Practical benefits of defining risk and uncertainty. Part 1.
This article contains several arguments for defining risk and uncertainty. In short, in my opinion a proper definition of risk and uncertainty, agreed among professionals, would bring many benefits both to the domain of risk management itself and to the daily practice of decision makers, analysts and risk professionals.
The structure of this article follows the challenging statements and questions formulated by Alexei Sidorenko, CRMP, while commenting on my previous article "Define or not define risk - is this the right question?". These are as follows:
- The definition of risk matters little if any. Because if we use risk management as a proper decision making tool, we are still going to use scenarios and simulations for complex decisions and decision trees and real options for simpler decisions. Risk management is easy. The word risk doesn't come up once to do good risk management using proper tools.
- It is nonsense to say that the definition of risk helps us understand the nature of risk. Proper risk analysis helps us understand the nature of risk.
- How could the definition of risk influence the risk analysis method when helping a decision maker?
I strongly disagree with the above two statements and the one question, asked from a position with the silent assumption that defining has little impact on the selection of the risk assessment method supporting a decision. Let's examine then why defining risk and uncertainty could be beneficial, why it matters and why, in my opinion, defining, which looks like a theoretical exercise, could influence proper practices and more pragmatic behaviour.
1. The definition of risk matters little if any.
Proper defining is in fact agreement - among thought leaders or professionals - on the respective naming/terminology conventions, based on observed/identified interactions or relations between objects or, in a wider sense, systems. Defining understood in such a way provides the following benefits:
- assists in distinguishing risks from non-risks,
- enables quick identification and differentiation of a competent expert from a non-competent one,
- verifies methodologies used by specific knowledge domains, indicating whether their usage means practising science or non-science - agnosticism based on a set of beliefs,
- identifies misinterpretation or reduction of risk to its components,
- enables efficient and effective communication - quickly clarifies if we are talking/discussing about the same thing,
- last but not least - defining can show the scope and limitations of the subdomain of management which is risk and uncertainty management.
As a result of the above, proper defining of risk and uncertainty helps to recognise the respective conditions in which decisions are made and to apply methods relevant to those conditions. This is, in my opinion, a critical topic.
Let's explore more on the above.
Risk & Non-Risks. How many times in your professional life did you clarify with customers that the "risks" they tried to communicate or analyse were in fact incidents which had already occurred, with known impact or impact not yet known (summons started but not yet completed)? Or how many times was it not a risk because there was nothing you could do (no decision you could make because it was too late…)? Example: "Boss, there is a "risk" that we are late (tomorrow is the deadline) for system delivery". It is not a risk; it is an incident or even a crisis, which must be managed by different methods than those of risk management ;-). The expression of urgency of a risk is often mixed up with a crisis situation that has already started. This impacts the communication of risk. Wherever I met the old school of risk management, I eliminated a lot of such "risks" from project risk registers and transformed them into decision making problems. Summing up: whether anything is still potential or has already happened really matters little? Is this what you are trying to say? ;-) If you do not define risk, you do not know whether it is within your scope.
Competence or skill checking. Many times during recruitment I checked analytical skills by asking: "please state what is the difference between risk and uncertainty" or "based on what criteria would you differentiate data from information?" That is a brilliant and immediate indicator of the way a candidate sets assumptions for a problem, defines it and solves it. I also checked in the same way the potential quality of advisory services, asking potential consultants about the differences between risk appetite and risk tolerance (when I worked for the telecommunication and financial sectors). An automatic competence-related risk indicator ;-)
P.S. I would have no problem if a candidate defined success as failure and failure as success, if she/he could properly set the assumptions for the presented opinion. ;-)
Science and non-science. The definition of risk and uncertainty matters much, as it differentiates science from belief, and differentiates research of a phenomenon from seeking "hidden" meanings of words, which is useless and bad practice - and that is unfortunately what happened in most cases with risk terminology discussions in standardisation. I observe that many anti-definition followers perceive the defining exercise as separate lexicology, semantics, a theoretical exercise which has little in common with risk assessment or decision making itself. I heard long ago that it is characteristic of a specific school of pseudo-thought or pseudo-science: "definition ok, let's say something, but what is real is measurement". The above-mentioned bad practices resemble blind searching for the presumed "meanings" of words instead of carefully observing the elements of the phenomenon and their interactions, which are the subject of study of a given research problem. It introduces ambiguity and hence uncertainty. Apart from the fact that it is a non-scientific approach (lack of agreed observed phenomenon components and ambiguous language allowing miscommunication), such an approach is also not a pragmatic one. Why? If we want to follow the principles of scientific research, we have to define the problem (say what is included and what is excluded) in a way that it could be the subject of repeated attempts or examinations by other scientists, or we have to refuse it. Moreover, this is of course a disintegration (disconnection) of the goal of the research or decision making problem from its scope, and its transformation into measurement methods and results. If you do not properly identify and differentiate (and respectively name it - which is what proper defining is about), you won't observe it; if you won't observe it, you forget it or you will not be aware that you could observe and measure it - and you most probably say that "this is not measurable".
This is in line with Doug Hubbard's approach described in his outstanding book "How to Measure Anything". So in this context defining enables better observations aligned with its primary goals. This is the benefit of proper identification of the level of detail and the differentiation of elements, to analyse the various relations between them at a reasonable level of detail/generality. This also leads to another of Doug's conclusions: "We know that, if we are resourceful, there is a lot more data than you think and you may need much less data than you think to produce a valuable reduction in uncertainty with some trivial math."
Misinterpreting risk with its components. We, as ISO/TC 262, spent quite a lot of time during the preparation of the ISO 31004 guidance on ISO 31000 in 2011-2012 on the fundamental concepts of risk, i.e. in order to clarify them. The purpose of this activity was to enable non-professionals to understand what phenomena are within the scope of risk management, how to express risks, and how to differentiate them from non-risks. In this context, proper defining of risk brings the following benefits:
- Helps to differentiate threats and hazards (potential causes of an event) from risk.
- Helps to differentiate vulnerabilities (weaknesses, selected as one of the attributes of an asset/resource, which may be exploited by a threat or hazard) from risk, and also helps to differentiate vulnerabilities from threats.
- Helps to differentiate controls from vulnerabilities and controls from risk.
- Helps to differentiate impact/consequences from the top/main event, risk from event, and risk from impact.
- Helps to differentiate generic risks from specific risks that are relevant to deal with.
Why are the above-mentioned differentiations important? In order to be able to identify separate analysis/assessment - or, more widely, management - practices around the above components of risk, as distinct from coordinated management of the components of risk. One thing is threat or hazard management (updating a list or catalogue of weather threats, or communicating them to society with a level of threat related to its potential impact - the expected strength of wind in a specific region of the country). The other components, which you can manage separately or in a coordinated way, are: vulnerability management, control/safeguard management, event and incident (insurance claim) management, loss adjusting/crisis management, and reputational (PR) impact management after an event happens. As we can clearly see, some of the above elements may work reasonably well separately, but how to coordinate them in order to add value and contribute to managing risk or assuring the achievement of organisation objectives/financial results is another story. Summing up: risk management is different from threat management, vulnerability management, event, emergency, incident and insurance claim management, and impact/consequence management itself. If you would like to apply MC (Monte Carlo), decision trees and real options to decisions in all those domains, that would simply not be relevant. ;-) But as an experimenter I would even recommend checking it.
Of course, the above-mentioned components are only cause-and-effect chain elements, interesting for the interactions of the risk-related phenomenon. How we could use the management of separate parts for decision making is a separate story. So finally we have here two separate stories: coordination of information flow, delegation of managerial power to coordinate separate items (managements), and using information coming from those separate items to support decision making. As simple as that.
Making sure that we are talking and discussing about the same thing - critical for communication. From time to time I observe a discussion where two opponents exchange arguments on a given topic, and after an hour of clarification they come to the conclusion that they meant something else. ;-) All quarrels, prejudices and attempts to lower credibility before agreeing what the two opponents mean are useless and a waste of energy.
In every training I give, I ask all participants to give me their first thought or association with risk. And in 90-95% of cases I receive wrong answers, based on the definition I apply in practice. What do I call wrong answers? Reduction of risk or uncertainty to the elements composing them (mistaking a set for its element) without having the holistic picture. People asked to recall their meaning of risk directly from their experience in most cases name threats, hazards, sometimes some weaknesses (technically called vulnerabilities), events or consequences alone. From time to time: lack of or incomplete information, or other things. So I clarify both the meaning of the elements and the meaning of risk using the relations/interactions between the above elements. This has a direct implication for saying what the various possible levels of detail of risk analysis are. I call it operationalisation of the risk definition. There is some optimum here - a balance between complication, complexity, too much detail - splitting hairs - and too much generality of analysis, which gives too general or no useful results.
Scope and limitation of the domain of risk management. If somebody is asked what they do and the answer is "I am a carpenter", most probably anyone understands what it means. If you try to answer a similar question asked by young kids, "what does a risk manager do?", they do not understand if you say to them "I help to manage the risk of not achieving organisation objectives". If you answer "I help to make better decisions", they do not understand it. The same with "I help to make sure that the company strategy is executed as planned" or "I help in checking if it is still justified". But if you try like this: "I help to check whether what people planned is really possible to do in the planned time, helping them decide on starting activities according to the plan, or not starting them because of a need to correct the plan or write a brand new plan" - this sounds a bit better. "Why do they need help?" kids could ask. Because we as people make a lot of mistakes while planning and making difficult decisions (there are also simple ones for which nobody needs help). But ok, does this more resemble a financial planner or controller than a risk manager? Yes. So the natural question arises whether it makes sense to identify/differentiate the risk manager as a profession from other professions like planner or controller. Without recalling what risk and uncertainty mean, this actually does not make sense.
Therefore, the risk definition cannot be explained as if it were self-explanatory, as Grant says: "risk is (just) risk". This is an idem per idem mistake (defining by the same word) and simply not clear, but I believe that this is Grant's mental shortcut, as I know him for his outstanding clarity of thinking and reasoning. If we look at how Grant, together with other experts, defined risk in AS/NZS 4360 as "the chance of something happening that will have an impact on objectives" - it was far better and clearer than in ISO 31000; however, in my opinion this definition relates more to uncertainty (I will explore it more in Parts 2 and 3 of this article).
We must also be clear in order not to pretend that we manage risk. Some clarification is required for "risks pretending to be risks" - I call them generic or inherent risks - but not in the meaning we know from bad practices (i.e. inherent versus residual risk). In fact, there are inherent risks - for example, related to bicycle riding - as you cannot disconnect them from riding a bicycle; they are integrally bound to the activity of riding a bicycle and to the decision to select the bicycle as a means of transport or for a relaxing journey. Saying that there is a "risk that I may hurt my head, elbow or knee, which may lead to pain and even loss of satisfaction due to the fact that I cannot ride my bike for the moment" because I decided to ride a bicycle is what I call a "generic risk". Why? Because they are part of living, just as from the fact that a child starts to walk results the "risk" that it may fall, or from the fact that information is confidential results the "risk" that it may be disclosed. I found a lot of such generic risks in risk registers. In that context we should not report such risks, but we should transform them into decision making problems in order to influence them. But here a whole new story begins. What is safe for one person may be perceived by another as bravery or craziness, and based on that they react or do not react (decide or do not decide on something). A mother or father seeing that the child is riding aggressively, very fast or in a bravado style needs to influence it (based on her/his own "safety perception" - risk averse or risk accepting) in order to prevent the child not only from light injuries but above all from heavier ones - and this is the real justification… I reviewed many risk registers of the "old - present (!?) type" only to make people, managers and decision makers aware that it is not necessary to report generic risks or lose time on them. They may use them to identify acceptable or non-acceptable corporate behaviour and modify it. Sounds familiar to your consulting practice?
;-) Those risks which were left in the risk registers (less than 10% of the initial number) I transformed into decision making problems or challenges, and after the transformation and further consultation it appeared that only 2-5% of the initial number remained in the register. ;-)
Saving 95-98% of the time of resources allocated to unnecessary activities is, in my opinion, worth doing. This is about clarity on what risk is and what pretends to be risk.
And you, have you started to be convinced?
Response to the other two challenges in Part 2 of this article.
Group Head of Risk, Insurance and Internal Audit
6 years
https://go.oceg.org/iso-31000-vs-coso-erm-the-great-debate-part-ii-taking-the-right-level-of-the-right-risks-for-success
Group Head of Risk, Insurance and Internal Audit
6 years
I assume you listened to my interview with Grant Purdy and still decided to write this... you and I are on different planets, it seems. To you risk management appears to be about better managing risks; to me risk management is just a decision making tool. If at this point you think it's also about decision making, then I am afraid you don't understand the basic decision making theory or the tools used for decision making. Every single point you make is irrelevant once your objective becomes better decision making. Risks are not the subject of analysis; they are a secondary by-product at best. The problems you describe only exist in artificial, bs methodologies; no such problems when applying proper scenarios, mc or decision trees.