Over the past eight years I’ve commented frequently on the development of “standards”
for application to the discipline of risk management (see in particular RMRs for March
1995, February 1996, September 2000 and October 2003). It all started with the
Australian/New Zealand Risk Management Standard 4360, published in November 1995
and revised in 1999. Standards organizations in Canada, UK and Japan followed with
their own versions and then ISO (International Organization for Standardization)
published a glossary of risk management terms in 2001. The Aussies and Kiwis have just
finished their latest modification and they’ve done a superb job again! AS/NZS
4360:2004 was and still remains the clearest and most concise guideline yet published. Its
text, only 28 pages, is a model of brevity. It is expressed in simple and basic English, free
from business jargon. Because its approach is generic, it applies to all forms of
organizations. AS/NZS 4360:2004 will become a handy, notated and dog-eared reference
on the desk of anyone who practices this discipline.
Furthermore, as the Standard is generic and requires adaptation to a specific organization,
it avoids the complaint that standards are “dangerous” because they can stimulate
unneeded legislation and regulations. True, risk management is still evolving, but these
guidelines, already in their third evolution, help any organization to begin and modify the
process.
The 2004 revision begins with a re-stated section of critical definitions. It goes on to
overview and detail the “process,” concluding with a three-page description of how to
establish an effective program. As with any generic guide, it requires imagination and modification to a specific organization, but this is its beauty. AS/NZS 4360 doesn’t tell
you how, it tells you why.
The definitions cover most of the words and phrases that appear in risk management
literature and are based in large measure on the global ISO/IEC Guide 73 of several years
ago. The focus on risk now encompasses unexpected consequences, both favorable and
unfavorable. “Control,” for example, aims at minimizing negative risk and enhancing
positive opportunities. “Risk” is defined as “the chance of something happening that will
have an impact on objectives,” followed by several footnotes refining the idea. One notes
that risk “may have a positive or negative impact.” Another notes that risk is “measured
in terms of a combination of the consequences of an event and their likelihood.” “Risk
management” is re-defined as “the culture, processes and structures that are directed
towards realizing potential opportunities whilst managing adverse effects.” This, I’m
afraid, remains too broad. Doesn’t this definition apply to all management? I still think
my own wording is closer to what we do: “a discipline for dealing with uncertainty.” It’s
also shorter and easier to remember!
Another change is the elimination of the old entry of “risk transfer,” substituting instead
“risk sharing,” defined as “sharing with another party the burden of loss, or benefit of
gain from a particular risk.” Bravo! The unexpected outcomes that derive from your
decisions must remain your burden or blessing, and only a portion can or should be
“shared” with others. The idea of “transfer” creates a false impression that you can shift
responsibility and accountability to others. A good example of this is the recent
disclosure in The New York Times of indemnification agreements between Amtrak, the US
government-funded passenger rail carrier, and the freight lines over whose tracks Amtrak
operates. In order to use those tracks, Amtrak was forced to sign agreements in which it
would indemnify the freight lines for any lawsuits, even those alleging the negligence of
the freight lines. For 30 years Amtrak has been paying claims arising out of the obvious
negligence of the track owners and they, in turn, must have thought that their risk was
truly “transferred.” The press disclosure will probably turn the tables and the risk comes
back to roost where it belonged in the first place. Risk is never transferred; it is only
shared!
Finally, this standard refers to “stakeholders,” recognizing the interests of many persons
and organizations “who may affect, be affected by, or perceive themselves to be affected
by a decision, activity or risk.” This moves well beyond the restrictive financial focus on
“shareholders” or immediate investors, one that has limited the scope of the discipline.
The Standard’s process is most notable for its new first step: “communicate and consult.”
It proposes a “dialogue with stakeholders . . . focused on consultation rather than a one-way
flow of information from the decision maker to other stakeholders.” I especially like
the idea of starting the entire process with this step instead of postponing it until after
risks have been analyzed and responses adopted. The Standard acknowledges that stakeholder perceptions are as important as the estimates of experts and insiders. Other
steps (seven in all) include “establish the context, identify risks, analyze risks, evaluate
risks, treat risks and monitor and review.” I still have some semantic difficulty with the
idea of “identifying risk.” What we “identify” are the possible unexpected outcomes to
our decisions. Risk then is a measure (quantitative or qualitative) of the probable
likelihood and consequences of any unexpected outcome. Risk is therefore analyzed, not
identified. Similarly, we do not “treat” risk, we “respond” to it with a variety of
mechanisms and further decisions, trying to improve the possibility of more favorable
outcomes and reduce the likelihood and consequences of the unfavorable. That’s why I
continue to prefer a more simple two-step process: risk analysis and risk response, with
communication being involved at every level.
These are but minor caveats for a superb statement of the nature and process of our
discipline. As I stated before, this document belongs as a working guide for all practicing
risk managers: don’t even think of stuffing it into a bookcase. For a copy of the Standard
AS/NZS 4360:2004 and its companion HB 436:2004, a Handbook with more detailed
descriptions of applications and approaches, contact Standards Australia at
www.standards.com.au, or write to them at GPO Box 5420, Sydney, NSW 2001,
Australia, or to Standards New Zealand, Private Bag 2439, Wellington 6020, New
Zealand.

“Risk Management involves managing to achieve an appropriate balance between realizing
opportunities for gains while minimizing losses. It is an integral part of good management
practice and an essential element of good corporate governance. . . . This Standard is
concerned with risk as exposure to the consequences of uncertainty, or potential
deviations from what is planned or expected. The process described here applies to the
management of both potential gains and potential losses.”
Australian/New Zealand Standard Risk Management (AS/NZS 4360:2004)