A not-for-profit organisation called the Australian Risk Policy Institute (ARPI) recently published a paper entitled Strategic Risk Policy 2016. In the paper, ARPI argues that it has devised a new approach to avoiding risk that differs from conventional risk management. The paper is not an academic argument, nor is it in the form of an industry standard for practitioners. ARPI describes it as a guide to risk policy for leaders. This is distinct from risk-based policy such as defence policy, immigration policy, crime prevention policy and so on. ARPI is advocating a policy that is not necessarily specific to identifiable risks.
ARPI advocates an adaptive risk culture, not just in hierarchical organisations but more broadly across networks of organisations. Of course, this concept is well known to high reliability organisations and cultural risk theorists. Indeed, the literature in the field is quite rich and not as new as ARPI suggests.
ARPI argues that ‘traditional risk management’ is a relatively new discipline. This sounds like a contradiction in terms. It is assumed that ARPI means it is a new management discipline. This could be a flaw in the ARPI argument. Risk management is certainly not new. Human society has always managed risk. Many risk management policies and tools have been developed over thousands of years. The risk management methodologies used in some ancient civilisations were quite similar to the methodologies used today. A very good paper on this history is entitled Risk Analysis and Risk Management: A Historical Perspective, written by Covello and Mumpower and published in 1986.
Many policies, laws and regulations over the centuries have been risk-based. For example, the Code of Hammurabi, which held a builder liable if a house he built collapsed, was written in about 1760BC. Building regulations written since then have been mostly risk-based. Indeed, many laws directed at public safety are risk-based. Insurance is a risk management strategy used since about 3000BC. The asipu, a class of priest-consultants in ancient Mesopotamia, provided risk management advice as early as 3200BC. Security professionals know that security decision making has always been risk-based.
Perhaps ‘traditional risk management’ is a term poorly selected by ARPI. For the moment, assume that ARPI meant to use the term ‘conventional risk management’, perhaps as advocated by ISO 31000:2009.
ARPI argues that vulnerability is a new concept and that vulnerability needs to be considered in risk policy. Security professionals, defence experts and foreign policy analysts have always considered vulnerabilities, so this is not a new idea.
However, ARPI is correct in stating that in many cases there is a need to enhance risk management systems in order to consider risks that affect networks of organisations and not just isolated organisations. While this is not a new idea, it is worthy of consideration; indeed, it is an important point. Risk researchers have been working on these ideas of reliability for a considerable length of time. Many differentiate between simple and complex systems. A simple system might be a supply chain, where any organisation downstream in the chain may be adversely affected by a failure or incident at any point upstream. Another example of a simple system is a typical building project, where numerous subcontractors work in a hierarchy for a main contractor who in turn delivers the project for a client, such as a building owner.
In high reliability theory, redundancy is typically used to improve the reliability of simple systems that may be disturbed by unexpected events. It is not clear if ARPI’s use of the term vulnerability is intended to imply that redundant measures are needed to reduce vulnerability. ARPI is not specific about how vulnerabilities should be addressed.
In complex systems, the designer, builder or policy maker may not be aware of all the possible interactions between the component parts and even between subsystems. The risk analyst will consider some failure states, but uncertainties will remain about the interactions of failed components with other failed (or working) components of subsystems. This is especially true in the case of a system which is becoming increasingly complex; for example, electrical energy generation and distribution in most Australian states.
The ARPI strategic risk policy model in one sense recognises that complex networks of organisations and their operating environments need to be managed in more sophisticated ways than is often the case with routine risk management processes like those described in ISO 31000. However, at the same time, the ARPI model does not offer any new ways to manage complex risks; indeed, it seems mostly to ignore the wealth of ideas that have been developed in high reliability theory, the cultural theory of risk and normal accidents theory.
The ARPI model is clearly not intended to reflect academic thinking on the subject of complex systems risk analysis and management. However, ARPI could produce a much better, and more useful, strategic risk policy framework if it operationalised the state-of-the-art in academic thinking in this field.
Dr Kevin J. Foster is the managing director of Foster Risk Management Pty Ltd, an Australian company that provides independent research aimed at finding better ways to manage risk for security and public safety, and improving our understanding of emerging threats from intelligent technologies.