan (your picnics may be boring, but they are predictable).  You have an entry for weather in your risk plan.  In the first view of risk, you look at the weather and look for something that could 'go wrong' that could negatively affect your picnic.  Is it going to rain tomorrow?  If there's a chance of rain, what can we do to mitigate the effects of this rain on the picnic? Perhaps bring an umbrella.  Perhaps plan to hold the picnic near an accessible shelter, to make escaping from the rain easier.

In the second view, we look at the weather not as something that is the harbinger of something that can go wrong, but simply something uncertain.  So there's a 50% chance of rain.  Let's prepare for that eventuality.  But there's also a 50% chance of no rain. Let's also prepare for that happy eventuality as well -- perhaps plan to go to a place with a nicer view if the weather clears up.

With this second view, risk is not simply viewed as being about bad circumstances that can happen, but about all uncertain circumstances. Circumstances which can indeed turn out bad (and whose effects we should be ready to address), but which can also turn out good (which we should be ready to take advantage of).

In the first view, we simply prepared ourselves for the worst.  But in the second view, we also prepared ourselves for the best.

Assumptions

Until we develop the ability to see the future, projects and programmes will have to be run in the face of uncertainty.

In the absence of complete information, assumptions will have to be made. Otherwise decisions cannot be made and activities will stall. At least some of these assumptions are documented in the projects. In the more badly run projects, the assumptions are there but are never critically reviewed. Because a project is proceeding as if these assumptions are valid, it is critically important to review the assumptions.

You are trying to cross a bridge and making the assumption that the floor is sound. You have several choices: make the assumption, and proceed to walk normally as if the assumption is correct. You can also make the assumption, keeping in mind that you could be wrong, and proceed with caution, testing every step to see if the assumption holds. You can also, before proceeding, inspect the bridge and gather more information about the assumption. How likely is the assumption to be correct? How likely is it wrong? Apart from physical inspection you can observe the environment. Are locals crossing the bridge? Are there local experts who know if the bridge is sound?

Because the assumptions are the 'floor' on which the programme will be proceeding, it is critical to review these assumptions to see how sound they are. These assumptions should be looked at with the following filters:

  • Are they complete? Are these the only critical assumptions?
  • Are they valid? Are we making assumptions about things that are not already known to be false?
  • Do we have a plan for reviewing the assumptions at a later date, when we may have more information and be able to verify or reject the assumptions?
  • Have we identified the risks that will arise if the assumptions on which we are proceeding are proven false?

Ten Rules of Effective Language

One of the challenges risk professionals wrestle with is how to convince stakeholders to take specific actions,  such as proactively identifying risks. These stakeholders can be individuals, or they can be organisations.  While these stakeholders are not necessarily reluctant to comply with the requirements of proper risk management, they do have to deal with their own realities, including other demands on their energy,  or simply a perception that risk management is a waste of time.

Perception is reality, as the saying goes.  If you want to change reality, you have to change perception.  And one way to change perception is through communication.  A risk professional often needs to prompt organisational action through reports and recommendations and also through interpersonal communication.

Dr. Frank Luntz, who apparently is a highly sought political speech writer, provides ten rules for effective language in his book, “Words that Work”.   I think when he came up with these rules, he was thinking in the context of public speeches, political messages, and media relations.  But his rules seem a useful guide for launching a coordinated approach to getting your message across.

In summary his rules are:

  1. Use Small Words.  Use only words that you are certain your audience understands.  Don’t risk getting your message misunderstood.
  2. Use Short Sentences. If you can deliver the same message using a dozen words, do not do so with a thousand.  Not only are fewer words easier to remember, you stand a better chance of having your writing read.
  3. Credibility is as Important as Philosophy. Make sure you are telling the truth.  Very catchy marketing of something false will fool some people for a little while, but not for long, and not again.
  4. Consistency Matters. This is a nice way of saying: repeat the message over and over, using the same words if possible.  Drill the message in. Repeat until it becomes the truth.  And don’t change your message. Don’t change what you are trying to say.
  5. Novelty: Offer Something New. Add a new twist on the language or coin a new phrase that captures the message vividly, clearly and memorably.  Definitely avoid clichés. Avoid them like the plague ;-).
  6. Sound and Texture Matter. A slogan that makes a sound (like ‘Snap, Crackle, Pop!’) helps make the slogan memorable.  Alternatively, come up with combinations of words that make a distinctive sound (‘Melts in your mouth…’).
  7. Speak Aspirationally. Show the way to an ideal place. He gives the example of Crest toothpaste’s “Look ma, no cavities”. Tap into the audience’s aspirations and ideals.
  8. Visualize.  Paint a picture with your words.
  9. Ask a Question. Engage the listener by asking a relevant and memorable question.  Note that it is a single question, not several.
  10. Provide Context and Explain Relevance. Make it very clear ‘why’ you are telling them what you are going to tell them. Give context to your message.

Luntz summarises these ten rules with ten words: simplicity, brevity, credibility, consistency, novelty, sound, aspiration, visualisation, questioning, and context.

You don’t have to follow all his rules for every message you want to get across.  I don’t think that’s possible, nor is it Luntz’s intention.  However, the list is useful as a guide for formulating a memorable message.

ERM is an Integrative Approach to Risk Management

Risk management as traditionally practiced in organisations tended to be silo-based.  Risks originating in one area are expected to be managed by that area, which is assigned the responsibility for managing them, while risks originating in another area are managed by that area.

One of the reasons Chapman gives for why this approach developed is our tendency to compartmentalise. Our analytical approach to problem solving leads us to split things apart into their basic components to make them easier to manage.

Over the years, there has been a growing recognition that a silo-based approach is flawed.  The impact of risks spans across silos - a breakdown in manufacturing leads to impacts well beyond the manufacturing department.  Mismanagement of risk in one silo affects other silos, which may not be prepared for that risk because they had assumed that the other area was managing it.

ERM is a new approach to managing risk.  The thrust of ERM is the integrative management of risks: understanding the interdependencies, their impacts, and areas where they can be leveraged so that addressing a single cause can prevent multiple risks.

Reference: Chapman, Robert. Simple Tools and Techniques for Enterprise Risk Management, 2006.

Tools and Techniques of Enterprise Risk Management, Part 1

I’m going to go through Robert Chapman’s ERM book.  Based on the table of contents, the first part of the book covers what ERM is. Part II is about ‘The Appointment’ or what I think is a discussion of the engagement process.  The table of contents covers topics about interviewing the client, preparing the proposal, and implementation (of what, I am not sure yet).

Part III covers the Risk Management Process.  It seems to be about a fairly standard process: Analysis of the Business, Risk Identification, Risk Assessment, Risk Planning, and Risk Management.

Part IV covers ‘Internal Influences’ which I think is about internally generated risks.  The table of contents says it covers Financial Risk Management, Operational Risk Management, and Technological Risk.

The final part covers ‘External Influences’, which seems to be about risks generated externally.  It discusses Economic, Environmental, Legal, Political, Market, and Social risks.

Finally there are 14 short Appendixes which discuss techniques like SWOT, PEST, VRIO analysis, Change Management, among other topics.

Corporate Social Responsibility as Risk Management: A Model for Multinationals

Kytle & Ruggie

Ideas:

Globalization

Large Enterprises

CSR – what you do with your money

How you make your money

Conceptual Framework

Greater interdependencies

Hidden vulnerabilities

Significant shift in market power

Social risk

Own behaviour or actions of others create vulnerabilities

CSR Programs

Global operating environment: networked operations, empowered global stakeholders, dynamic tension between stakeholders

Supply chain components bring their own individual vulnerabilities. Risk in one can ripple through supply chain

Being large being global makes you a platform for stakeholders

Other country issues – weak regulatory frameworks, means of enforcement, high levels of corruption, inadequate provision of local services.

Social issues – stakeholder interests are not profit motivated

A Framework for Risk Management

Froot, Scharfstein, and Stein

The purpose of risk management for an organisation is to ensure availability of funds for financing investments.  Risk management does not create new wealth; investment does. Wealth-creating investment is only possible if there are funds available to finance it. Risk management must be used to ensure the organisation has enough funds to finance its wealth-creating investments should events arise that threaten the availability of funds.

The best funds to use for funding investments are funds created internally.  Funds obtained through debt make the company less attractive for further debt, which may result in a dangerous spiral where it cannot obtain debts when it needs them.  Funds raised from equity raise the problem of investors knowing that organisations sell equity when they know it is overpriced.  So despite Modigliani and Miller, who posited that how the funds are obtained is generally irrelevant, internally generated cash is best for funding further investments.

Hedging is one way to insulate the organisation from fluctuations of funds availability.

To determine what to hedge, think about events you wish to hedge against, and understand the impact of that event on your cashflow requirements for funding wealth-creating investments.  For example, suppose your company manufactures in Europe (euros) and sells in the USA, and the euro appreciates, making sales in the USA slower. Then cashflow is lessened because a) there is less product demand in the USA and b) the value of dollar sales has decreased compared to euros; therefore, there is little incentive to further increase production capacity in Europe, and therefore there is less need for cashflow during that time.  Thus there is little need to hedge.

However, if opposite occurs, and the Euro depreciates, then sales to the US can be expected to increase (cheaper products), however,

Risk management “lets companies borrow from themselves” by shifting funds to when they are more needed.

The goal is to align the internal supply of funds with the demand for funds. The goal is not to insure against the events (such as exchange rate fluctuations) but to ensure the company has the cash it needs during such times.

The company shouldn’t need to worry much about its own stock prices.  That is a problem for individual investors. They can mitigate that risk through diversification.

Choices of which financial instrument to use must not be left to financial engineers. Managers must align the instrument to the corporate goal – which is to ensure availability of cash appropriate to the environment it is hedging against.

Two key features of derivatives matter here. The first is mark-to-market versus over-the-counter settlement: in the former, you need to top up daily to compensate for short-term losses; in the latter, you only need to pay at the maturity date.  The other feature is linearity versus non-linearity. Futures and forward contracts may have no floor: there is symmetry in your gain or loss. Options allow setting a floor to the loss, while keeping the option to benefit from the event.
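As an added worked example (not from the Froot, Scharfstein and Stein paper or from this post), the Python below compares the three cash positions the paragraph describes for a euro-based manufacturer with USD receivables: unhedged, sold forward (linear, symmetric gain or loss, fixed proceeds), and protected with an option (a floor on proceeds, upside kept, premium paid). It also simulates the daily mark-to-market top-ups of a forward or futures hedge along a constructed rate path, the mid-contract cash drain the paragraph contrasts with paying only at maturity. All amounts, rates, the option premium and the rate path are constructed assumptions.

```python
"""Forward vs option hedge of USD sales for a euro-based manufacturer.

Constructed illustration: every number here is made up for the example.
Rates are quoted as USD per EUR, so a HIGHER rate means a stronger euro,
i.e. fewer euros received for each dollar of sales.
"""


def eur_value(usd_amount: float, usd_per_eur: float) -> float:
    """Convert a USD amount into EUR at the given USD/EUR rate."""
    return usd_amount / usd_per_eur


def unhedged(usd_sales: float, spot_at_maturity: float) -> float:
    """No hedge: EUR proceeds move one-for-one with the spot rate."""
    return eur_value(usd_sales, spot_at_maturity)


def forward_hedged(usd_sales: float, forward_rate: float) -> float:
    """Sell the USD forward: EUR proceeds are fixed whatever spot does.
    Linear payoff, no floor and no ceiling relative to the unhedged case."""
    return eur_value(usd_sales, forward_rate)


def option_hedged(usd_sales: float, spot_at_maturity: float,
                  strike: float, premium_eur: float) -> float:
    """Right (not obligation) to sell USD at the strike: a floor on EUR
    proceeds, upside kept if the euro weakens, premium paid up front."""
    floor = eur_value(usd_sales, strike)
    return max(eur_value(usd_sales, spot_at_maturity), floor) - premium_eur


def forward_gain_vs_unhedged(usd_sales: float, spot_at_maturity: float,
                             forward_rate: float) -> float:
    """Hedge gain (positive) or loss (negative) relative to not hedging.
    Symmetric: a stronger euro gives a gain, a weaker euro an equal-sized loss."""
    return forward_hedged(usd_sales, forward_rate) - unhedged(usd_sales, spot_at_maturity)


def daily_variation_margin(usd_sales: float, forward_rate: float,
                           daily_rates: list[float]) -> list[float]:
    """Daily mark-to-market settlement of a short-USD forward/futures hedge.
    Each entry is that day's EUR cash flow: negative means the company must
    top up its margin account, positive means cash is returned to it."""
    flows = []
    previous_value = 0.0
    for rate in daily_rates:
        # Value of the hedge today = locked-in proceeds minus proceeds at today's spot.
        value = eur_value(usd_sales, forward_rate) - eur_value(usd_sales, rate)
        flows.append(value - previous_value)
        previous_value = value
    return flows


def worst_cumulative_drain(flows: list[float]) -> float:
    """Most negative running balance: the cash the company must find mid-contract,
    even if the hedge finishes in profit."""
    running, worst = 0.0, 0.0
    for flow in flows:
        running += flow
        worst = min(worst, running)
    return worst


if __name__ == "__main__":
    # Constructed scenario: USD 1m of sales, forward/strike at 1.10, premium EUR 15k.
    usd_sales, forward_rate, premium = 1_000_000.0, 1.10, 15_000.0
    print(f"{'spot':>6} {'unhedged':>12} {'forward':>12} {'option':>12}")
    for spot in (0.95, 1.00, 1.10, 1.20, 1.25):
        print(f"{spot:>6.2f} {unhedged(usd_sales, spot):>12,.0f} "
              f"{forward_hedged(usd_sales, forward_rate):>12,.0f} "
              f"{option_hedged(usd_sales, spot, forward_rate, premium):>12,.0f}")

    # Constructed rate path: euro first weakens, then strengthens by maturity.
    path = [1.10, 1.05, 1.00, 1.08, 1.25]
    flows = daily_variation_margin(usd_sales, forward_rate, path)
    print("daily margin flows:", [round(f) for f in flows])
    print("final hedge result:", round(sum(flows)),
          "worst mid-contract drain:", round(worst_cumulative_drain(flows)))
```

Note how the forward ends up ahead of the unhedged position at maturity, yet on the way there the daily settlement demanded roughly ninety thousand euros of cash, exactly the funding gap the paper says risk management exists to avoid.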

The Risk-Return Effects of Strategic Responsiveness: A Simulation Analysis

Torben Juul Andersen and Richard A. Bettis

Summary:

Companies in turbulent, dynamic markets experience volatility in their performance. The turbulence described here is not only a case of going back and forth, or of cyclical changes, but a case of structural changes.   Companies need to learn about the new changes, devise new strategies to adapt to the changed market, and implement those strategies.  This is called strategic responsiveness.

The paper creates a simulation model to determine the risk and return effects of being strategically responsive.

Organisations learn in at least three ways. One, they gain new knowledge (perhaps a better mental model) and notice that current performance can be improved.

First order learning involves improving current processes. Second order learning creates new knowledge which changes practices.  Continuous improvement may lead to very efficient processes that are no longer required.

Competitive advantage arises from knowledge creation, which increases the range of strategy options.  Market learning, which is about acquiring insights into market conditions, prepares the way for taking steps to capitalise on those conditions.

The simulation model finds that strategic responsiveness does play a part in improving performance in a dynamic environment.  It does not require perfect learning since perfect learning costs more and the extra cost offsets the improvement in cashflow.  Strategic responsiveness is a way to achieve higher performance at lower risk.

When to trust your gut

Alden Hayashi, Harvard Business Review

Summary:

Many decision situations do not lend themselves to quantitative analysis.  For one thing, the situation may be so complex that quantitative analysis simply cannot be applied. Examples include areas in public relations, which person to hire, research, marketing, and strategy.

In other cases there just is not enough data to perform quantitative analysis.

Even if data could eventually become available, there are times when decisions have to be made quickly, or else the opportunity is gone. There is no time to gather and analyse data in a systematic and rational manner. Situations like this can be expected to become more common in today’s increasingly turbulent and globalized economy, where things can change at the drop of a hat.

Executives in the strategic positions of organisations often face these types of situations.  They have to rely on gut instinct to make their decisions.  Although in some cases they are provided the results of quantitative analysis, the numbers are often biased to show why something is a good thing.  For example, mergers and acquisitions often show why the merger would succeed (from a quantitative point of view).  The executives have to rely on their instinct to tell them why it might not work.

The question for a decision maker then is how to tune in to your inner instincts and how to tune your inner instincts.

Executives and researchers discover that you need to have your subconscious knowledge emerge and connect with your conscious knowledge.  This can be done through meditative activities such as driving, day-dreaming, showering, and so on – it all depends on what works for you.

Our emotions assist in the decision making process by filtering out patterns that do not apply and by emphasising patterns that apply. In a sense, our emotions sort out and shortlist the considerations that our rational part of the brain can work with. When making decisions, be aware of your emotions and take them into consideration.

Gut instinct is simply based on rules and patterns we have within our subconscious. Some patterns may be built-in (true instincts).  Some are acquired through experience.

The quality of our gut instinct depends on the number of patterns our subconscious stores, the variety of those patterns, and how well it is able to interconnect them.  The number of patterns comes from our experiences; the variety comes from the variety of those experiences.

Instincts do not guarantee correct decisions. We need to continually self-assess our decisions and ‘train’ our instincts.  We can do this by reviewing our past decisions, reviewing why they were wrong, or why they were right.

Finally, it is important not to fall in love with your original decisions, but to keep flexible and adjust them as new information becomes available.

Contemporary Enterprise-Wide Risk Management Frameworks: A Comparative Analysis in a Strategic Perspective

Per Henriksen and Thomas Uhlenfeldt

Summary:

Many risk management frameworks claim to be holistic and ‘enterprise-wide’.  Henriksen and Uhlenfeldt argue that for a risk management framework to be truly holistic and strategic, it must address the strategy creation process and not just the strategy implementation arena.  It is in the area of strategy process where many strategic risks are created. Hence, an enterprise-wide risk management system that does not lend itself to be used in the strategy creation process falls short of the mark. 

The authors investigate 4 ERM frameworks that claim to be holistic: DeLoach EWRM, COSO ERM, FERMA (a precursor to the current IRM Risk Management Standard), and AS/NZS 4360:2004.  Their study reveals that while these frameworks claim to be applicable at the strategic level, they fall short of providing actionable guidance on how risk management can be performed concurrently with the strategic processes.

A key weakness lies in the frameworks’ treatment of consolidating, prioritizing, and communicating key risks.  The very point of ERM is to consolidate the key risks faced by the organisation so that it can allocate scarce resources most effectively. The frameworks provide little, if any, guidance on how this consolidation, prioritisation, and organisational communication can be done.

The frameworks also acknowledge that risks can result in positive opportunities for the organisation but provide little guidance on how to take advantage of this.  Since the frameworks are not integrated with the strategy creation process - where the biggest opportunities to identify and seize opportunities exist - the frameworks’ take on positive risks is not that helpful.  The authors recognise that in the real world, preventing losses is the focus of management and identifying opportunities is generally the remit of strategy.

Hence, while risk management in theory helps in identifying and seizing opportunities, this is seldom done in practice.  The orientation of the frameworks in the process steps is still heavily slanted toward negative risks.

The frameworks add some value in that they pave the way for common risk language and processes across an organisation.

“Communicating Risk”, Dickson Chapter 9

A. Introduction

B. Communicating Risk Information

C. Reports

C.1 Preparation for Report Writing

C.2 Know Your Reader

C.3 Purpose

C.4 The Parameters of the Report

C.5 Management Support

C.6 Timing

C.7 Format of the Report

C.8 Writing the Report

D. Oral Presentations

Kelly, P. (2007) Risk Decisions, Unit 2

Mod 3/2
A. Decision Makers
B. Personality
C. Attitudes
D. Beliefs
E. Perception
F. Judgement
G. Heuristics
H. Risk Behaviour – Propensity and Perception
I. Predictors of Risk Behaviour
I.1 Individual Characteristics
I.2 Organisational Characteristics
I.3 Problem Characteristics
J. Risk Taking Culture
K. Risk Philosophies
L. Organisational Risk Philosophy
M. Activity – Assess Your Own Personality
N. Culture and Practice
O. Risk Thinking Models
P. Activity – Managing Telecoms Risk
Q. Risk and Uncertainty
Q.1 What is Risk?
R. The Risk Management Process
S. Traditional Approaches
T. New Approaches to Business Risk
U. New Simple Approaches
V. Structuring Risk Problems and the Problem of Prediction in Turbulent Environments
W. Sources and Consequences of Bias
X. Treating Risk
Y. Related Issues
Z. Summary
AA. Risk Decisions
BB. Activity – Read Article ‘Risk Management Risks’
CC. The Risk Management Process
DD. Telecoms Risk
EE. Findings
FF. Risk Decisions and Findings of Risk Professionals
GG. Risk Management Risks
HH. The Risk Management Risks
II. Concluding Remarks
JJ. Standards and Governance
KK. External Expectations for Risk Management
LL. What Does this Mean for Risk Decision Making?
MM. Activity – Research Risk Standards From Around the World
NN. Participation
OO. A
Final Word

“Risk and Human Behaviour” Dickson Chapter 2

Mod 3/2

A. Introduction

B. Risk and Human Behaviour

C. Measuring Attitude Towards Risk

C.1 The Standard Gamble

C.2 Perception of Risk

C.3 Value of Measuring Attitudes Towards Risks

D. Risk in Decision Making

D.1 The Decision Making Process

D.2 Problem Recognition

D.3 Problem Definition

D.4 Structure of Decisions

E. Groups and Risk Taking

E.1 Risky Shift

E.2 Choice Shift

“Inter-Personal Barriers to Decision Making” Argyris Chapter 4

Mod 3/2

A. Introduction

B. Words Vs Actions

B.1 Practical Consequences

C. Why the Discrepancy?

C.1 Basic Values

C.2 Influence on Operations

D. Some Consequences

D.1 Restricted Commitment

D.2 Subordinate Gamesmanship

D.3 Lack of Awareness

D.4 Blind Spots

D.5 Distrust & Antagonism

D.6 Processes Damaged

E. What Can Be Done?

E.1 Blind Alleys

E.2 Value of Questions

E.3 Working With the Group

E.4 Utilizing Feedback

E.5 Laboratory Training

E.6 Open Discussion

“Humble Decision Making” Etzioni Chapter 3

Mod 3/2

A. Introduction

A.1 Incrementalism

A.2 Focused Trial and Error

A.3 Tentativeness

A.4 Procrastination

A.5 Decision Staggering

A.6 Fractionalizing

A.7 Hedging Bets

A.8 Maintaining Strategic Reserves

A.9 Reversible Decisions

“Risk Analysis” Dickson Chapter 8

Mod 3/2

A. Introduction

B. The Meaning of Probabilities

C. Derivation of Probabilities

C.1 A Priori

C.2 Relative Frequency

C.3 Subjective

D. Combining Probabilities

D.1 Alternative Events

D.2 Joint Events

D.3 Probability Trees

E. Probability Distributions

E.1 Discrete and Continuous Variables

E.2 Actual and Theoretical Distributions

F. The Normal Distribution

F.1 Using the Normal Distribution

G. Binomial Distribution

Kelly, P. (2007) Risk Decisions, Unit 1

Mod 3/1

A. A Beginning

B. Decision Making Theory and Models

C. Decision Making Strategies – An Introduction

C.1 Activity – Reading and Reflecting

1 Framing Risk Management Problems – Common Elements

2 Time Horizons

3 Externalities

4 Data Credibility

5 Interdependencies

6 Uncertainty Recognition

7 Measurement of Costs and Benefits

“Probability”, Dickson Chapter 8

Mod 3/1

A. Introduction

B. The Meaning of Probabilities

C. Derivation of Probabilities

C.1 A Priori

C.2 Relative Frequency

C.3 Subjective

D. Combining Probabilities

D.1 Alternative Events

D.2 Joint Events

D.3 Probability Trees

E. Probability Distributions

E.1 Discrete and Continuous Variables

E.2 Actual and Theoretical Distributions

F. The Normal Distribution

F.1 Using the Normal Distribution

G. Binomial Distribution

“Risk Analysis”, Dickson Chapter 1

Mod 3/1

A. Introduction

B. The Nature of Risk Analysis

B.1 Risk and Human Behaviour

B.2 Risk Analysis Methodology

B.3 Statistical Analysis

C. The Risk Management Standard

C.1 Risk Identification

C.2 Risk Description

C.3 Risk Estimation

C.4 Risk Analysis Methods and Techniques

C.5 Risk Profile

D. The Cost of Risk

D.1 The Cost to Individuals

D.2 The Costs to the Country

E. The Cost of Risk Analysis

F. Conclusion

1.1 Drucker, et al. (2001) The Effective Decision Chapter 1, Harvard Business Review

Paper Outline

A. Introduction

B. Sequential Steps

C. The Classification

D. The Definition

E. The Specifications

F. The Decision

G. The Action

H. The Feedback

I. Concluding Note

7 Deadly Sins – Illusory Correlation

Or ‘magical thinking’ as Massimo Piattelli-Palmarini calls it.  This is about making positive correlations even though the supporting data is weak.  Sometimes we notice only data that supports our hypothesis and ignore data that doesn’t.

An example of magical thinking goes like this. We come across a few people who exhibit a certain symptom and also a certain illness, and we associate that symptom with the illness, such that if we see that symptom, then we decide that the illness is also present.

You see someone with red spots, and you diagnose measles.

We forget that sometimes the same symptom appears for a different illness.  Or the illness is present without that symptom.

7 Deadly Sins – Overconfidence

Massimo Piattelli-Palmarini writes in his deliciously written book “Inevitable Illusions” about the 7 deadly sins of our cognitive illusions.

His first sin is overconfidence. This is where we feel certain about our knowledge of something, but our knowledge does not really warrant such confidence.

He describes experiments where subjects are asked to answer questions and then rate how confident they are about each answer.  Experiments show that our confidence leads our knowledge.

We think we know something more than we really know.

The results of the experiments also bring about something sobering: we are most overconfident in areas we are more knowledgeable about.  That is, the difference between the level of our overconfidence and knowledge in these areas is bigger than the difference between our level of overconfidence and knowledge in other areas - hence we tend to make mistakes of overconfidence in our areas of expertise.

On Issues Versus Risks

Whenever you find yourself in an introductory presentation on risk management, you can expect to hear a question like: “What’s the difference between an issue and a risk?” The expected answer seems to always be: “A risk is something that may or may not happen, while an issue is something that has already happened.”

Correct enough, but this description falls short of conveying any relationship between the two.

Here’s one I coined, I like, and plan to use and re-use: “Issues are the risks you failed to manage, now come to haunt you.”

The sentence makes clear that many of the issues that you face could have been mitigated if only you had done proper risk management.  The assertion is not always true of course.  Some issues just come from unpredictable circumstances, and no risk management is that perfect.  So surely,  there are exceptions, but the strong assertion of the sentence emphasises just that – that exceptions are the exception.

I believe I originally picked up this relationship from Bill Duncan. A few years ago he quoted someone he knew who said that in a good risk management process, all the issues that arise will have been previously identified in the risk register. So it’s not my original idea, but I like the “now come to haunt you” bit, which is mine.

ISO 31000:2009 The Effect of Uncertainty on Objectives

For several weeks, I had been consumed with trying to understand what the new definition of risk really means.

As anyone involved in risk management knows, late last year the ISO published the new Risk Management Standard known as ISO/IEC 31000:2009. One of the innovations in this standard is a new definition of risk -- a rather oddly phrased definition, in my view. The new definition says that risk is "the effect of uncertainty on objectives."

Clear as mud? Compare that with the previous definition used by a de facto worldwide standard. AS/NZS 4360:2004 defined risk as "the chance of something happening that will have an impact on objectives." Here risk is clearly tied to "something happening". Risk is an event or a circumstance (together with its chance of happening).

In the new ISO definition, risk is the "effect of uncertainty". This is quite unfortunate, because “uncertainty” is not about how things will happen; it is about our state of knowledge, our lack of knowledge about how things will turn out. Events will happen; we just don't know which and when. Uncertainty is our ignorance. Even ISO is aware of this, and notes that uncertainty is "the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or likelihood."

If I replace this meaning of uncertainty in the definition of risk, we come up with:

  • Risk = the effect of ignorance on objectives.

Clear as Florida swamp water.

But what about "effect"? What does this word mean? Well, ISO 31000 defines effect as "a deviation from the expected -- positive or negative". So if we use that definition, and insert it into the definition of risk, we get:

  • Risk = the deviation from the expected, due to our ignorance, on objectives.

Which is now really murky.

An inadvertent clarifying light came last night while I was re-reading Elaine Hall's "Managing Risk: Methods for Software Systems Development".  Hall notes that risk is “potential loss.” Since potential means possible, which can be another definition of “uncertain” (not certain = possible = uncertain), and since I know the ISO 31000 wants to incorporate "positive risks" into the new definition of risk, then maybe ISO is trying to say that risk is "loss or gain on our objectives due to events which may occur".

If we rephrase it this way, then it becomes clearer that risk is the loss or the gain (rather than the event).

This is a conceptual shift from the previous definition used in 4360:2004, in which risk is the event and its likelihood ("the chance of something happening").

Let's apply these new definitions to an example risk. Suppose we have to deliver a product by March 30, 2010, and if we fail to deliver it, our client loses $30,000 per day.

Then by 4360:2004's definition, where the risk is the event that has an impact on objectives, the risk is "risk that the product will be delivered late." And the impact / consequence will be that the client stands to lose $30,000 per day.

And by 31000:2009's definition, where the risk is the effect of the event, the risk is "risk of losing $30,000 per day", and the consequence is whatever impact that loss has in turn. What about the event of failing to deliver on time? That becomes a cause of the risk.

Both standards recommend qualification (or if applicable, quantification) of the likelihood of the event, so we should apply some description of likelihood to the risk. Let's say the likelihood of meeting the deadline has been assessed at 90%. So our risks are:

  • Risk as per 4360: 10% chance that the product will be delivered late.
  • Risk as per 31000: 10% chance that the client will lose $30,000 per day.

The definition of risk as per 31000 is consistent with their note: "Note 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.21) of occurrence."

I think I have finally nailed to my satisfaction what the drafters of ISO 31000 mean when they say risk is "the effect of uncertainty on objectives". I still do not like their definition, and I think it is muddled (primarily because of the desire to incorporate positive risks), but I have a workable meaning now, which I can use for further work.