1. VIEWPOINTS
[ PROFILE ] Andrew Fenton of MBDA reveals the risks
faced by businesses operating in the defence sector
RISKS
[ EMERGING ] Fracking offers cheap energy for years to
come, but it remains controversial with opinion split on
whether the benefits really outweigh the risks
European risk and corporate www.strategic-risk.eu GOVERNANCE
governance solutions [ November 2012 ] [ COMPLIANCE ] Deferred prosecution agreements are set
Issue 82 €25
to bring a US-style system of plea bargaining to the UK
THEORY & PRACTICE
[ BEST PRACTICE ] How to stop the payment delays that
can cause serious damage to business, particularly in the
NEWS & ANALYSIS » BAE/EADS merger collapse » Middle East dangers » Global cyber threats current economic climate
Risk Innovation
Managers in
Germany continue
to lead the way in
risk maturity
Product recall
Careful planning
can maintain
business continuity
in difficult times
Risk Indicator
Forced labour
and the rise of
modern slavery
CHAOS
THEORY
Risk managers look to academic concepts
to gain advantages in the real world
2. THEORY
& PRACTICE
Transforming abstract
concepts into reality
From chaos theory to the consideration of unknown unknowns,
there’s much risk managers can learn from academic thought
Risk managers consult a wide range of information “unknown unknowns”. But seen from the
sources before making decisions. Facts and data perspective of an inquisitive risk manager, his
sets combine with historical perspective to shape concept in its most succinct form could be
forecasts and inform judgments. construed as little short of genius.
But should more risk managers be seeking to Taken at its basic level, serious contemplation of
gain further insightful advantage through applied issues we are not yet aware of may seem daunting,
study of theoretical behaviour, economic concepts, if not impossible owing to their very nature. It also
mathematical constructs and quantums? makes sense, however.
At StrategicRISK, we believe there is a place for Giving serious thought to what you do not know
original ideas and academic thought leadership – especially what you do not know you do not
that can assist and elevate the process of know – appears, on the face of it, preposterous. Yet,
risk management. such radical mental reasoning can also have clear
Even where theoretical opinion appears to offer logic by questioning why this is the case.
no exact answer to a specific problem that an Black Swan events are called thus because most
individual risk manager may have, there is every reasonable people had not foreseen them. The key
possibility it will engage minds to consider other word here is “most”.
issues in different ways. The 9/11 attacks are an explicit case in point.
These were Black Swans to millions
Exploring chaos theory of people – but not, of course, to those who
Risk managers come from a variety of backgrounds planned and perpetrated them. They knew what
and, as such, may never previously have studied or was going to happen.
focused on the expansive academic theory The essayist and scholar Nassim Nicholas Taleb
associated with the sector. develops this issue at some length in his risk and
There is clear merit from exploring such ideas as probability-themed tome The Black Swan.
chaos theory, even where its immediate relevance This discourse through the study of randomness
is uncertain, as it stimulates debate and higher sees Taleb pour scorn on our abilities to predict
thought processes even among sceptics. Lateral accurately. Or, more specifically, he questions the
thinking engendered by theoretical discourse may, ability of so-called experts in this field and the
in time, lead to practical real-world solutions. businesses world’s general foolishness
Reward through process can sometimes be for being duped by their arrogance and allowing
delivered simply by looking at an issue from a them to flourish.
different perspective, perhaps even ignoring Taleb’s reasons are myriad but include,
some evidence altogether that had been seen among others, a general failure to account for the
as important but is actually little more enormous variables connected to events and
than distraction. activity beyond our scope of knowledge and
Former US defence secretary Donald Rumsfeld understanding but which occur nonetheless:
was widely ridiculed when he made his now- external factors.
legendary comments about “known unknowns” and The other obstruction blocking the path to
32 StrategicRISK [ NOVEMBER 2012 ] www.strategic-risk.eu
3. forecasting success comes from the lack of general
scrutiny of why previous predictions ended up
wildly removed from what actually happened.
Experts, in Taleb’s view, are no better – and
sometimes worse – than novices at making
predictions. They just convince us more effectively
of their abilities to do so.
Some risk managers may or may not agree with
Taleb on this – particularly as he appears to be
questioning the validity of the foundations of
their chosen careers. His opinions might seem
extreme to some and, in particular, his dismissal as
erroneous of so much of what many risk managers
hold to be true.
But Taleb’s views are o en based on study seen
from extreme perspectives – the eponymous Black
Swan – where all possibilities are both possible
and impossible.
Such opinions can be as controversial as they are
subjective – unless they are based on a historical
study of similar views and their outcomes – but
these perspectives also enrich debate, as they
broaden the scope of ‘what if?’ open to those in the
risk profession, among others.
The wisdom of crowds
StrategicRISK wants to encourage more inspired
thinking among the profession and invites
academics to submit papers for consideration as
part of a regular series.
The first appears across the next three pages and
is written by Transport for London (TfL) head of
risk, benefits & planning Dr David Hancock.
In his role at TfL, Dr Hancock is used to dealing on
a daily basis with complex problems and behavioural
patterns, such as the wisdom of crowds, and the
consequences of his decisions help move millions of
people around London safely. His paper looks at the
benefits of theory for risk managers and the
practical applications offered by academic ideas.
Among the topics assessed are ‘tame messes’ and
‘wicked problems’, along with an analysis of chaos
theory – all of which offer relevance in a range of
areas covered by the risk management profession.
Hancock’s perspectives make a compelling
argument that real practical benefits can be derived
from theoretical concepts – read on to judge for
yourself …
If you would like to submit an academic paper
for consideration to run in our series, please email
it to mike.jones@strategic-risk.eu.
www.strategic-risk.eu [ NOVEMBER 2012 ] StrategicRISK 33
4. THEORY & PRACTICE
CHAOS THEORY
Tame messes and wicked problems:
The case for risk leadership
HERE IS A FEELING AMONG RISK PRACTITIONERS In 1969, the American Project Management Institute (PMI)
T that theoretical risk management has strayed from our intu- was founded. In 2009, the organisation had more than 420,000
ition of the world in which we manage risk daily. Historically, risk members, with 250 chapters in more than 171 countries. It was
management has developed from the numerical disciplines followed in 1975 by the UK Association of Project Managers
dominated by a preoccupation with statistics (insurance, accoun- (changed to the Association for Project Management in 1999)
tancy, engineering, and so on). This has led to a bias towards the with its own set of methodologies.
numerical in the world of management of risks. To explicitly capture and codify the processes by which they
It comes as no surprise if we look at the historical roots of this believed projects should be managed, they developed qualifica-
newly emerging discipline. Risk management as a science really tions and guidelines to support them. But while the worlds of
took off in the 20th century. It still tended to be dominated, physics, mathematics, economics and science have moved on
however, by the worlds of mathematics and engineering. beyond Newtonian methods to a more behavioural understand-
In 1921, Frank Knight, in Risk, Uncertainty and Profit, distin- ing, the so-called new sciences, led by eminent scholars in the
guished between three types of probability, which he termed “a field such as Albert Einstein, Edward Lorenz and Richard Feyn-
priori probability”, “statistical probability”, and “estimates”. The man, project and risk management appears largely to have
standard example of the first type is the odds of rolling any remained stuck to the principles of the 1950s.
number on a die. The probability of occurrence is known specifi-
cally, that is, if there are mutually exclusive and exhaustive events Risk management and measuring problems
and if they are equally likely, the probability of a given event The general perception among most project and risk managers
occurring is 1/n; for a six-sided dice n=6, and the probability of that the future can somehow be controlled is one of the most ill-
throwing any single number becomes 1/6. conceived in risk management. At least two advances have been
Statistical probability identifies probability with relative fre- made in the right direction, however. First, we now have a better
quency over a long series of events or the proportion of an event understanding about the likelihood of unpleasant surprises and,
in a large population. In this case, risk practitioners need to have more importantly, we are learning how to recognise their occur-
observed enough relevant data to make forward predictions. rence early on and, subsequently, to manage the consequences
When there is no valid basis for classifying instances, however, when they do occur.
only estimates can be made. In this final case, the use of statistical The biggest problem facing us is how to measure all these
analysis would be meaningless. risks in terms of their potential likelihood, their possible conse-
Most risk management practised today focuses predomi- quences, their correlation and the public’s perception of them.
nantly on the first two types of probability, namely either that the Most organisations measure different risks using different tools.
outcomes are known definitively, or that there is an underlying They use engineering estimates for property exposures, lead-
number or ‘truth’ that can be found merely by further data ing to maximum foreseeable loss and probable maximum loss.
analysis and interpolation. Actuarial projections are employed for expected
This type of uncertainty is termed epistemic. It is loss levels where sufficient loss data is available.
due to a lack of knowledge about the behaviour of Scenario analyses and Monte Carlo simulations
the system. The epistemic uncertainty can, in prin- The perception are used when data is thin, especially to answer
ciple, be eliminated with sufficient study and, thus, that the future ‘how much should I apply questions?’
expert judgments may be useful in its reduction. Probabilistic and quantitative risk assessments
Alongside the mathematical development in
can somehow are used for toxicity estimates for drugs and
the 1950s, a new type of scientific management be controlled chemicals, and to support public policy decisions.
was emerging: project management. This con- For political risks, managers rely on qualitative
sisted of the development of formal tools and tech-
is one of analyses by experts. When it comes to financial
niques to help manage large complex projects that the most ill risks (credit, currency, interest rate and market),
were considered uncertain or risky. It was domi- conceived we are inundated with Greek letters (betas, thetas,
nated by the construction and engineering indus- and so on), and complex econometric models
tries, with companies such as Du Pont developing that are comprehensible only to the trained and
critical path analysis and RAND Corp developing programme initiated. The quantitative tools are often too abstract for
evaluation and review technique techniques. laymen, whereas the qualitative tools lack mathematical rigour.
Following on the heels of these early project management Organisations need a combination of both tools, so they can
techniques, institutions began to be formed in the 1970s as deliver sensible and practical assessments of their risks to their
repositories for these developing methodologies. stakeholders. Finally, it is important to remember that the result
34 StrategicRISK [ NOVEMBER 2012 ] www.strategic-risk.eu
5. Risk management
1 Works to a defined scope, budget,
quality and programme.
controlled against specification
(quality), cost and time.
of quantitative risk assessment development should be continu-
ously checked against one’s own intuition about what constitutes
reasonable qualitative behaviour. When such a check reveals disa-
2 Uses the instrumental lifecycle
image of risk management as a
linear sequence of tasks to be
6 Attempts to control risk by
monitoring results, identifying
deviations from the plan and
greement, the following possibilities must be considered: performed on an objective entity developing mitigation actions to
• A mistake has been made in the formal mathematical using knowledge and procedures. return to plan.
development
• The starting assumptions are incorrect and/or constitute too
drastic oversimplification
• One’s own intuition about the field is inadequately
3 Manages process to ensure
complicated projects of people
and technology run smoothly.
7 Works on the assumption that
the risk model is the actual
‘terrain’ (that is, the actual reality ‘out
developed there’ in the world).
• A penetrating new principle has been discovered.
Only part of the story
4 Establishes detailed steps,
processes and timetables.
8 Implementer of the risk process.
Training and development
One of the first areas to be investigated is whether the current
single classification of projects is a correct assumption. The gen-
eral view at present appears to treat them as linear, deterministic
5 Applies concepts and
methodologies that focus on risk
management for creation or
produces practioners who can follow
detailed procedures and techniques.
predictable systems, where a complex system or problem can be
reduced into simple forms for the purpose of analysis. It is then
believed that the analysis of those individual parts will give an
improvement of a product, system or
facility, and so on, monitored and 9 Seeks predictability and order.
accurate insight into the working of the entire system.
The strongly held feeling is that science will explain every-
thing. The use of Gant charts, with their critical paths and quan-
titative risk models with their corresponding risk correlations, Risk leadership
would support this view. This type of problem that can be termed
‘tame’ appears to be only part of the story when it comes to
defining our projects, however.
Tame problems are those that have straight-forward simple
linear causal relationships and can be solved by analytical meth-
A Recognises the possibility of
different outcomes and tries to
ensure risk activities focus on making
value creation, while aware that
‘value’ and ‘benefit’ will have multiple
meanings linked to different purposes.
ods, sometimes called the ‘cascade’ or ‘waterfall’ method. Here, an acceptable outcome more likely.
lessons can be learnt from past events and behaviours and
applied to future problems, so that best practices and procedures
can be identified. B Uses concepts and images that
focus on social interaction among
F Adapts the risk process to
overcome political, bureaucratic
and resource barriers to developing
In contrast, ‘messes’ have high levels of system complexity, people, understanding the flux of change in behaviours through trust
and are clusters of interrelated or interdependent problems. The events and human interaction, and the and managing expectations.
elements of the system are normally simple, where the complex- framing of projects within an array of
ity lies in the nature of the interaction of its elements. Their prin-
ciple characteristic is that they cannot be solved in isolation, but
need to be considered holistically. The solutions lie in the realm
social agenda, practices, stakeholder
relations, politics and power. G Is based on the development
of new risk models and theories
that recognise the complexity of risk
of systems thinking.
Project management has introduced the concepts of pro-
gramme and portfolio management to attempt to deal with this
C Develops team behaviours and
confidence through scenario
planning and team building to identify
and its management and that the
model is one part of a complex ‘terrain’.
type of complexity and address the issues of interdependencies.
Using strategies for dealing with messes is fine, as long as most of
us share an overriding social theory or social ethic; if we don’t, we
and respond to risks and opportunities.
H Is a reflective listener: learning
and development facilitates the
face ‘wickedness’.
Wicked problems are ‘divergent’, as opposed to ‘convergent’
D Understands the ‘many
acceptable futures’ proposition
and manages risk to produce changes
development of reflective practitioners
who can learn, operate and adapt
effectively in complex environments.
problems. Wicked problems are characterised by high levels of needed to achieve acceptable result.
behavioural complexity. What confuses real decision-making is
that behavioural and dynamic complexities co-exist and interact
in what we call wicked messes. Dynamic complexity requires high E Applies concepts and frameworks
that focus on risk management as
I Has learnt to live with chaos,
complexity and uncertainty and
leads by example to a successful result.
www.strategic-risk.eu [ NOVEMBER 2012 ] StrategicRISK 35
6. THEORY & PRACTICE
CHAOS THEORY
level conceptual and systems thinking English Dictionary describes chaos as
skills; behavioural complexity requires “complete disorder and confusion”),
high levels of relationship and facilitative but based on the Chaos Theory that was
skills. The fact that problems cannot be developed in the 1960s.
solved in isolation from one another This theory showed that systems that
makes it even more difficult to deal with have a degree of feedback incorporated
people’s differing assumptions and in them, that have tiny differences in
values. People who think differently must input, could produce overwhelming
learn about and create a common reality, differences in output (see below, left).
one that none of them initially under- Here, chaos is defined as aperiodic
stands adequately. The main thrust to the resolution of these types (never repeating) banded dynamics (a finite range) of a determin-
of problems is stakeholder participation and ‘satisficing’. istic system (definite rules) that is sensitive on initial conditions.
Many risk planning and forecasting exercises are still being This appears to describe projects much better than the linear
undertaken on the basis of tame problems that assume the vari- deterministic and predictable view in which both randomness
ables on which they are based are few, that they are fully under- and order could exist simultaneously within those systems.
stood and able to be controlled. But uncertainties in the economy, The characteristics of these types of problems are that they
politics and society have become so great as to render counter- are not held in equilibrium either among its parts or with its
productive, if not futile, this kind of risk management that many environment, and are far from being held in equilibrium; the
projects and organisations still practise. system operates ‘at the edge of chaos’, where small changes in
input can cause the project to either settle into a pattern or just
Chaos and risk as easily veer into total discord.
At best, projects should be considered as deterministic For those who are sceptical, consider the failing project that
chaotic systems rather than tame problems. This is not using the receives new leadership: it can just as easily move into abject fail-
term ‘chaos’ as defined in the English language that tends to be ure as settle into successful delivery, and at the outset, we cannot
associated with absolute randomness and anarchy (Oxford predict with any certainty which one will prevail. At worst, they
are wicked messes.
Conclusion
How should the risk professional exist in this world of future
This gave The Butterfly effect uncertainty? Not by returning to a reliance on quantitative assess-
rise to the ments statistics and determinism where none exists. We need to
embrace its complexities and understand the type of problem we
idea that a In 1961, while working figures, and instead of face before deploying our armoury of tools and techniques to
butterfly could on long-range weather using the output of six uncover a solution, be they the application of quantitative data or
prediction, Edward decimal places he had qualitative estimates. To address risk in the future tense, we need
could alter Lorenz made a startling used only three (.506 to develop the concept of ‘risk leadership’, which consists of:
the path of, discovery. While instead of .506127). He • Guiding, rather than prescribing
working on a particular had considered the • Adapting, rather than formalising
delay or stop weather run, rather difference of one part in • Learning to live with complexity, rather than simplifying;
a tornado than starting the 1,000 inconsequential, • Inclusion, rather than exclusion, and
second run from the especially as a weather • Leading, rather than managing.
beginning, he started it satellite being able to The implications of the new concept of risk leadership are
part-way through using read to this level of described on the previous page.
the figures from the accuracy was considered What does this all mean? At the least, it means we must apply
first run. This should unusual. But this slight a new approach for risk management for problems that are not
have produced an difference had caused a tame. We should look to enhance our understanding of the
identical result, but he massive variation in the behavioural aspects of the profession and move away from a
found that it started to result. This gave rise to blind application of process and generic standards towards an
diverge rapidly until the idea that a butterfly informed implementation of guidance.
a er a few months it could produce small What we need to develop are great risk leaders who realise
bore no resemblance to undetectable changes that understanding risk is more of an art than a science, that this
the first run. At first he in pressure that would truly is the best time to be alive and working in risk, and that
thought he had entered be considered in the perhaps almost everything we thought we knew may turn out to
the numbers incorrectly. model, and this be wrong. SR
But this turned out to difference could result
be far from the case: in altering the path of, Dr David Hancock MBA is head of risk, benefits and planning
what he had actually delaying or stopping at Transport for London. His book, Messy and Wicked Risk
done was round the a tornado. Leadership, is published by Gower
36 StrategicRISK [ NOVEMBER 2012 ] www.strategic-risk.eu