|Related articles - All articles - The author - Services|
How to be positive about risk
by Matthew Leitch 4th August 2010
The author is available to help with work to evaluate existing arrangements for governing risk taking, design new tools and processes, write guidance on their use, review work done using them for lessons to learn, and to provide relevant individual technical tutoring and teletutoring.
Most published guides and policies on risk management portray risks as undesirable or redefine risk as including nice surprises as well as nasty ones and portray risks as being both. Very occasionally people have made the mistake of talking as if risk generally is a good thing in itself.
However, I have noticed that recently there has been an increased tendency to, occasionally, portray risk as inherently desirable or to say that particular risks that are clearly downside ones are desirable. This is still rare in published documents, but more common in internal documents such as policies on risk taking, and much more common in conversation. I think this is thanks to the blaze of interest in the treacherous but intriguing phrase 'risk appetite'.
Saying risk is good is odd because, for most people, 'risk' is obviously a bad thing, so why say it, and is there a better approach?
There are some sensible drivers behind the desire to say that risk is good:
To counter personal over-sensitivity to risk: There is some evidence suggesting that people tend to be too sensitive to the risk of small losses. If this is true in practical situations as well as in the psychologist's laboratory then perhaps it would be good to encourage people to be less worried about the risk of small losses.
To counter wasteful personal risk reduction: When something goes wrong in an organization it often happens that the repercussions for the manager responsible are serious for that manager despite being trivial for the organization as a whole. Consequently, managers occasionally see too much value in controls that mitigate or avoid risks that are trivial for their organization. For example, they may be unwilling to take charge of innovative, exploratory projects for fear of being associated with a failure. Perhaps something can be done to counter this tendency.
To gain a more positive perception of risk management and risk managers: In some organizations risk management and risk managers are seen as obstructive, pessimistic bureaucrats. They feel they need to be seen in a more positive light. (I suggested a way to do this in "The Risk Manager people want to work with".)
To promote management methods that deal with all uncertain outcomes: Considering possible bad outcomes in one management process but possible good outcomes in another doesn't make much sense, so 'risk' management processes should aim to include both in one process. This is easier. It is unfortunate that we still use the name 'risk management' for these processes.
While these motives may be understandable, it is rarely the best strategy to say something that obviously is not true. Surely there is a better way? But first, let's just confirm that risk really is bad and look at the problems that can result from saying it is good.
No, it isn't. If you do not like an outcome, such as falling off a cliff, then you will not like the possibility of that outcome. Making something just a possibility rather than a certainty does not flip it from undesirable to desirable.
Risk is often something that goes along with rewards we want, but that does not make the risk itself good and we would still be interested in reducing it.
The best that can be said for risk is that, if you define it in particular, rather unusual ways, it can be positive in some situations. Here are the two definitions that I am aware of that have this property:
Risk as spread: In some theories of risk taking, risk is the spread of outcomes (regardless of whether those outcomes are desirable or undesirable), and in some situations spread can be an advantage. For example, if outcomes near the top of the spread are more important that outcomes near the bottom then increasing the spread will increase both high and low outcomes, but overall this is a net gain. Unfortunately, in most real life situations boosting the downside does not automatically boost the upside too.
Risk as the 'effect of uncertainty on objectives': This definition is currently promoted by ISO's Guide 73 glossary. Its meaning is unclear but what most agree is that it means a risk can be helpful or unhelpful. The reason for this definition is to allow all uncertain outcomes to be tackled in one management process while still calling it 'risk management'. However, even though ISO is the highest level of standard setting body in the world, I suspect that very few people will ever read this definition still less change the way they use the word 'risk' from day to day.
Saying something that people immediately know to be untrue can undermine your credibility, but the greatest worry about saying risk is good is that some people may actually believe you and act on it.
For example, imagine that a company's business is making loans to people to buy cars. In the past it has been able to charge higher interest rates on loans to people without jobs so it decides to do more of that kind of business in the next year. It tells its employees that it wants 5% of its loans to be to people without jobs. Taking the higher risk of lending to unemployed people has just become a target, in itself, not a limit on risky lending. What might happen if the company is struggling to make loans to unemployed people is that employees might start to think that making the loans cheaper for unemployed people is a way to solve the problem.
A better approach would have been for the company to set higher interest rates as a target and explain clearly that keeping bad debts low is important and '5% of total loans' is a maximum limit on loans to unemployed people. This is not perfect but at least it reduces the risk of people seeing risk taking as desirable in itself.
Here are some tactics to use, illustrated by examples of statements mistakenly positioning risk as 'good', with some explanation of the problems they could cause, and alternative wordings.
Instead of saying people should take more risk, say what they should be doing that really is desirable, even though it involves taking risk, such as launching new products, tackling new markets, and trying new methods - in short, exploring.
Exhibit A: from Risk appetite - How hungry are you? by Richard Barfield of PricewaterhouseCoopers
"One of the more interesting internal challenges in financial services organisations, which often tend to be risk averse and conservative, is to ensure that business unit management is assuming sufficient risk!"
The implication is that these organizations should not be risk averse and that some business unit management teams need to take more risk. Presumably they should be doing their jobs in more risky ways. In truth they should remain risk averse, but perhaps not as averse as they have been, and those business unit management teams should do more to develop new products, trial new ways of working, and make investments that pay better than cash, among other things.
Exhibit A would have been better written as follows:
"One of the more interesting internal challenges in financial services organisations, which are often too strongly risk averse, is to ensure that business unit management does enough to develop new products, trial new ways of working, and find attractive new investments."
This version is more informative and does not give the reader that vague sense of unease that comes from reading something that does not make sense.
The phrase 'risk appetite' makes most people think of other appetites, which are for things we consider desirable such as food, drink, and sex. Use plainer, more self explanatory language instead and avoid this misleading metaphor.
Exhibit B: from the Walker review(Source: A review of corporate governance in UK banks and other financial industry entities, Final recommendations, 26 November 2009. These sentences come from the section on 'risk appetite and tolerance', which is what the writer is trying to explain.)
"6.20 While the specific approach will plainly need to be adapted to the business scope and particular risk profile of the entity, differentiation will be needed between a level of risk that is actively sought and willingly borne such as credit risk (for a bank), market risk (in a trading book), and risks arising as a consequence of doing business and which the firm may wish to tolerate, limit or reduce through mitigating action (such as some types of counterparty risk, reputational risk that might be linked to miss-selling to retail clients), operational, legal and compliance risks."
The distinction between risks 'actively sought and willingly borne' and others the firm 'may wish to tolerate' gives the definite impression that the former type are good risks, and the latter bad. The unwary banker could be forgiven for thinking this means that risks taken through lending or buying securities are a good thing, so the more they take the better and efforts to cut those risks are wasted.
However, there is nothing positive about credit risk itself. If people don't pay back their loans or fail to pay the interest they owe then that is bad for the bank. Likewise, market risk is something banks should be averse to. There is nothing inherently good about these risks, even though the commercial activities give rise to them directly.
A better way to write that sentence would have been:
"6.20 While the specific approach needs to be adapted to the business scope and risk profile of the entity, differentiation will be needed between risks arising as a direct result of commercial activities, such as credit risk (for a bank) and market risk (in a trading book), and risks arising from being in business, such as operational, legal and compliance risks."
In this version the implication that some risks are good ones to be happily taken is removed along with the grammatical mistakes. It does not solve the problem of finding examples that make sense. Surely some operational risks are generated by processing each loan or market trade?
Exhibit C: From Thinking about your risk - Setting and communicating your risk appetite, by unnamed authors at HM Treasury
"1.2 The board will have an appetite for some types of risk and an aversion for others."
Again the phrase 'risk appetite' has led to a statement that makes risk into something desirable. (Strictly speaking, the approach to risk management promoted by HM Treasury says that risks are nice surprises as well as nasty ones, so the statement about having an appetite for some risks could reasonably apply to those nice surprises. However, the examples given in the same document are entirely in terms of nasty surprises. Indeed, using the methods of the examples shown there is no way to assess a nice surprise.)
Exhibit C would have been better as:
"1.2 The board should have a view as to the level to which each risk should be managed, taking into account factors such as the size of the risk and the scope for, and cost of, risk responses."
The problem with 'risk attitude' is that it drags in three terms: 'risk averse', 'risk neutral', and 'risk seeking'. These come from some theorising about why people see losses of a given amount of money as more important than gains of the same amount. They rely on a particular definition of risk as the spread of possible returns. In this theory it is taken as obvious that people do not like risk in the usual sense of 'bad things that might happen'.
Unfortunately, having said 'risk attitude' we feel almost compelled to explain that it can be risk averse, risk neutral, or risk seeking, even though the usual interpretation of risk means that every sane person is risk averse.
Instead of saying that risk is good, say that managing risk skillfully is good. For example, you could say that risk management is the skill of doing dangerous things safely.
Exhibit D: from Risk appetite - The strategic balancing act, by unnamed authors at Ernst & Young
"After all, risks are the source of profit. The board should therefore ask itself: 'What are our three most profitable risks?'"
In this version of reality the things people do to make money have been confused with the risks run as a result. Does taking risk produce profits? Would you make more money by doing things in a more risky way? Surely it has more to do with providing goods and services that people value and doing it better than your competition. What has happened here is that what we should require has become confused with what we can expect. Specifically, the fact that we should require profit to compensate for bearing risk has become an assertion that bearing risk will bring profit. Given the context of exhibit D, a better version would have been.
"After all, better management of risk is a source of profit. The board should therefore ask itself: 'What are the three activities where our superior management of risk provides the greatest profit?'"
If you want to position 'risk management' as being less of a pessimistic exercise then avoid the word 'risk' and use uncertainty instead. For example, you can say:
"The methods that, today, are still referred to as 'risk' management are in fact focused on managing uncertainty. They involve opening our minds to more possible futures and asking, 'What would we do if...' Some of those futures would be welcome, some unwelcome, and many are a mixture or just different."
Exhibit E: The risk approach to strategic management in development NGOs, by Ricardo Wilson-Grau
"Risk is inherent to life. The future is always uncertain and the outcomes of events unpredictable. Furthermore, for development NGOs, risks cannot be avoided and indeed must be embraced. Innovation for human development requires risk-taking. Commonly, risk is thought of as something negative, as the danger of something undesirable occurring. That is too limited. Risk is also positive; there is an upside and a downside. A development organisation must dare to succeed and dare to fail."
This typical attempt to redefine 'risk' for the reader has all the cliches. Risk is positive too. Risks must be embraced. Innovation requires risk taking. The problem is just that most readers already have an idea of what 'risk' means and it's bad. This re-write shows the improvement that is possible by switching to 'uncertainty'.
"Uncertainty is inherent to life. The future is always uncertain and the outcomes of events unpredictable. Furthermore, for development NGOs, uncertainty cannot be avoided and indeed we can rarely afford to delay action until certainty is achieved. Innovation for human development involves doing things whose outcome is uncertain and ranges from dismal failure to astounding success, with most innovations providing some useful learning whatever the outcome. A development organisation must be willing and able to experience failures in its search for successes."
Risk management is good, especially if it includes potential nice surprises as well as nasty ones, but we need to be very careful when talking about 'risk' and remember that for most people it isn't good, by definition. There are also some logical mistakes it is easy to make, particularly if the phrases 'risk appetite' and 'risk attitude' are used.
Take care, and use the tactics suggested in this article.
|Related articles - All articles - The author - Services|
|If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days. Contact details|
About the author: Matthew Leitch is an independent consultant, researcher, and author specialising in internal control and risk management. He is also the author of the new website, www.WorkingInUncertainty.co.uk, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it. more