Risk-based working in practice by Martin van Staveren
Of this book I only found a Dutch version. But the ideas are too important not to share.
In Risk-based working in practice, the author wants to show that there is another approach to risk management than looking away from risks or creating false security with a paper tiger that is supposed to represent risk management.
The book provides a different approach than conventional risk management, by integrating Risk Management into the operation of the organization. The author explains what is involved in four chapters. What did I remember?
Contents
- Today’s Organizational Landscape
- The what and how of risk-based working.
- Conditions for risk-based working
- 10 Tips for risk-based working
Today’s Organizational Landscape
Chapter 1 begins with a description of the contemporary organizational landscape, with its changes, uncertainties and lack of time. These three factors have an impact on everyone’s working life in organizations. Despite this, people still want to achieve the objectives.
There are relationships between organizational change and uncertainty due to the reasons for the change and the outcomes of the change.
Uncertainties are the reason organizations change, and changes lead to new uncertainties. This often leads to gathering and researching more and more information and to intensive meetings and coordination. As a result, there is a lack of time. Simply working more is not a solution.
Dealing with uncertainties
Dealing with uncertainties in order to achieve objectives sometimes means limiting risks, sometimes doing something else, but often also taking risks consciously, in a professional manner and with the correct use of tools. That leads to the question “What is the current reality of (risk) management in organizations in relation to dealing with uncertainties?”.
Or: does the usual way of managing help in dealing with the uncertainties of change or does it work against it? Does it reduce time pressure or does it all take more time?
One of the conclusions is that risk management appears to be necessary to achieve the objectives, but is often not applied broadly, in-depth or effectively. Despite the fact that organizations are increasingly faced with complexity, conflicting interests, calls for more and more frequent accountability, and an ongoing difficult economic situation that require change, risk management is rarely enthusiastically welcomed. This is the risk paradox.
To this end, it is necessary to move from conventional (risk) management to innovative management. According to Wouter Hart, this means the following:
| Characteristics of conventional management | Features of innovative management |
| --- | --- |
| Method is leading | Goals are leading |
| A Goal | Some of the goals |
| Money is dominant | Value is dominant |
| Standardization | Variation |
| Minimizing variation | Harnessing Variation |
| Expropriate | Ownership |
| Scaling | Functional scope |
| Low trust – High tolerance | High trust – Low tolerance |
| Enforce | Invite |
| Want to know for sure | Allowing uncertainty |
| Wanting to be complete | Daring to make choices |
| More research questions | Indicate research limitations |
| Linear only | Linear and cyclical |
| Design | Develop |
| Static | Dynamic |
| Cause-effect | Interaction |
| Eliminating waste | Accepting small waste |
| Exclude errors | Catching errors early |
| Reducing the risk of risk | Reducing the impact of risks |
| Providing answers | Asking questions |
Five principles
Furthermore, this chapter provides five principles with which High Reliability Organizations (HROs) deal with the uncertain and the unexpected:
- Focusing on disruptions: mistakes are normal. However, avoid their escalation.
- Reluctance to simplify: not everything on an A4 sheet of paper.
- Sensitivity to execution: Focus on the primary work process.
- Commitment to resilience: no ‘anorexia organisations’. In that case, a single case of illness causes major problems.
- Respect for expertise: decision-making by the subject matter experts instead of managers.
The what and how of risk-based working.
Chapter 2 is about the what and how of risk-based working. This must be integrated into the existing processes.
First, the chapter discusses these four key concepts as foundations:
Uncertainty
- Uncertainty is incomplete certainty caused by unavoidable variation and/or lack of information.
There are seven sources of uncertainty due to lack of information (Van Asselt and Rotmans):

Sources of uncertainty due to a lack of information

| Incalculable uncertainty | Uncertainty that can be reduced |
| --- | --- |
| Unknown uncertainty: you don’t know what you don’t know | Lack of observations: too little data |
| Unpredictability | Inaccuracy |
| Immeasurability | Contradictory results: illogical |
| Known ignorance: you know what you don’t know | |
Risk
- Risk is an uncertain event with causes, a probability of occurrence and effects on objectives.
A practical classification of causes, from “Understanding industrial crises” by Shrivastava, is HOT-RIP:
Human | Organizational | Technological |
Regulations | Industry (Sector) | Politics (Politics, Press, Public) |
An important note is that a risk is not just a chance times a consequence.
Risk perception
- Risk perception is the unique way in which a person perceives a risk.
It is not a question of right or wrong, but of different.
Important concepts for risk perception are availability bias, optimism bias, and confirmation bias. Diversity in vision is a solution. Different risk attitudes are possible: risk-paranoid, risk-averse, risk-tolerant and risk-seeking.
Risk management
- Risk management is dealing with risks in a goal-oriented, explicit, structured, communicative and continuous manner.
There are the following misunderstandings about this:
- ‘Risk management offers 100% certainty, from now on everything will go well.’
- ‘Risk management is difficult.’
- ‘Risk management is about predicting the future.’
- ‘Risk management is only about avoiding risks and is therefore only for risk-averse and anxious people.’
- ‘Risk management is just about filling in lists.’
- ‘Risk management is expensive.’
Six risk process steps
In doing so, these six risk process steps come to the fore:
- Set goals.
- Identify risks.
- Classify risks.
- Manage risks.
- Evaluate risk measures.
- Transfer the risk file.
These six steps can be found in frameworks such as ISO 31000, COSO ERM and RISMAN.
All six can be used in any of the six usual project phases:
- Exploration phase
- Preliminary design phase
- Tendering phase
- Final design phase
- Implementation
- Usage phase
Set of tools
The chapter then discusses eight commonly used tools. These are not unique to risk-based working and can be found in the literature in one form or another:
- The risk file
- Risk sessions
- Scenario analyses
- Risk-based research
- Risk-based monitoring
- Herringbone method with cross table
- Contractual risk allocations
- Risk scans
The working definition of risk-based working then becomes:
‘Risk-based working is the application of the six generic risk process steps in work processes.’
In doing so, the 20 characteristics from the first chapter are explained.
Conditions for risk-based working
Chapter 3 presents the most important conditions that must be present in organizations in order to actually be able to implement risk-based working. After all, there are obstacles, such as:
- Lack of time.
- Subjectivity of the risk assessments.
- Fear of Gray Rhinos emerging from the fog of false security.
- Difficulty in choosing control measures.
- Not wanting to deviate from existing working methods.
- Not wanting to see risks. (“I have a CRO for that.”)
So how can risk management be implemented in organizations?
There are four general things to say about it:
1. The form, function and meaning of risk management are largely intangible and subjective, which complicates effective, efficient and sustainable implementation.
2. Specific attention to the implementation of risk management is underdeveloped.
3. The implementation of risk management requires a combination approach of risk management, innovation management and change management.
4. Risk management methodologies must be adapted to the structure and culture of the organization and the different types of intended users.
Points 1 and 2 are bottlenecks, points 3 and 4 are solutions.
15 conditions of support
There are a total of fifteen conditions that support the embedding of risk-based working in organizations. These can be grouped as follows:
- Conditions for the organizational structure:
  - Roles, tasks and responsibilities have been formally agreed upon.
  - Dealing with risks has been formally delegated to people who do it as part of their day-to-day duties.
  - The handling of risks in relation to the objectives is formally reported to managers and supervisors.
  - Formal agreements have been made to adjust the work process of risk management on the basis of advancing insight.
  - It has been formally agreed that the external environment of the organisation will be involved in risk-based working.
- Prerequisites for the organizational culture:
  - Unambiguous working definitions for risk-based working are used throughout the organisation.
  - Throughout the organization, it is realized that risk assessments are partly subjective.
  - Differences in risk perception and risk attitude are explicitly expressed and discussed throughout the organization.
  - Risk-based working is carried out through collaboration in multidisciplinary teams with members from inside and outside the organization.
  - The exchange of risk information is a matter of course throughout the organization.
- Conditions for the method:
  - The method is available and accessible to all intended users.
  - The intended users perceive the method as user-friendly.
  - Use of the method provides relative benefit to the intended users.
  - The method fits seamlessly with the work processes of the intended users.
  - The costs for purchasing, developing and using the method are acceptable.
10 Tips for risk-based working
Finally, in the fourth chapter, the author explains ten tips for risk-based working:
- Risk-based working is not a guarantee of success.
- Risk-based working is more than a risk analysis.
- Instruments are supportive, not leading.
- Courses are just the beginning and often the end.
- Do a baseline measurement of the conditions.
- Create a flexible deployment plan.
- Managers need to create conditions.
- Differentiate between those who apply risk-based working.
- The step from early birds to followers is a leap.
- Monitor the progress of risk-based working.
Title: Risicogestuurd werken in de praktijk, Author: Martin van Staveren, Publisher: Vakmedianet, ISBN: 9789462760202