Risk Management Is Not Scientific; It Is Political
Risk management is, or should be, informed by STEM, but it is political.
Why might a Daily Kos audience be interested in a risk management discussion? What is the purpose of a modern state? It is to manage risk for a nation.
I realize this notion that risk management is political may go over like a dookie in the urinal but it is true. Consider what is risk. It is cost unrealized. It may be realized soon, it may be realized later, it may never occur. But risk, like a square belongs in the land of rectangle on the continent of quadrangle on the world of polygon, it is a type of cost. What happens with risk management? We try to lessen the cost though ultimately we’re making a cost benefit analysis. “Is the juice worth the squeeze?” What is a cost benefit analysis? It is a decision as to what benefits we want and what we’re willing to accept in order to pursue them. This isn’t science. It is politics.
With this in mind, I invite you to a recent conversation I had, ok I hijacked and monopolized, yesterday on LinkedIn. I realize I speak with disdain here on DK regarding screen shots of social media being given as stories deemed worthy of reading though I think this an exception as I wrote most the comments and they're more than mere meme. To set the frame, the subject at hand is the utility of Risk Matrices. A Risk Matrix, often called a “cube” is a two dimensional representation usually making a square to illustrate level of risk. Why a cube and not a square, I don't know. The risk matrix includes the two portions important to risk, probability or likelihood, and consequence should it occur. A proper matrix should have an initial score then consider whatever mitigating actions will be imposed so as to provide a residual score. Decisions are made as to cost of those actions relative to original risk, and to acceptability of either original or residual risk. — This is politics, not science.
A key concern here is that planning or design should be iterative. The risk mitigation measures need to be folded back into the primary plan. They need to be verified as being executed during actual operations. They need to be assessed for effectiveness while probabilities and consequences get re-evaluated and updated. Adjustments should be made as needed. Like any planning process, feedback is important, we're really creating another OODA loop.
A matrix serves two purposes:
1. It helps provide an initial structure for conversation towards risk discussion. In this way, we get to the important parts, is it worth it, what are we going to do to mitigate, is it now worth it after applying mitigation. In this sense, if the matrix should be inadequate, we can change the matrix to suit our situation. A common problem is persons using a matrix seem unwilling to adapt it to needs. Do yourself a favor and make your tools better to your needs. Adapt as necessary.
2. It provides a means for quick communication to those outside the risk working group. Communication is important as we want to create common understanding. How we display information in order to achieve a more common understanding is important. Again, we can adapt a given matrix to better serve our needs. (for a discussion regarding display of information, see the back half of A Critique of Military Operational Assessment.)
Another key is that The Matrix is not the end product. It is a tool, a catalyst, that drives what is important, discussion about risk. It is the discussion and any decisions regarding mitigating measures that is important.
With this, I now turn to the discussion that recently inflamed me. It started with a paper from several years ago casually dismissing risk matrices as useless. I say casual as despite the twelve page volume of writing, casual matches the level of thought the authors put to the topic. I’ve found the paper though it hides behind either paywall or registration requirements. Here and here. Fortunately for me though not you, a PDF copy was included in the LinkedIn posting. Note that when we get to snapshots of it, the highlighting was in the posting and is not mine.
I need to make a correction here. It wasn't James Reason via Carter Mecher, it was Dave Snowden via Carter Mecher though Dr. Mecher also references James Reason. As the links in the picture aren't actual links, here’s Carter Mecher and here's Theodore Kinni. While not included as a picture in the LinkedIn monologue, below is a picture of Snowden’s model. Some of you may recognize it from previous commenting in DK as I’m a big fan of this.
I’d like to note Carter’s writing at this model:
Dave Snowden developed a framework for decision-making and sense-making. Snowden’s model for decision-making includes four domains: (1) known; (2) knowable; (3) complex; and (4) chaos. Over the years, he has changed the names of the known and knowable domains to clear and complicated and identifies the central area as disorder.
The Knowable: This is the domain of good practice. As Snowden notes, "We do not yet know all the linkages, but they can be discovered. This is the domain of experts, whose expertise enables us to manage by delegation without the need for categorization."…
Causality isn't known but it is knowable—if we have enough resources, capability and time. In this realm we sense, analyze and respond. Our process of analyzing is at its very core, reductionist. It is the very basis for much of our scientific work—we reduce the problems (or linkages of cause and effect) to smaller more narrowly confined areas. We control conditions (context) and reduce as many of the confounding variables as we can think of.
The Knowable: … It is the very basis for much of our scientific work.
The Complex: This is the domain where patterns emerge. Snowden notes, "We need to identify the early signs of a pattern forming and disrupt those we find undesirable while stabilizing those we want. By increasing information flow, variety and connectiveness either singly or in combination we can break down existing patterns and create the conditions under which new patterns will emerge, although the nature of emergence is not predictable."
Identify the early signs of a pattern forming and disrupt those we find undesirable while stabilizing those we want… reads like managing risk to me.
The Chaotic: This is the environment lacking any order. No patterns emerge. As Snowden remarks, "Chaos represents the consequence of excessive structure or massive change." This is the domain that requires crisis management. In this realm the most important thing to do is act.
Crisis management another piece of risk management particularly in being prepared for such crises.
Back to my hijacked monologue
Yes, Ive written about risk on DK before. Two of these times are here and here.
In continuing the discussion, we should note the dubious paper referenced uses a risk matrix in which oil drilling risks are compared. This example is used as a skeleton for the entire paper.
The paper calls out this particular risk matrix for scoring “blowout” as less than “severe losses” with “well control” in between the two. A problem here is the authors are looking backwards after a major blowout had occurred. In other words, probability was now one. In addition to this, they weren’t looking at all leaks. Severe losses = major leaks. Moderate and minor leaks weren't included. They should be though we should also note all severities of leaks are not independent. If you're working to reduce small and moderate leaks, chances are you’re also reducing the likelihood of severe leaks. If you’re trying to reduce likelihood of severe leaks, a part of that is probably fixing moderate and small leaks as these have a habit to grow into severe leaks. That’s how corrosion works.
So, a thought for you. Let’s say you have a one percent chance of losing a hundred dollars. Your expected losses are one dollar. That’s it. If you realize that loss, your cost has now increased by a Benjamin. The expected loss feels far less significant than the punch of the loss realized. This is a function of the lizard portion of our brains. There’s no tool that is going to properly convey the gut punch of low probability high consequence risks. This is a feeling issue not an intellectual one. If you don't believe me on this, look at all the Covid anti-mask, anti-vax and all around nay-sayers.
When something is low probability high consequence, unless you yourself experience the consequence, you won’t get it viscerally. The authors of the paper were correct to say that risk matrices have a hard time showing this. It is not impossible, however. They were also correct to state that in regards to the right most column, we become unbounded. They were correct that having only a few columns plus this un-bounding creates “range compression.” You can add columns to show increased scale of consequence. You can add rows and columns to gain precision. This fixes both the unbounded problem and helps illustrate severity of consequence. It decompresses the compression. If doing so might make your “cube” square appear ungainly, you can use the mathematicians tools of “~” or “...” so as only to need to display the columns of significance. Is such a bit unexpected? Yes. Guess what, it will create discussion. What’s important? The matrix or the discussion? Planning is everything. The plan is nothing.
Another point the paper raises is that risk matrices have a “center bias” in that persons writing them don't want to put things in the outermost columns and rows. Adding rows and columns solves this too. The paper, and the commenters supporting the paper, note we often waste time discussing where to bin things. “Is it a three or a four?” “Is it red or really yellow?” I've discussed the human tendency to want to bin or think discreetly before. We want to bin, yet life is analog. There’s an easy solution here. Instead of taking excess time attempting to properly place a dot, an impossible task, draw a circle. Consider it as you would error bars. You can overlap multiple bins. Instead of quibbling over red or yellow, make it orange. “Orange isn't defined” you say. Trust your people will understand the interpolation knowing you’ve defined yellow and red. Better, orange and circle, they're a touch unexpected. Again, these will generate discussion. What is the goal? A pretty matrix? Or discussion, decision, and implementation of mitigating measures?
I’d like to pause here a moment and remind ourselves via Aaron Carroll, risks are cummulative. As are mitigations. Often you only need one mitigation to work but as no mitigation always works, you want multiples so as to have increased opportunity to remove any of the causal links.
Too many view protective measures as all or nothing: Either we do everything, or we might as well do none. That’s wrong. Instead, we need to see that all our behavior adds up.
Ed Yong hit this too.
Many Americans trusted intuition to help guide them through this disaster. They grabbed onto whatever solution was most prominent in the moment, and bounced from one (often false) hope to the next…
The spiral begins when people forget that controlling the pandemic means doing many things at once. The virus can spread before symptoms appear, and does so most easily through five P’s: people in prolonged, poorly ventilated, protection-free proximity. To stop that spread, this country could use measures that other nations did, to great effect: close nonessential businesses and spaces that allow crowds to congregate indoors; improve ventilation; encourage mask use; test widely to identify contagious people; trace their contacts; help them isolate themselves; and provide a social safety net so that people can protect others without sacrificing their livelihood. None of these other nations did everything, but all did enough things right—and did them simultaneously. By contrast, the U.S. engaged in …
A risk matrix is to drive discussion. This discussion should result in drafting mitigations. These mitigations should include preventative measures that either reduce likelihood and/or reduce consequence should the hazard matriculate. They should also include corrective actions for after a risk occurs so as to reduce consequence. As these measures often incur their own costs, matrices also serve as a means to prioritize. A blowout is a large consequence event that is much less likely to happen though requires more effort to prevent it. Leaks happen all the time while in aggregate are more consequential. We’ll never solve all leaks to fixing many can be cheap and easy to do. As Dr. Carroll would say, this helps the pile. Though the more wells we drill, the worse the pile in both cases. Pandemic was an extremely remote event yet it was also a certainty. How? Every day it was extremely remote yet add all the days you get certain.
As for accounting for this cumulative nature of risk, we can readily count for this by doing two matrices side by side. One would be for individual event while the other would be for all events expected to occur in a given time. Using the oil example, the cumulative would show blowout as more likely moving it up into the red while it would move severe losses rightwards accounting for multiple instances of severe loss. Really severe losses would move up and right as more chances make them a certainty, thus up, while additive losses make more damaging hence rightward.
Here was my closeout to that discussion:
You dear reader get a bit more discussion. "The criticism isn't about it being scientific or not per se,” hmmm…. Here’s the opening of the paper. Again, highlighting was in his posting and is not mine. Note the red and green highlighted lines.
The paper even ends on this green line thought with this last sentence,
Instead of RMs, the O&G industry should rely on risk-and decision-analytic procedures that rest on more than 250 years of scientific development and understanding.
Meanwhile, in the middle they have the audacity to say,
Our pointing out that RMs produce arbitrary rankings does not require us to provide another method in their place, anymore than we would be required to suggest new medical treatments to argue against the once popular practice of bloodletting. The arbitrariness of RMs is not conditional on whether or not other alternatives exist.
They also say,
RM rankings are arbitrary; whether something is ranked first or last, for example, depends on whether or not one creates an increasing or a decreasing scale.
Duh! That’s how math works. That’s not inconsistency. What’s inconsistent is expecting a scientific answer to a decision making aka political problem.
Risk management is fundamentally about decision making. The objective of the risk-management process is to identify, assess, rank, and inform management decisions to mitigate risks. Risks can only be managed through our decisions, and the risk-management objectives are best achieved with processes and tools that support high-quality decision-making in complex and uncertain situations.
Agreed. Remember science works in the knowable not the complex nor chaotic and it tries to reduce uncertainty though offers nothing for functioning in uncertainty. Science can't tell you how to do this.
I’ll refer back to the initial posting comment,
For instance there was a serious risk that came true a few months back. This had been fed into risk management, watered down by stakeholders in the process (“doesn’t feel like a red, I think it should be yellow”), and ultimately drowned out by other “risks”…
That’s a failure of the staff, myself included. Don’t let the ceremony of risk management and risk matrix-based approach distract you from what’s really important.
People like to be able to blame processes for leadership failures. That seems to me to be what's going on here. However, we also forget sometimes bad things happen despite you're doing the correct things. That’s risk; you can never drive risk to zero. Maybe there wasn’t a failure per se, instead you just got bit. It happens. Sometimes you lose. People give more weight to realized risks, now consequences, while forgetting their previous likelihoods. Expected values change upon realization.
Let’s look at the paper again regarding one of their displays trying to show how misleading the risk matrix was.
In this, they're trying to show the unbounded problem as well as clarify the range compression issue. I think they fail. Yes, we’re unbounded, but this display is too. Both can be bounded by expanding rightward. As for range compression, they're trying to show severe losses as not that bad in relative terms. They want you to see this
but the reality is we care about the area under the bars
The original poster made a follow-up posting. I didn't comment to that one. I thought it was complete garbage and didn't want it fouling my wall. Below you can have a look. I’d like to note that while billed as risk management, there isn't a single bit aimed at risks. Further, all I see is a portion of a cost benefit analysis. This showed operational costs from an electric bill yet as a cost benefit, it fails too. It didn't count periodicity of maintenance nor maintenance costs for respective systems. It didn’t include acquisition and installation costs for the new system. It showed nothing for disposal of the old system. It just doesn't hit the mark.
I may not be the most eloquent in countering this paper and its new adherents. I’ve found a nice piece that does so rather well, however. I must admit I’ve only read the first third of it as in that first third, it was adequate in dispelling the above garbage. What's Right with Risk Matrices? by Julian Talbot:
Limitations of the limitations
Of course, all of these points are true, but they omit to mention the following fundamental issues:
-
no tool can consistently correctly and unambiguously compare more than a small fraction of randomly selected pairs of hazards
-
any risk assessment tool can assign identical ratings to quantitatively different risks
-
prioritizing the allocation of resources is not the role of the risk matrix – responsibility for selection of risk treatments belongs to the risk manager
-
risk matrices are still one of the best practical tools that we have
-
“the use of risk matrices is too widespread (and convenient) to make cessation of use an attractive option”
-
risk matrices are designed to provide qualitative or semi-quantitative ordinal information (relative priority) not mathematically precise data
-
if a risk is in the ‘High’ or the ‘Top 10’ list, it requires attention and whether it is third or fourth on the list is not likely to be significant
-
the inherent limitations of decision-making under uncertainty, the nature of political decision-making and the fundamental processes of human risk perception mean that subjective decision-making will always be a part of the risk assessment process no matter what tool is used
-
risk matrices are a tool which supports risk-informed decisions, not a tool for making decisions
-
last but not least, most of the flaws listed above only exist if risk matrices are used in isolation, which is rarely the case
Overcoming the limitations
The last point above is the most significant of all. If you use a risk matrix in conjunction with at least the following tools, they can be effective in supporting quality decision-making:
-
A well-defined risk statement
-
Robust likelihood and consequence definitions
-
A hierarchy of controls to prioritize risk treatments
-
Expected monetary value (EMV) or equivalent cost/benefit of risk treatments
The first two items on this list are the most critical. Precise risk statements and definitions for likelihood and consequence support consistent ratings. If these items are well-defined, you are likely to achieve similar, if not identical, rankings from independent teams. If not, consensus will be unlikely.
It is also important to have a process for considering all risks and risk treatments collectively. Each treatment is likely to mitigate several risks, albeit to differing degrees. The optimal allocation of resources is likely to involve a complex decision-making process. The last two tools on the above list are not specific to risk matrices as they are about prioritizing risk treatments. A hierarchy of controls helps selection of effective controls. It does not, consider cost/benefit. This is a separate although linked process.
Why does this all matter to you.
1. Those mid grade officers and DoD bureaucrats that saw the post were unthinkingly nodding agreement; these are the persons representative of those making acquisitions decisions with your tax dollars while trying to figure which problems are actually important for us.
2. What is the proper role of government? Mitigating risk for society.
Monday, Nov 15, 2021 · 6:17:43 AM +00:00 · Fffflats
A random thought came to me. We should probably make the distinction between the paper’s authors and the matrix authors. Two clearly different groups viewing in two completely different ways. The matrix authors were likely thinking cumulatively over an unspecified to us though known to them period of time and/or over an unspecified to us yet known to them number of events. We can assume this as the risks had such high probabilities. No one would accept the 5%, 10%, and 40% chances for a singular event given respective consequences. The matrix authors correctly put severe loss (leaks) over blowout. It was the paper’s authors that were wrongly thinking discrete event and wrongly wanted blowout over severe losses. They even tell us this. It’s either they were thinking individually or they were disregarding the likelihood side of risk, possibly both. Note the use of the singular. The collective thinker would be worried about the possibility of multiples.
A blowout could be many orders of magnitude worse than a loss of well control. Yet, the RM does not emphasize this in a way that we think is likely to lead to high quality risk-mitigation actions.
Thursday, Dec 2, 2021 · 5:55:56 PM +00:00 · Fffflats
Hmmm… interesting considering lower severity rating though greater likelihood of “severe losses.”
“It’s vital to remember that Chevron does not dispute that its predecessor company Texaco deliberately discharged at least 16 billion gallons of toxic oil drilling waters over the course of decades as a cost-saving measure,” lawmakers wrote in the letter, which was signed by Reps. Rashida Tlaib and Chuy Garcia. “This grave injustice at the hands of a U.S. corporation was premeditated and remains an untreated toxic waste site the size of the island of Manhattan.”
(Jesting aside, in fairness the risk matrix in example was specific to fracking, not traditional drilling. Though that means blowout shouldn’t be shaded by the Macondo Blowout, for which I suspect the matrix critics are confusing.)