Reflection on risk (2008)
It is astonishing how easily people are taken in by well-written prose, even when the content is lacking. This is a recurring theme that I noticed around risk management processes which are put together almost mechanically. This article (drafted in 2008 with minor updates in 2023) gives some background and offers a specific tactic towards the end to help build better risk plans.
Key takeaways
Managing uncertainty and resilience is more critical than predicting risks.
This article provides a structure that helps provide depth on mitigation tactics & governance when developing the risk management plan.
Components of risk management and why it is hard
The key components of the risk management document are often expressed as a table of [Risk Type, Likelihood, Impact and Mitigation]. The well-crafted prose supports (or is informed by) the likelihood column. But how is this probability arrived at? In many cases, an expert’s opinion (with their bias) informs this probability; sometimes, a model is built using (frequentist) probability methods.
The true value of this whole plan is to outline how we would handle risks that arise due to lack of knowledge (epistemic uncertainty) — the one aspect that is often not given sufficient consideration and one that can be addressed with a more expansive checklist/tactics.
Real-world is complex and risk management needs to be multi-dimensional
The world and many real-world systems are complex adaptive multi-agent systems, with innumerable components interacting and exchanging information, creating both positive and negative feedback. Given this innate complexity, can we ever hope to forecast risk at any level that is materially and practically helpful? Can we build models that govern and run socio-economic activities with anything but an arrogance of belief that we can control and guide this complex beast?
Effective risk management necessitates a multidimensional approach, encompassing scenario planning, real-time monitoring of indicators, expert judgement, continuous learning, adaptive strategies, diversification and redundancy, and transparent communication with stakeholders to navigate the inherent uncertainties and complexities associated with risks.
Risk management is difficult. We should be humble about our ability to predict and manage risks. We should continuously question our risk models and narratives, and we should prepare for surprises.
Two types of uncertainty: epistemic and aleatory
Epistemic uncertainty is caused by a lack of knowledge. For example, one may be uncertain of an outcome because they have never used a particular technology before. This uncertainty is biased by the individual’s knowledge and experience.
Aleatory uncertainty is caused by variability that is inherent in some systems. For example, one can be confident about the long-term frequency of selecting the queen-of-hearts from a deck of cards, but they remain uncertain about the outcome of any given card pick. This uncertainty can be objectively determined by calculating the probability of each outcome.
Frequentist probability theory is used to analyse systems that are subject to inherent (aleatory) uncertainty. Bayesian probability theory is used to analyse uncertainty due to lack of knowledge (epistemic).
We have to make choices in face of uncertainty
Leaders have to make choices. These decisions involve taking risks and, ideally, should be informed by analysis that considers both epistemic and aleatory uncertainty. However, epistemic uncertainty (lack of knowledge, or new knowledge discovered along the way) has the bigger practical effect. So, what are the options to resolve this situation?
Simulations are a tool to support working with uncertainties
Simulations (e.g. Monte Carlo) can be used to develop a model to inform decision making. However, all simulations are informed by some prior information as well as how we structure the simulation modelling itself. For instance, if we treat uncertainties as aleatory, or random, even though they are predominantly epistemic, or knowledge-based, this can lead to outputs that are weak and potentially dangerous.
However, simulations have limits. The shape of the chosen probability distribution curves affects the results in non-trivial ways as errors compound; additionally, the longer the simulation is run, or the more complex the model we aim to simulate (as in, it carries more assumptions), the worse these errors compound. Simulation models also make assumptions about the correlations among the probabilities of individual outcomes, ignoring their complex and varied nature. In particular, this form of simulation overlooks the unavoidable practicality that correlations can be both positive and negative. These limits are amplified when we apply simulation for analysis based on incomplete historical data.
Statistical models are inherently limited by their reliance on historical data, simplifying assumptions (needed for modelling), inability to fully capture complex and nonlinear risk relationships, and lack of structural consideration for human and societal factors, rendering them potentially inadequate for fully understanding and predicting risks.
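The correlation point above is easy to state and easy to lose in a spreadsheet, so here is an added example (not from the original article) that makes it concrete. The risk register, its probabilities and losses are constructed for illustration, and the one-factor latent-variable model used to correlate occurrences is my choice of technique, not one the article prescribes. The same five risks with the same marginal probabilities are simulated twice: once with independent draws, once with a shared "bad year" factor on which four risks load positively and one (a demand drop) loads negatively. The expected annual loss is identical in both runs; only the tail moves.

```python
import random
import statistics
from statistics import NormalDist

# Constructed risk register: (name, annual probability, loss if it occurs, loading on a shared factor).
# A +1 loading means the risk tends to fire in the same bad year as the others; -1 means the opposite.
RISKS = [
    ("cloud region outage", 0.10, 400_000, +1.0),
    ("key supplier failure", 0.15, 250_000, +1.0),
    ("data breach", 0.05, 900_000, +1.0),
    ("staff attrition", 0.30, 120_000, +1.0),
    ("demand drop", 0.20, 300_000, -1.0),
]

_Z = NormalDist()


def simulate_years(trials, rho, seed=1):
    """Return a list of (total_loss, occurred_flags), one entry per simulated year.

    Each risk occurs when a latent normal variable falls below the quantile that
    matches its marginal probability. With rho == 0 the latents are independent;
    with rho > 0 they share a common factor z, scaled by each risk's loading, so
    occurrences become positively or negatively correlated while every marginal
    probability stays exactly as entered in the register.
    """
    rng = random.Random(seed)
    thresholds = [_Z.inv_cdf(p) for _, p, _, _ in RISKS]
    idio = (1 - rho * rho) ** 0.5  # weight of the risk-specific noise
    years = []
    for _ in range(trials):
        z = rng.gauss(0, 1)  # the shared factor for this year
        flags, total = [], 0
        for (_name, _p, loss, loading), t in zip(RISKS, thresholds):
            latent = rho * loading * z + idio * rng.gauss(0, 1)
            hit = latent < t
            flags.append(hit)
            if hit:
                total += loss
        years.append((total, tuple(flags)))
    return years


def percentile(values, q):
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]


def summarise(years):
    totals = [t for t, _ in years]
    return {"mean": statistics.fmean(totals), "p99": percentile(totals, 0.99)}


def joint_rate(years, i, j):
    """Fraction of simulated years in which risks i and j both occurred."""
    return sum(1 for _, f in years if f[i] and f[j]) / len(years)


def expected_mean():
    """Analytic expected annual loss; the same for both runs because marginals are unchanged."""
    return sum(p * loss for _, p, loss, _ in RISKS)


def compare(trials=20_000):
    indep = simulate_years(trials, rho=0.0)
    corr = simulate_years(trials, rho=0.8)
    return {
        "independent": summarise(indep),
        "correlated": summarise(corr),
        # index 2 = data breach, 0 = cloud outage (both load +1), 4 = demand drop (loads -1)
        "breach_and_outage": (joint_rate(indep, 2, 0), joint_rate(corr, 2, 0)),
        "breach_and_demand_drop": (joint_rate(indep, 2, 4), joint_rate(corr, 2, 4)),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Running it shows the mean loss sitting near the analytic value in both runs, while the 99th-percentile year is materially worse under correlation: breach-plus-outage years become several times more frequent, and breach-plus-demand-drop years rarer. A plan that only reports the mean, or that assumed independence, would budget for the wrong tail.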
There are practical consequences of poor modelling
Most economic models are based on variations of these forms of simulation; they also carry some innate inductive bias from the people involved in building the models and from the users that plug in their baseline data (the entropy that informed these inputs is, however, never put into the model). These models are then used to make ever-increasing bets impacting a large number of real humans. In effect, the models informing decisions are incomplete in a fundamental way.
The unstated assumption is that risks are representable, have patterns, and are computable
If we reflect deeply on the situation:
Representation: Due to their inherent unpredictability, complexity, and the influence of subjective human factors, risks cannot be fully represented or encapsulated within a single model or narrative.
Patterns: Given the complex and interconnected nature of risks, their inherent non-linearity, emergence from multiple factors, influence of stochastic events, presence of feedback loops, and temporal delays, risks defy simple causal patterns and cannot be neatly traced back to singular (or few) causes.
Computation: Given the innate multifaceted nature of risks, they resist reduction to simple analytical equations, necessitating more nuanced, dynamic, and system-oriented modelling approaches.
Contributors to risk assessment complexity
The Unpredictability and Complexity of Risk — Risks are about future events that have not happened yet and may never happen. We can estimate true probabilities only on past data. However, these probabilities are inherently uncertain and may not fully represent future realities. Furthermore, risks are often complex and interdependent. A small change in one risk factor can have cascading effects on other risks, and these complex interdependencies can be difficult to represent fully.
Limitations of Models and Data — All risk models rely on data, and all data has limitations. Data might be incomplete, inaccurate, outdated, or biased, leading to a skewed representation of risk. Even if the data was perfect, models are simplifications of reality and might not capture all relevant risk factors. For example, risk models often assume that risks are normally distributed, an assumption that can lead to underestimation of extreme risks.
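The normality assumption mentioned above is worth seeing in numbers. The following is an added example, not part of the original article: a constructed history of incident losses is drawn from a right-skewed lognormal distribution (standing in for the heavy-tailed loss data most organisations actually have), and the same data is then read through a fitted normal model, a fitted lognormal model, and the raw empirical frequency. The question asked of each is how often a loss more than four standard deviations above the mean occurs. The generating parameters and the four-sigma threshold are my choices.

```python
import math
import random
import statistics
from statistics import NormalDist


def constructed_loss_history(n=20_000, seed=7):
    """Constructed sample of incident losses from a lognormal distribution.
    It stands in for an observed loss history; no real loss data is used."""
    rng = random.Random(seed)
    return [rng.lognormvariate(10.0, 1.2) for _ in range(n)]


def fit_normal(losses):
    """The 'risks are normally distributed' model: mean and standard deviation of the raw losses."""
    return NormalDist(statistics.fmean(losses), statistics.pstdev(losses))


def fit_lognormal(losses):
    """A heavier-tailed alternative: fit a normal to the log of each loss."""
    logs = [math.log(x) for x in losses]
    return NormalDist(statistics.fmean(logs), statistics.pstdev(logs))


def extreme_threshold(losses, k=4.0):
    """A loss k standard deviations above the mean, the kind of level a normal
    model treats as practically impossible."""
    return statistics.fmean(losses) + k * statistics.pstdev(losses)


def tail_estimates(losses, threshold):
    """Three answers to 'how often does a single loss exceed threshold?'"""
    empirical = sum(1 for x in losses if x > threshold) / len(losses)
    normal = 1 - fit_normal(losses).cdf(threshold)
    lognormal = 1 - fit_lognormal(losses).cdf(math.log(threshold))
    return {"empirical": empirical, "normal_model": normal, "lognormal_model": lognormal}


def main():
    losses = constructed_loss_history()
    threshold = extreme_threshold(losses)
    estimates = tail_estimates(losses, threshold)
    print(f"threshold (mean + 4 sd): {threshold:,.0f}")
    for name, p in estimates.items():
        once_in = f"1 in {1 / p:,.0f}" if p > 0 else "never"
        print(f"{name:>16}: {p:.6f}  (about {once_in} incidents)")
    return estimates


if __name__ == "__main__":
    main()
```

The normal model puts the four-sigma loss at roughly a one-in-thirty-thousand event; the data itself shows it happening closer to one incident in a hundred, and the lognormal fit agrees with the data. The shape chosen for the distribution, not the quality of the arithmetic, decides whether the extreme case appears in the plan at all.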
Human and Cultural Factors — Risk perception and risk tolerance can vary significantly among individuals and cultures. What one person considers a high risk, another might consider a low risk. Furthermore, people are not always rational in their assessment of risks, and they can be influenced by cognitive biases, emotions, social factors, and cultural norms. These human and cultural factors are difficult to represent in a tabular risk management plan.
The Narrative Fallacy and Cognitive Bias — Humans are prone to the narrative fallacy and multiple forms of cognitive biases — we tend to create stories post-hoc, making events appear more predictable, and hence giving an illusion of understanding and managing the risk involved. This fallacy can create a false sense of security and undermines our ability to manage risks.
Risk themes
These risks can be grouped into the following non-exhaustive themes that provide a starting point to define the risk management plan:
People — Capability, Recruitment & Retention, Knowledge, Skills, Safety
Data — Collection, Integrity, Security, Storage, Recruitment (participant)
Management — Project, Issues, Methodology, Process, Controls, Budget, Relationships
Technical/Engineering & Delivery — State-of-the-Art, Technology platforms, Tools/Techniques, Standards
Regulation & Legislation — Ethics, Privacy, Policy, Compliance
Towards a structure of tactics to deal with risk
Tactics provide activities to consider within the various themes and provide the mitigations. Governance plays an overarching role in risk management, providing the structure, processes, and guidelines within which all these activities occur.
Predictive Analysis & Modelling
Tactic: Integrate statistical models with scenario planning and stress testing to prepare for a range of possible outcomes, especially those that are rare but have a high impact.
Governance: Policies set the rules for how scenarios and stress tests are created and used, including the frequency of scenario planning and the standards for stress tests.
Real-time monitoring & Observation
Tactic: Use a set of (leading) indicators to monitor risks and adapt responses as conditions change.
Governance: Define what indicators are monitored, the thresholds for action, and the procedures for responding to the indicators.
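The governance line above asks for three things to be written down: which indicators are watched, the threshold for each, and the procedure that follows. The following added example (not from the original article) encodes exactly that as a small monitor. The indicator names, thresholds, window sizes and procedure names are constructed for illustration; the "breaches within a window" rule is my addition to stop a single noisy reading from triggering a procedure.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Indicator:
    """One leading indicator from the monitoring plan."""
    name: str
    threshold: float        # level at which a reading counts as a breach
    higher_is_worse: bool   # direction in which the indicator deteriorates
    window: int             # how many recent readings are kept
    breaches_needed: int    # breaches within the window before the procedure is triggered
    procedure: str          # the agreed response, as named in the governance document
    readings: deque = field(default_factory=deque)

    def observe(self, value: float) -> None:
        self.readings.append(value)
        while len(self.readings) > self.window:
            self.readings.popleft()

    def breaches(self) -> int:
        if self.higher_is_worse:
            return sum(1 for v in self.readings if v >= self.threshold)
        return sum(1 for v in self.readings if v <= self.threshold)

    def status(self) -> str:
        n = self.breaches()
        if n >= self.breaches_needed:
            return "act"
        return "watch" if n > 0 else "ok"


def evaluate(indicators, readings):
    """Feed readings (name -> list of values, oldest first) and return the
    status of every indicator plus the procedures that must now be run."""
    by_name = {i.name: i for i in indicators}
    for name, values in readings.items():
        for v in values:
            by_name[name].observe(v)
    statuses = {i.name: i.status() for i in indicators}
    triggered = [i.procedure for i in indicators if i.status() == "act"]
    return statuses, triggered


# Constructed register and readings; names, thresholds and procedures are illustrative.
def example_register():
    return [
        Indicator("critical patches past SLA", 5, True, 4, 2, "convene patch-backlog review"),
        Indicator("quarterly voluntary attrition %", 10, True, 3, 3, "start retention plan"),
        Indicator("backup restore test success %", 95, False, 3, 1, "escalate to platform lead"),
    ]


def example_readings():
    return {
        "critical patches past SLA": [2, 6, 3, 7],          # two of the last four over 5 -> act
        "quarterly voluntary attrition %": [8, 11, 9, 12],  # two of the last three over 10 -> watch
        "backup restore test success %": [100, 98, 97],     # never at or below 95 -> ok
    }


def run_example():
    return evaluate(example_register(), example_readings())


if __name__ == "__main__":
    statuses, triggered = run_example()
    for name, status in statuses.items():
        print(f"{status:>5}  {name}")
    print("procedures to run:", triggered)
```

The value of writing the monitor this way is that the three governance decisions (indicator, threshold, procedure) sit in one reviewable record rather than in a dashboard someone interprets on the day; changing a threshold or a response is a visible change to that record.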
Expert Consultation (Judgement)
Tactic: Leverage the knowledge of groups of experts who can use their experience to identify potential risks and devise mitigation strategies that statistical models cannot consider (within time and resource constraints).
Governance: Define how experts are chosen, how their input is used, and how conflicts of interest are managed.
Continuous Organisational Learning
Tactic: Update risk models and management strategies continuously based on new data, experiences, and insights. Embrace a culture of learning from mistakes and near-misses.
Governance: Define procedures to guide learning from past experiences (what and how), conducting after-action reviews, and updating practices based on lessons learned. Specify and control frequency for how often reviews are conducted and how/what is updated.
Adaptation & Resilience
Tactic: Acknowledge that the risk profile changes continuously. Implement strategies that record these changes and then adjust to the anticipated consequences. Diversify to reduce the impact of any one risk and ensure redundancy in critical systems to increase resilience.
Governance: Promote agility by setting guidelines for how quickly and under what conditions the organisation should adapt its strategies. Set rules for diversification and redundancy, defining how resources are allocated to reduce risk exposure and increase overall system robustness.
Stakeholder Engagement and Communication
Tactic: Involve a diverse set of stakeholders in risk management, keep them informed about potential risks and how you are managing them, and be transparent about uncertainties and limitations in your risk assessments.
Governance: Have a guide for how risk information is communicated to stakeholders, setting standards for transparency, frequency, and methods of communication.
Prioritising mitigation and governance over estimating likelihood and building models
The concluding remark is that the exercise of attempting to better understand risks is worth doing with complete humility and an understanding of the innate limits of the exercise. Many project plans and funding requests demand risk management plans — given the difficulty, the tactics and governance structure presented in this article provide a structure to present the prose and narrative while acknowledging the difficulties.
