Star Trek movie fans will likely recognize “Kobayashi Maru” as a reference to the training exercise used by Starfleet to evaluate how cadets respond to a no-win scenario.
Here’s the exercise…
Describe how you would answer one or both of the following everyday challenges that exist in almost any organization:
- Prioritize three common audit findings (of your choice)
- Perform a cost-benefit analysis on a risk remediation solution (of your choice)
Here’s the catch, though. Your approach has to strictly adhere to the definition of risk used by ISO 31000, which is: “The effect of uncertainty on objectives”. By “strict adherence”, I mean your answer has to:
- Clearly define the objective(s) that would be affected
- Demonstrate how you would measure the effect(s)
- Demonstrate how you would measure uncertainty
Because ISO also states that the effects may be positive or negative, your approach should account for this as well.
I don't believe it can be done... and every example I've seen or heard where someone tried to apply the ISO risk definition turned into a garden-variety measurement of loss likelihood and impact in monetary terms. Of course, just because I haven’t seen a good example or figured out how to apply the ISO risk definition to solve practical decision-making problems doesn't mean it can't be done.
What’s the point?
If our task is to manage something we refer to as "risk", then it is imperative that we're able to pragmatically define and measure it so that we can make informed choices – trade-offs – in terms of the concerns we focus on and the solutions we implement.
The FAIR model for risk analysis is based on a rigorous definition of risk. To learn more about FAIR and how it approaches risk, here are a few links to get you started:
Although I understand the underlying premise behind the ISO risk definition, I believe it is purely philosophical in nature and impractical in practice. As such, at best it is an interesting notion that provides no practical benefit. At worst it confuses practitioners, creates friction on the topic of risk, and impedes meaningful progress in risk management efforts. But maybe I'm wrong. If so, all I need is for someone to demonstrate how to pragmatically apply it to solve decision-making problems like those above.
Jack Jones is Chairman of the FAIR Institute and the creator of FAIR, the international standard for risk quantification.