
Why I worry First about Uncertainty and then about Risk

February 26, 2013

One of the reasons I prefer the ISO 31000:2009 global risk management standard to COSO’s Enterprise Risk Management – Integrated Framework is the difference in the way they each treat the concept of uncertainty.

The ISO standard’s Introduction starts with this:

“Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization’s objectives is ‘risk’”.

COSO’s ERM Framework’s Executive Summary similarly and appropriately starts with a discussion of uncertainty:

“The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept [italics added for emphasis: ndm] as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.”

So both discuss uncertainty, but I struggle with the idea that you accept different levels of uncertainty (per COSO) rather than decide whether the potential effect is acceptable (i.e., the ISO approach).

This is especially true when you consider that uncertainty may have a range of possible effects, some of which may even enhance your ability to perform.

As an organization looks to its future, it establishes a vision, goals, and objectives together with strategies and plans for achieving them. But the path to achieving those objectives is always uncertain. Factors that may be external or internal to the organization create sources of uncertainty. Successful organizations identify and respond to these sources.

For example, an organization may have uncertainty about:

  • The future demand for its products and services, especially if it plans to introduce new products
  • The actions of its competitors
  • Whether its suppliers will be able to provide the materials required to meet customer demand, with the required quality, when they are needed, and at affordable prices
  • The activities of regulators and other agencies
  • Whether it will be able to retain key employees
  • Whether its employees will comply with the law or follow procedures.

Risks are not events. But we characterize a risk by describing what might happen and what it could lead to, in terms of the effect on our objectives.

A single area of uncertainty, such as the level of customer demand following the introduction of a new product, may have several possible outcomes. Those outcomes will have different effects on the ability of the organization to achieve or surpass its objectives. Some outcomes will have a beneficial effect, enabling the organization to perform at or higher than plan. Others will have a detrimental effect, calling into question the achievement of the plan.

We can compare and evaluate risks by considering the range of potential outcomes, whether they are beneficial or detrimental, and the likelihood of the effects.

Assumptions and presumptions (for example, with respect to how people or systems will behave or how events might occur) are a common source of uncertainty. It is necessary, therefore, to be aware of the assumptions inherent in plans and forecasts, and to address the underlying uncertainty. For example, a forecast or plan may assume that the new product will generate demand in line with prior predictions. But that is not certain, and if the new product launch is to be successful, actions may need to be taken to improve the likelihood of success. I believe the process in the ISO standard is the one to follow to identify the actions required.

For an organization to be successful, it must:

  1. Understand the sources of uncertainties in its path to achieving its vision and objectives
  2. Assess the significance of the potential effect(s) by considering what could happen, what it could lead to, and the likelihood(s) of those outcomes
  3. Evaluate whether the level of risk is acceptable and, if not, what steps should be taken to modify the risk
  4. Act to modify the risk – by creating or changing controls
  5. Continuously monitor and periodically review the sources of uncertainty and the related controls to ensure that the level of risk remains acceptable

One of the strengths of the ISO 31000:2009 standard is this focus on uncertainty and the effect that it has on an organization’s objectives. It enables an organization to recognize and respond to uncertainty so that it optimizes the likelihood that it will be successful.

So why do I say that I prefer to focus on uncertainty first? Because it is easier to talk to management about the uncertainty they face as they direct and manage the organization towards achievement of objectives. Once we know those sources of uncertainty, we can assess their potential effects and the likelihood of those effects – and act to optimize the likelihood of achieving or surpassing objectives.

If we only ask about what management fears, I fear that our identification of uncertainty and its effects (i.e., risks) will be incomplete.

  1. February 27, 2013 at 11:25 PM

    To add, there is a direct relationship between uncertainty and level of risk. If we are uncertain, it becomes difficult to arrive at the probability / likelihood of occurrence and impact, which are the basic components for arriving at a risk level / rating; i.e., the greater the uncertainty, the greater the risk level / rating, and vice versa.

    In other words, the risk level / rating is directly influenced by the level of uncertainty one perceives. If one perceives uncertainty at 9 on a count of 10, the risk level / rating may be rated as “High” when compared to a perception of 1 out of 10 (1 being the least and 10 being the most).

    It is the level of risk that determines the further course of action, which may ultimately enhance or erode value. I think COSO ERM is coming from that perspective.

    To me, both ISO and COSO ERM are saying more or less the same thing, but differently, as both expect to act on uncertainty / risk by determining whether the potential effect is acceptable or not.

  2. Ehtisham Syed
    March 19, 2013 at 6:52 PM

    A very thought provoking article, Norman.

    Levels of uncertainty are a valid concept IMO. Just recall Donald Rumsfeld’s 1. Known Known, 2. Known Unknown and 3. Unknown Unknown. The essence of any risk management activities is to remove as much uncertainty as possible re the future. For example, careful analysis of the situation based on the best available information related to understanding or knowledge of an event, its consequences or likelihood usually redistributes the variables into the middle ground of known unknown (the possible outcomes represented NOT by a set of points (known known) OR total ambiguity (unknown unknown) but by a range that can be understood as a probability distribution).

    Re the effect of uncertainty, I find the ISO 31000 RMS excerpt that you quoted in your blog very disappointing! As per the ISO Guide 73:2009 definition, risk = effect of uncertainty on objectives, where effect is a deviation from the expected – positive and/or negative.

    In statistical analysis an expected value functions as an average outcome, which is always below your stated objective. So if the effect of uncertainty is a positive deviation then it will result in the achievement of the objective. But if the effect of uncertainty is a negative deviation then it will result in an outcome even below the average outcome (expected value), let alone the achievement of the objective. The reference point is the average outcome, above or below, which will lead to a suboptimal performance culture IMO. Good performance management practices always keep business objectives as points of reference instead of any average outcome.

    The reason being that strategic objectives are distinct from numerical targets, in line with Deming’s principle, i.e. eliminate management by objective as numerical targets. And this is what goal-directed behavior is all about – a means for continual improvement.

    However, COSO’s excerpt (from your blog) termed the effect of uncertainty explicitly as risk and opportunity, with risk being presented as a failure (downside) event while opportunity is presented as a success (upside) event. This is in contrast with ISO 31000’s stance, which states that risk, being the effect of uncertainty, has BOTH upside AND downside characteristics. In other words, risk is both OPPORTUNITY and THREAT.

    I am interested in your thoughts.

  3. Norman Marks
    March 20, 2013 at 7:54 AM

    I am not sure that I agree that “The essence of any risk management activities is to remove as much uncertainty as possible”.

    I see the essence or value of risk management as providing decision-makers with information about risk so they can make better decisions. Risk management has no value if it doesn’t lead to actions to improve outcomes.

    I am not a statistician, but see “expected values” more as the assumptions that are made by managers.

    Much of the article is about the fact that there is uncertainty around those assumptions, and that uncertainty is not explored by managers or their allies in risk management.
