It was a great pleasure to interact with fellow risk management professionals at the recent online book launch for Simplifying Risk Management: An Evidence-Based Approach to Creating Value for Stakeholders. The event, hosted by the Institute of Strategic Risk Management, was my first chance to see people’s reactions to the arguments that I present in my book for a more rigorous, quantitative approach to risk management. As ever, the most interesting part of the event was the excellent questions from the audience, and two in particular stuck in my head:
- How does a quantitative approach deal with paradigm shifts?
- Can you allow for the possibility of simultaneous events, e.g. a cyber-attack occurring during a pandemic?
I attempted to answer each question individually as it was posed, but I’m not sure that I did a very good job! However, on reflection, looking at both questions together provides a more elegant response which highlights two important themes in the book.
Firstly, and with all due respect to my colleagues, I would suggest that the questions should really be rephrased. In both cases, the real question of interest is: is the proposed quantitative approach better than existing (qualitative) approaches? As indicated by my difficulty in giving straight answers on the day, both issues pose challenges for quantitative risk management. However, it is entirely unclear to me that qualitative approaches have any meaningful way of addressing these issues; so quantitative techniques still represent an improvement.
Secondly, one of the key objectives of the book is to shift attention away from a narrow focus on risk analysis and towards risk treatment. In the context of risk analysis, both questions are potentially problematic: if we are unable to fully account for paradigm shifts or interactions between hazards, we could seriously underestimate the risk to which the organisation is exposed. However, if we are looking at the effects of risk treatment, the worst that can happen is that we may under-value a potential risk treatment and fail to implement it.
Thanks once again to everybody who attended the event on 4th July. The questions posed have really forced me to think about the messages that I am trying to get across in my book.