Practical Word Choices for Risk Managers
April 2006
Risk specialists use specific words to communicate
with each other. This is important for theoretical reasons, but the words they
use to communicate with their nonspecialist colleagues may be of greater practical
importance. This article reports on some effects that are already shown by experiment,
and suggests some others that need more attention.
by Matthew Leitch
Corporate risk managers, internal auditors, and internal control managers,
as specialists, have their own special language. We frequently debate the meaning
that words should have within our own specialties.
No official framework or standard for internal control or risk management would
be complete without definitions. As is so often the case, it is the most used words that
lead to the most alternative meanings. For example, we often refer to "a risk"
and "some risk" and yet very, very rarely acknowledge that these must refer
to two different concepts—one countable, the other not countable but potentially
measurable.
In places our jargon has departed from nonspecialist use of the same words
or phrases. For example, most leading specialist opinion now agrees that risks
can have unexpectedly positive impacts as well as negative impacts, though this
is controversial and different from nonspecialist use of the word "risk" which
is overwhelmingly negative.
If we use our specialized language with nonspecialists, for example in workshops
or self-certification documents, the results could be disappointing to say the
least. On the other hand, get it right and implementation of risk and control
ideas could be considerably easier than it usually is today.
Results from Experiment
A little while ago I ran an online experiment to test four alternative ways
to ask people to list risks and actions. The results showed that the words used
had a profound effect on the balance of negative, positive, and neutral "risks"
listed, and on the types of actions people suggested to deal with them.
Volunteers for the experiment, of which there were 36, visited a Web page
where they chose one of four scenarios:
- Planning a wedding
- Buying a company
- Building an extension to a house
- Looking for a new job
In the next stage they were asked to do one of the following:
- List risks
- List sets of risks
- List risk factors
- List areas of uncertainty
The wording was chosen at random, which allocated subjects nearly equally among
the four wordings. They were also asked to list actions they might take in respect
of each item.
The items people wrote down were varied, but two common types of item predominated.
One type was an item expressed in terms of failure to achieve something that
would be an objective for the project. For example, "Failure to complete the
build within budget." Actions for these items tended to be different ways of
trying harder to do the thing that was at risk. The other type of item was an
unknown: for example, "The cost of the build." Actions for these items tended
to be different ways to find out more, either immediately or as the work proceeded.
The scenario clearly had an effect on behavior. For some reason, people tended
to list possible failures in connection with weddings, jobs, and building, but
when buying a company, preferred to list unknowns. Probably it is the tradition
of due diligence in company acquisitions that cues these items and the resulting
actions. However, there was also a strong effect from the wording of the instructions.
All three instructions that mentioned "risk" had the same effect, which was
to trigger a high percentage of potential failure items. In contrast, the "areas
of uncertainty" wording triggered more unknowns.
If you want to encourage people to be less introspective and negative, and
to pay more attention to missing information, then you should ask them for "areas
of uncertainty" and not mention the word "risk."
My observation is that most risk registers resulting from workshops pay far
too little attention to uncertainty, and consequently many actions are things
that would be done even if the world were without uncertainty. For example, people
will suggest the risk, "Failure to complete on time" and then the action "Carefully
plan the project." This is not risk management because you would plan even in
a world without risk. This is just going through the motions.
Another point from this research is the failure of respondents to distinguish
between "risks" and "risk factors." Clearly these are not the same, but when
asked for "risk factors," people did not list risk factors, i.e., things that
were true, or very likely to be, and would be drivers of the risk involved.
Using risk factors is a powerful way to evaluate risks, but if people do
not distinguish between the two, this cannot work. The research does not show
what wording to use instead, but we should be aware of this problem and give
extra instructions, including examples to make clear what is intended, and look
for better words.
The research is written up in full in "Results
of an experiment in risk and uncertainty management."
Other Words That Could Be Crucial
In your organization, are people asked to "identify" risks or to "define"
them? Almost certainly they are asked to "identify" risks, and yet there is
an overwhelming practical reason for saying "define" instead.
A common problem with risk register items is that it is hard to tell what
is included in the item. They tend to be vague, rather general, and to lack
details necessary to properly assess them. Pick a sample from most corporate risk
registers and think about each item critically. The chances are you will conclude
that nearly all of the items have this fault.
This may be, in part, because people think of "risks" as things that already
exist, have clear boundaries, are already given, and therefore need only be named.
This is the frame created by the instruction to "identify" risks. As soon as
we say "identify" we have people thinking that the risks need only be named.
In contrast, if we say "define" the risks, this promotes a different frame,
one in which risks do need to be explained and defined. And they do, don't they!
Another wording that may help to encourage good explanation of risks is to
ask for "areas of" risk/uncertainty. If we say "areas" this again suggests a
concept that has a boundary, and therefore needs some definition.
Moving on to another topic, if you are interested in getting people to consider
"upside risks" as well as downside risks, then you face a particular challenge.
As already discussed, if you mention "risk," this is interpreted as negative
by most nonspecialists. As an alternative, some have tried asking for "opportunities"
instead. So far, my informal observation is that this tends to trigger a lot
of statements about things that are opportunities existing now, rather than
ones that might arise in the future, which would be closer to the idea of an
upside risk. Worse, the "opportunities" that pop up immediately in workshops
tend to be suggestions the participants have made in the past and which were
not acted upon, usually for good reasons.
At the very least, we need to add to the explanation and perhaps experiment
with alternative wording, such as asking for "potential future opportunities."
Summary
The evidence so far is that the words we use to get people thinking about
how uncertainty should affect their actions can have a profound effect on how
well they perform. This is not just a theoretical debate between specialists,
but a vital practical concern that affects whether risk management programs
make headway or not.
We need more research, but already it is clear that asking people to "identify
risks" is far from the best way to proceed.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.