How to make risk unmanageable

Risk revisited

Once a risk becomes a thing, becomes reified, managing it becomes something else. Once you name a risk and put it on a public risk register, it becomes largely something that you put on the register and managing it has to be seen to be done. That is not how risks work. Managing the reified thing is not managing the way things may go pear-shaped.

I went to one of those dreadful business breakfast things, all bright-eyed and bushy tailed. Since I was then the director of a risk management business, I talked to a nice chap about risk. He explained to me that he was the finance director of a mental health trust. He needed some extra accommodation built, and back in the day there was a choice between PFI, PFI and PFI. For a start, PFI schemes are 30 year deals. He said that anyone who could predict what mental health accommodation needs were going to look like in even 5 year was either a genius or an idiot. So the real risk is in having a scheme with 30 years of inflexibility built in, but that was not where the rules were focused.

The chief thing in the eyes of a politician about PFI is that it transfers risk from the public sector to the private sector. So my poor interlocutor said he had to spend £40K to use someone’s risk model. Then he had to adjust the inputs to the model until they showed a satisfactory risk transfer from public to private. This is an adequate image for public risk management: create something arbitrary, label it risk, show it has the required behaviour, and get it rubber-stamped. No-one is ever going to look at the quality of the fibs because the powers that be have ordered the fibbing in the first place. Remember the soviet screw factory that fulfilled its quota measured in tonnes by making one giant screw? At least that was funny.

This is not just a public sector thing. I observed the annual planning process for a mobile phone rollout programme and it was just as bad. Risks were created by bad senior management decisions and unsupportable policies and then documented and given to relatively junior staff to manage. For instance I think at the time old technology switches that could not handle the volume of traffic but had not been fully depreciated in the accounts were required to be reinstalled.

There is a pattern here that we want for this post. It is that one of the key roles for staff and one of the reasons they get paid for doing bullshit work is that they are in practice tidying up and disguising the chaos created by their “superiors”. I worked with a guy, Jim, who told me he was agonising about whether to resign because he was so good at clearing up the mess that he thought it encouraged the executive to be even more slapdash and corrupt. Really and truly.

Public face

There is also a question about whether risks can be admitted to in public. Putting them on the risk register is one thing, allowing FOI requests on the content of the register is something a little extra. There is a longstanding debate around security risks about how much to admit about the risks that are faced. The advantage of going public is that many people can turn their minds to security and the questions don’t get stuck in a ghetto. The advantage of not telling terrorists where the weaknesses in the system are, are rehearsed constantly by the tabloid press.

A long time ago I had some dealings with the Safety-Critical Software Club. I wrote an article for their magazine in which I was concerned that it was not possible to admit to the reality of the software that is used on commercial aircraft, because the public would not be able to understand that all software is poor and this was just software that it was more important to bring some expertise to bear on. My article claimed that it was going to be difficult to address the software quality problem while the official fiction was that it was already perfect.

Perhaps I should explain that I had a mate who had some automated tools for assessing various aspects of software quality, and he had been looking at some software from Airbus. Anyway the editor of the magazine claimed to be unable to understand the point I was trying to make. Which was exactly the point I was trying to make of course.

Risk aversion

Many people are risk averse. They just are, maybe from upbringing, maybe from historical scars. Here we just want to be clear that in the real world doing real work, risk aversion does not do what it says on the tin. Trying to avoid risks while doing real work is like trying to avoid crevasses, ice climbing and lack of oxygen while climbing Everest. Either you want to climb Everest with all that entails, or you don’t. Though having seen film of the queues of people making the ascent in Robert MacFarlane’s film Mountain, I wonder whether this has been understood.

People who understand how to embrace risk as part of what they are trying to do, are likely to have far fewer problems than more timid souls. Or for a slightly different angle, climbers have fatal falls not on the devastatingly difficult ascents they make, but overwhelmingly on the way down when they have relaxed. Part of what keeps us safe despite the risk and almost because of the risk is being absolutely wired.

We should perhaps rehearse here the story out of Sources of Power by Gary Klein, about a US destroyer sitting in the Persian Gulf while Iraqi missile positions were overrun by the US Army. The feeling was that the Silk missiles in the batteries would be fired rather than merely surrendered, and the destroyer was a sitting target. In the event a missile was fired at the destroyer and it was shot down before it reached. The ship systems recorded how it was shot down before it appeared on the radar and before it could be positively identified as not a commercial airliner.

Notice the close alignment here between risk and work. Only by genuinely identifying with real work, which implies it being your work to do, can you fully inhabit the risk and stay safe. It is not really about safety or risk, it is about doing the work that is your to be done. Sometime some slightly formalised analysis and some extended and sensitised monitoring can help. Formalisation and reification without attempting the real work are a recipe for disaster, but this is near universally misunderstood.

The numbers

I did some work in the interface between the NHS and the HSE. Hospitals kill quite a lot of people, most of them in a medical sort of way. And the serious injure far more. In discussing this with the relevant manager at the HSE, something caught my ear. He said that only “accidents” that were definitely the fault of the hospital were ever investigated. Maybe you have the same response as I did: why not investigate the accidents that need investigating to see whether anything was wrong? The answer was this: who is going to vote for another 10,000 accidents a year in hospitals?

In this way the figures that we have that might inform risk assessment are systematically corrupt and misleading. For an up-to-date example Prof Trish Greenhalgh on a study she did of the cost effectiveness of the NHS diabetes programme. Her results showed that it was marginally cost effective. But from my own experience, the advice given to patients on that programme is wrong and damaging. So although I am sure that there is a baseline against which it is possible to show that the programme saves money over time, there is another baseline against which it is doing patients so much harm that it might well be the subject of a class legal action. What is the risk of taking your GP advice on your diabetes? Well that depends.

Attitude, attitude, attitude

Risk is the domain where it is clearest to me that there are both things in the big bad outside world that can obey Murphy’s law, and at the same time how we relate to those things is absolutely critical and foundational. We both suffer risk and create risks for ourselves, and an outside observer cannot really distinguish between a run of bad luck and a crappy attitude. This is where our conversation with the universe happens, and as in any conversation there is no saying where it will go.

I just read a wonderful short piece by Diana Mitchell, a psychotherapist who has become deaf. In it she describes how as her ability to literally hear and recognise the words here clients were saying faded, her sensitivity to tone and to body language etc. became sharper and sharper. As she asked less questions to establish literal meaning, the emotional meanings became clearer, and clients became more grateful for having been truly heard!

The people who have pushed these boundaries furthest seem to report that knowing your own mind is crucial. The one thing guaranteed to cause the roof to come crashing down on your head is to fail to be honest with yourself: about what you are doing and why you are doing it. You can be a confidence trickster only if you absolutely know how you are taking advantage of people and the harm you are doing.

The great corporate scandals of our time: Exxon and global warming, Coca-Cola lying about sugar, Monsanto polluting the world with glyphosate, whatever you want on the list, are bare-faced exploitative lies, carefully buttressed from all directions. Their harm is twofold: wrecking lives but also wrecking the ability to communicate about risk which compounds the first. The recent huge fine on Monsanto for causing cancer was justified largely on the latter factor: the truth had been systematically obscured and confused for many years in a cynical fashion. The effective risk management these corporations achieved over all that time points to the way they fully understood the truth of their evil actions: none of this is accidental or merely ill-judged.

Living it

Risk is not what it seems because only by doing the real work can you find out what it takes to do the real work. If have plenty of scars from trying to explain to clients what might go wrong. It doesn’t work, they could never hear at the level they needed to hear. There was work they needed to do that was not available to them.