Human beings have been taking considered risks for thousands of years, ever since we  realised that we could understand the past and use this to try and predict the future. In our history the emergence of understanding mathematically the probability of certain events occurring and chaos theory stand out as key milestones in shaping what we now title ‘Risk Management’.

But therein lies the problem. How can we make the best decisions by ‘quantification and numbers, determined by the patterns of behaviour of the past’ (1). Of course we cannot quantify the future and thereby precisely predict what will happen, as it is unknown. But how much can we rely on existing risk management models that have been so often used and increasingly seem to be failing as the 21st Century unfolds?

Whilst this predictive use of the past is useful, it can only go so far, as other ‘subjective’ risk factors come into play. These live in the real world, the ether of the complexity of every day activity. It is one thing to set up a mathematical model that explains everything, it is quite another to apply that model in an environment where the ambiguity and unpredictability of daily life, human choice and interaction can destroy that mathematical model. We need to look no further than the causes of the Financial Crisis of this decade and how risk averse some are becoming as they go against the predictions of mathematical models. Maybe the ‘religion’ of using such models is flawed? How exposed are other Banking, Insurance and Investment sectors to the same phenomena? How exposed are Organisations of all shapes and sizes if they only use these models?

The big question is where do we draw the line between the mathematical world and the subjective? If we can make sense of this, then we will have created tools that merge the two ends of the spectrum together. A spectrum where we don’t just understand numbers but seek to understand what lies beneath them ‘in the ether’ as well.

Risk is about the choices people make, the chances they take based upon the best information they have and their ‘gut’ instincts. If we think about gambling for a moment and some would say this includes investing in the stock market and granting loans, this is what the gambler does. It is where the laws of probability come from. If we use a game of dice then only probability can determine what may happen as there are no external rules to apply, no special throw or how many times the dice should be rolled – hence the probability rules applied are truly predictive. It is very mechanistic as there is no choice that the dice can take in the way they are constructed, unless you cheat, or that the gambler can take in influencing the outcome. The other end of the scale is where the gambler has total choice and there are therefore no set rules in how the gambler acts, it is totally subjective and they have more information on where to place their bet. The laws of probability are less relevant here. Of course, this pure environment doesn’t exist in any every-day part of life, we all have to comply with rules and laws lied down by Society and the physics of the mathematical models.

‘the tools for managing lending risk are situational, positioning that risk decision on a spectrum between the mechanistic mathematical models at one end and the organic subjective on the other‘.

So, in reality, is risk management a science or an art? If we rely on mathematical models it is a science, rely on the subjective then it is an art. But the truth is that all risk decisions except very simple ones are situational; it is therefore neither. Risk Management is Risk Management and we don’t need labels that get in the way of understanding what risk management actually is. But we do need to understand what truly drives risk!

Computer models and Risk Management Matrices are mathematical and only shine a light on the risk of what is already known therefore tangible and visible. What about exposing the invisible and the intangible – the subjective? These are often forgotten or put in the ‘too hard to do box’ , yet bankers, investors and insurers are making decisions based on these models and tools every day and in every transaction. In doing so they are only working with part of the risk picture.

My Company, The HPO Group, has created a risk management methodology and associated tools that work not at either end of this spectrum but across it . In so doing the approach draws information of the tangible and visible and merges this data with the subjective, intangible and invisible to form a much, much richer picture of risk. This better informs these decisions in lending, investment or insurance risk.

In order to do this, the methodology  must firstly understand the situation, the decision to be made. It is not possible to identify the mix of intangible and tangible information needed without understanding this. Just working with generic risk has severe limitations.

From this, the indicators of tangible and intangible risk can be identified. Given the range of indicators it is likely that multiple input sources are needed. For example in making a lending decision for investment in an innovation, the following range of information might be needed: Failure score; Business Plan; Financial Performance; Personal Presentation; Expert Review of the product; Competitive and Market analysis; Sensitivity testing; the Organisation’s culture; People’s Behaviour, The level of insurance cover backing risk, to name a few key concerns.

An understanding of each of these will expose hundreds if not thousands of small indicators of risk. Exposing indicators of risk of the “tangible” is straightforward based on how effective the issue is being managed expressed on a risk continuum.  Understanding the subjective is experiential, what the impact or outcome of choice, the invisible  has on the same risk continuum . As both types of data can be placed on the same risk continuum,  a mathematical probability model can be created. When the data is added together, the model will run to give the much richer picture upon which the decision can be made. Only now, this picture is a mix of risk indicators from across the spectrum, not following slavishly what has happened in the past or what is easily seen:

‘Each risk management approach and mathematical model is only fit for the decision being made. If a different situation is presented or decision needed, then the approach and mathematical model must change – no one size fits all’

To emphasise this point just consider what happens after the lending, insurance or investment decision is made. The answer is normally very little. May be bank accounts can be reviewed along with returns and other KPIs – the normal, easily seen visible pictures of what has happened. But what about the emerging risk from the invisible – by the time that hits the KPI it is too late it can’t be undone!!! I wonder how many lenders, investors and insurers have a real idea of the ongoing level of risk they face having made their original decisions? That brings us nicely back to the Financial Crisis and other well known disasters, such as Deep Water Horizon  and Stafford hospital  that we all know about. How confident are you, or the risk owner, that you really understand risk?

This article seeks to briefly outline the concepts that underpin risk and, of course, the inbuilt assumptions on which that risk management are currently based. The HPO methodology, tools and case studies now exist that create an enhanced way of thinking about risk that far better informs decisions. These may challenge convention and may be uncomfortable for some, but the clear evidence is that risk management must move on.

(1) Act of God –Bernstein 1998: John Wiley Sons

©The High Performance Organisation Group Ltd

Bio:

Ian has developed a unique online added value audit methodology that helps organisation understand the impact of how people behave on the risk to delivery of objectives, outcomes and governance requirements.  By the time poor performance appears on a KPI it is late.  Ian also runs a UKAS accredited CB to prove that certification can be different and delivers training on behalf of CQI, also representing them on the ISO9000 working group considering management system concepts.

Ian is not a consultant but provides guidance, help and support in maturing and optimising the investment organisations make in management systems and auditing generally.