risk leadership


European risk and corporate governance solutions

www.strategic-risk.eu [ November 2012 ] Issue 82 €25

NEWS & ANALYSIS » BAE/EADS merger collapse » Middle East dangers » Global cyber threats

VIEWPOINTS [ PROFILE ] Andrew Fenton of MBDA reveals the risks faced by businesses operating in the defence sector

RISKS [ EMERGING ] Fracking offers cheap energy for years to come, but it remains controversial with opinion split on whether the benefits really outweigh the risks

GOVERNANCE [ COMPLIANCE ] Deferred prosecution agreements are set to bring a US-style system of plea bargaining to the UK

THEORY & PRACTICE [ BEST PRACTICE ] How to stop the payment delays that can cause serious damage to business, particularly in the current economic climate

CHAOS THEORY Risk managers look to academic concepts to gain advantages in the real world

Risk Innovation Managers in Germany continue to lead the way in risk maturity

Product recall Careful planning can maintain business continuity in difficult times

Risk Indicator Forced labour and the rise of modern slavery


THEORY & PRACTICE

32 StrategicRISK [ NOVEMBER 2012 ] www.strategic-risk.eu

Transforming abstract concepts into reality

From chaos theory to the consideration of unknown unknowns, there’s much risk managers can learn from academic thought

Risk managers consult a wide range of information sources before making decisions. Facts and data sets combine with historical perspective to shape forecasts and inform judgments.

But should more risk managers be seeking to gain further insightful advantage through applied study of theoretical behaviour, economic concepts, mathematical constructs and quantums?

At StrategicRISK, we believe there is a place for original ideas and academic thought leadership that can assist and elevate the process of risk management.

Even where theoretical opinion appears to offer no exact answer to a specific problem that an individual risk manager may have, there is every possibility it will engage minds to consider other issues in different ways.

Exploring chaos theory

Risk managers come from a variety of backgrounds and, as such, may never previously have studied or focused on the expansive academic theory associated with the sector.

There is clear merit from exploring such ideas as chaos theory, even where its immediate relevance is uncertain, as it stimulates debate and higher thought processes even among sceptics. Lateral thinking engendered by theoretical discourse may, in time, lead to practical real-world solutions.

Reward through process can sometimes be delivered simply by looking at an issue from a different perspective, perhaps even ignoring some evidence altogether that had been seen as important but is actually little more than distraction.

Former US defence secretary Donald Rumsfeld was widely ridiculed when he made his now-legendary comments about “known unknowns” and “unknown unknowns”. But seen from the perspective of an inquisitive risk manager, his concept in its most succinct form could be construed as little short of genius.

Taken at its basic level, serious contemplation of issues we are not yet aware of may seem daunting, if not impossible owing to their very nature. It also makes sense, however.

Giving serious thought to what you do not know – especially what you do not know you do not know – appears, on the face of it, preposterous. Yet, such radical mental reasoning can also have clear logic by questioning why this is the case.

Black Swan events are called thus because most reasonable people had not foreseen them. The key word here is “most”.

The 9/11 attacks are an explicit case in point. These were Black Swans to millions of people – but not, of course, to those who planned and perpetrated them. They knew what was going to happen.

The essayist and scholar Nassim Nicholas Taleb develops this issue at some length in his risk and probability-themed tome The Black Swan.

This discourse through the study of randomness sees Taleb pour scorn on our abilities to predict accurately. Or, more specifically, he questions the ability of so-called experts in this field and the business world’s general foolishness for being duped by their arrogance and allowing them to flourish.

Taleb’s reasons are myriad but include, among others, a general failure to account for the enormous variables connected to events and activity beyond our scope of knowledge and understanding but which occur nonetheless: external factors.

The other obstruction blocking the path to forecasting success comes from the lack of general scrutiny of why previous predictions ended up wildly removed from what actually happened.

Experts, in Taleb’s view, are no better – and sometimes worse – than novices at making predictions. They just convince us more effectively of their abilities to do so.

Some risk managers may or may not agree with Taleb on this – particularly as he appears to be questioning the validity of the foundations of their chosen careers. His opinions might seem extreme to some and, in particular, his dismissal as erroneous of so much of what many risk managers hold to be true.

But Taleb’s views are often based on study seen from extreme perspectives – the eponymous Black Swan – where all possibilities are both possible and impossible.

Such opinions can be as controversial as they are subjective – unless they are based on a historical study of similar views and their outcomes – but these perspectives also enrich debate, as they broaden the scope of ‘what if?’ open to those in the risk profession, among others.

The wisdom of crowds

StrategicRISK wants to encourage more inspired thinking among the profession and invites academics to submit papers for consideration as part of a regular series.

The first appears across the next three pages and is written by Transport for London (TfL) head of risk, benefits & planning Dr David Hancock.

In his role at TfL, Dr Hancock is used to dealing on a daily basis with complex problems and behavioural patterns, such as the wisdom of crowds, and the consequences of his decisions help move millions of people around London safely. His paper looks at the benefits of theory for risk managers and the practical applications offered by academic ideas.

Among the topics assessed are ‘tame messes’ and ‘wicked problems’, along with an analysis of chaos theory – all of which offer relevance in a range of areas covered by the risk management profession.

Hancock’s perspectives make a compelling argument that real practical benefits can be derived from theoretical concepts – read on to judge for yourself …

If you would like to submit an academic paper for consideration to run in our series, please email it to [email protected].


CHAOS THEORY

Tame messes and wicked problems: The case for risk leadership

THERE IS A FEELING AMONG RISK PRACTITIONERS that theoretical risk management has strayed from our intuition of the world in which we manage risk daily. Historically, risk management has developed from the numerical disciplines dominated by a preoccupation with statistics (insurance, accountancy, engineering, and so on). This has led to a bias towards the numerical in the world of management of risks.

It comes as no surprise if we look at the historical roots of this newly emerging discipline. Risk management as a science really took off in the 20th century. It still tended to be dominated, however, by the worlds of mathematics and engineering.

In 1921, Frank Knight, in Risk, Uncertainty and Profit, distinguished between three types of probability, which he termed “a priori probability”, “statistical probability”, and “estimates”. The standard example of the first type is the odds of rolling any number on a die. The probability of occurrence is known specifically, that is, if there are mutually exclusive and exhaustive events and if they are equally likely, the probability of a given event occurring is 1/n; for a six-sided die, n = 6, and the probability of throwing any single number becomes 1/6.

Statistical probability identifies probability with relative frequency over a long series of events or the proportion of an event in a large population. In this case, risk practitioners need to have observed enough relevant data to make forward predictions. When there is no valid basis for classifying instances, however, only estimates can be made. In this final case, the use of statistical analysis would be meaningless.

Most risk management practised today focuses predominantly on the first two types of probability, namely either that the outcomes are known definitively, or that there is an underlying number or ‘truth’ that can be found merely by further data analysis and interpolation.

This type of uncertainty is termed epistemic. It is due to a lack of knowledge about the behaviour of the system. The epistemic uncertainty can, in principle, be eliminated with sufficient study and, thus, expert judgments may be useful in its reduction.

Alongside the mathematical development in the 1950s, a new type of scientific management was emerging: project management. This consisted of the development of formal tools and techniques to help manage large complex projects that were considered uncertain or risky. It was dominated by the construction and engineering industries, with companies such as Du Pont developing critical path analysis and RAND Corp developing the programme evaluation and review technique.

Following on the heels of these early project management techniques, institutions began to be formed in the 1970s as repositories for these developing methodologies.

In 1969, the American Project Management Institute (PMI) was founded. In 2009, the organisation had more than 420,000 members, with 250 chapters in more than 171 countries. It was followed in 1975 by the UK Association of Project Managers (changed to the Association for Project Management in 1999) with its own set of methodologies.

To explicitly capture and codify the processes by which they believed projects should be managed, they developed qualifications and guidelines to support them. But while the worlds of physics, mathematics, economics and science have moved on beyond Newtonian methods to a more behavioural understanding, the so-called new sciences, led by eminent scholars in the field such as Albert Einstein, Edward Lorenz and Richard Feynman, project and risk management appears largely to have remained stuck to the principles of the 1950s.

Risk management and measuring problems

The general perception among most project and risk managers that the future can somehow be controlled is one of the most ill-conceived in risk management. At least two advances have been made in the right direction, however. First, we now have a better understanding about the likelihood of unpleasant surprises and, more importantly, we are learning how to recognise their occurrence early on and, subsequently, to manage the consequences when they do occur.

The biggest problem facing us is how to measure all these risks in terms of their potential likelihood, their possible consequences, their correlation and the public’s perception of them. Most organisations measure different risks using different tools.

They use engineering estimates for property exposures, leading to maximum foreseeable loss and probable maximum loss.

Actuarial projections are employed for expected loss levels where sufficient loss data is available. Scenario analyses and Monte Carlo simulations are used when data is thin, especially to answer ‘how much should I apply?’ questions.

Probabilistic and quantitative risk assessments are used for toxicity estimates for drugs and chemicals, and to support public policy decisions.

For political risks, managers rely on qualitative analyses by experts. When it comes to financial risks (credit, currency, interest rate and market), we are inundated with Greek letters (betas, thetas, and so on), and complex econometric models that are comprehensible only to the trained and initiated. The quantitative tools are often too abstract for laymen, whereas the qualitative tools lack mathematical rigour.

Organisations need a combination of both tools, so they can deliver sensible and practical assessments of their risks to their stakeholders. Finally, it is important to remember that the result of quantitative risk assessment development should be continuously checked against one’s own intuition about what constitutes reasonable qualitative behaviour. When such a check reveals disagreement, the following possibilities must be considered:
• A mistake has been made in the formal mathematical development
• The starting assumptions are incorrect and/or constitute too drastic an oversimplification
• One’s own intuition about the field is inadequately developed
• A penetrating new principle has been discovered.

Only part of the story

One of the first areas to be investigated is whether the current single classification of projects is a correct assumption. The general view at present appears to treat them as linear, deterministic predictable systems, where a complex system or problem can be reduced into simple forms for the purpose of analysis. It is then believed that the analysis of those individual parts will give an accurate insight into the working of the entire system.

The strongly held feeling is that science will explain everything. The use of Gantt charts, with their critical paths and quantitative risk models with their corresponding risk correlations, would support this view. This type of problem that can be termed ‘tame’ appears to be only part of the story when it comes to defining our projects, however.

Tame problems are those that have straightforward simple linear causal relationships and can be solved by analytical methods, sometimes called the ‘cascade’ or ‘waterfall’ method. Here, lessons can be learnt from past events and behaviours and applied to future problems, so that best practices and procedures can be identified.

In contrast, ‘messes’ have high levels of system complexity, and are clusters of interrelated or interdependent problems. The elements of the system are normally simple, where the complexity lies in the nature of the interaction of its elements. Their principal characteristic is that they cannot be solved in isolation, but need to be considered holistically. The solutions lie in the realm of systems thinking.

Project management has introduced the concepts of programme and portfolio management to attempt to deal with this type of complexity and address the issues of interdependencies. Using strategies for dealing with messes is fine, as long as most of us share an overriding social theory or social ethic; if we don’t, we face ‘wickedness’.

Wicked problems are ‘divergent’, as opposed to ‘convergent’ problems. Wicked problems are characterised by high levels of behavioural complexity. What confuses real decision-making is that behavioural and dynamic complexities co-exist and interact in what we call wicked messes. Dynamic complexity requires high-level conceptual and systems thinking skills; behavioural complexity requires high levels of relationship and facilitative skills. The fact that problems cannot be solved in isolation from one another makes it even more difficult to deal with people’s differing assumptions and values. People who think differently must learn about and create a common reality, one that none of them initially understands adequately. The main thrust to the resolution of these types of problems is stakeholder participation and ‘satisficing’.

Risk management

1 Works to a defined scope, budget, quality and programme.
2 Uses the instrumental lifecycle image of risk management as a linear sequence of tasks to be performed on an objective entity using knowledge and procedures.
3 Manages process to ensure complicated projects of people and technology run smoothly.
4 Establishes detailed steps, processes and timetables.
5 Applies concepts and methodologies that focus on risk management for creation or improvement of a product, system or facility, and so on, monitored and controlled against specification (quality), cost and time.
6 Attempts to control risk by monitoring results, identifying deviations from the plan and developing mitigation actions to return to plan.
7 Works on the assumption that the risk model is the actual ‘terrain’ (that is, the actual reality ‘out there’ in the world).
8 Implementer of the risk process. Training and development produces practitioners who can follow detailed procedures and techniques.
9 Seeks predictability and order.

Risk leadership

A Recognises the possibility of different outcomes and tries to ensure risk activities focus on making an acceptable outcome more likely.
B Uses concepts and images that focus on social interaction among people, understanding the flux of events and human interaction, and the framing of projects within an array of social agenda, practices, stakeholder relations, politics and power.
C Develops team behaviours and confidence through scenario planning and team building to identify and respond to risks and opportunities.
D Understands the ‘many acceptable futures’ proposition and manages risk to produce changes needed to achieve an acceptable result.
E Applies concepts and frameworks that focus on risk management as value creation, while aware that ‘value’ and ‘benefit’ will have multiple meanings linked to different purposes.
F Adapts the risk process to overcome political, bureaucratic and resource barriers to developing change in behaviours through trust and managing expectations.
G Is based on the development of new risk models and theories that recognise the complexity of risk and its management and that the model is one part of a complex ‘terrain’.
H Is a reflective listener: learning and development facilitates the development of reflective practitioners who can learn, operate and adapt effectively in complex environments.
I Has learnt to live with chaos, complexity and uncertainty and leads by example to a successful result.

Many risk planning and forecasting exercises are still being undertaken on the basis of tame problems that assume the variables on which they are based are few, that they are fully understood and able to be controlled. But uncertainties in the economy, politics and society have become so great as to render counterproductive, if not futile, this kind of risk management that many projects and organisations still practise.

Chaos and risk

At best, projects should be considered as deterministic chaotic systems rather than tame problems. This is not using the term ‘chaos’ as defined in the English language that tends to be associated with absolute randomness and anarchy (Oxford English Dictionary describes chaos as “complete disorder and confusion”), but based on the Chaos Theory that was developed in the 1960s.

This theory showed that systems that have a degree of feedback incorporated in them, that have tiny differences in input, could produce overwhelming differences in output (see below).

Here, chaos is defined as aperiodic (never repeating) banded dynamics (a finite range) of a deterministic system (definite rules) that is sensitive to initial conditions. This appears to describe projects much better than the linear deterministic and predictable view in which both randomness and order could exist simultaneously within those systems.

The characteristics of these types of problems are that they are not held in equilibrium either among its parts or with its environment, and are far from being held in equilibrium; the system operates ‘at the edge of chaos’, where small changes in input can cause the project to either settle into a pattern or just as easily veer into total discord.

For those who are sceptical, consider the failing project that receives new leadership: it can just as easily move into abject failure as settle into successful delivery, and at the outset, we cannot predict with any certainty which one will prevail. At worst, they are wicked messes.

Conclusion

How should the risk professional exist in this world of future uncertainty? Not by returning to a reliance on quantitative assessments, statistics and determinism where none exists. We need to embrace its complexities and understand the type of problem we face before deploying our armoury of tools and techniques to uncover a solution, be they the application of quantitative data or qualitative estimates. To address risk in the future tense, we need to develop the concept of ‘risk leadership’, which consists of:
• Guiding, rather than prescribing
• Adapting, rather than formalising
• Learning to live with complexity, rather than simplifying
• Inclusion, rather than exclusion, and
• Leading, rather than managing.

The implications of the new concept of risk leadership are described on the previous page.

What does this all mean? At the least, it means we must apply a new approach for risk management for problems that are not tame. We should look to enhance our understanding of the behavioural aspects of the profession and move away from a blind application of process and generic standards towards an informed implementation of guidance.

What we need to develop are great risk leaders who realise that understanding risk is more of an art than a science, that this truly is the best time to be alive and working in risk, and that perhaps almost everything we thought we knew may turn out to be wrong.

Dr David Hancock MBA is head of risk, benefits and planning at Transport for London. His book, Messy and Wicked Risk Leadership, is published by Gower

The Butterfly effect

In 1961, while working on long-range weather prediction, Edward Lorenz made a startling discovery. While working on a particular weather run, rather than starting the second run from the beginning, he started it part-way through using the figures from the first run. This should have produced an identical result, but he found that it started to diverge rapidly until after a few months it bore no resemblance to the first run. At first he thought he had entered the numbers incorrectly. But this turned out to be far from the case: what he had actually done was round the figures, and instead of using the output of six decimal places he had used only three (.506 instead of .506127). He had considered the difference of one part in 1,000 inconsequential, especially as a weather satellite being able to read to this level of accuracy was considered unusual. But this slight difference had caused a massive variation in the result. This gave rise to the idea that a butterfly could produce small undetectable changes in pressure that would be considered in the model, and this difference could result in altering the path of, delaying or stopping a tornado.