Systemic Risk Management Principles

The assumptions and principles identified here are a work in progress.  Please provide feedback or comment, to help to improve their quality and completeness.

Key Assumptions

When a systems thinking approach is taken to the management of risks in organisations, the nature of the underlying assumptions reflect both the complexity of human organisations and the nature of effective systems thinking responses to that complexity:

1.   Risk management is only a means to an end.  The main game is to make good decisions.

2.   A risk is a potential threat.

This assumption is necessary in order to make it clear that the word "risk" has negative connotations. This assumption is not 'fashionable' according to ISO 31000, but there are good reasons for it.  World-wide, people understand the term 'risk' to be negative.  If we wish to include both positive and negative uncertainty, changing the meaning of a commonly used word is not the best way to do that.  To understand this more fully, review the Systemic Risk Management definition of risk.

3.   A risk has potential negative consequences, whether the source of that risk is uncertain or not.

Ultimately, the only uncertainty that matters relates to impact or consequences.  Sources of risk may or may not be uncertain.

4.   The risks that impact most powerfully upon the success of human organisations are often complex, intangible, interrelated and even ‘wicked’.

5.   Every organisation faces risks that are not in its risk register.

Partially because some risks are emergent, they exist now but are truly invisible until some future time.  Partially because we can never find all our risks anyway.  Partially because of Assumption 6 - risks that are sensitive will not be in our risk register.

6.   Many critical organisation risks are too sensitive to be dealt with openly.

This assumption is important because it causes us to consider how we manage such risks, as an important aspect of organisational risk management.  What impact does this have on risk frameworks, principles, processes?

Systemic Risk Management Principles

1.        Risk management should be embedded in business decision making, not separate and then integrated.

A powerful advantage is gained when effective risk practices are embedded within business processes, rather than separate (albeit integrated) activities.  An example of this is when leaders examine risks as an inherent part of their business planning, rather than as a separate activity.  It follows that risk work cannot be fully delegated and that specialist support should be limited to initial analysis and advice - without doing the work that leaders must do themselves.  Separate risk management activities should be the exception not the rule, and the ‘risk management framework’ for an organisation should be a conceptual structure that describes how risk management is embedded in the work of leaders, not a separate real structure of risk policies, risk rules and processes.  Having separate (albeit integrated) risk management processes creates silos of thinking and unnecessary bureaucracy.  It also means that risk processes tend to be "paper exercises" or even ignored because they are seen to lie outside the real work of the organisation.

2.       Building an effective understanding of organisational risks requires inquiry, appropriate analysis and an active shared dialogue with stakeholders.

Here analysis means the use of evidence based, rigorous and repeatable methods to reach conclusions that may, or may not, be evident from experience and intuition.   Clearly, the extent of analysis required should match the particular risk(s) being examined.  Complex organisational risks require approaches that deal well with complex problems and that have the potential to take leaders outside their current paradigms.  If this is not possible, organisations remain trapped within their own often unstated assumptions, even when this is a major cause of strategic risk.

3.        The tools used for assessing, analysing and representing risks must be capable of dealing with the kinds of complexity experienced in human organisations. 

Tools such as risk rating matrices or tables are not capable of dealing with dynamic, complex risk interactions.  Although more sophisticated, systems engineering approaches are also limited since they require that each element of the system under study is able to be described in a repeatable way.  In reality, complex human systems are not repeatable and cannot be modelled effectively.  Work by eminent researchers including Senge, Checkland, Jackson, Flood and Rosenhead in the 1980s and 1990s (and since) has led to ‘soft systems thinking’ approaches that require far fewer assumptions and that can deal with real complexity.  However their methods are generally difficult to apply directly in real time by ordinary leaders.  Risk management tools must in practice both recognise the complexity involved and yet also be able to be applied by real leaders as part of their ongoing work.

4.        A key objective of risk management is to understand what is going on as a whole, in order to find leverage points that enable sustainable, effective risk responses.

Organisational risks are very often interrelated, and have shared causes.  Working on risks one a time or failing to do the work required to find and understand shared risk sources, leads to sub-optimised risk management outcomes at best.  Worse, it often leads to perverse unforeseen outcomes. The corollary to this is that to achieve the best possible risk outcomes, it is necessary to find, understand and then work to manage shared root causes of systemic organisational risks.

Too often, risk treatments are developed simply by referring to a written risk description in a risk register and the application of "management experience" to decide what to do.  In all but the simplest of cases, this is likely to lead to treatments that are well intentioned but incomplete, ineffective or even perverse.  For most organisational risks of any consequence, using inquiry and dialogue to develop a 'risk map' of the risk being discussed leads to a much more powerful and shared understanding of the true nature of the risk.  In turn, this permits more complete and sustainable decisions that have the desired influence.

5.        Quantitative/technical approaches to risk analysis and management are powerful in specific cases and should be used when appropriate.

There a number of ways in which quantitative analysis can be powerful and useful.  For example, insurance companies analyse historical data in order to understand their future risk and to set insurance premiums.  Investments decisions can be assisted using methods such as Monte Carlo to make better estimate of future financial, schedule or performance outcomes.  Some risks are directly associated with engineering issues or can best be identified or understood using operational analysis.  These examples show that although quantitative techniques are NOT appropriate when dealing with complex risks in organisations, they do have a valuable place in a leader’s toolbox of risk methods.

6.        A focus on prioritising risk responses is inherently more powerful and effective than prioritising risks themselves.

The ISO 31000 approach includes prioritisation of risks (risk ratings) so that leaders can focus on the most critical risks.  However when risks are interrelated, complex and dynamic (changing), that approach leads at best to sub-optimised responses and perhaps to perverse unforeseen outcomes.   It is far more powerful to first do the systemic analysis work required to understand all risks as a whole, and then to decide where and how to respond in order to reduce the risk faced by organisation as a whole system.  In this way, leaders can achieve the best possible total risk reduction within their resources, and at the same time reduce the likelihood of unintentionally creating new risks.

7.        The key risk role of senior leaders is organisational development, to create an organisation that is alert, responsive, proactive and resilient in the face of uncertainty and change.

Although executive leaders tend to focus on managing crises or making major operational or strategic decisions, the most powerful way for them to impact on the future of their organisation is to build its capability.  Risk management is no exception.  Senior leaders should be involved in finding, understanding and managing strategic risk, but they create greater risk management value and impact when they build structures, systems, processes and culture that lead to awareness and responsiveness across the organisation.  This is their key risk management work.  It is also the most difficult and strategic of all risk management work.

Critique of ISO 31000 Risk Management Principles

 Unlike its AS/NZS 4360 predecessor, ISO 31000 describes principles for risk management.  These are:

1.    Risk management creates and protects value

2.    Risk management is an integral part of all organisational processes

3.    Risk management is part of decision making

4.    Risk management explicitly addresses uncertainty

5.    Risk management is systematic, structured and timely

6.    Risk management is based on the best available information

7.    Risk management is tailored

8.    Risk management takes human and cultural factors into account

9.    Risk management is transparent and inclusive

10.  Risk management is dynamic, iterative and responsive to change

11.  Risk management facilitates continual improvement of the organisation.

These eleven principles are not all obvious in their meaning.  For example, the first principle requires explanation since in isolation it is not at all clear what it is trying to say.  Readers are invited to refer directly to ISO 31000 if they wish to more fully understand these principles.  

A quick examination leads to some questions and comments about these principles from a ‘systems thinking’ perspective:

• Principle 1.  Everything we do in organisations should create and protect value.  However it is not clear exactly how this statement is helpful for risk managers in practice.
  
  
• Principle 2. At face value Principle 2 is useful, as a guide to the development of integrated business processes. However the stress on ‘integration’ can be a problem. In practice risk management processes are created, linked to (or integrated with) larger business processes. Integration of processes is valuable, but is not the most powerful approach.  A systems thinking approach would see a single business system, with risk management work embedded within that system. This approach removes completely the notion that risk management is a separate activity.
  
  
• Principle 3.  A strong link between effective risk management and effective decision making is clearly appropriate, since decision making is where risks are either managed or created.  However by describing risk management as part of decision making, it fails to recognise that decision making is risk management.  Every time a decision is taken the whole point is to increase the likelihood of success.  Principle 3 reflects the current risk management paradigm and reduces the likelihood that risk managers will take a more complete, systemic approach.
  
  
• Principle 4.  Principle 4 is misleading in the context of ISO 31000.  It implies that risk management deals with the potential impacts of all kinds of uncertainty.  However ISO 31000 does not deal well (if at all) with some forms of uncertainty. For example, unknowable unknowns, true emergence, and uncertainty created by innovation.  ISO 31000 is only partially aligned with this principle, but fails to acknowledge this.  Complete approaches to the management of risk cannot afford to have such constraints. 
  
  
• Principle 5.  For complex organisations, Principle 5 is inappropriate and misleading.  It is the systematic nature of ISO 31000 that limits its effectiveness.  Principle 5 contradicts a systems thinking approach, and represents a “systems engineering” view of risk management. It is outdated and is easily discredited when dealing with the risks faced by leaders of complex organisations.  It is not an appropriate principle for the management of risks in organisations, although it might be valid in other situations.
  
  
• Principle 6. Principle 6 demands information so that risk management work can be undertaken.  This seems to be based upon an assumption that you can’t manage what you don’t know.  This is a strong constraint in a complex fast-changing world where we need to be able to handle emerging risks that yesterday were truly unknowable unknowns.  Systems thinking approaches do not make this assumption, and hence do enable risk management strategies for dealing with unknowable unknowns.  Principle 6 is a major constraint on the effectiveness of ISO 31000 as a risk management methodology.
  
  
• Principles 7, 8, 9 & 10.  These ‘principles’ can be applied to all management work.  It is useful to acknowledge them in context of risk management, if it is assumed that they are not already being applied.  However they rend to be a distraction from the core risk management conversation and would be better removed.
  
  
• Principle 11.  Principle 11 makes sense in the context of ISO 31000, since effective treatment of risks should often lead to improvements in how an organisation operates.    However applying a systemic risk management approach creates the opoportunity for a much more powerful learning and review dynamic.   Organisational risks are often indicators of complex, interrelated issues in organisational processes, structures, systems and culture.   In this context, systemic risk analsyis can be used to drive fundamental organisational development and as a test of the efficacy of governance arrangements in practice.  From the perspective of CEOs and Boards, systemic risk analysis can be a uniquely powerful tool for driving sustainable, whole of organisation improvement.

The comments above are in some cases critical of the ISO 31000 principles.  This is not surprising, given that ISO 31000 is quite deliberately a ‘systematic’ approach to the management of risk.  From a soft systems thinking perspective, it is inevitable that any such approach will have serious shortcomings when applied to complex human organisations.  Arguably, ISO 31000 is simply the latest version of the same paradigm of risk management thinking that commenced in the 1970s and 1980s.  It is accepted practice rather than best practice, and does not reflect the emergence of systems thinking as a more powerful and complete way of working on human organisations.

This does not mean that ISO 31000 is not useful in some situations.  Systematic approaches to risk might safely be applied when seeking to understand and to deal with technical or tangible, measurable risks.  However this is never the case when humans are involved in the system or problem being studied.  This limits the effectiveness of systematic risk management techniques, except when dealing with relatively simple risk problems such as engineering failure modes and insurance risks calculations based upon empirical data.