Those of you who have heard me speak in the past couple of years know how vocal I am in my view that inconsistent nomenclature is a significant problem in our profession. Without normalized terminology, we sow confusion, waste time in religious arguments, and severely limit our ability to consistently and reliably measure risk. To highlight this problem, I took advantage of the fact that I was the opening act in the seminar. Knowing that the people attending this seminar were going to see presentations on “risk” from several different people, I asked them to pay attention to the variances in how presenters used foundational terminology, like “risk”. I didn’t suggest that one definition was better than another — just asked them to notice the differences and then ask themselves whether or not this is a problem.
Each of the other presenters — who didn’t know in advance that I was going to do this — handled my curveball well and gracefully in their own way. One took the opportunity to highlight the differences in his use of terms, others admitted the differences but remained a bit noncommittal, and still others simply didn’t address it. Regardless, the people in attendance had the opportunity to witness and consider the differences.
More agreement than disagreement
The presenter who highlighted the differences in his use of terms was Norman Marks. I had heard of Norman and knew of his excellent reputation, but I hadn’t met him before. For those of you who don’t know him, he’s a class act. Extremely knowledgeable and professional.
I’m very glad I had the opportunity to hear Norman speak, because it clarified a few things for me regarding the perspective on risk that he subscribes to (the ISO view). Now, before I get into the differences between how Norman and I see the risk world, I want to highlight the many things we agree on.
The points we disagree on boil down to two things (at least on the surface):
Before elaborating on these differences, let me briefly explain (as best I can) the basis for Norman’s position as he shared it in New Orleans.
Risk Management Today Isn’t Providing Value
According to Norman, many senior executives believe their risk management organizations provide little practical value by focusing on problems and compliance. Too often, “risk” is presented without the context of the other side of the coin — the opportunities and value proposition associated with decisions and conditions. In Norman’s view, this means that risk management professionals need to be able to speak to both sides of the coin in order to provide value.
I both agree and disagree with Norman on this point. I agree that risk management professionals too often don’t provide meaningful information to their executives. However, I disagree that this means we should be responsible for analyzing, measuring, and communicating about the opportunity side of decisions. In fact, in the years since developing and applying FAIR, the feedback I’ve invariably gotten from senior executives is that I am fulfilling the value proposition they expect of me in my role. My expectation has been — and theirs seems to be — that information regarding the opportunity side of their decisions is already being provided by the business executives.
When I shared my experience and expectation with Norman, he expressed a suspicion that, while my methods may be enabling me to provide valuable information about the downside, he doubts that information regarding the opportunity side of the equation was as rigorously evaluated and communicated to my decision-makers. He may be right, I’m not in a position to say. It’s my opinion, though, that it’s a leap to assume that the solution to incomplete and unbalanced information is to make it the responsibility of risk management to cover both sides of the decision-making coin. That said, he may have a point…
A New Role Altogether?
Something else Norman said during his presentation was that it might be useful to drop the word “risk” from the conversation altogether. Instead, perhaps the role in an organization that is responsible for evaluating and communicating the up-side and down-side of decisions should be referred to as “Decision Support” (or something similar). I don’t see a problem with that solution. In fact, it sounds very much like an economist or perhaps business analyst role. Since those roles already exist in many organizations, perhaps the solution is to evolve, clarify, and formalize the expectations for those roles.
Regardless, I can't support referring to that role as “Risk Management” because it would require a definition of “risk” that is problematic in a host of ways. My explanation for this will be covered in my upcoming blog post on the ISO 31000 definition of “risk.” Stay tuned…
BTW – Norman has published a book that I haven't read yet, but that undoubtedly contains some excellent material. You can find it here.
He also has a blog, which can be found here.