
What is wrong with a typical risk register?

January 10, 2021

I recently presented at a Zoom meeting of IIA Qatar on the topic of “Risk Management for Success”. At one point, I shared an example of a risk register I had found on the web. I explained how it was removed from the context of achieving objectives (i.e., risk to what?) and that periodically managing a list of risks is not sufficient. Far more is needed for effective risk management as I see it (enabling an acceptable likelihood of achieving objectives[1]).

[Image: example risk register]

In the Q&A session, somebody asked how the risk register could be improved.


There are multiple problems that need to be overcome, including:

  • As mentioned above, it is a static list of risks, updated occasionally. Managing a list of what could go wrong is not the same as considering how best to achieve objectives. That requires understanding what might happen as part of every decision and that changes often – requiring more than a periodic discussion. However, there is a measure of value in the periodic review of those sources of potential harm that need to be addressed, typically monitored, on a continuing basis. I will come back to that.
  • Also as noted above, these are risks to what, and what the devil does a “high” rating mean? It doesn’t help us understand how an adverse event would affect the objectives of the organization. That is not addressed at all, potentially leading those who review a risk register to note it with interest but not know how important the issues are, especially when compared to other matters needing their time and money.
  • A risk register leads to managing and mitigating individual risks in silos instead of considering all the things that might happen, the big picture, to determine the best course of action and how much to take of which risks.
  • A list of risks focuses only on what might go wrong, ignoring the possibilities of things going well. For example, excellent performance by the project team might lead to early completion of the project.

There are more problems, but I want to talk about one that seems to confound many risk practitioners: that risks (and opportunities) are not a point; there is a range of potential effects or consequences and each point in that range has its own likelihood.


Take the first “risk” in the register above: “Project purpose and need is not well-defined” and ask the people involved in the project for their “risk assessment”.

  • The business unit manager considers the meetings she has attended with the project team. She believes that there is a 15% possibility that they have misunderstood her people’s needs and that could be quite significant. If that is the case, she can see a combination of revenue and cost impacts that she estimates as $300,000 over the next quarter, more and for longer if the problems are not corrected promptly. If you asked her to rate the likelihood and impact, she would say that is medium likelihood and medium impact, for a medium overall severity.
  • The COO tells you that he has confidence in both the business and IT people working on the project and there is a very low probability, maybe 5%, of an issue that he says would not amount to more than $100,000 (the cost of additional work) and would not affect revenue goals. He rates that as low likelihood and impact, for a low overall severity.
  • The project leader exudes confidence. He is 100% confident that there will not be any serious issues. He dismisses the idea of small snags as something that always happens. He also assesses likelihood, impact, and severity as low.
  • The analyst responsible for working with the vendor to identify and implement any customizations is reluctant to give her estimate. Eventually, she admits there is a 30% chance that something will go wrong and it would cost up to $1,000 per day of consultant time to make corrections. She doesn’t know how that might affect the business. When pushed, she whispers that the likelihood is high, effect is medium, and she doesn’t know how to assess overall severity from her junior position.

Are they wrong? Or, are they all right? How can they have different answers?

In all likelihood (pun intended) they are all right.

Like those who only see or touch one part of an elephant, each person has a different perspective, bias, and interest. They also have different information and insight.

[Image: blind men and the elephant]


A typical risk practitioner would report either the most likely effect and its likelihood, ignoring the others, or the most severe and its likelihood. Some would try to come up with an average of some sort.

That would mean that they would pick the assessment of 30% and $1,000 per day, or 15% and $300,000. But that would then run into a problem when more senior management, the COO, tries to overrule those who don’t (in his opinion) see the big picture. (This is something I have encountered multiple times in my career, but that’s not the topic today.)


Attempting to boil these different answers down to one ‘value’ for likelihood and impact is not what I consider part of effective risk management. (I describe that as addressing what might happen every day so you can have an acceptable likelihood of achieving your objectives.) It is also questionable whether you can calculate ‘severity’ at all, whether by multiplying likelihood and impact or by using a heat map.

The fact is that there is no single point.

The fact is that there may be different gradations of ‘failure’, each with its own level of consequence and each with its own likelihood.

The risk register talks about the likelihood of the risk event when it should be talking about the likelihood of the effect.

When you can have multiple levels of effect, you have a range.


A better approach involves bringing all the players (and there would likely be more than these four) into a room and asking these and other questions to come to a shared assessment that makes business sense – recognizing that this is just one of several risks and opportunities to consider.

  • Why is this project needed? How does it relate to enterprise objectives? Why does it matter and how much does it matter? What is important about it?
  • How would a failure to define the “purpose and need” affect the business? What would happen if the project is, for example, delayed? What about if it doesn’t deliver all the required functionality?
  • How should we measure the consequences? Are traffic light ratings (high, medium, low) meaningful? Should we use a dollar figure, for example in estimating additional costs and revenue losses? Would that help us make the right business decisions? How about making the assessment based on how one or more enterprise objectives would be affected, such as how a failure could affect the likelihood they would no longer be achieved?
  • What is the worst that could happen? Now, what is its likelihood?
  • How likely is it that everything is perfect?
  • Assuming that we are using a dollar figure to estimate potential consequences, what is the likelihood of a $300,000 impact? (This would be modified if instead we are assessing based on the effect on objectives.)
  • How about a $100,000?
  • …and so on, until a range of potential effects (or consequences) and their likelihoods are agreed upon.


There are tools (such as Monte Carlo simulation) that can calculate a single value for the range of effects and their likelihoods. However, while it is possible to produce such a value, I would ask the consumers of risk information, the decision-makers, whether they want to see a single value or understand the full range of possible consequences.
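The range-of-effects idea above, worked through in code as an added example (this is not code from the original post): one source of risk is held as a table of consequences, each with its own likelihood, and the likelihood of any given level of effect is read off that table rather than from a single event probability. The $100,000 and $300,000 figures come from the post; the $1,000,000 worst case and all the probabilities are constructed assumptions.

```python
"""Represent one source of risk as a range of effects, not a single point.

Added example, not from the original post. The outcome table below is a
constructed illustration of the kind of shared assessment the post describes
for "Project purpose and need is not well-defined": each consequence (a dollar
impact) carries its own likelihood. $100,000 and $300,000 appear in the post;
the $1,000,000 worst case and every probability here are assumptions.
"""
from __future__ import annotations

import random
from typing import Dict, List, Tuple

# Constructed range: consequence in dollars -> likelihood of that consequence.
# Likelihoods must sum to 1; the "0" row is the outcome where nothing goes wrong.
RANGE_OF_EFFECTS: Dict[int, float] = {
    0: 0.70,
    100_000: 0.15,
    300_000: 0.10,
    1_000_000: 0.05,
}


def validate(dist: Dict[int, float]) -> None:
    """Reject a range whose likelihoods are negative or do not add up to 1."""
    if any(p < 0 for p in dist.values()):
        raise ValueError("likelihoods must be non-negative")
    total = sum(dist.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"likelihoods sum to {total}, not 1")


def expected_loss(dist: Dict[int, float]) -> float:
    """Probability-weighted consequence: the 'single value' a tool would report."""
    validate(dist)
    return sum(x * p for x, p in dist.items())


def exceedance_probability(dist: Dict[int, float], threshold: int) -> float:
    """Likelihood that the effect is at least `threshold` dollars.

    This is the likelihood of the *effect*, which the post argues a register
    should report, rather than the likelihood of the risk event.
    """
    validate(dist)
    return sum(p for x, p in dist.items() if x >= threshold)


def exceedance_curve(dist: Dict[int, float]) -> List[Tuple[int, float]]:
    """(consequence, P(loss >= consequence)) for every adverse consequence."""
    return [(x, exceedance_probability(dist, x)) for x in sorted(dist) if x > 0]


def single_point_summaries(dist: Dict[int, float]) -> Dict[str, Tuple[int, float]]:
    """The two collapsed views the post says practitioners usually report:
    the most likely adverse effect, or the most severe one, each with its
    likelihood. Everything else in the range is lost in both views."""
    adverse = {x: p for x, p in dist.items() if x > 0}
    most_likely = max(adverse.items(), key=lambda kv: kv[1])
    most_severe = max(adverse.items(), key=lambda kv: kv[0])
    return {"most_likely": most_likely, "most_severe": most_severe}


def monte_carlo_exceedance(dist: Dict[int, float], threshold: int,
                           trials: int = 20_000, seed: int = 1) -> float:
    """Estimate P(loss >= threshold) by sampling the range.

    For a discrete table this only confirms the closed-form figure, but the
    same sampling loop works for continuous ranges (for example $1,000 per day
    over an uncertain number of days), which is where Monte Carlo earns its keep.
    """
    validate(dist)
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    outcomes = list(dist)
    weights = [dist[x] for x in outcomes]
    hits = 0
    for _ in range(trials):
        if rng.choices(outcomes, weights=weights)[0] >= threshold:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print(f"Expected loss: ${expected_loss(RANGE_OF_EFFECTS):,.0f}")
    for x, p in exceedance_curve(RANGE_OF_EFFECTS):
        print(f"P(loss >= ${x:>9,}) = {p:.2f}")
    print("Collapsed views:", single_point_summaries(RANGE_OF_EFFECTS))
    print("Monte Carlo P(loss >= $300,000):",
          monte_carlo_exceedance(RANGE_OF_EFFECTS, 300_000))
```

Comparing `exceedance_curve` with `single_point_summaries` shows what a one-line register entry discards: the 15% chance of at least $300,000 is visible in neither the "most likely" nor the "most severe" view.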

This is only the assessment of a single source of risk and it is likely that other risks and opportunities might have to be considered before agreeing (a) whether the situation is acceptable, and (b) what actions to take if it is not.


Even though I talk about risk management providing the information about what might happen (both risks and opportunities) that is required for informed and intelligent decisions, there is still value in the periodic taking stock (to quote my friend, John Fraser) of those risks and opportunities that are so significant they merit a more continuing level of attention.

But such a list has to show why these risks and opportunities are important.

Saying it is “high” means nothing.

It is imperative to explain how it relates to the achievement of objectives.

It is also imperative to show that there is a range of potential effects or consequences; the only exception I would make is where the decision is made that only the likelihood of particularly severe consequences needs to be monitored.


As I explain in my books, what makes the most sense (in addition to the continuous enabling of decision-making) is reporting the likelihood of achieving objectives considering all the things that have happened, are happening, and might happen.

This is actionable information that helps leaders understand whether they are likely to achieve what they have set out to achieve. They can determine whether that likelihood is acceptable and decide what actions are needed, if any.


So, where does all of this leave us?


This is my recommendation:

  1. Ensure there is appropriate attention to what might happen (both for good and harm) every day as part of both strategic and tactical decision-making.
  2. Monitor on a regular basis the likelihood of achieving objectives[2], considering what has happened, what is happening, and what might happen.
  3. Monitor on a continuing basis those risks and opportunities that merit attention because of their potential to affect the business and the achievement of its objectives, both short and longer-term.


I welcome your thoughts.

[1] If you prefer the approach of Estell and Grant, consider the acceptable likelihood of achieving the purpose.

[2] If objectives are designed to achieve purpose or mission over time, this equates in a practical way to monitoring the likelihood of achieving purpose or mission.

  1. John Fraser
    January 10, 2021 at 2:27 PM

    For the 13 years I was a CRO I never had a risk register for the reasons you give. However, when I taught classes then I showed what one could look like, as many students might be expected to produce one for their organizations even though we discussed their shortcomings…

  2. January 10, 2021 at 2:56 PM

    Hi Norman. I’m afraid your post contains so many examples of the word ‘risk’ having multiple meanings (and, consequently, no useful meaning) that the challenge of pointing them out is a bit too daunting for me to do so!
    But seeing Grant Purdy and I seem to have got a mention in your post, let me comment on the following extract which appears towards the end of your comments: “If you prefer the approach of Estell and Grant, consider the acceptable likelihood of achieving the purpose.” If you are referring to our book “Deciding” (Estall and Purdy, 2000, Amazon) I would firstly note the spelling of our names in case anyone is searching for us, and secondly note that you appear to have misunderstood what we have said. We do not say that the task when making a decision is to ‘consider the acceptable likelihood of achieving the purpose’. Rather, we point out that decisions are made to take advantage of opportunities that can contribute to pursuing the organisation’s purpose. While that is the broad reason for making decisions, specific decisions are taken in anticipation of achieving a specific outcome – i.e. what is intended to happen when the decision is implemented.
    We explain that because of inherent uncertainties – particularly, but not only, in relation to the assumptions that underpin most decisions – there can never be absolute certainty about the outcome that will result from each decision. Hence the decision-maker is left with making the decision so as to achieve ‘sufficient certainty’ regarding the outcomes. We also explain the numerous techniques for adjusting the degree of certainty about the outcomes but point out that as a general rule, there is often a trade off between the benefits of achieving more certainty and the costs of doing so (costs which can take many forms). Readers interested in what we have said can visit https://sufficientcertainty.com/

    • Norman Marks
      January 10, 2021 at 3:04 PM

      My apologies for misspelling your name. However, I have not misunderstood your book or its message. It is worth reading and I have said so in this blog. But, it is not the end of the discussion and I continue to believe that what I have described as risk management for success (really, success management) is a more practical approach.

      Just because a word has multiple meanings doesn’t mean it is not understood. For example, I think we know what a blue sky looks like.

      • January 11, 2021 at 1:31 AM

        Thanks Norman for both the correction and for your encouragement to your readers to read our book ‘Deciding’. However, I’m not too sure that you can say you have not misunderstood what we said given (as I pointed out) you have incorrectly quoted what we said!
        Anyway, as to your statement that when you say ‘risk management’ you actually mean ‘success management’ then at least you have replaced a piece of jargon that has no ordinary meaning (and why would you if its meaning was clear?) with two words that at least have a more or less comprehensible meaning. (So why not take the suggestion in our book and shed yourself of the “RM” millstone?)
        Why use an expression that you then have to substitute with a different expression (success management) which you say is what you meant all along, in order for your meaning to be understood?
        But even ‘success management’ suffers the common problem of confected compound nouns. What does this mean? Is there anyone who manages to fail (even though some do fail, it’s never their intention). So really, when it comes down to it, you are really just talking about ‘managing’ except, and this is where our paths could cross, the only way to manage is to make decisions and so the only way to have good management outcomes, is to make decisions that deliver sufficient certainty about the outcomes and those outcomes are anchored to the organisation’s purpose.
        So, why complicate things and introduce more jargon? Given that what managers are actually doing is deciding, why not just help them do that well? And best of all, it’s all achievable using plain language… indeed, I would contend that it’s probably NOT achievable if you don’t use plain language! As Grant and I contend in our book, the lack of plain language is at the heart of why organisations either don’t head down the “RM” path, lose themselves on the way, or simply give up! The old adage about sows’ ears and silk purses comes to mind.

    • January 10, 2021 at 3:11 PM

      Roger in our Complex System of Systems world, we “mandate” margin for risk created by Aleatory uncertainties and “Plan B, Plan C, Plan N,” for risk created by Epistemic uncertainty.
      And since uncertainty is ever-present, our management processes mandate Tim Lister’s quote
      “Risk Management is How Adults Manage Projects”

      • January 10, 2021 at 8:03 PM

        🙂 “Risk Management is How Adults Manage Projects”…i.e. somewhere on the continuum of chaos/failure to coherence/success.
        Further reinforcement of my point, I think, that expression ‘risk management’ has no practical meaning or utility.

        • January 10, 2021 at 9:06 PM

          How about “managing in the presence of uncertainty that creates risk to cost, schedule, technical, and operational performance of your efforts” ??

          • January 11, 2021 at 5:44 AM

            Back in the (bad) days when I had a lot of involvement in drafting standards and similar documents, there was often a great enthusiasm by some on the drafting committee to start with Section 2 because as a general practice, this contained definitions of certain words or expressions and some people were very keen to have their meaning of a word written into history. (Incidentally, we mention the very instructive Humpty Dumpty story about the meaning of words in our book “Deciding”.)
            There was a test that responsible committees would apply to each use in the document of a defined word/expression. This was called the ‘substitution rule’ whereby the adequacy of both the definition and the suitability of the word or expression being defined could be tested by exactly substituting the defined meaning in the place of the defined word wherever it appeared in the document (i.e. no changing of tense or adding the definite or indefinite article etc).
            It occurred to me as I read your proposed definition Glen, that you might like to test it by applying the substitution rule to everywhere the word ‘risk’ appears in Norman’s post including in those compound words where it acts as either noun or adjective.

          • Norman Marks
            January 11, 2021 at 7:21 AM

            Glen, why include only the downside?

    • January 13, 2021 at 10:11 AM

      Roger here’s a quick Root Cause Analysis of the OP

      There are multiple problems that need to be overcome, including:

      ■ It is a static list of risks, updated occasionally ― this is bad risk management. Where’s the Risk Management Plan stating how often the RR is updated? What event would trigger an update?

      ■ Managing a list of what could go wrong is not the same as considering how best to achieve objectives. That requires understanding what might happen as part of every decision and that changes often – requiring more than a periodic discussion. However, there is a measure of value in the periodic review of those sources of potential harm that need to be addressed, typically monitored, on a continuing basis. I will come back to that.

      ■ These are risks to what and what the devil does a “high” rating mean? It doesn’t help us understand how an adverse event would affect the objectives of the organization. That is not addressed at all, potentially leading those who review a risk register to note it with interest but not know how important the issues are, especially when compared to other matters needing their time and money. ― Correct, this is why the “qualitative” RR is not allowed in many domains. Quantitative RRs are, where “ratings” of the risk contents are collected with tangible Measures of Effectiveness and Performance in units meaningful to the decision makers.

      ■ A risk register leads to managing and mitigating individual risks in silos instead of considering all the things that might happen, the big picture, to determine the best cause of action and how much to take of which risks. ― don’t do this. Build a “model” of the risks and their interactions; Design Structure Matrix is one approach, https://en.wikipedia.org/wiki/Design_structure_matrix is how it is done in high-risk domains.

      ■ A list of risks focuses only on what might go wrong, ignoring the possibilities of things going well. For example, excellent performance by the project team might lead to the early completion of the project. ― take care here Opportunity is not “positive risk,” start with Ed’s paper http://www.risk-services.com/conr_ma08.pdf which guides how we “manage in the PRESENCE of risk” in our domain

  3. January 10, 2021 at 2:57 PM

    A good start for “what’s wrong with Risk Matrix” is Tony Cox’s work, starting with a paper of the same title https://inlac.org.ve/wp-content/uploads/2020/08/riskmatrices.pdf
    and some analysis of that paper https://www.researchgate.net/publication/310802191_What's_Wrong_with_Risk_Matrices_Decoding_a_Louis_Anthony_Cox_paper

  4. January 10, 2021 at 3:07 PM

    As well, Roger Estall does bring up question of the meaning of “risk.”
    One good place to look in a domain of “bending metal into money” is NASA’s “risk-informed decision-Making Handbook” https://ntrs.nasa.gov/citations/20100021361

    In that book and in our domain All risk comes from uncertainty. Uncertainty comes from two primary sources – Epistemic Uncertainty which is “reducible” and Aleatory Uncertainty which is “irreducible.” These are the basis of seismic research and underwriting. Ontological uncertainty is the 3rd, but not useful in projects. But likely useful in insurance underwriting.
    We use the example of Rumsfeld’s “There were unknown unknowns” which of course is a fallacy because he never read Herodotus’ The History where he warned Alexander The Great to “Not Go There!”
    Here’s a compendium of risk resources we use in our domain https://herdingcats.typepad.com/my_weblog/2019/05/a-compendium-of-risk-management-resources-1.html

  5. Kathryn M Tominey
    January 10, 2021 at 6:07 PM

    Test this model with Boeing MCAS project (2010-2018), Boeing Dreamliner Project (2000’s); Boeing decision not to automate the manufacturing tracking system (1990-1998). Or, Kobe Steel decision to send fraudulent test data to customers – GE, Lockheed Martin, Boeing Aircraft, etc – lasting for years by the way.

    GE’s CEO Immelt’s decision to spend $40+ billion of $50 Billion cash raised by selling assets for stock buybacks and leaving Employee Pension $32 Billion underfunded. Immelt put GE on trajectory to be removed from the DJIA where it had resided for over a century.

    Solar…. what’s its name software firm decision to send sensitive development work to eastern European countries with Russian ties. Decision by critical government agencies not to forbid (in contracts) any foreign outsourcing of software development without Agency national security review and authorization.

    Johnson & Johnson decision to send metal on metal hip replacement systems to overseas markets once they were banned in US.

    Arthur Anderson decision to kick Bass off of the audit project oversight team because he kept raising the Enron audit mgt ignoring gross violations of GAAP.


    • January 10, 2021 at 6:41 PM

      What was the Root Cause of each of the examples you provide?
      Without finding the root cause (the conditions and actions that create the “effect”), no corrective or preventive actions can be found or discussed.
      Only with the Root Cause can Risk be “handled”.

    • Norman Marks
      January 11, 2021 at 7:18 AM

      All of these turned out to be bad decisions. But we don’t have sufficient information to understand what happened and why.

  6. Grant Purdy
    January 10, 2021 at 6:45 PM

    Just a little context and history. Risk registers came into being during the 1970s. In the UK under successive editions of the Factories Act (including the 1961 version that I enforced) there was a requirement for a factory occupier to maintain a ‘general register’. This was a standard form that contained information such as when the walls were last painted, a list of lifting tackle, steam boilers and air receivers together, in some cases, with a list of women whom the factory owner had “good reason to believe” were pregnant!

    When the UK moved to ‘enabling legislation’ in 1974 and later adopted the European safety requirements, the general register was also used to list ‘hazards’.

    In all cases, its purpose was to demonstrate that the factory occupier had thought about how his employees could be injured and also, their well-being. It was also supposed to help the Factories Inspector (of which I was one) do his or her job by giving them a ‘heads up’ what to look for on their inspection.

    Of course, what was a list of hazards eventually morphed into a list of risks (because a lot of people could not tell the difference) and with the advent of spreadsheets (I first used VisiCalc) we could then play tunes on them by ascribing ratings, conducting arithmetic and sorting and ranking and even drawing graphs.

    This was all well and good, but these registers were never intended to be used in any form of decision making and, as we now know, they have taken on a life of their own such that, for many organisations, ‘risk management’ (whatever that means – and I don’t know), merely involves the updating of this spreadsheet, normally on an annual basis.

    The inescapable truth is that there is simply no way you can help people make a better decision by giving them a ‘risk register’. I must have worked with many hundreds of mostly large organisations over the last 30 years and I have yet to find one where senior management or a board considered and took into account the information in a risk register when faced with a decision. For one thing, as we know, generating this hallowed document is largely guesswork and invariably relates to some overall assessment of the ‘things that might happen’ to the organisation at some time in the past. Risk registers are never generated in support of individual decisions and, even if they are, never involve a proper consideration of context, assumptions or the opportunity the organisation is seeking to exploit in order for it to achieve its purpose. Presenting people with an incomplete list of things that might happen, even if there are many coloured columns and ratings, does not help them at all!

    That is not to say that risk registers don’t have some value though. When my children were little and we maintained a menagerie of rabbits and guinea pigs, I found that when they are shredded, risk registers make excellent bedding. And moreover, once the little animals had used them as their toilet, the resulting mess acted wonderfully as the base for a compost heap.

    It seems to me that that neatly summarises the value of a risk register.

    • January 10, 2021 at 7:04 PM

      Love that example of the use of a RR
      RR can be “collection” devices, but what goes in them has to have several attributes
      – Classification of the uncertainty that creates the risk – aleatory (irreducible) or epistemic (reducible)
      – For irreducible – what are the cost, schedule and technical “margins” to protect the project, project, system from the risk?
      – For reducible – what are the “buy down” activities that reduce the uncertainty?
      – What are the Root Causes of the uncertainties? What are the conditions and action that create the Root Cause?
      – Assure the RR only contains risks, not hazards
      – What are the propagation paths for the risks? These are usually modeled with Design Structure Matrices. We use the Arena tool for this
      – What are the formal processes of “managing in the presence of Risk?” Here’s an unpublished paper for the Joint Space Cost Council that speaks to the “continuous risk management process” https://www.slideshare.net/galleman/increasing-the-probability-of-success-with-continuous-risk-management that turned into two chapters in the book https://www.amazon.com/Practitioners-Handbook-Project-Performance-Practitioner/dp/1138288225
      – There are many – maybe dozens – of Risk Management guides; ours usually have a Federal Agency Logo in the upper left hand corner (USAF, NASA, DOE, NNSA), google will find them. Each one is based on “all risk comes from uncertainty” and “Managing in the Presence of Uncertainty” is the foundation of all risk management

    • January 10, 2021 at 7:11 PM

      And just one more item
      Here’s the ever-growing collection of “risk management” resources in our Complex Adaptive Software Intensive System of Systems Domain
      Where Risk management (programmatic and technical) is mandated by acquisition regulations at NASA, DOE, DOD, Intel Agencies, DHS, FAA, and other clients

      • kathryntominey
        January 10, 2021 at 9:12 PM

        Each very high level topic must be based on an orderly decomposition to show all of the attributes that roll up. Having sat in many, many project meetings with program & project mgrs, they never ever actually pay attention to whether it is really needed. Consider the MCAS system at Boeing. The 737 is an old, old body design. MCAS was actually very poorly implemented – it needed three independent attitude sensor tubes with a computer for each and a 4th to integrate the three results. Boeing decided to eliminate one and charge extra to activate the second, leaving one device enabled, and these devices are notoriously unreliable. And they decided to charge extra to activate the instrument panel alert to turn off MCAS. Airbus did not make those mistakes. And they decided to lie to the FAA about what was done – since they were actually regulating themselves – why not.

        Bonuses for Executives, Senior mgt, Program & Project Mgrs are a fundamental risk to any enterprise.

        • January 11, 2021 at 10:23 AM

          All your observations are good questions but without the root causes of your observations there can be no corrective or preventive actions to remove the conditions and / or actions that created the “effect” (crashed 737-Max)

          ■ Why was Boeing allowed to eliminate a redundant sensor?
          ■ Why did AB “not” make those mistakes?
          ■ Why were non-US pilots allowed to transition to that airframe without “full flight simulator” certification where they would have “hands-on” experience with the upset condition? We had a phrase in Vietnam for the safety of our CH-47’s – “It’s very safe if you keep it away from the ground”

          So the BIG question with Boeing from the incident is fundamentally – “were the risks to the safe operation KNOWABLE?”

          Here’s one start to answering those complex systems risk management questions

          In our domain, the term “risk management” is replaced with “risk handling” since “managing” uncertainties – reducible (epistemic) and irreducible (aleatory) – cannot make the risk Zero.

          • Norman Marks
            January 11, 2021 at 10:30 AM

            While I strongly encourage root cause analysis, multiple things can result in the same effect. Consider the effect first (such as the loss of a data center) and then the causes (flood, fire, earthquake, loss of power, terrorist attack, etc.) as you determine the gradations of effect and the likelihood of each.

            RCA is an excellent tool to ASSIST in informed decision-making but it is not my initial focus.

            In addition, we need to consider whether the risk should be taken.

            Risk management should NOT be about “risk handling”. It should be about whether there is an acceptable likelihood of achieving objectives considering everything that might happen – and that may require taking MORE risk!

            • January 11, 2021 at 11:01 AM

              Yes, there is rarely if ever a single “cause” – a condition or action. This is the foundation of Apollo Root Cause Analysis, developed by the Ganos at a DOE NNSA (nuke weapons) site that is now applied in several A&D firms as well as DOE. In the Apollo method, there is an “infinite” chain of conditions and actions.


              Now the question may be is Apollo applicable in the domain you write about (it’s my understanding it’s Corporate ERM and “the boardroom”)? I’m on the “programmatic and technical success” side – literally making it to the launch pad on time, on budget, with the needed capabilities to have the highest probability of success.

              I’d never suggest “one size fits all”, but there are likely a few immutable principles of “risk management” https://herdingcats.typepad.com/my_weblog/2016/10/without-a-root-cause-analysis-no-suggested-fix-can-be-effective.html

              In our domain, the primary immutable principle is

              “All risk is created by 2 types of uncertainty”
              There is a 3rd type Ontological, but not applicable

              These principles come from seismic modeling and the insurance underwriting from those epistemic and aleatory sources.
              The Ontological uncertainty means it’s Unknowable – the Rumsfeld UnkUnk which was a fallacy since he failed to read Herodotus histories 😈

              One “risk handling strategy” is the determination of what is the acceptable likelihood of achieving objectives considering everything (knowable) that might happen

              As well, in the Apollo method, it is the uncertainty that creates risk, and Aleatory uncertainty cannot be “managed”, only “handled” with “margin” (cost, schedule, technical and operational margin), since it is irreducible from the naturally occurring random processes and, unless you’re a deity, you’re not going to reduce or manage the source of the risk.

  7. Anonymous
    January 11, 2021 at 5:57 AM

    Norman’s basic issues (static and lack of an understanding of “risk”) are spot-on. However, the title “Risk Register” promotes these issues. Originally a “risk register” was just that – a listing of organizational risks. Sometimes without location and context (basically a list of risks without meaningful discussion). It was nothing but cover in case of a loss where an insurer would balk at a claim payment by claiming they were not told of the risk.

    Risk Matrix which involves inter and intra-connected risks requires collaboration with all interested groups by definition. It is up to the Board of Directors/Owner(s) to agree on a review schedule as they are the group that is ultimately responsible for approving the risk management program.

    • January 11, 2021 at 9:38 AM

      The core foundation of Risk Management in our Complex System of Systems domain is Root Cause Analysis. What is the Root Cause of that Effect?
      As well, in reading Norman’s book, the “risk” he speaks to is focused on Corporate risk, and it appears not Program and Project risk, where RCA is mandated for any corrective or preventative action(s) taken for the Handling Strategies for the reducible (epistemic) and irreducible (aleatory) uncertainties that create risk(s).

  8. January 11, 2021 at 6:04 AM

    I think Mr. Purdy’s ecologically sound disposal of heat maps is admirable. I’d also point out that the examples listed are in fact what COSO correctly considers as root causes of most losses and catastrophic decisions, including airplanes that can’t fly, drugs that kill people, data brokers that lose data etc. Fortunately SOX doesn’t seem to consider these Material Weaknesses. No harm done.

    • January 11, 2021 at 10:05 AM

      The Root Causes of “airplanes” that can’t fly are well known – see Aviation Week & Space Technology and FAA reports; don’t know anything about drug development; data loss Root Causes are well documented – see CISA and NIST SP 800 series reports.
      In our Nuclear Weapons plant operations and decommissioning domain, where “risk management” is the foundation of “not killing people”, we call those incidents “doing stupid things on purpose”.
      Here’s a growing list of resources in our SW Intensive System of Systems world, where products are embedded in airplanes, power systems, and SW Intensive Systems:


      In this paradigm, uncertainty is the source of all risk.

      But it may be that the risk management topic in the book is applicable in the board room, but may not be applicable in “bending metal into money” in our aerospace and defense domain with its Enterprise and embedded systems for flight, ground, manufacturing, and operations of systems we all depend on daily: GPS III, 737 MCAS, the electric power grid, banking, medical, and any other “software or hardware” based product or service.

      Incidents like the recent cyber attack on SolarWinds based networking were easily seen as a “risk”, but no corrective action was taken and the update to the SW ingested another Trojan – see CISA report. Same for power grid attacks. Chase as of this day has NO Two-Factor Authentication and uses a Cookie to detect you’re a new user to ask for a confirmation!! This risk is the willful ignorance of cyber risk. USAA has 3 factor authentication on a new machine and 2FA as mandatory.

      So, speaking about the problems with the RR, those are weak when the core risk management processes are inadequate for even simple risk.

      The Root Cause Analysis of the Root Causes doesn’t start with the use or misuse of a Risk Register – it starts with a phrase we use in our Federal Acquisition World when we’re called to “put the program back on schedule” – “willful ignorance” of established processes.

      This is a critically important topic and Norm’s book is a valuable contribution. But we need to make sure we have the domain and context as well.

      • Bruce McCuaig
        January 15, 2021 at 6:05 AM

        In my experience risk and audit practices from COSO and the IIA implicitly consider incidents or failures to be random and spontaneous. There are few better examples of what “risk management” could be than the aviation industry. You will struggle to find, in any Sox required disclosure of Material Weakness in financial reporting, any description of cause of failure, let alone what happened. The NTSB in the US, as I suspect you know, tracks and categorizes every incident in exquisite detail. Human failure is usually involved. Most catastrophic failures in corporations are entirely predictable. If huge incentives exist to sell opioids, to take shortcuts in designing and building aircraft and to overstate profits, then those things will occur predictably. The necessary practices used elsewhere don’t seem to permeate traditional risk and audit practices. I think we are largely in agreement. Let me know if I misunderstand. And thanks for your thoughts.

        • January 15, 2021 at 1:32 PM

          Bruce, the terms “random” and “spontaneous” are sourced from Epistemic and Aleatory Uncertainties:
          – Epistemic being “lack of knowledge”, which can be random
          – Aleatory being “naturally occurring”, which can be spontaneous

          Epistemic Uncertainty creates a risk that is “reducible” by acquiring more knowledge, running tests, buying two in case one breaks, having a Plan B, C, D …. So your words “Most catastrophic failures in corporations are entirely predictable” put those uncertainties in the Epistemic uncertainties – when you hear “they never saw it coming”, what it really means is “they weren’t looking”.

          Aleatory Uncertainties create a risk that is “Irreducible” (unless you’re a Deity). The only protection for aleatory uncertainty is “margin”: cost, schedule, technical, operational margin, business plans, response plans, …

          The incentive to sell opioids and resell them (Walmart) is an Epistemic Uncertainty. If they had looked closer, gained more “knowledge,” Purdue and Walmart would have seen what would happen since there are “reference class databases” from past performances of the same problem and outcomes

          The only uncertainty that cannot be addressed with “more knowledge” or “margin” is Ontological – that’s the definition of Unknown Unknowns.
          “Unknowable” is a class of UNKUNK. Rumsfeld’s quote of “There were unknowns” is nonsense, and it appears he never read “The Histories” by Herodotus, where he told Alexander the Great “Don’t Go There, you’ll get your ass kicked” 😈

          • Bruce McCuaig
            January 16, 2021 at 3:51 AM

            I’m pretty sure I’m smarter now (seriously) after reading your response. I had not made those distinctions and I admit they are useful. But what kind of risk is “ I didn’t see it coming” if audit and regulatory standards tell us not to look?

            • January 16, 2021 at 1:34 PM

              I learned those approaches just a few years ago, when working for a client who is a NASA contractor.
              Here’s the book we were handed when we walked in the door https://tinyurl.com/y5zpl69g

              The “they didn’t see it coming” first has to answer the question “could they have seen it coming?” If NOT, that was an Ontological Uncertainty, and there are those of course.
              But Unknowable may also mean “we can’t afford to know that, we didn’t have time to know that.”

              Here’s the ever-growing collection of resources we use in the “narrow” field of complex SW Intensive System of Systems, which includes just about everything built in today’s world that has some capability enabled by SW https://tinyurl.com/y5jjrpkl

  9. Grant Purdy
    January 11, 2021 at 4:08 PM

    If someone told you to spend days and weeks of your time compiling a list of things that might happen, but there was no systematic or recognised method to do that that ensured it was current, correct and comprehensive; and if they also told you to use a scoring or rating system for these that had no valid or agreed scientific basis; and if all of this was described using highly ambiguous words for which there was no generally accepted meanings and which, on examination did not really mean anything much at all; and once you had produced this list you had to update it once a year but that no one really wanted to come to the meeting where you tried to do that because they could not see its relevance to what they do; and then, no one really used this list for anything important – like making decisions…

    You might conclude the whole exercise was a futile waste of time!

    In fact, unless you were a devout member of a perverse cult, where pointing out such facts is considered a heresy, you might quickly realise you could do something more worthwhile with your time and your life.

    So how did we end up here? And who are the suckers?

    • January 15, 2021 at 10:55 AM

      Then we’d call that in our high-risk / high-reward domain doing stupid things on purpose

  10. January 13, 2021 at 7:17 AM

    I think risk registers have their place. In the example you have given, Norman, I agree there are serious faults:

    1. No objectives are set and if there are no objectives, there are no risks. Without knowing the objective it is impossible to estimate the impact of the risk, should it occur. (e.g. Objective: To deliver the benefits identified in the approval document).
    2. The risk descriptions are poorly worded. If a risk occurs, it results in a loss and this should be made clear in the description. The first risk is really the absence of a control. (Risk: Benefits are not achieved because they are not clearly identified).
    3. The Likelihood, Impact and Severity columns could really be made one titled, ‘Are we worried about this risk?’
    4. There should be other columns, ‘Current status’ showing what has actually been achieved to meet the mitigating action and ‘Action necessary’ particularly to highlight urgent action.
    5. I would see the Project Manager updating the register as it changes, and the project team to review it at least monthly, with senior management being informed of any serious problems. (Your recommendations 2 and 3).

    I think asking those people involved in the project for their ‘risk assessment’ is unnecessary. What is important are the facts impacting on the objectives (costs vs budget and actual achievements vs plan). Their opinions are important in deciding how to address current problems (or seize current opportunities) and what problems/opportunities are coming up. I don’t see any point in agonising over the percentage probability that something will go wrong and how much it will cost. It will go wrong (Murphy’s Law). What’s important is having the procedures in place to spot problems/opportunities as soon as they occur and deal with them.

    David Griffiths


    • January 13, 2021 at 1:58 PM

      David, having read your comment, I think it further illustrates the problem of the word ‘risk’ as having no settled meaning. Can you tell us (precisely) what meaning you have attached to the word risk please.

      • January 13, 2021 at 3:36 PM

        If I may jump in here’s some definitions of risk we use

        – Risk is a measure of future uncertainties in achieving program performance goals and objectives within defined cost, schedule and performance constraints. … Risk addresses the potential variation in the planned approach and its expected outcome.
        – The definition of risk for this guide is a factor, element, constraint, or course of action that introduces an uncertainty of outcome that could impact project objectives.
        – risk is the potential for shortfalls, which may be realized in the future, with respect to achieving explicitly-stated performance commitments. The performance shortfalls may be related to institutional support for mission execution, or related to any one or more of the following mission execution domains: safety, technical, cost, schedule.
        – “the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.”
        – An uncertain event or condition, that if it occurs, has a positive or negative effect on a project’s objective. The key element of this definition is that the effect of the uncertainty, if it occurs, may be positive or negative on the objectives of the planned endeavor.
        – risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected.
        – Risk is defined as the probability and possible severity of accident or loss from exposure to various hazards, including injury to people and loss of resources.
        – Risk is an objective quantity applied to describe the degree of harm to a specific system of many activities and technologies.
        – potential (future) events that may negatively impact individuals, assets, and/or the environment

        And many more, from commercial and governmental glossaries

        So perhaps when people use the term “risk” a reference to the glossary they’re using would help. Those definitions above come from engineering and government agencies.

        • Grant Purdy
          January 13, 2021 at 4:28 PM


          Thank you! I think you have just proved the point that Roger and I have been making here and for some time.

          As you have elegantly demonstrated, no one can agree on what the ‘r’ word means – and it is used variously as a noun, verb and adjective – with none of the uses consistent.

          In fact, the word ‘risk’ has become a nonsense as, of course are any compounds like ‘risk management’ that are based on it.

          If I was facetious, I might suggest that it’s just too risky to use the word ‘risk’. But I wouldn’t say that, because that statement would mean nothing sensible at all.

          • January 14, 2021 at 1:37 AM

            I accept that the word ‘risk’ has many definitions and that, in the case of standards and regulations, it is important to define the word. However, this is a blog and I believe the meaning of the word ‘risk’ is clear from its context, which is not an unusual situation in the English language. If that were not the case, Norman’s blog would be completely meaningless and we wouldn’t be spending any time writing comments.
            If a weather forecaster tells me that there is a risk of rain, I don’t ignore the threat of getting wet because of the imprecise use of the word ‘risk’, I take an umbrella.

            • January 14, 2021 at 6:05 AM

              Separating the “mathematical” probability of Rain (an Aleatory uncertainty) from the probability of the failure of a bridge (an Epistemic uncertainty) from flood water is critical to having a discussion about risk.

              Risk is created by uncertainties, this is the principle of risk management where we work. Those risks start by placing them in the Risk Register. Norm makes the point (I hope he does) the Risk Register is misused, abused, misunderstood, etc. BUT that does not mean you abandon the Risk Register, else where do you record the risks in preparation for the analysis of the “Risk Impacts”

              When NOAA here in Boulder says there is a “Risk” of rain, it will have different meanings in different contexts.
              For the Colorado golf course we live on, for the players, it means no round today. For the groundskeeper and our own lawns, it means free water.

              For the construction manager on I-70 to Denver, it means a delay in work and she needs “schedule margin” to protect the delivery date for the completion of the re-paving project. For the Park Manager in Estes Park, it means there is a possibility of damage to the flood plain since the absorption of the last heavy rain is not complete. For the residents of Lyons (entrance to the park), it means there is hope it’s not a “heavy rain” like there was in 2013 that destroyed 1/2 the town.

              The “risk” of rain starts with NOAA’s “probability” forecast, which is an Aleatory Uncertainty. The listeners to NOAA’s “forecast” will assign different meanings to that “probability of precipitation in the forecast area”

              Once again here’s the resources for the Principles and Practices we use to “manage in the presence of uncertainty that creates risk” https://herdingcats.typepad.com/my_weblog/2019/05/a-compendium-of-risk-management-resources-1.html

              But as Yogi Berra tells us
              “In Principle, there is no difference between Principle and Practice. In Practice there is”

              So start with the Principle of a properly formed and applied Risk Management Process, which includes capturing and recording risks in a Risk Register (or whatever you want to call it). And applying the Proper Practices to create “risk-informed decisions” and don’t fall into a phrase we use in our High Risk, High Reward domain of

              “Doing Stupid Things on Purpose”

              as described in the Book

              where Risk Management was how “adults” managed the project.

  11. January 14, 2021 at 2:31 AM

    Why, exactly, is rain a “threat” Glen? A year ago in vast tracts of Australia, rain was a dream, not a threat.
    In pointing this out, I am not nit-picking. I am demonstrating the fundamental truth of what Grant says. And while you say a word can have many meanings, such a word cannot credibly be the foundation of either a belief system or a body of knowledge. Imagine if the element Hydrogen could have a wide range of protons and yet still claim to be Hydrogen. Chemistry would mean nothing, and Humpty Dumpty’s words would reign. Why, for example, would anyone use the word in a contract?
    While you offer lines and lines of text to create diverse meanings that you wish to label with the word ‘risk’ the point is, surely, that it becomes axiomatic that the label with its variable meanings (and yours are just the start of it) not only means nothing, but demonstrates that you have no need to use it in any particular situation. You have the option of just writing what you mean in plain words that everyone will understand. If a label cannot convey knowledge or precision without copious footnotes and explanations which in the end will only be applicable to the situation under consideration, why use it? It adds nothing (except confusion). And yes indeed, that is indeed Norman’s challenge.

    • January 14, 2021 at 3:08 AM

      It’s late evening down under and I realise that I have inadvertently provided an omnibus reply to both you Glen and David. Hope it’s helpful all the same. Cheers Roger

  12. January 14, 2021 at 4:03 AM

    Interesting discussion from my esteemed colleagues. I have worked with dozens of companies over the years implementing risk management frameworks etc., mainly within the insurance industry. Unfortunately I continue to see the use of risk registers that have no context, no understanding of the key risk drivers and their effect. As a result, the only place it gets reviewed is the risk committee, and it’s every quarter. These registers have no connection to any key decisions and therefore fail to generate meaningful conversation by the CEO or the C-Suite. How can you assign a single likelihood and impact value when you can have multiple ranges?
    Now some of the more mature financial institutions have moved away from risk registers and started to use risk scenarios whereby a what-if approach is used and tested against the assumptions underlying the objectives. The focus is on the effect on the objective and the size defined in monetary terms. The monetary impact is calculated against a series of likelihood ranges from 12 months to once every 25 years. So you end up with an expected frequency (less than a year), unexpected frequency from 1:7, 1:10, 1:25 etc. and extreme frequency 1:50 etc.
    Risk Registers do have a role to play but risk managers need to treat them as much more than a list of risks. Certainly at an operational level, bottom up risk registers if done properly could add value.

    • January 14, 2021 at 5:33 AM

      But here’s the thing Syed. If ‘risk registers’ are not a ‘list of risks’ (which apparently, according to what you say, most ‘risk managers’ believe them to be) what are they? But whatever ‘they’ are, why do ‘they’ need a label, and why choose a label which is so disputed? As Grant and I say in our book “Deciding” (in pointing out the futility and redundancy of jargon) “let’s face it, the human race functions very successfully communicating in its normal languages”. There is no need to invent a label for whatever it is that you (or others) are referring to …. even more so when dozens of other people want to use the same label for something else.
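The scenario approach Syed describes earlier in this thread (a money impact per frequency band, rather than one likelihood cell and one impact cell) is easy to make concrete with a small simulation. The block below is an added example for this page, not code from the blog, from Syed or from any institution he mentions; the scenario, its three bands, their rates and their loss ranges are constructed assumptions chosen only to show the mechanics. It computes the single "likelihood x impact" number a register cell would hold, then simulates many years so the same scenario yields a loss distribution and an exceedance probability for a threshold the board cares about.

```python
import math
import random
import statistics

# Constructed scenario, not from the thread: "a large claims-handling loss" against
# the objective "stay within the annual claims budget". Bands follow Syed's shape
# (expected / unexpected / extreme) with illustrative, assumed money ranges.
SCENARIO_BANDS = [
    # (label, events per year, low loss, high loss)
    ("expected",   1.0,       50_000,    200_000),   # roughly once a year
    ("unexpected", 1 / 10,   500_000,  2_000_000),   # about once in 10 years
    ("extreme",    1 / 50, 5_000_000, 20_000_000),   # about once in 50 years
]


def poisson(rng, lam):
    """Number of events in one year for a band with mean rate `lam` (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def point_estimate(bands):
    """The one number a register's likelihood x impact cell collapses to:
    rate times midpoint loss, summed over bands (the expected annual loss)."""
    return sum(rate * (low + high) / 2 for _, rate, low, high in bands)


def simulate_annual_losses(bands, years, seed=1):
    """Simulate `years` independent years. Each band fires a Poisson number of
    times; each event costs a uniform draw from that band's range."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for _, rate, low, high in bands:
            for _ in range(poisson(rng, rate)):
                total += rng.uniform(low, high)
        losses.append(total)
    return losses


def percentile(values, q):
    """Nearest-rank q-th percentile (0 < q <= 1) of a sample."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(q * len(ordered)) - 1)]


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose total loss exceeds `threshold`."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def loss_summary(bands, years=20_000, seed=1):
    """What the scenario gives a decision maker that a single rating cannot:
    the spread of outcomes and the chance of breaching a specific limit."""
    losses = simulate_annual_losses(bands, years, seed)
    return {
        "point_estimate": point_estimate(bands),
        "mean": statistics.fmean(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p99": percentile(losses, 0.99),
        "p_over_5m": exceedance_probability(losses, 5_000_000),
    }


if __name__ == "__main__":
    for name, value in loss_summary(SCENARIO_BANDS).items():
        print(f"{name:>15}: {value:,.3f}")
```

The point to notice in the output is that the median year sits well below the "expected" figure while the 99th percentile sits far above it: the single cell hides both the quiet years and the tail, which is exactly why a board cannot judge "how important" a register entry is from a High/Medium/Low rating.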

  13. January 14, 2021 at 9:37 AM

    I’m a retired internal auditor and look at the above comments with a mixture of bemusement and bafflement. I don’t ever remember agonising about controls in the same way, although many definitions exist. OK, you have to understand the relationship with objectives and risks but this broadly followed the line:
    Objective: something to be achieved to get a pay increase.
    Risks: nasty events which might prevent the achievement of an objective.
    Controls: processes which lessen the likelihood and impact of risks and thus contribute to a pay increase.

    Maybe auditors don’t have enough imagination.

    • January 14, 2021 at 3:08 PM

      David, one of the realizations I made here is “risk” has not only different meanings to different people here – and I’m stretching – but “risk” in the internal audit world is not the same as “risk” in the Manned Space Flight launch vehicle business.
      Norm’s first post didn’t seem to define the specific context and domain
      The Safety and Mission Assurance (S&MA) guys are the owners of Risk Management in one of our domains and agonize over things like this https://www.military.com/video/explosions/blast/titan-iv-explosion-at-cape-canaveral/1137853205001
      Or the Program Management and Program Performance Staff (like me) have a risk register for problems like this https://cradpdf.drdc-rddc.gc.ca/PDFS/unc298/p806254_A1b.pdf
      And another domain I work in, where the Risk Register is explicitly defined and audited for National Nuclear Security Agency programs, uses this in Attachment 5 https://www.directives.doe.gov/directives-documents/400-series/0413.3-EGuide-07a-admchg1/@@images/file

      So one lesson learned in our domain, which I failed to clarify, is “in what domain and context are your Principles and Practices applicable?”

      I’d suggest there are only a few principles of risk management no matter the domain
      1. All risk comes from uncertainty – reducible risk created by Epistemic uncertainty. You can “buy down” this risk by taking specific actions. Irreducible risk coming from Aleatory uncertainty. You can’t “buy down” this risk, you can only “handle” it with margin. BTW “handling” is one of several strategies.
      2. Capturing the risk can be done in many ways, but must include subject matter experts. There are several ways of “assessing” the severity and impact of the risk, depending on the domain. Some examples in one domain we work are shown here https://ntrs.nasa.gov/citations/20100021361
      3. The efficacy of the handling strategies needs to be modeled to increase the probability of showing up on time, on budget, with something that works. In other domains the efficacy of the handling strategies needs to show “reduction of risk” – Cyber Security, Fraud, Waste and Abuse, Banking security (Chase still doesn’t have two factor authentication for the risk of someone stealing your name and password). And others.
      4. Continuous Risk Management is built into many domains. Another example from our domain https://www.slideshare.net/galleman/continuous-risk-management

      So without a domain and context, it leaves a gaping void to “argue” about the meaning of a simple word – “what is risk?”

    • Grant Purdy
      January 14, 2021 at 6:00 PM


      While this blog has clearly demonstrated that what you say about risks (or is it ‘risk’?) and objectives is not accepted by most of the rest of the people who have commented here, my understanding is that even the IAA have not yet agreed whether a ‘control’ is a ‘thing’ or a process.

      However, I have to agree with your last comment!

      • Grant Purdy
        January 14, 2021 at 6:01 PM

        Sorry, it should be IIA, not IAA!

    • January 14, 2021 at 6:11 PM

      I like your words
      Risks: nasty events which might prevent the achievement of an objective.
      Controls: processes which lessen the likelihood and impact of risks and thus contribute to a pay increase.

      Our domain calls “controls” “handling strategies” which is a “process” for “handling” the risk produced by the Uncertainties (epistemic or aleatory) that produces a risk.

      • Gerry Ortnr
        May 2, 2021 at 8:43 PM

        I have never come across a post so full of wind.
        I looked up “Risk Register” because there is a very annoying wind bag at my place of work that is making a good living wasting company resources just to hear himself talk. It’s now very apparent to me that this is a wide spread problem. I’m a professional engineer and a very good one. I’m an absolute fantastic problem solver. I could do more for my company if I didn’t have to deal with the bullshit that you people are going on about. You get in my way. You are a problem not the solution you claim to be. The proof is right there above my take on this. You all have too much time on your hands. A good engineer would not spend any more time on this bullshit than I just did.

  14. January 14, 2021 at 8:23 PM

    “Risks: nasty events which might prevent the achievement of an objective.” Yet another demonstration of the fundamental problem I’m afraid as this version establishes ‘risks’ as events that are certain. Novel, but hey, why not? Join the queue, it’s a free for all after all. It makes even less sense to talk about the ‘definition’ of ‘risk’ when a word can have an unconstrained number of meanings. Which is why the word ‘risk’ is never ever more than a ‘label’ for a particular idea in the head of the user which in turn raises the question (as I have above) as why use the label when, to convey what you mean when you use it, you have to explain what lies beneath the label. In which case, why use the label? Just say what you mean eg “it could rain tomorrow”.
    The label is therefore meaningless unless we know what it is labelling in the specific instance. In other words, as a form of communication to convey what is meant, ‘risk’ is both useless and unnecessary. But it’s worse than that because at very least it cannot avoid creating uncertainty (ooops! ….now where have we heard that before? and how would that help?) and at worse confuse or mislead.

    • January 14, 2021 at 10:09 PM

      The event has a Probability of occurrence, due to Epistemic uncertainty.
      This approach does not establish the “event” as certain but as a “probability of occurring”.
      There is a non-zero probability the world will end with an event that will occur through a collision between the Earth and a Large Celestial Body.

      These are “probabilistic events”, not certain to happen, but also certain to not happen.

      Epistemic Uncertainties are “probabilistic events in the future”.

      ALL risk can ONLY come from 3 types of uncertainty:

      – Epistemic Uncertainty – is an uncertainty that comes from the lack of knowledge. This lack of knowledge comes from many sources. Inadequate understanding of the underlying processes, incomplete knowledge of the phenomena, or imprecise evaluation of the related characteristics are common sources of epistemic uncertainty. In other words, we don’t know how this thing works so there is uncertainty about its operation.

      – Aleatory uncertainty – is an uncertainty that comes from a random process. Flipping a coin and predicting either HEADS or TAILS is aleatory uncertainty. In other words, the uncertainty we are observing is random, it is part of the natural processes of what we are observing.

      – Ontological uncertainty – is an uncertainty that represents a state of complete ignorance. Not only do we not know, but we don’t even know what we don’t know.

      These are three Immutable definitions of uncertainty that create risk, independent of context, domain definitions

      Start with Principles, and then you can turn those into practices for your domain.
      Here’s some background, starting with Aleatory Variability and Epistemic Uncertainty

      Click to access C05.pdf

      Again these may not be terms used in your “corporate finance risk or auditing” world, but they are the mathematical basis of Risk Management as a “Principle” that is “localized” into a “Practice” in many different domains


    • January 15, 2021 at 1:52 AM

      Roger, we have a fundamental problem which comes from using the English language. You use the phrase above, ‘it could rain tomorrow’. This is subtly different from ‘it may rain tomorrow’ or ‘there is a risk it will rain tomorrow’. ‘It could rain’ implies that rain is not impossible but gives no indication as to whether rain is likely. The other phrases imply that there is a probability of rain, however small.
      This is why I believe that there is no point in ditching the words ‘risk’ ‘control’ etc. Any other words used are just as likely to be open to many definitions. We should be concerned about the concepts behind the words. Just because we can’t agree on the definition of the word ‘risk’ doesn’t mean we don’t have anti-virus software on our computers because of the risk/threat/chance/possibility of data corruption from a virus.

      • January 15, 2021 at 10:36 AM

        Standard forecasts in the US from NOAA give a “probability of rain over the forecast area” https://weather.com/weather/tenday/l/Boulder+CO with a percentage chance of rain.
        The probability of rain is an Aleatory Uncertainty, creating the “risk” of rain in the forecast area.
        Aleatory uncertainty is “naturally” occurring and unless you’re a Deity you’re not going to be able to “remove” that probability, so bring an umbrella

        • Norman Marks
          January 15, 2021 at 10:41 AM

          The probability of rain is for even a trace. But there is a range of levels of rainfall, from trace to downpour – and each has a different likelihood.

          That is important

          • January 15, 2021 at 12:08 PM

            Yes, and that’s explicitly defined by NOAA
            But those measures are not “subjective” – from a little to downpour, they’re definitive numbers over the forecast area https://www.weather.gov/ffc/pop

            • Norman Marks
              January 15, 2021 at 12:23 PM

              But what is important is to understand how the different levels of rainfall might affect your business

              • January 15, 2021 at 12:34 PM

                Yes, and those are defined by those “accountable” for the success of whatever the rainfall impacts
                – If that’s a project manager on a highway project, she’ll have a definitive assessment of the schedule delay for rain delays using the NOAA historical database and build that into the schedule margin. The rain delay is carried in the Risk Register, with the probability model from NOAA and the probabilistic impact assessed using a Monte Carlo Simulation in the scheduling and cost tool.
                – If that’s the launch manager (USAF) at Vandenberg, on the possibility of launching in rain, modeling by the Vehicle engineers (Lockheed Atlas V Heavy, where I work sometimes) on the probability that the flight will not perform properly.

                Remember Rain is an Aleatory uncertainty, which can ONLY have margin has a risk handling strategy.. For the Epistemic uncertainty, “risk buy down” activity can be used to “reduce the probability of occurrence” and “reduce the impact of the risk were it to turn into an Issue.

                • Norman Marks
                  January 15, 2021 at 12:38 PM

                  …and how would a project delay affect the business? What objectives might be affected and by how much? What is the range of delays?

                  • January 15, 2021 at 12:58 PM

                    Yes, that starts with the “cost of delay”, a definitized measure of cost and schedule, tied to revenue or contractual performance.
                    “Theory of Constraints” is one framework for that, as is “Real Options” connected to “Value at Risk”.

                    Where we work, all those assessments and their impacts – Epistemic and Aleatory impacts – are usually contained and modeled in an Integrated Program Performance Management System, the Supply Chain Management System, or some ERP based model of the business process.

                    E.g. at GE Aircraft Engines, any and all the risks, starting with the Risk Register (one compliant with the FAA Risk Management Handbook and DO-178D), trace the lowest level risk to the Balance Sheet of the business division, so “risk informed decision making” is performed every single day of the design, development, deployment, operation, through retirement for all their products.

                    This approach was instituted after the United Airlines crash traceable to the faulty Aluminum raw billet for the center engine, where GE could only trace the source and processes of that raw material. I was a team member of a vendor that installed a fully electronic system to trace from the mine in Tobago to McDonnell Douglas (then Boeing) to SAP and the balance sheet.

                    As well, MD installed an end-to-end risk management system, since the “fault” was a design flaw of a hydraulic line running through a single point of failure channel in the vertical stabilizer.

                    We had “all hands on deck” for an end-to-end risk management assessment process from engineers all the way to the CFO of GE ACE Cincinnati.

                    All risk captured in a Risk Register compliant with DO-178 and other safety and safeguard regulations – ISO 15845:2014, which defines the PROPER formation of Risk Registers, not “willfully ignorant” use of the RR.

                    What you describe in your examples of bad RR use, we’d label as Willful Ignorance and we’d conduct a Root Cause Analysis of what you’ve observed.

                    And then require Corrective and Preventive actions to remove the “condition” and “actions” to eliminate the results you describe.

                    • Norman Marks
                      January 15, 2021 at 1:51 PM

                      Very interesting and I thank you for sharing.

                      How do you aggregate multiple sources of risk to a single objective so you can see the big picture – not forgetting that you also have to weigh in the rewards of taking risk?

                  • January 15, 2021 at 2:04 PM

                    For some reason there was no way to reply to this…

                    Very interesting and I thank you for sharing.

                    “How do you aggregate multiple sources of risk to a single objective so you can see the big picture – not forgetting that you also have to weigh in the rewards of taking risk?”

                    The answer is we use Design Structure Matrix which is called a Risk Structure Matrix. Here’s an example in our domain

                    The Arena tool provides modeling capabilities for both risk and reward. But Ed Conrow cautions about “opportunity management” as part of Risk Management http://www.risk-services.com/conr_ma08.pdf

                    But there are tools (some free) for modeling risks, their interactions, propagation, and loops.

                    Risk propagation is a critical concept in our domain, since NO risk stands alone in anything other than a trivial system, for example


  15. January 15, 2021 at 5:50 AM

    Oh dear.
    David, you say the following: ” ‘ it could rain tomorrow’. This is subtlety different from, ‘ it may rain tomorrow’.” There is a VAST difference. The first speaks of the possibility of rain whereas the second gives permission for it to rain which of course is absurd unless you are the big guy upstairs. Perhaps you are unaware of the fundamental differences in the two words ‘may’ and ‘might’ with ‘may’ relating to permission/entitlement and ‘might’ to possibility. So assuming you did not intend to say something absurd, I guess you meant ‘might’ in which case there is no difference, subtle or otherwise. All of this is normal English with words carrying their distinctive meaning.
    If one wanted to give some indication of the likelihood of rain, then one would add some qualifying words either of a numerical or relative nature – but again, using ordinary words having their ordinary and distinctive meaning so that everyone knows what is meant. Hence one could say ‘it is likely that it will rain tomorrow’ or ‘there is a 30% chance of rain tomorrow ‘.
    And if it was desired or required to convey some understanding of when in the day tomorrow it might rain, then again some ordinary words would be added such as ‘in the morning’.
    In sharp contrast to the clear expressions above, the expression ‘there is a risk of rain tomorrow’ conveys nothing in particular because, as has been explained ad nauseam, ‘risk’ is a word that is used to label a very wide range of ideas. Why would one do that? What is the extra idea that you think you are conveying?
    And as to your claim that – “Any other words used are just as likely to be open to many definitions.” there is simply no truth to that claim – as demonstrated above. But even more importantly, there is no point in using a word that then has to be explained in order to convey the intended meaning. As I explained yesterday, using such words achieves and adds nothing of a positive nature but is quite likely to cause confusion when confusion is either required or helpful.

    • January 15, 2021 at 10:45 AM

      Roger, this is back to a fundamental issue with the thread.

      ALL risk comes from uncertainty.
      There are ONLY three types of uncertainty:
      – Epistemic
      – Aleatory
      – Ontological

      “The risk of rain tomorrow” requires a probability of occurrence of that rain, as in the examples here https://weather.com/weather/tenday/l/Boulder+CO

      This probability comes from the NOAA risk modeling software, in the same way as the Golden, Colorado Earthquake prediction models of Aleatory Uncertainties from earthquakes.

      The Epistemic uncertainties of building damage “when” the earthquake occurs are part of their model as well.

      This thread fails to define the immutable sources of risk – Aleatory, Epistemic, and Ontological https://criticaluncertainties.com/2009/10/11/epistemic-and-aleatory-risk/

      Click to access 084379.pdf

      The gap seems to be how to apply these Principles to the Corporate Risk World that started this thread. THEN questions of Risk Registers and decision making might be the next step. But the OP failed in acknowledging the immutable sources of risk. This is common in domains outside science and engineering.

      • January 16, 2021 at 4:44 PM

        Glen, you commence by saying: “Roger, this is back to a fundamental issue with the thread. ALL risk comes from uncertainty.” whereafter you share pages and pages of cut and pasted material about forms of uncertainty as if (it seems) that either explains or is meant to explain the meaning of risk.
        While your words ‘comes from’ are rather imprecise (and certainly don’t mean ‘is a synonym for’ and can’t mean ‘is etymologically derived from’) it’s hardly revelatory that if pressed, many who talk about ‘risk’ would acknowledge some connection with being uncertain. But that doesn’t explain what risk means. Certainly if anyone wants to talk about uncertainty, that is what they should do and can, if necessary, draw on the interesting material you have provided. But a discussion of uncertainty is not helped by framing it (or polluting it) with a word of near infinite meaning. Interestingly, this is immediately evident from the excellent first paragraph of the Introduction in the Skandia paper.
        I guess this is one of my key points. Whatever risk is thought to mean, we don’t need it.

        • January 16, 2021 at 5:26 PM

          Roger, what domain do you work in?
          Can I assume in Australia you’re applying ISO 31000?

          Are the “risk management” guides in your domain beyond 31000, from professional orgs, government agencies, or certifying agencies?
          If so, use their definitions.

          Your definitions of “uncertainty” may well have no connection with ours, or 31000.

          But start with ISO 31000 definitions and use this as a framework https://tinyurl.com/y2nd3ss3

          So are you a frequentist or a Bayesian?
          Your basis of definitions may be different, so please provide some background if you can.

          • January 17, 2021 at 3:34 PM

            The most accurate description of my ‘domain’, is life. As with everyone else, I make decisions and thus, as with everyone else must deal with uncertainty in the guises that manifest in the activities of the day. You can get a whiff of what I’ve got up to on our website https://sufficientcertainty.com/what-people-have-said-about-deciding/ .
            You seem to enjoy silos and labels; in my experience, real life doesn’t work that way. We mainly use our available vocabularies rather than labels to make decisions. Hence, while you seem to want to treat uncertainty as a label so that some contrived meaning can then replace its ordinary meaning, I see no need at all to do so. Nor will it be successful because people understand and use its ordinary meaning.
            While uncertainty manifests in many shades some of which you have discussed, in the end all falls within the umbrella of its ordinary and universal meaning – i.e. ‘not certain’.
            To answer your question about Australia and ISO 31000, Australia is a country of 25 million with over 8.5m organisations with a legally registered Australian Business Number. Only a very small fraction of those 8.5m organisations will have heard of, much less use, ISO 31000 (even though it has been formally adopted as AS/ISO 31000) or any other codified document about ‘risk management’. That is also the case with the adult population – i.e. it is not used in personal decision making. Despite that, most decisions are reasonably successful.
            This non-use is not surprising as it is also the case in all countries due, I suspect to the inherent shortcomings and irrelevance of RM generally to the daily challenge of decision-making (Grant Purdy and I discuss this in our book “Deciding”).
            That said, there is engagement with ISO 31000 in some of the larger commercial organisations in Australia and in government and some of the larger NFP organisations; however, Grant and I know from our direct experience (and as active participants/authors in the original development of that document) that it is inevitably applied in the breach (which is also not surprising) and has at best sporadic day to day relevance to the few organisations that use it despite the RM edifices that many of their consultants encourage them to build (which is why in “Deciding”, we describe RM and its paraphernalia – such as described in 31000 – as a dispensable ‘millstone’). It has only got worse with its revision.
            As to your (rather odd) suggestion that I “start with ISO 31000 definitions” I am reminded of the story that we have repeated in our book of the lost traveller asking an Irish farmer for the way to Dublin to which the farmer replied “If you’d be going to Dublin Sir, oid not be starting from here”. So if you don’t mind, I won’t!

            • Norman Marks
              January 17, 2021 at 3:52 PM

              Yes, agree that practice is hugely imperfect

            • January 17, 2021 at 4:22 PM

              What’s the largest project, program, business in what domains you’ve been personally accountable for the success of with these profoundly interesting, and perhaps heretical ideas?

              • Norman Marks
                January 17, 2021 at 4:27 PM

                Glen, I was a senior executive of a $50bn corporation.

                • January 17, 2021 at 4:49 PM

                  OK, but I’d suggest your “risk” is not my “risk” and I have come to understand that too late.

                  I work large manned space flight, nuclear power, nuclear weapons, petrochemical, INTEL, ship building, aircraft building, and enterprise IT Projects and Programs, where risk management is guided by acquisition regulation, ISO 31000, ISO 26262, OSHA 1910.119, and European versions of those, with the Risk Register definitely specified along with the processes and practices for the RR’s use.

                  That risk management is 100% focused on showing up on-time, on-budget, with 100% contract compliant capabilities. And that management process starts with the risk register as the “document of record” for the Risk Management Process.

                  The misuse of the RR happens, but not for long, since compliance with the Risk Management in accordance with the regulatory guidance process is “surveilled” monthly with the submission of the integrated program performance management report (audit is not a politically correct term where we work 😈).

                  Your risk management is unlike my risk management.

                  My mistake

                  Thanks for the conversation

              • January 17, 2021 at 4:44 PM

                See my comment to you below. I helped organisations I worked for and with often make decisions involving over $10b and in saving 100,000’s of lives.

                • January 17, 2021 at 5:07 PM

                  What domain, in what role, what domain?
                  I work “Acquisition Category 1 (>$5B US)” development programs.

                  • Norman Marks
                    January 17, 2021 at 5:24 PM

                    VP Internal audit and CRO, involved in many huge projects and participant in top executive strategy, planning, and other meetings. Also a VP in IT responsible for building two data centers.

                    • January 17, 2021 at 5:48 PM

                      OK, but not on the program delivery side, but on the Corporate side.
                      Had I realized that with the first response I’d not have posted.

                      So in your datacenter build out (I’ve done those) did you have a risk register for all the work that had at least those 12 columns I posted earlier?

                      Because ITIL tells us the objective of Risk Management is to identify, assess and control risks, including analyzing value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats.

                      And in the IT Datacenter world – if you’re subject to ITIL through SarBox –

                      “Risk can be defined as ‘the potential for damage, loss or destruction of an asset as a result of a threat exploiting a vulnerability.’”

                      In ITIL books, risk is defined as “a possible event that could cause loss/ harm or affect the ability to achieve objectives.”

                      And ITIL tells us…

                      Risk Register: is the database which keeps track of identified risks and subsequent counter-

                      In BAI01.10 of COBIT V5 (the last time I worked an enterprise IT project – at Big name Health insurance provider here in Denver) tells us…

                      “Manage programme and project risk. Eliminate or minimise specific risk associated with programmes and projects through a systematic process of planning, identifying, analysing, responding to, and monitoring and controlling the areas or events that have the potential to cause unwanted change.

                      Risk faced by programme and project management should be established and centrally recorded” in the Risk Register (as stated in the output section on page 125 of V5).

                    • Norman Marks
                      January 18, 2021 at 7:50 AM

                      Glen, I was on the corporate side and that included being on the board for projects like yours.

                      Why do you keep focusing on the weeds instead of the big picture? Those in the weeds need to try to see the world from the perspective of the decision-makers and provide them with the information they need.

                      ITIL is a decent guide, but it is not the law.

                      Even ISACA’s COBIT5 (and its predecessor RiskIT) tells us to look at everything as a risk to the business, not just to the project.

                      Why would I impose a detailed list of risks requirement like your 12 columns? We identified the risks, for sure, but in terms of how they would impact the project and rated each based on their potential effect on the business. When there was a more than remote likelihood of a serious impact, we would understand why in order to determine the action to take.

                      We managed the big picture and brought in both data centers on time, on budget, and with the desired quality.

                      May I ask that you set aside this focus on the weeds and try to understand what everybody is telling you?

                      Do you run your personal life based on a risk register? Do you have a list of risks when you are thinking about going to the grocery store?

  16. January 16, 2021 at 4:00 AM

    Norman, you ask in your original question, ‘What’s wrong with a typical risk register?’. The above comments indicate there is quite a lot wrong but there is one aspect which is right – it exists. Isn’t that better than nothing? There is the argument that it is a complete waste of time, especially as no-one can agree on the definition of a risk, but I would argue that the concept of a risk is sufficiently understood to make the compilation of a register and its regular update in project team meetings better than nothing. At worst, it should promote a structured discussion about problems and opportunities, both current and future. Its danger is that everyone believes that it lists all the possible benefits and problems – which is where good project management comes in.
    Roger has asked above, ‘Can you tell us (precisely) what meaning you have attached to the word risk please.’ What’s the need? Surely I need only to outline the concept in order for people to recognise circumstances which impact on objectives. I don’t see the need to produce a definition which only a few understand (and which would be subject to much disagreement).
    As an internal auditor I found I could check the proper operation of controls required to ensure the achievement of the company’s objectives without the need to precisely define any terms.

    • Norman Marks
      January 16, 2021 at 6:25 AM

      David, sometimes a bad risk register can do more harm than good. For example, if the list of risks is given some level of attention and then put in the past as the discussion turns to the project or strategy. In other words, if risk is discussed as a topic distinct from performance – considering it because you have to rather than want to.

      But a list of risks (and opportunities) that links to performance and objectives (not Purpose, as I will share in a new post) and provides actionable information has great value.

      I wouldn’t throw the baby out with the bath water, I would fix the bath and care for the baby.

      • January 16, 2021 at 7:33 AM

        Nicely put!

      • January 16, 2021 at 9:03 AM

        Norm, Bad Risk registers cause problems. But that’s NOT the fault of the Risk Register in Principle or in Practice.
        “It’s a poor workman that blames his tools.”
        What’s missing here and in many places we work starts with the confusion between Symptom and Cause.
        – What is the “cause” of Bad Risk Registers?
        – What are the “conditions” that create the Symptoms of the example you describe?
        – What are the “actions” that create the Symptoms of the example you describe?

        Without finding those Conditions and Actions, no Corrective or Preventive actions are going to be effective.

        I’d suggest these principles are applicable in all domains from the corporate governance risk to flying to Mars https://tinyurl.com/y6dbaohj

        So the core issue with the Original Post seems to be missing the Root Cause Analysis.

        And since RCA is the foundation of all risk management – “why does this condition and/or action create the Epistemic or Aleatory uncertainty that creates risk” – without the RCA there is little chance of having a good RR or any of the handling strategies needed to reduce or eliminate the sources of risk.

        • Norman Marks
          January 16, 2021 at 9:25 AM

          Glen, I appreciate the value of root cause analysis. But the “core of the problem” is that people are overly focused on the roots of a tree and not the health of the planet.

          • January 16, 2021 at 4:10 PM

            That one got me flummoxed Norman! Last I recall from when I briefly taught biology (admittedly a while ago), the roots are an intrinsic part of the plant and have a very great deal to do with its health. But what you say has a familiar ring as, even in these columns, many who talk about ‘risks’ do so as if said risks are externalities.

  17. January 16, 2021 at 6:09 AM

    I was just thinking about how the world would be if it could only communicate in ‘concepts’. Imagine a contract written in ‘concepts’. Imagine news reports written in ‘concepts’. Imagine an engineering design specified in concepts. In any case why would anyone communicate in concepts if they had the option of using ordinary words with their ordinary meanings? None of the many things you have written here explain why we are not able to communicate without using the word ‘risk’ – especially when, according to what you say, it is apparently no more than a concept, of which, apparently, there are many that qualify for that label. Even concepts need to be able to be articulated…..which is rather tricky, I would have thought, if both the concepts and their meanings are fluid.
    As to risk registers being ‘right’ just because they exist (if I read you correctly) what does that say about the flat earth ‘concept’. There was a long period of historu in which it reigned supreme.
    And it’s not just that the problem with risk registers is that there is no agreement about the meaning of the vital adjective that makes these ‘registers’ distinctive from, say, the register of births, deaths and marriages or the register of members at the local tennis club. The problem – as Grant Purdy explained at length earlier in this blog (which you may have missed) – is that there is no clarity whatsoever about what is being ‘registered’! Furthermore, as Grant points out (and in fact, anyone who thinks about these things for a moment or two will soon conclude) there is invariably no clarity about the organisation’s purpose to which the entries in the register relate, or the prevailing conditions both within and external to the organisation and in the wider world that prevailed at the time each entry was compiled, no record of the underlying assumptions, no validation of the (apparent) mathematical manipulations used in their compilation, rarely details of those who participated in compiling the register or who were consulted (or what they were told) and most of all, no validated and coherent statement of purpose and method of development. And as Grant has said, the problems only start there! Which of course is why few bother to refer to them when they make decisions. They are either not accessible anyway to those who make decisions, or, axiomatically (even in the absence of all the other problems) once completed, they immediately become a relic.
    Finally, in relation to your statement “As an internal auditor I found I could check the proper operation of controls required to ensure the achievement of the company’s objectives without the need to precisely define any terms.” I can only say that anyone can do anything but if it is to be of value to others, whatever it is, must be clear. Btw, I can’t imagine any external auditor having the same view ….. unless they were indifferent to the views (and premiums) of their PI insurer!!

    • Norman Marks
      January 16, 2021 at 6:27 AM

      Roger, Mr. Kettle. I will just say one word: Purpose. I will share my views on that in a new post and look forward to your response and comments.

      • January 16, 2021 at 4:18 PM

        That one’s a bit cryptic for me Norman! However, as always, I will look forward to your views about Purpose (of course, in the end, the purpose is the purpose). As you know, Grant Purdy and I have quite a bit to say in our book “Deciding” about Purpose in relation to making decisions (see: https://sufficientcertainty.com/.) I have only one request however and that is that if you refer to what we say about Purpose, we are quoted accurately as you will recall there was a problem with that in earlier blogs. Cheers Roger

        • Norman Marks
          January 16, 2021 at 4:22 PM

          Roger, since I have as yet not quoted from your book, your comment about accuracy is inaccurate. I have, indeed, said something about your message in the book but you won’t see any quote marks. I am similarly not going to quote from your book in my next post – I will leave that to you.

          BTW, I strongly doubt that you have read my book, and perhaps if you did you would understand more about my ideas and messages.

          • January 17, 2021 at 3:46 PM

            Norman, I am happy to alleviate your concern by pointing out (as you will be able to confirm if you re-read my comment) that I did NOT say that you have quoted from our book (a courtesy copy of which, as you know, we managed to send to you despite these Covid times!). What I asked was that if you CHOOSE to quote from it, it be accurate. I felt justified in making that request as some references to what we say in “Deciding” that have been made previously in these blogs have, as you know, (no doubt inadvertently) misrepresented what we said (as has again happened in this instance concerning my previous post).
            As to my familiarity with your own book, I would simply note that (quite properly) any comments I make about what you say in your blogs are just that (to the extent that ….as per your previous cryptic comment…. I am able to understand the point!). However, if you would like me to read and comment on your book, you are welcome to reciprocate our gesture and send me a courtesy copy (which I will share with Grant if you would wish).
            Best regards

            • Norman Marks
              January 17, 2021 at 3:54 PM

              Roger, I am sure Grant would be only too happy to share his PDF copy

    • January 16, 2021 at 12:29 PM

      Roger, external auditors might not have the same view as me but they also don’t seem to have the same view as you. Extract from ‘Audit Methodology’ at Grant Thornton Australia:

      ‘Step two: Risk assessment
      Next we use this knowledge to assess your financial reporting risk – particularly in business-critical areas. We identify issues early to allow time for thorough investigation and resolution.’

      I didn’t manage to find a definition of risk on their site, although I did find many occurrences of the word ‘risk’, which seems to indicate that they expect their readers to understand the concept.


  18. January 16, 2021 at 3:47 PM

    Don’t worry David. I’ve never said you are alone in seeing significance in a word that unlike almost every word in our language, has no coherent or widely shared meaning. (As I mentioned above with respect to the flat earth concept, “There was a long period of historu (sic) in which it reigned supreme.”) I think we can anticipate that the reign of the risk concept will be shorter……but it certainly has provided opportunities to many of its adherents to illustrate their affection for another concept ….. that of the eternally shifting argument!

    • Norman Marks
      January 17, 2021 at 6:37 AM

      Glen, thank you for sharing.

      I have a serious problem with the article. For a start, action items need to be tracked and the risk register is a poor place to do that. Then, it remains a list of stuff that can go wrong without any context.


      BTW, my name is Norman

      • January 17, 2021 at 2:41 PM

        Norman, then I’d suggest you’re misusing the RR.
        – No credible risk management process “makes lists of what can go wrong and ignores them”
        – Any action item must be traced in the source document it is created in

        Read Attachment 5 of https://tinyurl.com/y3wm4txa

        and start with the section

        “Risk Handling Strategy: Step-by-step (similar to a project plan) approach to eliminating or
        reducing the risk if no avoidance strategy is immediately available; includes the dates for completion. Include the probability of success for the risk handling strategy and consider
        probabilistic branching to account for the handling strategy failing.”

        That’s direct actionable outcomes recorded in the RR and reflected in the Corrective Action Plan, with assigned resources and funding in the Integrated Master Schedule, defining the work needed to increase the probability of success in the Integrated Master Plan, directly traceable to the business strategy.

        We apply 6 to 8 similar guides to manage in the presence of uncertainty at the corporate, portfolio, or program level that creates the risk to business or project success completion.

        You may not work in such an environment, but your claims about “bad risk registers” and the “buzz words” tell me you have little interest in learning how others have successfully applied RR, Risk Management, and Strategic management.

        • Norman Marks
          January 17, 2021 at 2:55 PM

          Glen, I think you are missing the point: a list of risks (RR) does not help you decide how much to invest in addressing them, whether to take more risk, or which risk to take.

          • January 17, 2021 at 3:57 PM

            I’m not missing any point Norman, the RR captures the risks and the data associated with them.

            Making decisions about “investments” to increase the probability of success USES the Risk Register as the document to capture information to be used as input to the “risk informed decision making” processes. as defined in all the processes we use

            Here’s one example, of many in our domain of product and services inside business governance processes https://tinyurl.com/y5zpl69g

            Again the RR is the captured document, used by many other processes in “risk informed decision making”

            – Investment decisions
            – Cost and schedule forecasting
            – Customer strategy plans
            – ROI for any expenditures – internal or external funding

            and the biggest one of all, that is asked every week at the status standup

            “What’s your probability of success for the work we’re paying you to deliver in exchange for the money we’re paying you?”

            EVERY SINGLE risk (reducible and irreducible) impacting that Probability of Business, Technical, Customer, Operation, Compliance Success is held in the Risk Register. The RR is the single source of truth for all we do, all our suppliers do, all our customer partners do that impact that probability of success.

            If it’s not in the Risk Register, it’s not a risk. What you write about is the MISUSE of the Risk Register, having nothing to do with the need or usefulness of the Risk Register, so perhaps you’re missing the point.

            The Risk Register is the “document of record” for capturing risks to your success, as stated in our regulations:

            “… the risk register is a document used as a risk management tool and to fulfill regulatory compliance acting as a repository for all risks identified and includes additional information about each risk, e.g. nature of the risk, reference and owner, mitigation measures.”

            “The risk register includes all information about each identified risk, such as the nature of that risk, level of risk, who owns it and what are the mitigation measures in place to respond to it.”

            And that risk register has – as a minimum – 12 key elements:
            1. Risk Category – scope, time, cost, resources, environmental health and safety, regulatory, any internal or external attribute
            2. Risk Description of the potential risk
            3. Risk Unique ID used to track the risk
            4. Risk Impact on any process, product, staff, anything considered to impact probability of success
            5. Likelihood of occurrence for Reducible Risk, Probability Distribution Function for Irreducible Risk
            6. Consequence of the Risk if it becomes an issue
            7. Risk Rank using some analysis process – Monte Carlo, Method of Moments, ROAM
            8. Risk Trigger – the external or internal activity or condition that “triggers” the risk
            9. Risk Handling Plan – the action plan for Correction, Prevention, alternative plans in the event the risk turns into an issue or the margin assigned to naturally occurring uncertainties creating risk is exhausted
            10. Contingency Plan when the handling strategy fails to correct or prevent the issue
            11. Risk Owner – the person accountable for managing the risk and implementing the prevention, correction, or contingency plan
            12. Residual risk after handling plans are applied with success

            Your domain may be different, but our domain is not wrong.

            • Norman Marks
              January 17, 2021 at 4:26 PM

              Glen, as I understand it, your RR only captures downsides and not upsides. My view is that this may be part of the information required but is at best insufficient.

              • January 17, 2021 at 4:57 PM

                Yes and No

                We don’t include “opportunities” in the Risk Register
                Those are held in a separate database per advice and oversight of “Our” thought leader and the firm hired to oversee acquisition performance Aerospace Corporation https://tinyurl.com/y366t74d

                with this guidance – “opportunity is not a positive risk” since they don’t have the same “units of measure.”

                This is the Flaw of Averages (Savage) fallacy. Ed tells us


                Again you’re likely in a different domain

            • January 17, 2021 at 4:40 PM


              Just a bit of background. Norman, Roger and I have, collectively, well over 100 years of practical experience in helping organisations make better decisions. We have all struggled to help organisations implement a useful form of what is generally (and misleadingly) called risk management which invariably has involved a list of what they think are ‘risks’.

              Now, in my case (and I suspect this is also almost certainly the experience of Roger and Norman), these ‘lists of risks’, however many columns they have and whatever the description of those columns, have invariably not been developed using any process that ensures they are coherent, comprehensive, current and correct.

              Despite what you might believe, just because something appears in a risk register does not mean it’s a ‘risk’ (whatever that term means) and vice versa.

              The other fact I can relate after working with literally 100’s of organisations (for profit, not for profit and government in over 30 countries) over the last 30+ years, is that rarely, if ever, are these documents respected by senior management and used in any form of decision making. Now this may be because decision makers intuitively realise that the list they are being provided with is not coherent, comprehensive, current and correct. However, on discussing this fact with numerous senior managers and board members, the simple reason given is that they don’t see the information listed there as particularly relevant to a particular decision they face. Simple as that!

              They see the whole risk register creation exercise as a sideline to the normal running of the business – an encumbrance that is tolerated because some regulator or code requires it. Often, to be frank, organisations just do it for virtue signalling reasons only.

              The other fact is that, as Roger has said in this blog, even in the most regulated countries in the world, the majority of organisations do not do any of this or, at best, just pay it lip service.

              Now that has not prevented many regulators and others insisting that lists of risks be created and maintained, normally as a result of a process that involved:
              1) a genuine wish by organisations to be well governed and avoid mistakes;
              2) consultants and specialists who set up claims that following the cult (with its own language, symbols and artefacts – like risk registers) would ensure success and would aid decision making, even though there is no evidence for that;
              3) the codification of all that by those consultants and specialists to give the impression of creating knowledge;
              4) the setting of compliance obligations by governments and other bodies or setting requirements in contracts that mandate the adoption of a particular code – almost without justification.

              As you can imagine, all this has generated a lot of revenue for consultants and software manufacturers, training course providers, auditors etc. And this fact alone seems to ensure that ‘risk management’ edifices are continually created and continually change with their accompanying complex and inconsistent language and definitions. The end result is that some organisations, like those in your domain, continue to be deluded into thinking that all this ‘stuff’ is essential and based, somehow, on a scientific body of knowledge – which it isn’t.

              At the end of the day, the test of all this is to see if any of the paraphernalia, jargon and convoluted thinking actually helps people make better decisions. And the simple truth seems to be that it does not (and cannot) and, of course, decision makers vote with their feet!

              • Norman Marks
                January 17, 2021 at 4:50 PM

                I agree with Grant, with the exception being that I still believe the investment of people and resources into risk management can be turned around. It can be changed to an activity that helps people make quality decisions. For example, by using their sophisticated tools and techniques and their facilitation tools to understand all the things that might happen so that decisions can be made based on a reliable, current, and timely big picture.

                There are a number of steps to achieving this. One is to stop using risk technobabble and instead use the language of the business executive. If we can stop using the R word, that is great.

                Another is to change the mindset from managing a list of risks to helping people make the informed and intelligent decisions necessary for success – and that includes understanding when to take what level of risk, which may be more than the current level because the reward is greater.

                There is so much to this shift to what is really effective management (how can you be an effective manager if you don’t consider all the things that might happen and be willing to take the right risks) that my last book ballooned far more than I anticipated, both in scope and length.

                The RR may be an element in effective management, but it’s best to design the staircase after you have designed the house and know what you need.

                Glen, I appreciate and value your contribution to this discussion and hope to see more in time.

                • January 17, 2021 at 5:16 PM

                  We’re back to different domains, different vocabulary.
                  The “client” of our Risk Management process doesn’t start with the business executive. It starts, and many times ends, with the Customer (Government or Commercial) Program Manager.
                  For example, the NASA Program Manager for Orion (Manned Spaceflight vehicle) has a critical need to know the probability of launching “on or before” the need date.

                  The answer to that is a “risk adjusted Estimate to Complete” in accordance with the Government Risk Informed Decision handbook

                  NO ONE on either side of the contract (Government or Contractor) sees the words in that book as “risk technobabble”; rather, those words are clear, concise, with definitive definitions, processes, and procedures.
                  Your claim misses a domain and context. Your technobabble is our definitive, immutable definition.

                  Again, it’s becoming clear to me, we’re not in the same domain or context – my mistake

                • January 17, 2021 at 5:33 PM

                  That staircase you mention IS designed; it’s called Professional Systems Engineering, with staff possessing “Certification” https://tinyurl.com/y2onqv3n in the same way a “professional engineering” certification is held by structural engineers who designed the office building you likely work in.

                  The claim “words are technobabble” is context sensitive. Having written several books on Program Performance Management with Risk Management Chapter, I learned from my publisher and editor –

                  “For your readers DEFINE the domain in which the words in the book are applicable.”

                  My mistake was to not ask you “in what domain are your words applicable” in my first response – my mistake.

                  It may well be we’re in completely different worlds where the Risk Register is misused and abused. In our domain that is NOT allowed by Federal Acquisition Regulation and if done, is cause for removal of the person, all the way to cancellation of the contract.

                  We have a phrase we use in our development world, “Follow the Program Performance Management Process Directive” written by “corporate” when there is a suggestion someone needs to do something different than what’s in the PPMPD and the PPMPD mandates a “well formed” RR updated, verified, and validated in accordance with the 12 to 18 columns, at close of business every Thursday.

                  Is that approach appropriate in your domain? I can’t say. But your suggestion that it’s not appropriate in ours is puzzling, without you stating the “domain and context” first.

                  • Norman Marks
                    January 17, 2021 at 5:40 PM

                    Glen, my “domain” is helping individuals and their organizations make the quality decisions necessary for success. That includes ensuring individuals’ safety; completing projects on time, within budget, and with desired quality; hiring the best people for the job; ensuring appropriate information security; determining which acquisitions to make and how; deciding when to take a product to market; setting prices for products and services; and ad infinitum.

                    • January 17, 2021 at 6:06 PM

                      So can I assume those decisions are made in the presence of uncertainties that create risk?

                      And that to answer all those questions you mention, those individuals and their organization benefit from having those uncertainties “recorded” some place that can be used to help them make decisions, with some attributes of the risk to their success?

                      Where would you advise them to record that information, and what information, that can be shared by all the participants in the decision making process as well as those effected and affected by the risk and the handling strategies for said risk?

                      And what in your practice do you call that “place”?

                    • Norman Marks
                      January 18, 2021 at 8:02 AM

                      Certainly, everything that might happen and would have a significant effect is recorded in some fashion – in a way that enables an informed and intelligent decision. I would not call that a Risk Register.

                      It would also be in plain English rather than technobabble like “uncertainties” and “risk”.

                      The news today says Biden is telling his aides to read what they want to tell him to their mother. If she understands it, then they can tell him using those words.

                      That’s a great test for practitioners. Consider what they want to report or communicate; imagine telling it to their mother.

              • January 17, 2021 at 5:04 PM

                OK, but just a comment

                “In the end of the day, the test of all this is to see if any of the paraphernalia, jargon, and convoluted thinking actually helps people make better decisions.”

                We have definitive, assessed, monitored, principles, processes, and procedures for managing risk created by uncertainty – baked into the acquisition regulations.

                The original conjecture that started this informative thread by “Norman” was that RRs are flawed “in principle”.

                That statement describes a Symptom of a Root Cause of “bad execution of a proper management process”.

                Blaming the undesirable result on the existence of the RR is a fallacy.

                • January 17, 2021 at 5:16 PM

                  But Glen,

                  Risk registers don’t contain the information anyone needs to help them make a decision. That is what we have been saying all along.

                  They don’t normally say what the opportunity to be exploited by the decision is and how this relates to the organisation’s purpose (or even what that purpose is).

                  They don’t say what is the desired outcome from the decision and how that relates to the organisation’s purpose.

                  They don’t express the context for the decision (internal, external or wider).

                  They don’t examine options (tentative decisions) and the assumptions involved with each.
                  They don’t say why, with the go-ahead option, the desired outcome is sufficiently certain and what the secondary elements of the decision are.

                  They don’t show what monitoring is required to ensure the desired outcomes are being achieved and that any variance in the assumptions (or context) will be detected so that the decision can be revisited.

                  In truth, they are just paperwork that is required by some code or other to be generated that, sometimes, is stapled to the back of some papers that might or might not contain the information above that might be provided to decision makers.

                  • January 17, 2021 at 5:56 PM

                    So your RR doesn’t contain:

                    – probability of occurrence?
                    – probability of impact?
                    – handling strategy?
                    – who’s accountable for risk handling?
                    – funding needed to handle the risk?
                    – and all other contents defined in numerous Risk Management Guides, either regulatory or professional orgs?

                    Then your statement
                    “In truth, they are just paperwork that is required by some code or other to be generated that, sometimes, is stapled to the back of some papers that might or might not contain the information above that might be provided to decision makers.”

                    Describes a dysfunctional org, doing, as we say in a crass manner, “stupid things on purpose”.

                    Don’t blame the RR; go find the Root Cause of why they are ignoring good management practices while spending other people’s money.

                    • Norman Marks
                      January 18, 2021 at 7:56 AM

                      Glen, doing more than is needed to be successful is wasting money.

                      Find out what decision-makers need and deliver it.

                      There is no need to develop and report a ton of detail on issues that are not significant.

                      Just because there is a ton of guidance out there doesn’t mean it is good guidance. Survey after survey show us that current practices are failing – so why keep going with them?

                      Now let me challenge you: when you look at impact and probability, are you identifying a single likelihood and impact or a range?

          • January 17, 2021 at 4:19 PM

            Along with the 12 minimum contents of a RR, here are risk management tools we’ve used, many we dropped, and a few that “manage the risk” on the programs we work.
            Each tool starts with a Risk Register with those 12 minimal contents.

            Arena Simulation https://www.arenasimulation.com/
            Arena Risk https://arenariskmanagement.com/risk-management
            Agena Risk https://www.agenarisk.com/
            Risky Project http://intaver.com/products/riskyproject-professional/
            Palisades https://www.palisade.com/
            RiskNav® https://www.thegibsonedge.com/risknav
            Risk Radar http://www2.mitre.org/work/sepo/toolkits/risk/ToolsTechniques/RiskRadar.html
            Active Risk Manager https://sword-grc.com/sword-active-risk-manager/
            Acumen Risk https://www.deltek.com/en/products/project-and-portfolio-management/acumen/modules/acumen-risk
            @RISK for Microsoft Project http://www.palisade.com
            Active Risk Manager http://www.sword-grc.com
            Analytica http://www.lumina.com
            CRIMS http://www.expertchoice.com
            CRYSTAL BALL http://www.oracle.com/applications/crystalball/
            Designsafe http://www.designsafe.com
            DMT http://www.dependency.com
            DPL http://www.adainc.com
            Goldsim http://www.goldsim.com
            Monte Carlo http://www.primavera.com
            OpenPlan Professional http://www.deltek.com/en/products/project-and-portfolio-management/open-plan
            PANDORA http://www.bmtrcl.com
            Panorama PSA http://www.panorama.com
            Pertmaster Professional + Risk http://www.prcsoftware.com/category/knowledge-base/pertmaster
            PHA-Pro 5 http://www.sphera.com/pha-pro-software/
            Powersim Solver http://www.powersim.com
            Precision Tree http://www.palisade.com/precisiontree/
            Predict Risk Analyser http://www.riskdecisions.com
            Predict Risk Controller http://www.riskdecision.com
            ProAct http://www.protectbenefitrisk.eu/PrOACT-URL.html
            Risk in Action http://www.adacel.co.uk
            Risk Matrix http://www.mitre.org
            Risk Maturity Model http://www.hvr-csl.co.uk
            Risk Radar http://www.spmn.com
            Risk Com http://www.ciria.org.uk
            RiskEZ http://www.pinyonsoftware.com
            RiskFolio http://www.pypi.org/project/Riskfolio-Lib/
            Risk Tools http://www.risk-reward.com
            Risk Trak http://www.risktrak.com
            SCRAM http://www.redbay.com.au/products/scram
            STRAD http://www.stradspan.com/products.htm

            Anyone can misuse any tool, procedure, process, or principle. But that misuse does not negate the value of the Risk Register.

  19. Michael Jensen
    January 17, 2021 at 4:58 PM

    Ok, I completely get that risk registers, heat maps, and qualitative assessment are artefacts of a risk management system that isn’t particularly effective. And I also get that risk management is much more about decision making and decision science. That all makes sense to me. And after reading some of the work by many of the people in the above comments, some of the things I’ve believed about risk management for the better part of the last two decades are now quite comical.

    But I think I’m missing a piece of the puzzle. What happens to all the data that we’ve accumulated in our risk registers? How do we ensure compliance and inform internal audit? I know a few of you have said that we should just remove them and a few of you have said to fix them. But what does that really look like?

    Let’s say out of a business unit risk register with around 20 risks on it, I have an identified risk event with 10 potential cause factors, 5 likely consequences and 50 internal controls. I have assessed the criticality of each of the controls and determined that out of the 50, 10 are essential to maintaining my low level of probability that the risk will occur. Those 10 things form part of my internal audit program.

    So if I’m getting rid of my risk register, how does all of the control and IA stuff happen? Should I be recording that elsewhere? What am I missing?

    • Norman Marks
      January 17, 2021 at 5:20 PM

      Great question.

      I would retain what is necessary to pass a regulator’s review – any compliance requirement. I might modify it to focus on those sources of risk that require continuing attention because of their potential effect on the business.

      Then I would move to understanding what decision-makers really need and see what I can do to provide them that information and support.

      One of the comments I received on a post some time back was from a CRO who had changed the name of his function from Risk Management to Decision Support. He found management eager, for a change, to open the door and use his services.

      • Michael Jensen
        January 17, 2021 at 5:50 PM

        What if I’m the regulator and I want to change the world?

        • January 17, 2021 at 6:52 PM

          Nice one Michael. By now I trust you know the answer and that “it’s easy if you try”! Our book will help with that as well.

          Best wishes

        • Norman Marks
          January 18, 2021 at 7:53 AM

          I would say to read my book rather than Grant and Roger’s, but then I am biased.

      • January 17, 2021 at 7:06 PM

        Your CRO might be right about ‘Decision Support’ but as always with labels, it depends what is meant. In our book, we discuss the possible need for an organisation to provide decision-making coaching which I suppose could be called Decision Support. BUT this should not be provided by re-badging people hitherto called ‘RM support’. It is very unlikely that there will be a match between the skill sets and thought processes required to lift the decision-making game, and those available in the RM ivory tower, but the troops on the ground will see through it (pigs and lipstick, etc) for what it is …. window dressing. New positions need to be created with a first principles definition of skills and recruitment done on that basis alone.

        • Norman Marks
          January 18, 2021 at 8:05 AM

          You are so wrong!!

          Are you saying that Grant is not a great decision-making coach?

          I do agree that many practitioners need to change their mindset, but they have tools and techniques that can be invaluable in understanding everything that might happen (against a backdrop of what has happened and is happening) and helping the decision-maker make an informed and intelligent decision.

    • January 17, 2021 at 5:58 PM

      Michael, good on you for asking the questions that are on your mind. As I read them, an adaptation of John Lennon’s wonderful song springs to mind: ”Imagine there’s no risk registers/It’s easy if you try/no hell below us/just a Risk-free sky/ …….”
      In fact, it IS easy if you recognise that all you are trying to do (and only do) is to make a decision about which you have sufficient certainty in terms of the outcome that it will deliver. Therefore, in the course of deciding, you will have had to do the things Grant refers to in his very recent post in this thread (i.e. consider Purpose, the opportunity, options, assumptions, context, uncertainties etc). Almost inevitably, you will need to expand the decision with sufficient secondary elements to achieve sufficient certainty.
      This is not a commercial, but all I can do to help you with the ‘how’ – which includes realising your Imagination of an RR-free life – is to suggest that you read our book “Deciding” – maybe after you have read some of its reviews at https://sufficientcertainty.com/. Good luck.

      • Norman Marks
        January 18, 2021 at 7:58 AM

        Roger, I have recommended your book but it will not address everything Michael needs. Of course, I think mine will help him more.

        I also recommend other books on decision making, such as the one by Hans Laessoe.

  20. January 17, 2021 at 5:31 PM

    Norman, as you might imagine, I noted the excellent focus in your first para on making decisions as that is the only mechanism organisations have (and in fact, use) to pursue their Purpose.
    I was even more enthused with your following para: “There are a number of steps to achieving this. One is to stop using risk technobabble and instead use the language of the business executive. If we can stop using the R word, that is great.”
    Problem was, you then used said word as the central theme in your following paras saying that THE issue for decision makers is deciding how much R to take and ‘to take the right RISKS’. I’m not sure you can have it both ways!
    The actual challenge for Deciders is to make decisions which, on an informed basis, provide sufficient certainty about the actual outcomes. That seems to me to be a matter of fact because, whether they say it that way or not, it is what every Decider is trying to do (with varying degrees of success). Not only is there no need to use the R word (or its related mumbo jumbo) but doing so detracts from the task. It is wholly superfluous.
    That is why in our book “Deciding” Grant Purdy and I provide readers with what one reviewer described as “a priceless and practical, step-by-step guide on ‘shedding the risk management millstone.’ [and] …. an actual checklist on how a company can move from old fashioned, and ineffective, ‘risk management’ into the ‘deciding’ model presented in the book.”

    • Norman Marks
      January 17, 2021 at 5:35 PM

      Roger, I wish you well with your book and am looking forward to your rebuttal to today’s post.

  21. Norman Marks
    January 18, 2021 at 9:04 AM


    You have identified one of the trademark issues with a Risk Register in one of your comments.

    You said that potential harms are in your Risk Register, but potential benefits are in a separate database, presumably maintained by a different function and probably measured in a different way.

    This makes it almost impossible for a leader to see the big picture and weigh the pros and cons of any decision.

    Give leaders and decision-makers the information they need, not what the books and standards tell you to do.

    • January 18, 2021 at 10:01 AM

      The separation of Risk and Opportunities does NOT mean separation of “management” of those risks and opportunities

      Your presumption that they are maintained by separate people is naive at best. NO risk management guide, book, journal paper, or risk management tool allows that, unless done with intent to do it wrong.

      Placing both in the same “register” allows the “masking” of the probability of success with the simple “flaw of averages” calculation where the impacts may be matched with benefits to result in a Net Impact masking success killing risks.
      This is basic data analytics, so take a look at Savage’s “Flaw of Averages” text.

      “It makes it impossible for the leader” is true if the leader willfully ignores the principles of risk management and the data analytics of the information produced by the risks and the opportunities.

      If the information those leaders need is not based in principles of probabilistic decision making in the presence of uncertainty (start with https://tinyurl.com/y2qlyn9z), then those decisions have no credible basis for success.

      Your problem with risk registers is that they are not properly used, either from lack of understanding, or a willful manipulation. That is a symptom, not a cause, and definitely not a wrong principle.

      All risk management starts with Root Cause Analysis, for without finding the condition and actions that create the behaviors you describe in your original post, no correct or preventive actions can be successful.

      If you claim the leader can’t see the “big picture” then they’re not using the RR properly. Both risks and opportunities are part of their decision-making process, but putting both in the same register and using qualitative and quantitative measures wipes out the visibility to individual risk, their propagation, and corrective or preventive actions.

      Your conjecture that “leaders and decision-makers the information they need, not what the books and standards tell you to do” ignores the Principles of Corporate Governance. Why would any credible leader develop a risk management process for her corporation without external guidance, in any domain, starting with IT (COBIT, ITIL), to Finance https://tinyurl.com/y3fp97zn to product and service development https://tinyurl.com/yyeep2a2?

      What kind of leader willfully ignores established principles known to have success in managing in the presence of uncertainty?

    • January 18, 2021 at 10:30 AM

      WordPress stops replies after a certain level.

      N: “doing more than is needed to be successful is wasting money”

      G: You’re restating the obvious, but who gets to decide what is needed and what is waste?

      N: “Find out what decision-makers need and deliver it.”

      G: And who are those decision-makers – internal audit? External government agencies? Governance compliance?

      N: “There is no need to develop and report a ton of detail on issues that are not significant”

      G: Who gets to decide what is significant or what is not?

      N: “Just because there is a ton of guidance out there doesn’t mean it is good guidance. Survey after survey shows us that current practices are failing – so why keep going with them?”

      G: You’ve failed again to apply root cause analysis and identify the conditions and actions that create the outcomes of your anecdotes. Freshman Data Analytics majors know better than to say “studies show.” What studies, what statistical confidence?

      N: “Now let me challenge you: when you look at impact and probability, are you identifying a single likelihood and impact or a range?”

      G: No credible decision can be made on a point estimate without knowing the variance and standard deviation of that number. This is freshman data analytics

      I concluded we’re in different worlds and you’re in “selling mode” for your services and books.

      So I’ll say goodbye and drop my following of your blog

      Stay Safe

  22. Norman Marks
    January 18, 2021 at 10:32 AM

    Glen, I am sorry to see you leave. I welcome your challenge, although I fear your mind is closed.

    • January 18, 2021 at 10:39 AM

      I fear you’ve got a message to sell based on your books and consulting, that I have no interest in listening to without established principles outside your opinions.

      Even though you claim to welcome challenges – your behavior does not confirm that belief

      • Norman Marks
        January 18, 2021 at 10:47 AM

        I’m retired. My aim is to help people improve their practices – and selling my books gives me a little income, sure, but I am rewarded by people who listen and benefit from my thoughts.

        • January 18, 2021 at 11:00 AM

          OK, I’m semi-retired but still work because I stood up the original programs and still have clearance access

          Do those people who listen to you follow principles of risk management established by external entities?

          Your comment about

          “Just because there is a ton of guidance out there doesn’t mean it is good guidance. Survey after survey shows us that current practices are failing – so why keep going with them?”

          Is nonsense in our domain, that’s where I end the conversation.

          And your failure to ask “why” (root cause) tells me you don’t understand that RCA is the Immutable foundation of ALL successful risk management processes no matter the domain and that missing understanding leads you to make anecdotes about the failings of RR’s that are missing the first step of “why” are you seeing those issues?

          Along with “surveys” say – what surveys, are they statistically sound? Since you were in the IT business, the classic survey fallacy is the Standish Report stating the failure rates of Enterprise IT failures – long ago debunked but still referenced by many “selling” solutions to enterprise IT problems

          • Norman Marks
            January 18, 2021 at 11:27 AM

            Glen, you believe you have all the answers and are closed to new thinking. I wish you well in your retirement and hope you don’t make life decisions based on a risk register, no matter how comprehensive and sound. It’s only a part of decision-making. It is NOT effective risk management

            • January 18, 2021 at 12:41 PM

              No, you’re putting words in my mouth and arguing with them, please stop.

              I “believe” there is a set of Immutable Principles for Managing Risk that are applied across all the domains we work in that have been shown to work and be the basis of the processes and practices for success:

              – All risk comes from uncertainty
              — Epistemic uncertainty is reducible
              — Aleatory uncertainty is irreducible
              — Ontology uncertainty is not allowed in our domain, if it is there, you’ve failed before the start
              – Using the “words” which you object to and are their units of measure to communicate the type and handling strategies is the basis of our risk management framework, and if not used in their definitive forms the handling strategy will fail
              – Only a Qualitative assessment of risk is of value to the decision-maker
              – Opportunity is NOT a positive risk and must be separated into its own register
              – The dozen or so “Risk Management Handbooks” and the regulatory flows down from them are the starting point for successful risk management in our domain, not personal opinions of what to do best

              And using those immutable principles when we encounter something that doesn’t work – as exampled in your opening materials about the RR – without the root cause analysis of the misfunction, as the starting point correcting or preventing that misfunction.

              And starting with those principles as framing assumptions (another set of immutable principles) https://tinyurl.com/y4pdu9ng you can prevent individuals from making up their own procedures and process in the absence of principles – which requires every process and procedure to be directly traceable to a principle, and the formal guidance that established it.

              To end, I’m not speaking about life decisions, but about risk decisions while spending other people’s money on “must succeed” projects.

              It’s your style to expand the discussion (life decisions) outside the interest of the listener, to fit your agenda, please stop.

              • Norman Marks
                January 19, 2021 at 7:09 AM


                We may be closer than it appears on the surface.

                – We agree that what might happen (which includes both risk and opportunity) needs to be considered in decision-making. I prefer not to talk about ‘uncertainty’ as that is not well-understood. Some in ISO think it’s the absence of information; others think it is a way of describing potential events (some of which are unknown). So I try, without total success, to stay with plain English.

                – We agree that what has been identified as a risk or opportunity must be captured somewhere. You have risks in a risk register and opportunities in a different database. However, I am unclear whether they are comparable so that they can be weighed against each other in an intelligent fashion (not a simple netting or average process).

                – We agree that if the effect could be significant, then you need to establish the likelihood or probability of that significant effect. That requires root cause analysis.

                – We agree that there has to be ownership of any and all corrective actions. You have a risk owner; I assert that the owner of the objective should have at least joint ownership.

                Where we disagree is in the level of detail and effort. That probably comes from our different perspectives (or domains). Many executives and boards complain that they are provided so much detail they are unable to see that big picture. I want to help practitioners try to see the world from the perspective of the people who will make business decisions that require information about what might happen. That would include project oversight board members, executive management, and so on.

                I do not view published standards, frameworks, or even regulatory guidance like Basel, as the final word. I look always to what the organization needs if it is to succeed – and the regulators, especially, are focused on avoiding failure rather than optimizing the likelihood of success.

                I appreciate your commitment to the effective management of the organization and to the practice of risk management.

                Thank you for your comments.

  23. January 18, 2021 at 1:29 PM

    Err hello Glen!! I think the answer might be that if you don’t like what you hear, don’t ‘listen’ (as you put it). In any event, I wouldn’t have thought it is for anyone choosing to participate in an on discussion such as this to presume to tell anyone else what they can and can’t do – much less the proprietor of the blog. Retired and cleared or not (by the way, is it allowed to publicise clearances?) I think that some respect is warranted.
    And for others, that really is my last word on this post.

  24. January 19, 2021 at 1:50 AM

    Norman, you ask above whether a life is run with a risk register. I think the answer to that question is ‘yes’. When I go to the pharmacy, I consider the risk of catching Covid, so I take a mask and keep 6ft away from anyone I meet. I consider the likelihood and impact of rain. I consider the benefit of going out, can I take the opportunity of going to the nearby post office, or take a short walk?
    I think we are constantly analysing risk and opportunities – or whatever you decide to call them.

    • Norman Marks
      January 19, 2021 at 6:25 AM

      But your risk register includes benefits!

      • January 19, 2021 at 8:11 AM

        OK, so it’s a Risk and Benefits Register but that doesn’t remove many of the other problems highlighted in this blog, many of which, I believe, don’t stop it being useful.

        • Norman Marks
          January 19, 2021 at 8:15 AM


          It all depends on how it is used – plus it is only part of an effective risk management program. It remains periodic while decisions are every day.

          • January 19, 2021 at 9:34 AM

            The risk register must reflect the project, business, or operations status so managers can be assured they’re accounting for the latest risks.

            Risks do not just manifest before the work begins; they can appear at any point during operations or projects.

            That’s why keeping track of the risk register on a regular basis is the baseline, but also when a new risk is discovered. If risks come every day, the RR is assessed every day for new, changed, or “handled” risks — it’s this simple, using words from our risk management guide

            “Task 4: Update the risk register and risk response plan when new risks are identified, reassessing old risks, and determining and implementing appropriate response strategies for new risks, in order to manage the impact of risks on the project.”

            • Norman Marks
              January 19, 2021 at 10:39 AM

              I agree.

              One of the areas that is often missed is that while the project is ongoing, the environment is changing. The way in which the system or asset being developed will be used is changing.

              At one of my companies, a major capital unit was being built to expand the capabilities of our New Jersey refinery. The cost was close to a hundred millions and the benefits projected in the tens of millions per year.

              It was completed on time, on spec, and within budget.

              But the environment had changed.

              The value of its different product streams had changed such that its design was no longer ideal.

              If this had been watched during the course of the project, the design might have been changed.

              • January 19, 2021 at 10:57 AM

                Norman, for that project to have come in on-time, on-budget, on-spec the project management process must have included
                – Schedule Margin
                – Cost Margin (management reserve)
                – Technical margin (for variances in equipment performance, fit and finish)

                I was at Fluor E&C on Sasol (South Africa) and SW Dev Manager for a Triple Redundant Fault-Tolerant process control firm that sold our equipment through Honeywell, I’ve been on many Petro-Chem projects in US and Europe.
                Then consultant with a Process Safety Management firm (OSHA 1910.119) where “all projects” operate in the presence of uncertainties mandate risk buydown activities and margins if there is ever hope of “showing up on-time, on-budget, on-spec”

                All Risk Comes From Uncertainty, reducible (Epistemic) and irreducible (Aleatory) and those are captured and recorded Differently in the Risk Register
                – Epistemic risk handling has “risk buydown” activities, funded on the project to “reduce” or “eliminate” or “protect” from the risk if it becomes an issue
                – Aleatory risk handling is ONLY done with “margin” since aleatory is irreducible. Cost margin, schedule margin, technical margin.

                I some here object to “fancy” words, but those words are straight out of standards and guides we use e.g.

                and even in finance and business operations

                So those here claiming these “words” are confusing and not needed, don’t likely manage non-deminimis projects

  25. Gøril Elisabeth Onarheim
    January 29, 2021 at 6:12 AM

    Totally agree. Much too often in my professional life I have heard reporting like “the risk is high”. When I look for information or ask “the risk for what?”, more often than not the answer is something like: “What do you mean?”. Often asked in a tone of voice to indicate that I cannot know much about risk management. While I think risk must relate to objectives. I am near my retirement, but hope to see improved risk analysis and reporting in this respect.

  26. John Fraser
    May 3, 2021 at 4:54 AM

    Thanks for all the advice. I just went for my annual physical exam and the doctor started to tell me about the various sources of risks to my health and well-being. He started to say how I was in danger of diabetes and a heart attack and he was going to continue. But after reading this blog, I stopped him right there. I told him I was not interested in a list of risks; all I wanted was to know how my objectives in life would be impacted. Boy, I’m glad that I did. He then told me that I would not be able to play tennis any more or travel, and I should ensure my insurance premiums are paid up. Now I don’t worry about managing a list of silly old risks now that I can focus on objectives only. Thanks again.
