During my recent trip to Australia, I had an amazing opportunity to sit down with Grant Purdy to talk about where risk management started in Australia, the origins of the AS/NZS4360 and the ISO31000 and why modern day risk management, as perceived by majority risk managers in non-financial companies, is an embarrassment to the profession.
Grant Purdy has specialised in the practical application of risk management to support decision making for nearly 42 years, working across a wide range of industries and in over 25 countries. He has been a member of the Standards Australia and Standards New Zealand Joint Technical Committee on Risk Management for over 14 years and was its chair for seven. He is co-author of the 2004 version of AS/NZS 4360 and has authored many other risk management handbooks, guides and books. He was also the nominated expert for Australia on the Working Group that wrote ISO 31000 and Guide 73 and later Head of Delegation for Australia on ISO PC 262 that revised ISO 31000.
I am not exaggerating, this is a must listen for all risk managers. Yes, I know, the sound is really bad and I am sorry for the technology. Grow up and endure the pain. This will be the most fulfilling 50 minutes in your professional risk management career.
Turn on captions in Youtube: click settings (low right corner) -> subtitles/cc -> english -> options -> size 400%. Or read the full transcript here: https://www.rev.com/transcript-editor/shared/LZ7RH2yxG2UcBjTiPVwoeE3aSq16INkf1zSTCY-JX2KqdwLjVOM8TFfXoOm3ylCVGYaBrg
You will not regret this.
Alex Sidorenko: Hi, everyone. It’s Alex from RISK-ACADEMY, and, today, I’ve got an amazing opportunity to speak to Grant Purdy, who is, one of the godfathers of Australian risk management. And luckily, Australian school of thought on risk management made it to the global scene, but I think it kind of evaporated since. It’s disintegrated, I should say. So let’s come back to the basics and learn what was the original idea. And, just before we started recording Grant mentioned that he is working on the book with a colleague at the moment. Something that, the risk management standard could have been and I will Grant talk a little bit more about that, because I think that’s fascinating.
Grant Purdy: This is my 42nd year in risk management. It shows as well. And when I originally started in the profession, there wasn’t anything such as risk management. We didn’t need to define all these words because our purpose was only to help people make decisions about, plant items, the siting of houses near to major hazard plants, where goods should be rooted along roads, where our roads should be decided, airlines should be decided. And ultimately, you know, how people make decisions. Taking uncertainty into account.
Grant Purdy: And it was very simple in those days. People would come to me with a problem. For example, I was part of the Health and Safety Executive Team, that joined with the French and the Belgian in terms of the Channel Tunnel. And we were asked, “Was it acceptable not to have ventilation in the tunnel?” Or, “How can we deal with fires in the tunnel?” Or, “Can we transport gas cylinders on caravans as they go through the tunnel?”
Alex Sidorenko: There’s are very operational questions.
Grant Purdy: Absolutely. Because nobody had ever built a tunnel about then before, underneath the ocean. So we had to go away and understand the things that could happen and the chance of them happening, and what we would put in place and test out those things that might modify the uncertainty we faced. That our journeys would be successful. And, and that’s what it was about. It’s only really in the last, I suppose, 15 to 20 years that suddenly it’s become more proceduralized and we’ve almost convinced ourself that it’s not about making decisions, it’s about doing risk management. I’m as guilty as anybody else because I’ve been playing that game for many years, but increasingly with disquiet. And, and concern that we’d lost sense of what we’re here to do achieve. And the ultimate test has been for me to say, as my friend who’s writing the book with me says, if risk management is the answer, what is the question? And you can’t find what the question is. Because how on Earth did we end up with these massive confections? These odd, strange subjects? These bits and pieces that somehow don’t fit together? And we can’t even agree amongst ourselves as a profession what risk is, let alone what risk management is. And if you go outside the profession, you start to know more people who discover they use those words totally interchangeably.
Grant Purdy: Even within the ISO domain. You know, there’s, I think there’s about 40 different definitions of risk in different standards.
Alex Sidorenko: Right. Until recently there was more than 70 or something.
Grant Purdy: So even in an organization that prides itself standardization.
Alex Sidorenko: Yes (laughs). The irony is just ridiculous.
Grant Purdy: It is. And we’ve run standards like ISO 31,000, where we say, you know, the most important principle is one, that should be integrated and, two, there should be supported decision-making. But then the rest of the standard is about a set process. That is not possible to integrate and it in no way relates to decision-making.
Alex Sidorenko: Exactly.
Grant Purdy: I mean, how bizarre? How on Earth can you make a decision with a risk register?
Alex Sidorenko: Yes (laughs).
Grant Purdy: I mean, how can you do that?
Alex Sidorenko: I just want everybody to really listen to those words and hear them again.
Grant Purdy: I mean, how can you use a risk appetite statement to make a decision?
Alex Sidorenko: (laughs).
Grant Purdy: People say it informs decision, but they don’t because in reality, once these documents are written, they’re filed away. Nobody ever consults them. Nobody ever thinks about them. There may be an aroma left in the room once he’s passed through, but that’s all he can say.
Alex Sidorenko: And fascinatingly, the kind of the answer for many risk practitioners to that is that well, we should teach people to better use risk appetite statements and better use risk registers. Which of course is silly.
Grant Purdy: So you say to the, you know, ultimate customer, “Actually, everything you’re doing is wrong. Your language is wrong, your way of thinking is wrong. You have to fit it with my way of thinking.” Even though I’m supposed to be here to serve you. You’ve got the master/servant relationship somehow around the wrong way.
Alex Sidorenko: Exactly. The risk management is supposed to be the support function, yet it constantly demands information from business.
Grant Purdy: It imposes on them a language, which is totally alien to what most normal people do. So my colleague and I, we’re writing a very short, little book, it’s for deciders. It’s not for box tickers. It’s for people like you and me who have to make decisions every day. It’s as simple as that. And when we did that, we realized we can’t use words like appetite and framework and register. We have to … I said, well, we have to use normal language that normal humans would use, to the extent that we don’t have definitions. Because you don’t need definitions if you use normal language.
Alex Sidorenko: That’s right.
Grant Purdy: You’d have to define these special terms, and then incocate them. So thinking about these special terms. You don’t need that. So that’s good. So that’s where we are. Seems to me the game we should be involved in is helping people gain sufficient certainty about when they make a decision, they, that will contribute to the organization’s purpose.
Alex Sidorenko: That’s a very interesting way of putting it. I like the phrase that Hans, the ex-CRO of LEGO uses. He calls it informed risk taking. So executives are going to take some risks. It’s part of their life.
Grant Purdy: Because the word risk is so majoritive I don’t use it. And uncertainty is also getting tricky. But if you think about it, what we all try to do in life, is gain sufficient certainty so we can sleep at night. That our ultimate purpose, however we define that, is going to be achieved. You know whenever we make a decision that, you know, we need certainty that the outcomes that we want will actually occur and that those outcomes will contribute to our purpose. When that ink dries, we know what our purpose is. And you see that I’ve stopped using the word objectives, because again, that’s become so ambiguous. It can be local limited objectives. But ultimately, if you will for an organization, there is only one purpose. What are we here to do? So almost a highest level outcomes. What are we here to create and what’s our mission statement? And all, all decisions have to be framed in terms of that. You can’t decide if you’re, you know, the railway provider in this stake, that someday your purpose is to make better sandwiches on your trains. How does that, how does that fit with being a railway operator? That’s often what happens. So being very clear about your purpose is stage one. And secondly, very clear of the decision you face. And that leads you automatically on to the keyword, which is brought to the assumptions.
Alex Sidorenko: Exactly.
Grant Purdy: Understanding your assumptions and the uncertainties inherent in those assumptions is the key to making good decisions. Ultimately, you just have to make a call. You have to say, I’m willing to go ahead with this decision and I feel sufficiently confident that the outcomes will be as I predict and they will support me in my purpose. If you’re not, you do something about it. You change the decision. You fix everything. So you can see, we don’t need words like control or risk or register.
Alex Sidorenko: Where does risk mitigation plan come in? Because you just change the decision and then it’s, it’s mitigated automatically.
Grant Purdy: You changed the decision. That’s as simple as that.
Alex Sidorenko: Yeah, exactly. It’s interesting you say that, that as soon as you understand what the decision is, you then kind of identify what are the assumptions underlying that decision. Interestingly, that some of the tools that I’ve been talking about for so long, focus tools, are focused on dealing with assumptions. So simulations, scenario analysis, decision trees…
Grant Purdy: Absolutely. Well that’s, that’s where we started. And, if you like, a control is an assumption because you assume since it’s there, it’s working. You know, everything can ultimate … So an assumption. You assume it’s gonna be sunny tomorrow. You assume it’s gonna, you know, competitors are not gonna scrap your market. You’re gonna assume that your staff gonna be happy and work more. They’re all assumptions. And each of them has a level of certainty. Taking those into account when you make a decision. In other words, the proper use of the word context. What is the context for the decision is crucial. What we know of course is that people don’t always think about the internal related assumptions. They think of the external, but then there’s another layer, which is the wider assumptions, the geo-political. The, the global.
Alex Sidorenko: Macro.
Grant Purdy: The macro. And, and we know, we see it all the time, that organizations just don’t think about those wider things. So, you know, certainly in our book we have those three levels of assumptions you have to consider. Internal, which you may feel very uncomfortable about, but the fact is you have to confront the fact that not everybody does everything the way they should, or it doesn’t quite happen the way you’d like it to happen.
Alex Sidorenko: Exactly.
Grant Purdy: Similarly, external to organizations, knowing what the influences and pressures are there. And then thirdly, the, the why the context, because those really big macro changes could really screw up everything. So, I can’t give you the whole book, because it’s still being written, but I can give you on a basis that you cherish it but don’t show it to anybody else for the time being. I can give you chapter one.
Alex Sidorenko: I would read it today.
Grant Purdy: The root of the book, is, is this diagram here, which is how organizations and individuals make decisions. That have clarity of purpose. And then when an opportunity comes along, and I’m using the opportunity in its proper meaning here, not just some sort of positive risk. Whatever that means.
Alex Sidorenko: (laughs). Yeah, whatever that means.
Grant Purdy: An opportunity is just what it is. It’s a, it’s a situation that you could benefit from. If you did the right thing. So an opportunity comes along from your purpose, you have to make a decision and then implement it. And that leads hopefuly to outcome you expect. So there were two things that I haven’t mentioned here. One is that within the decision-making box, you just think of options, tentative decisions. We could do this, we could do that.
Alex Sidorenko: Alternatives.
Grant Purdy: And if we don’t, we must do that. We must always consider one of them could be doing nothing. And then we think about the assumptions associated with each one of those options, and possibly revise those in new light of information. And maybe adjust the decision accordingly.
Alex Sidorenko: Exactly.
Grant Purdy: So that what we go ahead with is something which we feel sufficiently confident will lead to outcomes which are certain, which will support our purpose.
Alex Sidorenko: It’s, it’s almost like a decision adjusted for uncertainty.
Grant Purdy: Spot on. But there’s another element. Of course, that’s all right with new decisions. What about all the ones we make in the past? That we didn’t write down or we’ve forgotten. Because a lot of the way we think is very much influenced by past decisions. So we have to monitor for change. There has to be a regime of monitoring for changes in assumptions of prior decisions. We do that really badly. Incidentally, I was horrified to see the new ISO 31,000 has excluded in monitoring the review of really context type issues of assumptions. Now it only monitors and reviews the process itself, which is sort of self-defeating really. And the fundamental concept of review is that you keep an eye out for change. Change which will affect the decisions you’ve made prior. Now that does imply you know what those decisions are. So one of the things that we do in the book, is we give a methodology. Very simply methodology for actually tracking down prior decisions.
Alex Sidorenko: Yep, Which is already a fascinating fascinating point because if you take an average risk professional in a modern day non-financial company, how aware, how close are they to the decision making process? Well, usually not very.
Grant Purdy: No. Invariably. They’re not involved at all. And, and as I said that earlier, the artifacts in risk management process are not used by normal humans. Even simple humans couldn’t use a risk register to make a decision.
Alex Sidorenko: (laughs).
Grant Purdy: I mean, how on Earth you got multiple columns of unintelligible clap-track with numbers and colors. Can you make a decision with that?
Alex Sidorenko: No.
Grant Purdy: And somebody at the end, you know, says, what does this mean? You can’t, you know?
Alex Sidorenko: I’ve I’ve come across something that just completely blows my mind. I mean, the Russian businesses really, take somethings literally. And I have seen two large corporations that have risk registers with 50 and 60 columns.
Grant Purdy: I have, I’ve been working for clients that had, in one case, it was 73 columns. The risk managers sole role was to complete this spreadsheet, continually we were updating it but it was never used for any other purpose other than, well, we’ve got a risk register.
Alex Sidorenko: (laughs). Which probably took a year.
Grant Purdy: I’ll let you into a little secret. I did find a really good use for risk registers a few years back. My children when they were younger, had guinea pigs and rabbits. And I discovered that if you shred them, they make very good bedding for small furry animals.
Alex Sidorenko: (laughs).
Grant Purdy: Moreover, once they’ve used it for bedding, and I won’t go into too many details over lunch, but the resulting material is really good in a compost heap. You can acquire good vegetables from it. So I’ve actually, you know, I’ve … Risk registers do have value, but only as bedding for animals. And if you think about it, if we’re still talking risk, risk is corrected because there’s a source of uncertainty and we’re faced with a decisions. So we can only possibly do a register, which is really just the minutes of the meeting. That’s all it is, should be just a record of a conversation about the decision we’re facing now. So how would that have relevance for future decisions? Not at all. So how can you possibly have a risk register that you created last year, having any relevance for what you’re doing this year?
Alex Sidorenko: But the key reason for that, is because this register was never created to a specific business situation.
Grant Purdy: No, they’re not.
Alex Sidorenko: They’re just, they’re just generic, catch-all, it’s like risk connected to broad objective of an organization in life in general.
Grant Purdy: One of the root problems, of course, is when you look at them, they don’t actually contain descriptions of risk. It, that’s if we knew what a risk was. Often they’re just winges or they’re just descriptions of sources of uncertainty that organisation faces. So, at the end of the day, you can do as much as you like in volition in your risk register, but you know, apart from bedding for small furry animals, I don’t really see any benefit. I know the history of this thing. I was there. Under the UK Factories Act in 1961 and proceeding acts, people have to have a general register. Which amongst other things, had to be lists of lifting tackle and things that had to be tested and how often the walls of the factory were painted, that sort of thing. Then we thought we’d be clever and in addition to having sort of lift and tackle and power plants and things like that, we’d get people to a list of hazards, you know? Things that could potentially hurt someone in the workplace. So far so good, you know? So far so good. But then we got really cute in part, and in, in the European community in the late 70s, early 80s. We thought why can’t we have this sort of hazards? Why can’t we grow and have some risks? And that’s when it started falling apart, and that’s where the risk register, it used to be a general register, then it was general register of hazards, and that’s when it came about. When I first did risk assessment, risk analysis, Spreadsheets didn’t exist. I was using a ledger. And I used to use columns in that ledger because I’d multiply numbers across the page and I’d lose hour five would go and how many people would be affected, and wind and weather? You, you’d use it. To work out the arithmetic across the page. And I think when we started using Spreadsheets, certainly I was using Spreadsheets very similar, you know? I was using them as a calculation tool. But then I think we got crazy, because we all liked Spreadsheets because we can format them and put numbers in. Actually, they’re bloody awful to record things in. I mean, when I do, when I have had to do sort of Spreadsheets, I’m not sure I would use Word. So I don’t have a limit of 50 words or 50 characters or this incredibly narrow column. I can’t squeeze everything in.
Alex Sidorenko: So if you are gonna talk about source or uncertainty and things that might happen that could affect what we’re trying to achieve, then why don’t we just use, you know, a Word document and, and, you know, just give a paragraph or two so that normal humans can understand the scenarios we’re talking about?
Alex Sidorenko: It’s, no, that’s, that’s amazing. And here we have a whole generation of risk managers who think, you know, in documents and risk register, in Excel is top of the world best practice. But we have also generation of vendors now coming and saying, “Don’t record your risk registers in Excel. Record it in the Cloud.” And that will make everything better.
Grant Purdy: (laughs).
Grant Purdy: Well, you know, it’s the blind leading the blind, as far as I am concerned. I had a conversation yesterday with a lady who said “When you did this in the past, you’d come up with six levels of consequence criteria. I thought it had to be a five by five matrix?”
Alex Sidorenko: (laughs).
Grant Purdy: And I’ve consulted all my colleagues in government in New South Wales, and they’ve all agreed it has to be a five by five matrix. And I said, “Well, no. We don’t even have to have a matrix at all,” you know? It’s just a device for combining consequence and likelihoods. And, and, you know, it surely is an attribute of the organization and the way we make decisions is to how many levels we want to grade these things. And if you want to use some sort of, system that, that had levels in it. We might not box that. In 1995 when we wrote the first Australian/New Zealand standard. We thought we were being really helpful by cutting in an appendix of the standard for indicative purposes only, a five by five matrix. It was the worst decision we ever, ever made. It wasn’t intended to work, it was purely an illustration. It was just sort of this is what a matrix looks. And it wasn’t the rating system, it was just a, a heap numbers, you would call it now, as a way of pictorially representing risk in terms of consequence and liability. But of course, you know it then got transmogrified and turned into, well it’s almost a religion now. And as evidence by this conversation I had yesterday, “It has to be five by five.” Oh, because everybody uses five by five.
Alex Sidorenko: Just to play with human people’s brains, whatever I do … I do a lot of training for the risk managers in Russia, and just to play with them. My first question usually is, what’s, what’s, what’s better, three by three risk matrix or five by five? And 90% of them start seriously debating which one is better. And, and it, are you all insane? It makes no difference, no rubbish.
Grant Purdy: Absolutely. You know, when I’ve, when I’ve had to compromise recently and go back to a risk register, Ihave to admit now, that I no longer discuss consequences and liabilities in, in meetings. I, I’ve been playing a trick on some of my clients for a while now, in that I’ve actually been doing the rating, because they want ratings. I actually do them myself inside the workshop. And you know, not one of the clients has come back and disagreed with anything I’ve ever done. because I don’t want to dilute the quality of the conversation that I have, right, about what are we trying to achieve here? What are the uncertainties? What are the scenarios we could think about what could occur and it could lead to that? And would that be acceptable? So that’s the sort of conversation I want to happen, and that’s what we have. At the end of it, they feel they’re confident to go ahead or they feel they need to make some changes in the decision. A different decision. To lead to a different outcome, which were more, would be more in line with their purpose.
Alex Sidorenko: I mean, I would never do that, wink wink. I actually do exactly the same from time to time.
Grant Purdy: No, and all that means at the end of the day, if they say, “Can you do a risk register?” “Of course.” But more importantly to the conversation we had. And risk registers are only, if you like as I said before, the minutes of the meeting. It’s just a stepping stone. What’s ironic, is that many organizations don’t store any of the pre-conditions for the risk assessments. They don’t store anything about the assumptions. They don’t even record the decision they were facing. They never agreed what the purpose was of the conversation is. They just reserve the risk register. A lot of them don’t even reserve the risk treatment plan that follows framework because they don’t have any actions. Somehow it’s almost as though this has some sort of magical significance once you create a risk register. I imagine them sort of waving it in the air and suddenly the world is a better place because you have this piece of paper from the risk register. It, it is bizarre how we’ve got to this state.
Alex Sidorenko: What I found fascinating is that people doing the risk registers and having all the discussions, the interviews, the workshop upfront, for the sake of having an updated risk register. Not, not as an instrument or as a tool to actually make a better decision, whatever that decision may be.
Grant Purdy: So we have a meeting, which we call a risk review. We do it once a year. And if you’ve got a really good excuse, you’re trying to find something else to do that day because everybody hates it. We all, they’re always running out of time, so we don’t actually get through them all. Invariably, they’re just about, you know, tweaking things here and there, but it’s absolutely irrelevant. None of it relates to decisions that people are taking now. Just a list of things we generated several years ago that we just embellish and tweak each year.
Alex Sidorenko: I call it stirring the risk register pot.
Grant Purdy: I’ve got Norman Marcs now, called in risk listing, you know, he’s got that from me and a few other people as well. Risk listing. It’s fruitless activity. When, you know, not only do you waste people’s time, but you do, you take up time that could be more useful to put into some other purpose. And you mislead your audience. People think this is what risk management’s about.
Alex Sidorenko: And I mean, as, as a kind of practicing risk management, the biggest challenge I always have, is a new managing director or a new CFO comes in and they all come in with the same thing. “We’ve done risk management at my old company, it was rubbish. I fired the risk manager.” “So what are you gonna propose differently?”
Grant Purdy: I do a lot of work with boards and, and they’re not better. They, they all say, “Oh. We want a risk registers as our report.” I say, “Okay. What are you gonna do with it?” “We look at it.”
Alex Sidorenko: (laughs).
Grant Purdy: “Yes. What is this going to do to you?” “Well, we need to know if the organization is exposed to unacceptable levels of risk.” It ain’t gonna do that. I encourage my clients to stop having risk meetings, you know? To even, not even have a risk committee. What they should do at a board level is ask intelligence questions of managers when decisions are made.
Alex Sidorenko: That’s before the decision is made. Exactly.
Grant Purdy: How, how are you certain about that level of certainty? What are you going to do to ensure that the outcomes are as you predicted? What are some of the scenarios? And after an event has occurred, what lessons have you learned? One of the things we’ve been doing recently is, is not just thinking about decisions, but think about disruptions. We realize that disruptions are inevitable, continuous, and often they’re fortuitous. Not just disadvantageous. Um, and often we create disruptions deliberately to make change in the organization. So the words change and disruptions become synonymous. So the, the after state is often much more preferable to the before state. Or can be. And the more you think about that, you realize there’s this whole edifice called business continuity management. While it’s flashy cousin called resilience. Which is based on absolutely false premise, which is we want to return things back to where they were before. Why would we want to do that? Why would you want to make the same mistake again for your sake? You want to move on. You know? You want to leverage the opportunity that’s been provided by the disruption and actually change things. At least not to go back to where you were before. Why do you want continuity? Nothing else is continuous, it has to be growth. That’s how we progresses. It spots opportunities and it moves forward. So why are you gonna deal with, you know [bends 00:28:25] but disruptive any differently? Why, why treat them as something you can get back to?
Alex Sidorenko: So true.
Grant Purdy: Crazy.
Alex Sidorenko: I think it’s one of the messages that’s coming out on the latest Taleb’s book saying that we learn from whatever changes are. That’s what makes organizations stronger. Just like it makes humans stronger.
Grant Purdy: I’ve always believed that, that, you know, 50% of risk management is about hindsight rather than foresight. In fact, the more you think about it, you realize that risk management so doesn’t help us look at the future at all. It’s all based on hindsight because the way we go through the process of doing it is always based on people’s experience and their knowledge. We never challenge them and say, “Is it possible? What would happen if this would occur?” “Oh, never have to move forward.” I said, “Well, that’s a normal response.” So, you know, no more risk management, true, is we don’t really based on things that will go wrong. The negative. And it’s based on looking backward of things in the past. Now, obviously, there’s benefits from learning lessons as we go through, but that, you know, really what we want to know is what a decision is, how certain are the outcomes and will they support our purpose? And, and often we can’t do that just by dredging up the past. Certainly if it means looking at last year’s risk register. God knows how you’re gonna make a decision. But it’s, it seemed to me so simple now. It’s crazy that we’ve got ourselves into this, this mire of language, of confections, and we’re being conned every day. And the societies that support the profession are the worst culprits here.
Alex Sidorenko: Oh. (laughs). Don’t even get me started on that. But that being said, it’s kind of weird. I mean, vendors are pushing silly ideas big time, but not like people are listening to them. Consultants and others are pushing this idea of implementing risk management and risk appetite statements. And that, that, that of course is silly, but again, they, they influence is very limited. And then, risk management society is an association’s and other kind of think groups, they kind of push their own agenda because they, they try to convince us that risk management is a profusion. When of it’s, I think, just a decision making tool. One of many.
Grant Purdy: Absolutely. How can you have a profession when we can’t even agree what the basic terms mean?
Alex Sidorenko: Yeah, exactly (laughs). And yet, all of those kind of influences, they’re not, none of them are individually that powerful. I mean, nobody cares what Russian Risk Management Association has to say. Any yet, risk managers themselves, make up their minds and just continue doing such nonsense.
Grant Purdy: It’s sad, it’s it?
Alex Sidorenko: It is, I find it bizarre.
Grant Purdy: It’s, I feel like I’m doing the Emperor’s New Clothes, but I shouldn’t need to do that. I mean, somebody should be shaking people and saying, “Hey, wake up.” There’s this conspiracy out there, you know, that one leads to the other. So, risk managers are trained on courses where they’ve indoctrinated this crap, and then, you know, society’s charged the money to go on these courses, and then to charge them money to have the qualifications behind their names. Associate of this and member of that. And then you’ve got the software people who don’t know really what any of it is about, but they’re just gonna sell software. So they’ll go with anybody. Then of course you’ve got the compliance people who say, “Well, I don’t believe it as I can see it”. And, and even the auditors, God bless them, you know? I still find auditors out there that say, “We limit risk,” you know what I’m saying? How on Earth can you audit risk, dear friend? Awarded some you believe is control, you might check this thing in place is modified risk, but you can’t audit a risk. You know? It’s just there, and risk is a risk. You can’t audit it. And who are you to, you know, identify new risks if you weren’t part of the decision making team in the first place? And you’re not even present when the decisions are taking place. So the best you can do is be in this sort of monitoring environment, but at the end of the day, is it better to have third parties doing monitoring for you or would you make it part of someone’s job? If you know the key assumptions that supported the decisions made, surely you should be keeping eye to see if those assumptions still remain valid. And if not, revisiting your decision.
Alex Sidorenko: Exactly.
Grant Purdy: Because otherwise you’re gonna be as many organizations are. Stuck with decisions, which are 10 years out of date. This whole raft of policies that organizations have they never get ’round to reviewing. They’re all decisions. Neat little … And they just, they just block up thinking. They slow organizations down. They clog ’em up.
Alex Sidorenko: But apparently, you can’t really monitor assumptions unless you come out with a KRIs. (laughing).
Grant Purdy: We, we had a, some friends and I had a little exercise going a few years ago where we, we’d come up with a new compound word. And add risk to lots of things. And I think I won that exercise. I’d come up with risk viscosity. And about that time, somebody came up with risk clock speed. Do you remember that?
Alex Sidorenko: Yep, I do remember.
Grant Purdy: Risk velocity.
Alex Sidorenko: Yeah, I think it was EY.
Grant Purdy: And then we got risk governance. The other thing of course we loved, is these three letter acronyms, you know? And, and, and really it’s ever year we invent another one so we can sell them the same box we did last year except it’s got a different wrapping on it. So we got ERM, the SRM, the ORM, IRM. The latest that, of course, came out in ISO9001 is RBT, Risk-Based Thinking. Which, the people who wrote the revision of 9000 didn’t know what it meant either. That doesn’t stop many of the people on the committee making a lot of money now running courses on risk-based thinking.
Alex Sidorenko: Of all the acronyms, I would have to confess that that one is closer to my thinking because it has decision.
Grant Purdy: It has thinking, I agree, but the people who wrote it had no idea what it meant. What I really wanted to do, because they originally said they wanted to distinguish from the 31000 risk management, they wanted to call it formal risk management. Formal, they didn’t want to say ad hoc, because that sounded like it wasn’t as good. So they, oh, risk-based thinkers. They wanted a sort of lesser form of risk management. It doesn’t have that formality. In other words, you don’t have to create a risk register. Thank God. But in fact, if, if they really thought it out, risk-based thinking, which is really about making decisions to gain greater certainty about outcomes, it actually what it’s about. But, look, we’re talking about the quality of fraternity here, you know?
Alex Sidorenko: (laughs). Don’t touch them.
Grant Purdy: Well, they have their own problems.
Alex Sidorenko: There, are too many of them.
Grant Purdy: There are. So look at, one of the attributes of getting older is you like things simpler. You know, you like simpler food, you like simpler pleasures in life. Like a nice wine or that’s sort of thing. And, and it’s occurred to me that I can help organizations make better decisions without using any of this crap. Without any of these confections. You can just talk to people normal and say, you know, as I’ve said here. What, what, what is your purpose? What is the opportunity? You at least define those because often people make a decision without having no clarity as to how it fits with the organization’s purpose. And do not define the opportunity clear enough so that they can convince others it really is an opportunity. Then ask them to at least think of some options, alternative decisions, to look at the assumptions against each one of those and come to a judgment on whether one of those decisions is the preferred one, or whether some other decision, some modified decision is the one they should go ahead with.
Alex Sidorenko: Exactly.
Grant Purdy: Then, at the same time, put in a regime of monetary. So that they keep an eye on those critical assumptions to make sure they remain valid. And if they don’t, have a mechanism to revisit that decision. And it seems to me that that, that’s what process is, first of all, it’s natural, it’s what humans do without thinking ,really. But I’m not saying we do all those things well. But we do an essence of those all the time.
Alex Sidorenko: True.
Grant Purdy: But if we do more of that, we can get rid of all the risk registers and all the rest of the clunk. And actually truly create value. And there isn’t need to think about integration, which often means trying to force something ugly and forcing into some existing system, because this is the way that people manage. There’s no need for integration, because this is the way we do it anyway.
Alex Sidorenko: Yep, And the irony, the biggest irony for me, is that if risk managers who are truly honest with themselves and actually looked at how decisions are being made right now-
Grant Purdy: They would commit suicide, wouldn’t they?
Alex Sidorenko: (laughs). That.
Grant Purdy: (laughs).
Alex Sidorenko: But they would also discover, is that finance have been using scenario analysis and sensativity analysis for ages.
Grant Purdy: Absolutely.
Alex Sidorenko: They, they look at alternatives all the time.
Grant Purdy: Well that’s, that’s how we got into this game. Because when I first started doing this thing called risk management, I didn’t call it risk management. I was doing scenario analysis, I was just coming up with some what-if statements. I was testing things out. And, you know, doing some calculations. I didn’t call, didn’t give it a name. We just thought about things that might happen and how good or bad could it be, and what’s its chance in happening, and a lot of that was done about assumptions. When you found assumptions valid, could it mean need to know?
Alex Sidorenko: I remember at one of the last conferences in Europe, I met a risk manager of quite a big oil and gas company. And he was explaining how he uses heat maps to do business unit risk profiles, which of course is silly. You know, but then I asked, you do realize that your geo research team uses Monte-Carlo simulation with like thousands and thousands of scenarios to make better decisions? And here you are coming to them with this kindergarten stuff, trying to suggest that they need help to better manage their risk.
Grant Purdy: Oh, I think we’re starting to recognize that most of the decisions remain the important ones, are in the area of complexity. And, and using a two dimensional matrix to deal with complexities, it’s, it’s like trying to fly paper plane to the moon. It can’t work out. If, it’s just not gonna take off. It’s, you know, the way we have to approach things such as complex decision making within the project environment, requires a totally different skill set. A different paradigm entirely. And, and, things aren’t two-dimensional matrices and risk registers, they’re absolutely relevant. And we’re not talking about a small number. Most of the decision you have to make, involve an element of complexity. In other words, there are no rules to follow, nothing we can understand there. We’ve never been there before.
Alex Sidorenko: Which is, another thing that I found fascinating, is that when you use the traditional risk tools, the best you can come up with is a conversation about risks. So you can say I really should be doing this-
Grant Purdy: Absolutely.
Grant Purdy: Another conversation about the decision making. No, no, no. It becomes self-perpetuating. So that risk people talking and risk, and you have managers who have no training, of course, to talk about risk, but they don’t see any relevance for it. Now, I mean, if this is ever published in a shape or form, we’re gonna have people sending me rude letters and, and making wax dolls of me with pins shoved in and things like that. I mean, there’s enormous industry out there that breeds off this stuff. But it doesn’t create any value except for the people in the industry.
Alex Sidorenko: Exactly.
Grant Purdy: And they’re not … And I base that on, you know, when you actually go and talk to directors or boards and you talk to managers and it’s shocking. They don’t see any relevance of this stuff. No, they can’t. I mean, obviously you just can’t use this stuff to make decisions. It’s meaningless. All you can do is, as you say, is make decisions about risks. You can’t make decisions per se. And, and particularly if you’re using some sort of, ordinal system that just says, high, medium, low.
Alex Sidorenko: (laughs).
Grant Purdy: All that. Now we see the relative system and for what? What can we possibly do to make decisions of substance in an organization that propel you towards your purpose when you’re using a relative ranking system? Which is really just sorting things into heaps, that’s what it is. Witchcraft. It’s almost a religion now. There are, you know, certain symbols that are hollowed and people bow before them.
Alex Sidorenko: (laughs).
Grant Purdy: They, they, the incantations that have to be answered. That as high priests you have to be, to mourn for them, you know?
Alex Sidorenko: Well I’m definitely the witch hunter. I’ve destroyed so many common risk concepts.
Grant Purdy: Yeah, so am I. I’m absolutely blaspheme.
Alex Sidorenko: (laughs).
Grant Purdy: I’m, I’m, the hands of the devil as far as these people are concerned. And, you know, I poke my head up on occasion. Norman, my good friend Norman, runs a blog. I felt lazy one day and I actually responded to some of these things and I had a debate. But I’m, invariably I’m put out of a debate just because it inevitably ends in the same point, which is some do say, I accept what you say but my regulator insists on doing this, or what you’ve said is not what I’ve been taught at universities, or I wouldn’t be allowed to do this in my organization because they expect to see this. And there’s little I can say there, other than if you’re not capable of thinking about this and you’re, you suffer quite frankly, the problem with ethics but you don’t actually believe any of this other than from some quasi-religious perspective. There’s nothing more I can do to help you if you won’t think yourself properly. You know, from first principles. You actually understand what this really means. I realize I’ve wasted another few hours when I could have been going, growing vegetables or helping somebody with real problems. So that’s that’s my perspective, which is, and, and, you know, I’ve been as guilty as anybody else. I’ve played this game and made money out of it for quite a few years. But increasingly, maybe the last seven or eight years I suppose, with a lot more concern, disquiet. Maybe 10 years, really. 10 … I was going through the motions but not really producing any true value. I was convincing myself and others, that somehow this this methodology which has no validity really at all, is somehow creating mystical value.
Alex Sidorenko: I’ll call this recording the, the confessions of a risk management.
Grant Purdy: I’ve never actually called myself, I’ve never actually had title risk manager. For one thing, I’ve always, even in the days when I was supporting the risk framework, I didn’t really want to be the risk manager. I’ve always been manager of risk management or something like that. Which is slightly less, more acceptable, but I don’t actually know what risk management is though. I don’t know what it is, even though I, you know, I’ve been doing it for 42 years. I don’t really know what those two words mean, and I don’t think many people do.
Alex Sidorenko: The, the best, answer to that question I ever got was, I picked up a book on decision making and decision quality. And I’ve read through the whole methodology on making decisions and eight out of nine chapters, chapter four was validating assumptions and testing alternatives. And that’s where everything about risk management fits.
Grant Purdy: That, that’s exactly what our book’s about. It’s very simple. It’s written not for risky people. You know. It’s really for deciders. That’s why it’s about deciders. For deciders. I mean, it’s just to help people make better decisions by understanding what certain was. How does certain come into the best possible decision? Albeit, there’s always gonna be uncertainty, you just do the best you can. And our feeling is that people could do a little bit more and end up with better decisions just by being, just getting you know, simple, active, writing down your assumptions. And often, you know, organizations that have to make decisions based on mergers and acquisitions, never write down an assumptions.
Alex Sidorenko: That’s very true.
Grant Purdy: Now, a number of organizations I find, don’t have a credible business plan. And, and the business plan they have, doesn’t give any note to the assumptions that underlie it in terms of market share changing direction of competitors’ activities and what customers need.
Alex Sidorenko: Well here is a quick reality check. How many risk managers, when they’re buying a new apartment or moving to work in a different country, how many of them, you know, write out their assumptions? And think about it?
Grant Purdy: No, nobody. They certain don’t write out a risk register, I can tell you that.
Alex Sidorenko: (laughs).
Grant Purdy: Do you use a risk register when you move house? Gotcha.
Alex Sidorenko: (laughs). That’s spot on. Now, thank you so much, Grant. I found this extremely valuable. It’s a pleasure.
Grant Purdy: Well it’s, it’s simple stuff, you know? It’s simple stuff. There’s nothing clever about it.
Alex Sidorenko: It takes years, I think, to get to that. I mean, for me, for me it was an honest conversation with a CEO who I’ve presenting, I was brought into fix state audit. I brought it to general, findings. And, and I’ve created a risk management ERM framework. I had everything. Risk appetite statements risk committee, mitigation plans, risk heat maps, frameworks, policies, everything. Within a couple of months I had it all. And you know? The CEO said it makes no impact on my work. What’s the point? It, it’s, like, is it I’m okay with this, it’s colorful, it’s beautiful, but it’s useless to me.
Grant Purdy: Sure.
Alex Sidorenko: And he goes, “You have six months to figure something out”. “To do something that is actually meaningful for us, the board members, on making decisions.”
Grant Purdy: Well, I’m embarrassed but this stage in my life and career really has dawned on me that it’s actually very, very simple. And actually, I’ve gone back to the very beginning. It’s what I used to do years and years and years ago, which is I don’t have to worry about definitions. Just make better decisions by exploring scenarios, looking at certain uncertainties. It’s as simple as that. And particularly the assumptions.
Alex Sidorenko: I remember, the meeting in Brazil, the ISO TC 262 Committee, where there was a number of sub-groups. Then one of the sub-groups, the first one, was assigned the terms and definitions. They were like raising hands, who’s going to go into which group. And I’m like, that’s a pretty irrelevant group. Who cares what’s the definitions are? If you’re overall idea is understood, I mean, it doesn’t really matter. And most of the people signed up for that group, and I though that’s strange.
Grant Purdy: Because the argument goes on these minutiae definitions. I mean, as far as I can see, if you have to define a term, it’s, it’s an admission of defeat. It means normal humans won’t understand the word that you’re putting in there. If you have to define it, that means you are somehow converting or narrowing the meaning from original. One of the things I sometimes do some provocatively when I meet people in the risk management profession, is say, just explain what you do but don’t use the word risk.
Alex Sidorenko: I’ve just played it in my mind. I think I would be able to.
Grant Purdy: But a lot of people can’t.
Alex Sidorenko: Impossible without using that word. And even then, they can’t define it. Because none of us define it. The risk of something happening, the risk of it happens, that’s risky, I’m taking a risk, I’m exposing myself to risk, I’m risking that. I mean, we’ve got so many different ways of using the R word. And, and, none of them are consistent.
Alex Sidorenko: The, the best one I love was residual risk.
Grant Purdy: Well the one I particularly hate is inherent risk. Absolutely gibberish.
Alex Sidorenko: Oh no, every single year there’s someone in the LinkedIn community who goes, “So what is the difference between inherent and residual again? And how do we actually use it?” And, and, without a fail, that silly question gets the most responses and engagement from the community.
Grant Purdy: Yeah, yeah, that’s … Because, invariably, it’s because, well we have to do it. Again, the person I was talking to yesterday said, you don’t have inherent risk in system design, but we’ve got to have inherent risk. And how do we know if our controls need it?”
Alex Sidorenko: Yes. Oh my God.
Grant Purdy: Oh, for God’s sake. You know? Junk.
Alex Sidorenko: Junk. Exactly. I, I think that’s where we’ll wrap up.
Grant Purdy: All right.
Alex Sidorenko: If you, if you continue doing that, you might as well jump (laughs). Thanks, Grant.
Grant Purdy: Cheers.
For more videos like that subscribe to the official RISK-ACADEMY channel https://goo.gl/ksCybT
– – – – – – – – – – – – – – – – – – – – –
RISK-ACADEMY offers decision making and risk management training and consulting services. Our corporate risk management training programs are specifically designed to promote risk-based decision making and integrating risk management into business processes. Risk managers all over the world call us in to help sell idea of integrating risk analysis into decision making and using quantitative risk analysis techniques. Check out most popular course for decision makers https://riskacademy.blog/product/risk-based-decision-making-executives/ or our dedicated programs to help risk managers learn the foundations of quant risk analysis https://riskacademy.blog/product/risk-managers-training/. We can also help audit risk management effectiveness or develop a roadmap for risk management integration into decision making https://riskacademy.blog/product/g31000-risk-management-maturity-assessment/
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
Thank you for the transcript