Sometimes, it seems that every newspaper edition, news broadcast or news website carries yet another story about a disaster – an event that might have been avoided by better decision making.
But do we ask whether such decisions were informed by risk assessments? And if so, how effective were those risk assessments for informing the decision makers about the risks? Which techniques were used in the risk assessments? Were the results presented in a way that made sense to the decision makers? Do risk assessors follow a good process and so achieve some consistency in results, or do they just get lucky?
During the global financial crisis, questions were raised about the failure of risk management. Were there failures in how the risks were assessed? Were there any risk assessments at all? Were the decisions themselves faulty?
For those who work in the quality management field, risk is in the next version of ISO 9001 and includes consideration of risk – raising more questions about crossovers in language and techniques.
Such questions have interested me for several years and I’m now conducting some post-graduate research at Victoria University in Wellington to try to find some (actually, a few) answers to such questions.
MY RESEARCH SO FAR
A review of academic literature has found little research covering how well risk assessments informed decision makers and – specifically – how decision makers know they could rely on a risk assessment. There is some research touching on these questions but it relates particularly to project management and software development. Yes, we have AS/NZS ISO31000:2009, ISO 22301, OHSAS 18001 – and the COSO enterprise risk management document, plus risk analysis documents – setting out guidance on how to carry out a risk assessment, but there seems to be little research investigating how and how well these work in practice. Do decision makers get the information they need?
Similarly, there is some research covering those risk techniques used in project risk management and IT risk management. At this point you may say “But I use techniques A, B and C”. The point is there has been little research to find out which techniques are used by which groups of risk practitioners. Yes, we have an international standard IEC/ISO 31010:2010 Risk management: risk assessment techniques (now published in Australia and New Zealand as Handbook HB 89 Risk management: risk assessment techniques) that sets out 29 risk techniques but my research has found more than double that number that are not in the standard (and you may be familiar with).
So questions arise, such as do all risk assessments cover what ISO31000:2009 calls the context? Do such risk assessments include risk criteria (or, for some practitioners, risk appetite). Which techniques are used to decide who to communicate and consult with?
And then the questions about risk assessment techniques. Which ones are actually used? About half the practitioners I meet use a mixture of professional judgement and some form of 5×5 consequence likelihood matrix. But I live in New Zealand and work in the Asia/Pacific region so there are lots of people I don’t meet, so limiting my first-hand knowledge. So which techniques are being used worldwide in risk assessments? And quality management?
The International Standards Organization is heading towards some commonality in the structure and language of management standards. By my count there are 17 commonly used standards that relate to risk assessments and thus to decision making. Who uses which ones?
Does it matter if we don’t know who which techniques? Perhaps not – but if we don’t know, how can standards-writers know which to include or exclude? How can educators and trainers know which to teach? And perhaps most importantly, how can risk practitioners use the most appropriate techniques to gather the “best available information” (ISO31000:2009, principle f)?
You may be a risk practitioner (for example, a risk manager, emergency manager, risk advisor or safety practitioner), or a person who has to make decisions about or involving risk (for example, a quality manager or consultant, a manager, director or other professional). I would really appreciate your help to answer some of my questions.
THE RESULTS SO FAR
My online survey has now been running for a few weeks. Remembering that risk is defined in ISO31000:2009 as the “effect of uncertainty on objectives”, some patterns are starting to emerge.
Decisions are often supported by risk assessments, but uncertainty and the context are not always mentioned or discussed in detail. However, stakeholders are usually consulted as part of risk assessments. But the survey details start to suggest where some problems might lie.
A simple majority of respondents said they use named risk techniques, suggesting that many do not. And risk criteria (risk appetite to some people) were not always developed or used.
About a third of respondents work in risk management and about half are in New Zealand and Australia. More positively, most have a degree and at least five years experience.
Where does this leave the survey? I need more respondents from other countries and professions. So…
HELP PLEASE!
Participate in the anonymous online survey that forms part of my post-graduate research and help me get a broader picture of risk management practices.
The survey is open to anyone whose work involves any part of decision making, management, or risk management and I hope you’ll find it professionally interesting and stimulating!
Participation is voluntary and confidential and should take about 20 minutes to complete. No information will be identifiable to an individual. The survey closes on 10 October 2014.
I will be presenting survey results at the Risk NZ conference in October 2014 and will offer CERM a summary article. Also, a working paper containing the results will be posted on my professional website www.riskmgmt.co.nz.
I would really appreciate your participation. If you’re ready to start please follow this link http://vuw.qualtrics.com/SE/?SID=SV_4G6EKf9ihsxspZb.
BIO:
Chris Peace is the Principal Consultant and Risk Trainer with Risk Management Ltd, a specialist consultancy based in Wellington (www.riskmgmt.co.nz) and can be contacted via chris.peace@riskmgmt.co.nz. He is increasingly nervous about road travel but loves travelling by boat and train.