They got it wrong. Internal Auditor published an article by Neil Baker “Managing the Complexity of Risk” claiming that “The ISO 31000 framework aims to provide a foundation for effective risk management within the organization.” Well….not so fast.
“Complexity” has become something of a buzz word in today’s business culture. But I think our understanding of the word is vague. Naming something is not the same as actually knowing anything about what you just named (see “The Red Wagon Principal: Knowing Is Better Than Naming”). The misappropriation of a concept is always done with the best intentions. The problem with Neil’s article is that it sets false expectations for the reader: “Well, you know, we risk experts are on top of this ‘complexity thing’ and we’ve got these magic bullets, checklists and procedures that “we’ll show Mr. Complexity who’s boss.”
Let me be perfectly clear: ISO 31000 (and COSO for that matter) has absolutely nothing to do with managing complexity or uncertainty – regarding risk or otherwise. In simple terms: no matter how thinly you slice it, it’s still baloney.
I am not so much worried about “new” risks – there is not much new under the sun. I am, however, worried about certain types of risks, especially those we’re confident about understanding. It is always a mistake to get cocky when it comes to risk. A little ‘bump’ here and a little ‘change’ there and before you know it, what we thought we knew all about is cloaked in fog and uncertainty. All of a sudden our historic data and expert opinions no longer hold water. By the way, have you heard what happened to Amanda the Risk Expert?
Vacation at Amity Goes Wrong! Risk Consultant Eaten by Bruce-the-Shark
Amanda was an ERM professional looking forward to a vacation at the seaside community of Amity. She elicited expert opinions and facilitated a risk self-assessment with the Mayor, several Aldermen, and the Amity Chamber of Commerce , all of which assured her – they were experts, you know – that she would enjoy a safe, quiet and relaxing stay at their little piece of heaven. If nothing else, Amanda knew her ISO 31000.
Unfortunately, she was promptly eaten by Bruce-The-Shark the first evening of her arrival as she went for a midnight swim.
I won’t bother to comment on how self-interest can cloud “expert” assessments. As for predictive analytics? She didn’t have any data suggesting a history of shark attacks at or around Amity. Now that may suggest crummy data, or it may mean that sharks seldom frequented the Atlantic waters around Amity. But the lack of data suggesting shark attacks around Amity did not mean it was safe to go into the water! Remember the story about the turkey who gets a nice breakfast of corn every morning except for that one morning right before Thanksgiving. And then whack! That, by the way, is called “the problem of induction.” The world is a very dynamical place.
Amanda should have focused on “consequence” rather than “threat.” Lots of things can go wrong when you’re swimming by yourself, at night, in the Atlantic. The threat could be a shark, or a cramp, or you could get run over by a speed boat. Who knows? And that’s my point. The threat is not predictable but the consequences of any of a multitude of “bad things happening’ are. In Amanda’s case the consequence was existential.
The biggest problem for Amanda was her mind-set. She was using an epistemologically faulted paradigm, i.e. her professional approach didn’t hold water. The late Thomas Kuhn would have called it “received knowledge” i.e. the insights we acquire through school and in our profession which are seldom challenged. The paradigm the “late” Amanda used was retrospective and opinion based. She assumed that today is pretty much like yesterday and will be pretty much like tomorrow. She assumed stability and continuity, or what economists call “equilibrium.” Truly complex adaptive systems, like sharks, have one characteristic that both economists and ocean swimmers hate: surprise.
Who would have predicted:
- The S&P downgrade of United States to “AA” status?
- The Macarena
Nobody saw the demise of poor Amanda coming, right? Remember these two points, if nothing else….
Complexity = Surprise
Wrong Paradigm = Fish Bait
“You’re gonna need a bigger boat.” Chief Brody
Great White sharks, like deep drilling oil spills, financial meltdowns, and terrorist attacks are non-predictable, surprise events with significant consequences for us all.
“You’re gonna need a bigger paradigm.”
While ISO3100 and COSO are more than adequate frameworks for well-behaved randomness, and for simple systems characterized by linearity, equilibrium and stability. But not so much for higher levels of randomness and complexity. Like Chief Brody, we need a bigger and more expansive paradigm that can deal with non-linear operating far from equilibrium and exhibiting wild randomness. And, of course, surprises like Bruce-The-Shark.
Amanda would have been better off going to Las Vegas. At least predictive modeling works there – the House always comes out on top.