Taking risks with risk

Deborah Ritchie speaks to Dr John Arthur, an expert in the design of applied risk reasoning systems for complex industries. He is currently director of his own consulting company which specialises in addressing the organisational psychology of risk reasoning, its impact on competitive strategic decision making and on operational development.

For the past 12 years John has worked in a number of international roles at Unilever, including global resilience director and global lead for crisis prevention and response. Prior to this he was responsible for building the company’s issues prioritisation system. Before his roles in public affairs he was the resident psychologist in the Decision Analysis Group of Unilever’s Safety and Environmental Assurance Centre.

How would you define risk?

Human beings believe they are dealing with risk all the time. But any scholarly look at this diverse area shows that there is no such ‘thing’ as risk – there is simply no unitary, agreed definition. Risk is the phenomenological realisation of probability, always referring to the future, and yet always about our inability to predict or control that future because we lack the knowledge or power to do so.

The definition of risk significantly changed over the latter half of the 20th century. There was an optimism that its ‘scientific truth’ could be measured – surgical outcomes were determined by empirical trials; planes were kept apart by physics; flood defences were planned by the statistics of 1 in 100 year floods (that didn’t happen every 100 years); and insurance identified objective hazards and quantified their intolerability…

Bitter experience of (un)predictable scientific risk gave way to perceived risk; science gave way to social policy. One too many operative deaths, the filling of the skies with cheap flights, too many people flooded unexpectedly: these and other phenomena took risk firmly into the arena of belief. Insurers themselves moved the goalposts. Industrial, commercial, clinical and domestic customers were no longer required to accept odds around hazards, losses and recompense. They had to demonstrate control through beliefs around tolerability.

How do you define risk tolerance?

Not easy. Take the natural expansion of social policy risk into geo-political. Compare the tolerance for loss of life in high-poverty countries with affluent countries; there’s an obvious (and immoral) imbalance. Compare densely populated Asia reacting to SARS and avian flu with Europe. There were massive cultural differences. What happens if you are an organisation that operates in both cultures but wants to have unitary, risk-based policies? How will you when the ‘statistical value of human life’ varies according to mind-set and experience even within industries?

So should we define risk in a local or global setting?

Both. Risk will always operate as an individual emotive and cognitive reality, even if it is clearly defined in a global abstract for an organisation. It retains numerous and variable simultaneous meanings and this is why it causes so much trouble! The trick is to respect that complexity, not simplify it with rhetoric. You need to make a stipulative definition of risk rather than acting as if any kind of normative one exists.

Try to answer five questions with brutal honesty:

1. Risk of what? What are you conceptualising: abstract fears; outcomes; the status of a flow of events?
2. Risk to whom? What’s the exact arena; who are phenomena benefitting or harming?
3. Risk measured how? Are your metrics judgement criteria based or perceptual; do they lend themselves to truly formal comparison and prioritisation or just consensus based simplification?
4. Risk controlled by what criteria? Much work in risk is actually list writing; this is identification not implication.
5. Risk tolerated by whom? Who is making the decisions and allocating the control resources? The fact that these are usually not the same people as those in question 2 has moral and psychological implications.

Can risk reasonably be evaluated in the professional setting?

Risk simply is a very complex subject. It has been quite strenuously dumbed down in industry. The purpose of risk is good reasoning to control that which is controllable about risk. If you work in a high hazard industry such as mining or aviation, then you need loss prevention. Through a business lens, risk can be about competitive advantage. In a campaigning organisation, risk is about rights and equality. The tools, measurements and appetite for risk are completely different for the different endgames. Without definition, risk reasoning is pointlessly abstract.

And it has to be OK for this to be a complex process. Risk is fundamentally ambiguous, capricious and it is about control, not rhetoric. Your ‘risk construct’ must be purposefully defined, and its utility to the organisation consciously understood. Otherwise you are just window dressing your conscience and placating your stakeholders. In today’s hard-pressed and cost-conscious industry this reasoning is hard because tolerance for complexity is running at an all-time low; as is a tolerance for ambiguity. Effective risk reasoning needs to be a chromosome in the DNA of strategy but we are happier with engineering metaphors, like fluid in a pipe, because that is simpler and quicker.

How do senior decision makers create better risk reasoning in their organisations?

This, too, is complex. We need to do the best we can to harness a utilitarian rationality. Your board has to first recognise that they speak a different dialect of risk to the one needed by the operational teams. Nonetheless it’s their worldview that determines risk reasoning in operational practice. They give the mandate, create the authority and hopefully provide the budget for risk as a business capability. If they get that right, great, but they also have to then agree to display some other behaviours which are tougher for them. Resist the arbitrary mind-set: risk reasoning should never be an arbitrary desire for a ‘top ten’ risk audit – risk that serves this objective is meaningless; avoid the reassurance mind-set; repel ‘one size fits all’ consultants – the very best risk tools are always purpose built; renounce the RAG system, which creates stupidly arbitrary reasoning; recognise the impossibility of a common language for risk for all risk types, and respect the risk control systems you have underwritten with your behaviours.

Senior leaders need to allow risk to be a critical function in the business, not an assurance exercise. Risk, and all of its siblings, must become mature, validated, competitive business tools. These must be just as complex and influential as the other tools in your value and supply chains and create the same cost benefit business cases as those do.

Risk in industry, ultimately, is the “reasoning chain”, and senior leaders must intelligently design, validate and respond to that. Anything else is just dancing round the handbag.

This interview was published in the January 2015 issue of CIR Magazine.
