This past week I had the privilege of taking part in the Risk Management Summit 2016 that was part of the MIS | TI conference in New Orleans. I was joined by several contemporaries who all brought the wealth of their experience to the event. And this is where it got interesting…
Those of you who have heard me speak in the past couple of years know how vocal I am in my view that inconsistent nomenclature is a significant problem in our profession. Without normalized terminology, we sow confusion, waste time in religious arguments, and severely limit our ability to consistently and reliably measure risk. To highlight this problem, I took advantage of the fact that I was the opening act in the seminar. Knowing that the people attending this seminar were going to see presentations on “risk” from several different people, I asked them to pay attention to the variances in how presenters used foundational terminology, like “risk”. I didn’t suggest that one definition was better than another — just asked them to notice the differences and then ask themselves whether or not this is a problem.
Each of the other presenters — who didn’t know in advance that I was going to do this — handled my curveball well and gracefully in their own way. One took the opportunity to highlight the differences in his use of terms, others admitted the differences but remained a bit noncommittal, and still others simply didn’t address it. Regardless, the people in attendance had the opportunity to witness and consider the differences.
More agreement than disagreement
The presenter who highlighted the differences in his use of terms was Norman Marks. I had heard of Norman and knew of his excellent reputation, but I hadn’t met him before. For those of you who don’t know him, he’s a class act. Extremely knowledgeable and professional.
I’m very glad I had the opportunity to hear Norman speak, because it clarified a few things for me regarding the perspective on risk that he subscribes to (the ISO view). Now, before I get into the differences between how Norman and I see the risk world, I want to highlight the many things we agree on.
- The fundamental purpose of risk analysis is to help decision-makers make well-informed decisions.
- In order to be well-informed, decision-makers require an understanding of both the potential upsides and downsides of the decisions they face.
- Today, decision-makers often are not provided the information they need to make well-informed decisions.
- Common techniques like heat maps, the over-focus on compliance, the reliance on “best practice” and the absence of critical thinking all contribute to poorly-informed decisions.
- Many risk management professionals aren’t well-prepared to do the kinds of analyses that should be part-and-parcel of the role.
- It is crucial to keep in mind that the ultimate focus should be on helping our organizations succeed. Avoiding significant failures is simply one aspect of making that happen.
The points we disagree on boil down to two things (at least on the surface):
- The role of risk management.
- The definition of “risk”.
Before elaborating on these differences, let me briefly explain (as best I can) the basis for Norman’s position as he shared it in New Orleans.
Risk Management Today Isn’t Providing Value
According to Norman, many senior executives believe their risk management organizations provide little practical value by focusing on problems and compliance. Too often, “risk” is presented without the context of the other side of the coin — the opportunities and value proposition associated with decisions and conditions. In Norman’s view, this means that risk management professionals need to be able to speak to both sides of the coin in order to provide value.
I both agree and disagree with Norman on this point. I agree that risk management professionals too often don’t provide meaningful information to their executives. However, I disagree that this means we should be responsible for analyzing, measuring, and communicating about the opportunity side of decisions. In fact, in the years since developing and applying FAIR, the feedback I’ve invariably gotten from senior executives is that I am fulfilling the value proposition they expect of me in my role. My expectation has been — and theirs seems to be — that information regarding the opportunity side of their decisions is already being provided by the business executives.
When I shared my experience and expectation with Norman, he expressed a suspicion that, while my methods may be enabling me to provide valuable information about the downside, he doubts that information regarding the opportunity side of the equation was as rigorously evaluated and communicated to my decision-makers. He may be right, I’m not in a position to say. It’s my opinion, though, that it’s a leap to assume that the solution to incomplete and unbalanced information is to make it the responsibility of risk management to cover both sides of the decision-making coin. That said, he may have a point…
A New Role Altogether?
Something else Norman said during his presentation was that it might be useful to drop the word “risk” from the conversation altogether. Instead, perhaps the role in an organization that is responsible for evaluating and communicating the up-side and down-side of decisions should be referred to as “Decision Support” (or something similar). I don’t see a problem with that solution. In fact, it sounds very much like an economist or perhaps business analyst role. Since those roles already exist in many organizations, perhaps the solution is to evolve, clarify, and formalize the expectations for those roles.
Regardless, I can't support referring to that role as “Risk Management” because it would require a definition of “risk” that is problematic in a host of ways. My explanation for this will be covered in my upcoming blog post on the ISO 31000 definition of “risk.” Stay tuned…
BTW – Norman has published a book that I haven't read yet, but that undoubtedly contains some excellent material. You can find it here.
He also has a blog, which can be found here.