Norman Marks, a well known writer and thinker on risk management, has just had published a challenging book World Class Risk Management. Grant Purdy was asked to review the book as it was being written and to write the Forward, shown below.
You can obtain a copy of Norman's book here.
People seek to achieve their overall goals by taking and implementing decisions against an environment that creates uncertainty. Quite simply, we are never sure quite how things will turn out when we make a decision; we always have incomplete and imperfect knowledge. Whether we call the effect this uncertainty has on our objectives “risk” or give it some other label doesn’t change that reality.
On this basis, it makes sense that the purpose of managing this artificial concept we call “risk” is to improve decision-making so as to make it more likely that our subsequent actions will contribute as much as possible to the achievement of our objectives. It has no other valid role, whatsoever.
And it further makes sense that to achieve this purpose, the relevant sources of uncertainty associated with the proposed decision must first be detected by considering different scenarios and the nature and magnitude of the uncertainty and its implications explored and understood. Then, as necessary, our decision can be varied to ensure that the level and nature of the uncertainty we face are acceptable.
This is the process that we all intuitively follow when we make our decision to cross the road – we understand the risk, decide if it is OK and either cross now or delay until the risk is more acceptable.
It follows that, despite the general use of the term, risk is neither inherently good nor inherently bad. It is a neutral concept that is just a part of life and we must make of it what we can. However, if it is only viewed as bad, then this can lead us and our organisations to fail to expose themselves to the sorts of risk that are necessary for their objectives. Similarly, unless risk is always seen as being inseparably associated with objectives there will be confusion as to what is or is not risky. For example, there is a marked difference between how an approaching cyclone is viewed by a homeowner in its path and a company that repairs storm damage.
Of course, we should try to be more systematic and structured in the way we consider and tackle this thing we call risk, to counter some of the normal tendencies humans display when faced with a decision that will affect their future. Being more systematic allows us to:
- Challenge our assumptions and preconceptions before decisions are made, particularly whether the actions we decide to take will lead to success and will contribute to the achievement of our overall goals
- Take appropriate actions to lower uncertainty that outcomes will be successful and that overall goals will be achieved
- See early warning signs that the most important things (often called controls) we rely on for success and to achieve our objectives are not in place or are not fully effective, so that we can take early and pre-emptive action
- Learn systematically from successes and failures in such a way that we can understand how to improve our decision-making next time and ensure the thing we reply on to be successful are in place actually work
- Watch out for changes in our environment (internal and external) that might mean that risk has changed and we need to alter our decision or actions to ensure we are successful.
This process of risk management is, quite naturally, dynamic: it is triggered by the need to make a decision or review a previous decision because something of significance might have changed. It is not a static activity that is meant to occur because of a calendar or some committee meeting cycle that requires the generation of a report.
Unless this process is seen to and (only) used to support decisions, little real value is created. Worse still, these other uses (particularly if framed as compliance) distract from, dilute and confuse the natural risk management process.
The way I view risk and its management has evolved over the years and continues to change. I know that Norman’s thoughts have also evolved and that while he and I come from totally different backgrounds and environments, we have both independently come to the conclusion that making things simpler makes them more obvious, logical and relevant.
However, it seems some others always want to make the simple and useful concepts and processes described above much more complex and opaque. Almost every month we hear of a new confection invented to explain the subject and which, in the process, confuses people even more. Many of these seem to fall within the category of solutions seeking problems and few pass muster on any test of intellectual rigour.
I’m pleased to say that Norman believes, like I do, that less is more and I’m delighted he has used his considerable experience in business to explain risk and its management from first principles, to challenge some of the logically inconsistent, complex and self-serving concepts that currently bedevil the practice and the profession.
Whether you are a manager, an assurance provider or a risk management professional, the way Norman has written this book and the good sense it contains should cause you to rethink your understanding of risk and how you go about recognising and responding to it.
Associate Director, Broadleaf Capital International