nspn risk mgmt


Post on 06-Apr-2018


National Security Practice Notes
September 2005
Advancing domestic and national security practice
Page 1 www.homelandsecurity.org.au September 2005

The beginning of the end for risk management?

Has risk management been over-hyped and is it due for a backlash? This question has enormous significance for national security, as risk management is the basis for the nation's response to the threat of terrorism. (See Panel 1: Risk management at the centre of national security.)

All management techniques during their lifecycle will hit a peak of interest before declining rapidly. This occurred with management by objectives, benchmarking and quality management. And it will occur with risk management; it is just a question of when.

Considering this issue in such a blunt way should not be misconstrued as questioning risk management's validity. Risk management can deliver enormous benefits in certain situations, but will not live up to expectations when applied inappropriately. One only has to review recent investigative reports of government programs to see the frequency with which problems with the implementation of risk management processes are identified.

The best way to determine where risk management lies on its lifecycle curve is to compare it with the fate of quality management. Quality management offers an ideal comparison because of its similarities with risk management.

Both started out as technical disciplines focused on operational effectiveness: quality control in manufacturing, and risk identification in insurance and safety. Both morphed into generalised management philosophies encompassing the entire organisation, quality becoming Total Quality Management (TQM) and risk becoming Enterprise Risk Management. Both had undisputed success in technical areas like statistical quality control or project risk assessment, but both lacked solid cost-benefit evidence to prove their effectiveness at an organisation level.

Both seem to follow the typical five stage lifecycle for management techniques. See Panel 2: The lifecycle of quality and risk management.

The apex of success for quality management was about 15 years ago. This was when it had become a worldwide phenomenon. The Australian Organisation for Quality chapters boasted thousands of members, hundreds of Australian organisations had their management systems certified to ISO quality standards, and hundreds of articles appeared every year praising TQM. Today little is heard of quality management, and when it is mentioned in the mainstream media it is often as the butt of Dilbertesque jokes.

Identifying the current position of risk management along its lifecycle is difficult without the benefit of hindsight.[1] However, the frequency with which it is mentioned in the media provides an indication. This places its creation phase in the late 1990s, with the evolution phase around the early 2000s. The evolution phase was relatively short, as the shocks of global terrorism and other uncertainties all required immediate action, which meant that the case for change did not have to be argued.

It appears we are now in the time lag phase, where the technique is being implemented throughout Australian governments and businesses. Its penetration is no better illustrated than in the central role it plays in the Australian Government's strategy for national security. Risk management features as one of just four key principles in the strategy. It states that sound risk management will deliver the maximum level of security while making best use of the resources available. Its dominance in the corporate world is also apparent, for risk has become the filter through which all board and senior management decisions pass, at least at a rhetorical level.

The similarity between quality management and risk management also provides an indication of the problems that will lead to dissatisfaction with risk. These include that, in many of the organisations in which it is implemented:

• It is inordinately resource intensive. This is not only during the risk identification period but also in the ongoing maintenance of risk registers and implementation of risk treatments.

• It is too heavily focused on documentation, which is driven by (misunderstood) auditing requirements.

• It provides little usable information at the corporate governance level.[2]

Risk management also faces several other significant problems which are contributing to scepticism towards its universality. For example, the majority of its focus is on preventing an unwanted event from occurring, such as toxic gas leaks. Little corresponding effort is given to exploiting upside risks, such as capturing new market opportunities. Another example is that the risk formula of likelihood and consequences does not allow for easy comparison with non-probabilistic risks such as terrorist attacks.

Conclusion

While it is too early to claim that the honeymoon with risk management is over, its universal acclaim is bound to decline over the next few years as we move into the scepticism phase of its lifecycle.

What this means for those involved in risk management is that they need to be sensitive to the signs of a shift in acceptability for the tool. What needs to be looked for is the tipping point which marks the point at which risk management goes from de rigueur to passé.

This point may be easy to spot, for example when a review of a major failure finds that risk management arrangements were a root cause of the problem. However, the point may be much harder to identify if the cause is an accumulation of discontentment which builds up glacially slowly and mostly unnoticed until suddenly faith in risk management collapses. Another sign of an impending change is increasing emphasis on undertaking activities because it is prudent rather than because of an identified threat, and spending more on designing out risks rather than relying on the more cost effective operational security activities, because of a loss of faith in the latter's on-going effectiveness.

A future National Security Practice Note will look at the systems that could be put in place in anticipation of a decline in support for the then current form of risk management practice.

Panel 1: Risk management at the centre of national security

The importance of risk management for the nation's national security posture is reflected in its centrality in various government strategic documents.

For example, the publication Protecting Australia Against Terrorism, which sets out the elements of Australia's national counter-terrorism policy and arrangements, states that one of five key principles underpinning the government's counter-terrorism planning is "sound risk management approaches that deliver the maximum level of security while making best use of the resources available to us".

The Critical Infrastructure Protection National Strategy, which sets out an overarching statement of principles for critical infrastructure protection in Australia, states that "by applying risk management techniques, attention can be focused on areas of greatest risk, taking into account the threat, relative criticality, the existing level of protective security and the effectiveness of available mitigation strategies for business".

National Security Practice Notes is a publication series that covers topical issues which are of critical importance to building national and domestic security capability. They are aimed at practitioners in the intelligence, security, law enforcement, emergency services and related national security areas.

National Security Practice is part of the research program of the Australian Homeland Security Research Centre.
Australian Homeland Security Research Centre
Tel 02 6161 5143, Fax 02 6161 5144
PO Box 295, Curtin ACT 2605
info@HomelandSecurity.org.au
www.HomelandSecurity.org.au
Copyright 2005. All rights reserved.

The Australian Homeland Security Research Centre undertakes independent, evidence-based analysis of domestic security issues.

Panel 2: The lifecycle of quality and risk management

Most management techniques follow a five stage lifecycle.

The first phase is creation. This is where a crisis is claimed and a solution identified which offers to bring organisations away from the brink. The crisis which boosted quality from a practice backwater to international prominence was the lack of competitiveness of US manufacturing. The quality solution was claimed to be able to reshape an organisation, making it customer focused while lowering costs. The crisis which underpinned the popularity of risk management was massive uncertainty caused by globalisation, the tech-wreck of the late 1990s, the September 11 2001 attacks, SARS and corporate malfeasance. The risk solution was claimed to fundamentally change the way challenges were dealt with by an organisation, offering more certainty and continuity.

The second phase is evolution. This is where numerous stories about the technique's success are promulgated. Invariably these stories have the following components: the technique is universally applicable, it should not be seen as a quick fix, it requires substantial management support, and it is based on rational decision making emphasising goals and causality. During the evolution phase, the promotion of the technique becomes increasingly evangelistic and penetrates the mainstream media. Catchy and simplistic rhetoric dominates, such as "quality is free" or "risk optimisation not minimisation".

The third phase is the honeymoon period. This is the honeymoon period in which the new technique becomes widely implemented before user reaction and measurable outcomes appear. It is also the time in which standards for the technique are formalised: the ISO 9000 series for quality and AS/NZS 4360 for risk. Interestingly, these standards are performance based and deliberately avoid a prescriptive approach. However, users invariably demand much more explicit guidance on implementation, leading to the popularity of tools which allow people to follow a formulaic approach, based on ticking boxes.

The fourth phase is scepticism. At the beginning of this phase, revisionist tales appear about the limitations of the approach, warning that it has become a management fad. By the phase's end, detailed accounts appear, proving that the technique has not lived up to expectations.

The final phase is justification. This period is when the initiative's champions, who are witnessing its demise, protect their status by attributing the blame for its failure. Responsibility is commonly laid at the feet of management for its lack of leadership, or inappropriate implementation. Other commonly claimed causes are a lack of resources, insufficient time, and recalcitrant staff.

Just as each technique had a life before it was discovered, it will continue to have one after it has lost its mass appeal. Invariably, it will return to its technical base as well as being absorbed into other approaches.

[Figure: Lifecycle of a management technique. The curve plots interest in a management technique (vertical axis) against time (horizontal axis), passing through the phases creation, evolution, honeymoon, scepticism and justification. Labels mark the "location of quality management today", the "possible location of risk management today", and the tail of the curve where the "technique is limited to technical areas and integrated into other approaches".]

Panel 3: Potential problems with risk management

Almost every report on major incidents contains some commentary on risk management failures. Examples are the Palmer Inquiry into the Cornelia Rau Matter, the Report of the Inquiry into the Australian Intelligence Agencies, and ANAO's Protecting Australian Missions and Staff Overseas.

Below is a list of common problems with risk management.

As managing risks is an exercise in professional opinion, the judgements may be incorrect. The three main reasons for incorrect judgements are:

• Lack of skill. Risk management requires subject matter expertise, experience in the risk management process and other skills. A lack of any of these can undermine the risk management outputs by confusing problems with risks, not correctly identifying relevant risks, or even failing to manage risks.

• Lack of information required to identify, analyse and evaluate risks. Risk management is predicated on having relevant information, whether it is objective or subjective, certain or uncertain. Without relevant information, it can result in fundamental mis-assessment, such as likelihoods being wrongly identified, impact categories being determined as linear when they are not, or even risks being treated as independent when in fact they are dependent. Knowing when all the relevant information is available can be extremely difficult in highly complex systems such as land transport.[3]

• Bias. Risk management requires that analysts be sensitive to different risk perceptions rather than internalising them as bias. By being overly sensitive or second-guessing certain risk perspectives, such as political risk, the risk management outcomes may not be optimal. Other bias can occur due to selective attention to certain kinds of hazards and giving undue influence to the most vocal interest groups. This is because risk perceptions are influenced by the point of reference of the assessor.

A focus on elements within a system may overlook systemic risks. There is a natural tendency to break down a system into elements of a manageable size. This tendency is reinforced when the system contains some elements that are within one organisation's control and the rest outside it. Consequently, an organisation will inevitably focus more on the elements that are under its direct control and focus less on areas where it has less control. This can lead to risk treatments that are optimal from an element perspective, but have little impact on systemic weaknesses. As systemic weaknesses are often not in any one organisation's control, these issues can often be ignored. Factors preventing a holistic view being taken include organisational priorities and responsibilities, jurisdictional specialisations, a lack of system understanding, and a reliance on software tools without a feel for the accuracy of their outputs.

The context statement may be inadequate. Risk management is dependent on having a sound context, as it defines the environment, the stakeholders, the risk criteria, the level of acceptable risks, resource availability and the cost of doing nothing, amongst other factors.

While a mitigation action may result in a reduction in target risks, it may at the same time increase countervailing risks. For example, increasing access control will reduce the risk of criminals entering a building, but it may increase the risk of staff being trapped in the building if a fire occurs.

There is a natural reluctance by organisations to document all their risks, as others can use it against them. For example, terrorists could use the information for physical destruction, corporate competitors could use the information for commercial destruction by highlighting weaknesses to gain market share, and governments could use the information for political advantage by shifting blame in the event of an incident.

Organisations may have a culture that does not deal constructively with negative information. Risks are about negative events (failures or losses). Many organisational cultures attempt to be optimistic, and tag pessimistic assessments as not in line with corporate values. This can inhibit the identification and mitigation of risks, and result in the risk manager's task being perceived as a necessary evil, which is tolerated but not supported.

Footnotes

[1] However, some would contend that by using the Capability Maturity Model Integration (CMMI), the position of the Australian Government is about level 2 of the 5 levels.

[2] The Australian Stock Exchange Corporate Governance Guidelines provide an example of how risk management information can provide valuable information that informs the company board.

[3] Qualitative and semi-quantitative risk management is at best a best guess. The best guess will always be limited by the quality and completeness of available information.