Home > Risk > Life and risk management are both complicated.

Life and risk management are both complicated.

September 12, 2022 Leave a comment Go to comments

The world in which we live is turbulent, with so much happening all the time.

That applies to our business as well as our personal lives.

Naturally, we try to simplify the complex. Hard to survive otherwise!

Our brains are (at least for most of us) unable to fully grasp everything that is happening, so when we make decisions we often set aside some things and focus more on others. Maybe we then cross our fingers and hope those things we set aside don’t come back to hurt us.

Understanding risk, with all the interconnectivity and complexity it demands, so that you can make an intelligent and informed decision, is not easy.

Risk practitioners can help us see the big picture, all the things that might happen with a significant effect, both positive and negative.

But even risk practitioners simplify – whether deliberately or not. They may:

  • Forget that there is a range of potential effects of both a risk and an opportunity, each with its own likelihood. Instead, they represent the level of risk as a point.
  • Assess risks singly, ignoring the fact that multiple things can and do happen.
  • Think it’s about minimizing risk instead of taking the right level of the right risks.
  • Leave the assessment of upsides to others (undefined and often non-existent).
  • Ignore the fact that some risks can happen multiple times each year, not just once, and with different effects.
  • Ignore the risk that risk data and/or assessments may be incorrect.
  • Fail to understand and take bias into account.
  • Provide one report to management, even though different decision-makers require different data.
  • Ignore the fact that risks and their levels change frequently, yet they assess them monthly or less frequently.
  • Only consider a tiny percentage of all the risks that might have a significant effect on objectives. This is because management says they only want to review the top ten or twenty risks, or because they simply don’t have the bandwidth to do more.
  • Don’t consider whether information needed to assess and respond to new risks will be sufficiently timely (the “risk clockspeed” issue, as explained by Keith Smith).
  • Don’t give sufficient consideration to issues like the duration of any effects of an incident, or how extensive reputation damage may be.

A recent publication by software vendor Origami Risk, 2022 Mid-Year State of Risk Report, talked about both risk complexity and risk velocity. (Risk velocity is the speed of onset of a risk event, and risk clockspeed is the time that it will take to get the information you need.)

So, risk is complicated. But the human brain doesn’t always work well with complexity.

We don’t want to overcomplicate things, because:

  • The extra analysis takes time, and sometimes the information is needed at speed.
  • It may actually make the information harder to digest and apply to the situation, for example if an aggregation of multiple risks comes up with a single number or assessment.
  • Sometimes, simpler information is enough.

You also don’t want to oversimplify things, because:

  • You might miss some important information.
  • The information might be misunderstood.
  • People can get into the habit of seeking easy answers to complex situations.

Where is the balance?

I suggest that we always ask whether the decision-makers have sufficient and reliable information to make a quality and timely decision, given time, cost, and other constraints.

I also suggest that practitioners don’t fall in love with their own tools and black magic, making a simple situation complex.

I welcome your thoughts.

Advertisement
  1. September 12, 2022 at 3:31 PM

    Back tests :)) The easiest way to find out if risk analysis was ok, bad, too simple or too complex. Back test everything

  2. Morgan Cooper
    September 14, 2022 at 8:38 AM

    I’m surprised there’s not more discussion about this. While humans use their frontal lobe to process information about risk, the kind a risk practitioner tries to make plain (even when it is not), ultimately (the moment of) the decision is a gut-check animal brain activity. So, have we done enough to keep the animal brain in check? And that’s pertinent because of the human inability to handle huge amounts of complexity (specifically, the unknowns) which pushes the use of the animal decision making. While I haven’t been able to put it into motion, I’ve thought about how Complexity Theory could be applied in this space, especially Cynefin https://en.wikipedia.org/wiki/Cynefin_framework. Perhaps the type of output risk practitioners produce should be based on the complexity of factors that can influence an outcome, because it really affects how knowable an outcome is. Make simple environment risk decisions rote and routine. But “Complex” situations need a different kind of decision, and risk should be able to guide that process.

  1. September 12, 2022 at 4:30 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: