Risk Leadership



  1. European risk and corporate governance solutions. www.strategic-risk.eu [ November 2012 ] Issue 82, €25

     NEWS & ANALYSIS: BAE/EADS merger collapse; Middle East dangers; Global cyber threats

     VIEWPOINTS [ PROFILE ] Andrew Fenton of MBDA reveals the risks faced by businesses operating in the defence sector

     RISKS [ EMERGING ] Fracking offers cheap energy for years to come, but it remains controversial with opinion split on whether the benefits really outweigh the risks

     GOVERNANCE [ COMPLIANCE ] Deferred prosecution agreements are set to bring a US-style system of plea bargaining to the UK

     THEORY & PRACTICE [ BEST PRACTICE ] How to stop the payment delays that can cause serious damage to business, particularly in the current economic climate

     Risk Innovation: Managers in Germany continue to lead the way in risk maturity

     Product recall: Careful planning can maintain business continuity in difficult times

     Risk Indicator: Forced labour and the rise of modern slavery

     CHAOS THEORY: Risk managers look to academic concepts to gain advantages in the real world
  2. THEORY & PRACTICE

     Transforming abstract concepts into reality

     From chaos theory to the consideration of unknown unknowns, there’s much risk managers can learn from academic thought

     Risk managers consult a wide range of information sources before making decisions. Facts and data sets combine with historical perspective to shape forecasts and inform judgments.

     But should more risk managers be seeking to gain further insightful advantage through applied study of theoretical behaviour, economic concepts, mathematical constructs and quantums?

     At StrategicRISK, we believe there is a place for original ideas and academic thought leadership that can assist and elevate the process of risk management.

     Even where theoretical opinion appears to offer no exact answer to a specific problem that an individual risk manager may have, there is every possibility it will engage minds to consider other issues in different ways.

     Exploring chaos theory

     Risk managers come from a variety of backgrounds and, as such, may never previously have studied or focused on the expansive academic theory associated with the sector.

     There is clear merit from exploring such ideas as chaos theory, even where its immediate relevance is uncertain, as it stimulates debate and higher thought processes even among sceptics. Lateral thinking engendered by theoretical discourse may, in time, lead to practical real-world solutions.

     Reward through process can sometimes be delivered simply by looking at an issue from a different perspective, perhaps even ignoring some evidence altogether that had been seen as important but is actually little more than distraction.

     Former US defence secretary Donald Rumsfeld was widely ridiculed when he made his now-legendary comments about “known unknowns” and “unknown unknowns”. But seen from the perspective of an inquisitive risk manager, his concept in its most succinct form could be construed as little short of genius.

     Taken at its basic level, serious contemplation of issues we are not yet aware of may seem daunting, if not impossible owing to their very nature. It also makes sense, however.

     Giving serious thought to what you do not know – especially what you do not know you do not know – appears, on the face of it, preposterous. Yet, such radical mental reasoning can also have clear logic by questioning why this is the case.

     Black Swan events are called thus because most reasonable people had not foreseen them. The key word here is “most”.

     The 9/11 attacks are an explicit case in point. These were Black Swans to millions of people – but not, of course, to those who planned and perpetrated them. They knew what was going to happen.

     The essayist and scholar Nassim Nicholas Taleb develops this issue at some length in his risk and probability-themed tome The Black Swan.

     This discourse through the study of randomness sees Taleb pour scorn on our abilities to predict accurately. Or, more specifically, he questions the ability of so-called experts in this field and the business world’s general foolishness for being duped by their arrogance and allowing them to flourish.

     Taleb’s reasons are myriad but include, among others, a general failure to account for the enormous variables connected to events and activity beyond our scope of knowledge and understanding but which occur nonetheless: external factors.

     The other obstruction blocking the path to

     32 StrategicRISK [ NOVEMBER 2012 ] www.strategic-risk.eu
  3. forecasting success comes from the lack of general scrutiny of why previous predictions ended up wildly removed from what actually happened.

     Experts, in Taleb’s view, are no better – and sometimes worse – than novices at making predictions. They just convince us more effectively of their abilities to do so.

     Some risk managers may or may not agree with Taleb on this – particularly as he appears to be questioning the validity of the foundations of their chosen careers. His opinions might seem extreme to some and, in particular, his dismissal as erroneous of so much of what many risk managers hold to be true.

     But Taleb’s views are often based on study seen from extreme perspectives – the eponymous Black Swan – where all possibilities are both possible and impossible.

     Such opinions can be as controversial as they are subjective – unless they are based on a historical study of similar views and their outcomes – but these perspectives also enrich debate, as they broaden the scope of ‘what if?’ open to those in the risk profession, among others.

     The wisdom of crowds

     StrategicRISK wants to encourage more inspired thinking among the profession and invites academics to submit papers for consideration as part of a regular series.

     The first appears across the next three pages and is written by Transport for London (TfL) head of risk, benefits & planning Dr David Hancock.

     In his role at TfL, Dr Hancock is used to dealing on a daily basis with complex problems and behavioural patterns, such as the wisdom of crowds, and the consequences of his decisions help move millions of people around London safely. His paper looks at the benefits of theory for risk managers and the practical applications offered by academic ideas.

     Among the topics assessed are ‘tame messes’ and ‘wicked problems’, along with an analysis of chaos theory – all of which offer relevance in a range of areas covered by the risk management profession.

     Hancock’s perspectives make a compelling argument that real practical benefits can be derived from theoretical concepts – read on to judge for yourself …

     If you would like to submit an academic paper for consideration to run in our series, please email it to mike.jones@strategic-risk.eu.
  4. THEORY & PRACTICE: CHAOS THEORY

     Tame messes and wicked problems: The case for risk leadership

     There is a feeling among risk practitioners that theoretical risk management has strayed from our intuition of the world in which we manage risk daily. Historically, risk management has developed from the numerical disciplines dominated by a preoccupation with statistics (insurance, accountancy, engineering, and so on). This has led to a bias towards the numerical in the world of management of risks.

     It comes as no surprise if we look at the historical roots of this newly emerging discipline. Risk management as a science really took off in the 20th century. It still tended to be dominated, however, by the worlds of mathematics and engineering.

     In 1921, Frank Knight, in Risk, Uncertainty and Profit, distinguished between three types of probability, which he termed “a priori probability”, “statistical probability”, and “estimates”. The standard example of the first type is the odds of rolling any number on a die. The probability of occurrence is known specifically, that is, if there are mutually exclusive and exhaustive events and if they are equally likely, the probability of a given event occurring is 1/n; for a six-sided dice n=6, and the probability of throwing any single number becomes 1/6.

     Statistical probability identifies probability with relative frequency over a long series of events or the proportion of an event in a large population. In this case, risk practitioners need to have observed enough relevant data to make forward predictions. When there is no valid basis for classifying instances, however, only estimates can be made. In this final case, the use of statistical analysis would be meaningless.

     Most risk management practised today focuses predominantly on the first two types of probability, namely either that the outcomes are known definitively, or that there is an underlying number or ‘truth’ that can be found merely by further data analysis and interpolation.

     This type of uncertainty is termed epistemic. It is due to a lack of knowledge about the behaviour of the system. The epistemic uncertainty can, in principle, be eliminated with sufficient study and, thus, expert judgments may be useful in its reduction.

     Alongside the mathematical development in the 1950s, a new type of scientific management was emerging: project management. This consisted of the development of formal tools and techniques to help manage large complex projects that were considered uncertain or risky. It was dominated by the construction and engineering industries, with companies such as Du Pont developing critical path analysis and RAND Corp developing programme evaluation and review technique techniques.

     Following on the heels of these early project management techniques, institutions began to be formed in the 1970s as repositories for these developing methodologies.

     In 1969, the American Project Management Institute (PMI) was founded. In 2009, the organisation had more than 420,000 members, with 250 chapters in more than 171 countries. It was followed in 1975 by the UK Association of Project Managers (changed to the Association for Project Management in 1999) with its own set of methodologies.

     To explicitly capture and codify the processes by which they believed projects should be managed, they developed qualifications and guidelines to support them. But while the worlds of physics, mathematics, economics and science have moved on beyond Newtonian methods to a more behavioural understanding, the so-called new sciences, led by eminent scholars in the field such as Albert Einstein, Edward Lorenz and Richard Feynman, project and risk management appears largely to have remained stuck to the principles of the 1950s.

     Risk management and measuring problems

     The general perception among most project and risk managers that the future can somehow be controlled is one of the most ill-conceived in risk management. At least two advances have been made in the right direction, however. First, we now have a better understanding about the likelihood of unpleasant surprises and, more importantly, we are learning how to recognise their occurrence early on and, subsequently, to manage the consequences when they do occur.

     Pull quote: The perception that the future can somehow be controlled is one of the most ill conceived

     The biggest problem facing us is how to measure all these risks in terms of their potential likelihood, their possible consequences, their correlation and the public’s perception of them. Most organisations measure different risks using different tools.

     They use engineering estimates for property exposures, leading to maximum foreseeable loss and probable maximum loss. Actuarial projections are employed for expected loss levels where sufficient loss data is available. Scenario analyses and Monte Carlo simulations are used when data is thin, especially to answer ‘how much should I apply questions?’

     Probabilistic and quantitative risk assessments are used for toxicity estimates for drugs and chemicals, and to support public policy decisions. For political risks, managers rely on qualitative analyses by experts. When it comes to financial risks (credit, currency, interest rate and market), we are inundated with Greek letters (betas, thetas, and so on), and complex econometric models that are comprehensible only to the trained and initiated. The quantitative tools are often too abstract for laymen, whereas the qualitative tools lack mathematical rigour.

     Organisations need a combination of both tools, so they can deliver sensible and practical assessments of their risks to their stakeholders. Finally, it is important to remember that the result
  5. of quantitative risk assessment development should be continuously checked against one’s own intuition about what constitutes reasonable qualitative behaviour. When such a check reveals disagreement, the following possibilities must be considered:

     • A mistake has been made in the formal mathematical development
     • The starting assumptions are incorrect and/or constitute too drastic oversimplification
     • One’s own intuition about the field is inadequately developed
     • A penetrating new principle has been discovered.

     Only part of the story

     One of the first areas to be investigated is whether the current single classification of projects is a correct assumption. The general view at present appears to treat them as linear, deterministic predictable systems, where a complex system or problem can be reduced into simple forms for the purpose of analysis. It is then believed that the analysis of those individual parts will give an accurate insight into the working of the entire system.

     The strongly held feeling is that science will explain everything. The use of Gantt charts, with their critical paths and quantitative risk models with their corresponding risk correlations, would support this view. This type of problem that can be termed ‘tame’ appears to be only part of the story when it comes to defining our projects, however.

     Tame problems are those that have straight-forward simple linear causal relationships and can be solved by analytical methods, sometimes called the ‘cascade’ or ‘waterfall’ method. Here, lessons can be learnt from past events and behaviours and applied to future problems, so that best practices and procedures can be identified.

     In contrast, ‘messes’ have high levels of system complexity, and are clusters of interrelated or interdependent problems. The elements of the system are normally simple, where the complexity lies in the nature of the interaction of its elements. Their principal characteristic is that they cannot be solved in isolation, but need to be considered holistically. The solutions lie in the realm of systems thinking.

     Project management has introduced the concepts of programme and portfolio management to attempt to deal with this type of complexity and address the issues of interdependencies. Using strategies for dealing with messes is fine, as long as most of us share an overriding social theory or social ethic; if we don’t, we face ‘wickedness’.

     Wicked problems are ‘divergent’, as opposed to ‘convergent’ problems. Wicked problems are characterised by high levels of behavioural complexity. What confuses real decision-making is that behavioural and dynamic complexities co-exist and interact in what we call wicked messes. Dynamic complexity requires high

     Risk management

     1. Works to a defined scope, budget, quality and programme.
     2. Uses the instrumental lifecycle image of risk management as a linear sequence of tasks to be performed on an objective entity using knowledge and procedures.
     3. Manages process to ensure complicated projects of people and technology run smoothly.
     4. Establishes detailed steps, processes and timetables.
     5. Applies concepts and methodologies that focus on risk management for creation or improvement of a product, system or facility, and so on, monitored and controlled against specification (quality), cost and time.
     6. Attempts to control risk by monitoring results, identifying deviations from the plan and developing mitigation actions to return to plan.
     7. Works on the assumption that the risk model is the actual ‘terrain’ (that is, the actual reality ‘out there’ in the world).
     8. Implementer of the risk process. Training and development produces practitioners who can follow detailed procedures and techniques.
     9. Seeks predictability and order.

     Risk leadership

     A. Recognises the possibility of different outcomes and tries to ensure risk activities focus on making an acceptable outcome more likely.
     B. Uses concepts and images that focus on social interaction among people, understanding the flux of events and human interaction, and the framing of projects within an array of social agenda, practices, stakeholder relations, politics and power.
     C. Develops team behaviours and confidence through scenario planning and team building to identify and respond to risks and opportunities.
     D. Understands the ‘many acceptable futures’ proposition and manages risk to produce changes needed to achieve acceptable result.
     E. Applies concepts and frameworks that focus on risk management as value creation, while aware that ‘value’ and ‘benefit’ will have multiple meanings linked to different purposes.
     F. Adapts the risk process to overcome political, bureaucratic and resource barriers to developing change in behaviours through trust and managing expectations.
     G. Is based on the development of new risk models and theories that recognise the complexity of risk and its management and that the model is one part of a complex ‘terrain’.
     H. Is a reflective listener: learning and development facilitates the development of reflective practitioners who can learn, operate and adapt effectively in complex environments.
     I. Has learnt to live with chaos, complexity and uncertainty and leads by example to a successful result.
  6. THEORY & PRACTICE: CHAOS THEORY

     level conceptual and systems thinking skills; behavioural complexity requires high levels of relationship and facilitative skills. The fact that problems cannot be solved in isolation from one another makes it even more difficult to deal with people’s differing assumptions and values. People who think differently must learn about and create a common reality, one that none of them initially understands adequately. The main thrust to the resolution of these types of problems is stakeholder participation and ‘satisficing’.

     Many risk planning and forecasting exercises are still being undertaken on the basis of tame problems that assume the variables on which they are based are few, that they are fully understood and able to be controlled. But uncertainties in the economy, politics and society have become so great as to render counterproductive, if not futile, this kind of risk management that many projects and organisations still practise.

     Chaos and risk

     At best, projects should be considered as deterministic chaotic systems rather than tame problems. This is not using the term ‘chaos’ as defined in the English language that tends to be associated with absolute randomness and anarchy (Oxford English Dictionary describes chaos as “complete disorder and confusion”), but based on the Chaos Theory that was developed in the 1960s.

     This theory showed that systems that have a degree of feedback incorporated in them, that have tiny differences in input, could produce overwhelming differences in output (see below, left).

     Here, chaos is defined as aperiodic (never repeating) banded dynamics (a finite range) of a deterministic system (definite rules) that is sensitive on initial conditions. This appears to describe projects much better than the linear deterministic and predictable view in which both randomness and order could exist simultaneously within those systems.

     The characteristics of these types of problems are that they are not held in equilibrium either among its parts or with its environment, and are far from being held in equilibrium; the system operates ‘at the edge of chaos’, where small changes in input can cause the project to either settle into a pattern or just as easily veer into total discord.

     For those who are sceptical, consider the failing project that receives new leadership: it can just as easily move into abject failure as settle into successful delivery, and at the outset, we cannot predict with any certainty which one will prevail. At worst, they are wicked messes.

     Conclusion

     How should the risk professional exist in this world of future uncertainty? Not by returning to a reliance on quantitative assessments, statistics and determinism where none exists. We need to embrace its complexities and understand the type of problem we face before deploying our armoury of tools and techniques to uncover a solution, be they the application of quantitative data or qualitative estimates. To address risk in the future tense, we need to develop the concept of ‘risk leadership’, which consists of:

     • Guiding, rather than prescribing
     • Adapting, rather than formalising
     • Learning to live with complexity, rather than simplifying;
     • Inclusion, rather than exclusion, and
     • Leading, rather than managing.

     The implications of the new concept of risk leadership are described on the previous page.

     What does this all mean? At the least, it means we must apply a new approach for risk management for problems that are not tame. We should look to enhance our understanding of the behavioural aspects of the profession and move away from a blind application of process and generic standards towards an informed implementation of guidance.

     What we need to develop are great risk leaders who realise that understanding risk is more of an art than a science, that this truly is the best time to be alive and working in risk, and that perhaps almost everything we thought we knew may turn out to be wrong.

     Dr David Hancock MBA is head of risk, benefits and planning at Transport for London. His book, Messy and Wicked Risk Leadership, is published by Gower

     The Butterfly effect

     In 1961, while working on long-range weather prediction, Edward Lorenz made a startling discovery. While working on a particular weather run, rather than starting the second run from the beginning, he started it part-way through using the figures from the first run. This should have produced an identical result, but he found that it started to diverge rapidly until after a few months it bore no resemblance to the first run. At first he thought he had entered the numbers incorrectly. But this turned out to be far from the case: what he had actually done was round the figures, and instead of using the output of six decimal places he had used only three (.506 instead of .506127). He had considered the difference of one part in 1,000 inconsequential, especially as a weather satellite being able to read to this level of accuracy was considered unusual. But this slight difference had caused a massive variation in the result. This gave rise to the idea that a butterfly could produce small undetectable changes in pressure that would be considered in the model, and this difference could result in altering the path of, delaying or stopping a tornado.

     Pull quote: This gave rise to the idea that a butterfly could alter the path of, delay or stop a tornado
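An added illustration of the "Chaos and risk" definition and the Butterfly effect sidebar; it is not part of the original article. It assumes the logistic map with a feedback strength of 3.9 as a stand-in deterministic system with feedback (it is not Lorenz's weather model) and starts it from the sidebar's two figures, .506127 and .506.

```python
"""Sensitivity to initial conditions, using the rounding quoted in the sidebar.

Assumption: the logistic map x -> r * x * (1 - x) stands in for "a
deterministic system with feedback". It is NOT Lorenz's weather model.
"""

R = 3.9              # assumed feedback strength, inside the map's chaotic regime
FULL = 0.506127      # six-decimal starting figure quoted in the sidebar
ROUNDED = 0.506      # the same figure rounded to three decimals


def trajectory(x0, steps, r=R):
    """Iterate the map; every output is fed back in as the next input."""
    xs = [x0]
    for _ in range(steps):
        xs.append(r * xs[-1] * (1.0 - xs[-1]))
    return xs


def first_step_exceeding(gap_series, threshold):
    """Index of the first step whose gap is above threshold, or None."""
    for step, gap in enumerate(gap_series):
        if gap > threshold:
            return step
    return None


def compare(steps=200, threshold=0.1):
    """Run both starting figures through identical rules and compare them."""
    full = trajectory(FULL, steps)
    rounded = trajectory(ROUNDED, steps)
    gap = [abs(a - b) for a, b in zip(full, rounded)]
    return {
        "initial_gap": gap[0],            # about one part in ten thousand
        "gap_after_5": gap[5],            # short horizon: runs still agree
        "max_gap": max(gap),              # long horizon: runs are unrelated
        "diverged_at": first_step_exceeding(gap, threshold),
        # "banded": values never leave a finite range
        "banded": all(0.0 <= x <= 1.0 for x in full + rounded),
        # "deterministic": same rules and same input give the same run
        "deterministic": trajectory(FULL, steps) == full,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>14}: {value}")
```

The short-horizon and long-horizon gaps are the point for forecasting: both runs obey the same rules and stay in the same range, yet only the first few steps of one run say anything useful about the other.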