Risk-based decision making
Decisions evolve around the need to make choices, either to do or not to do something, or to select one option from a range of options. The choices available are often constrained by social, technical, business, safety and environmental requirements and objectives. Successful decision making requires an understanding of these many requirements and objectives, their relative importance, and how to assess options and make the ‘best’ decision.
A typical framework for the decision making process is illustrated in Fig. 1. The importance of the change dictates the extent and formality of assessment, documentation, review, consultation and approval.
Fig.1 Standard Process for Decision Making
- The need to change could come from a number of sources, including statutory requirements, internal reviews, audit findings, lessons learned form major incidents, etc.
- The extent of assessment and documentation will be dependent on the significance of the change. This will range from experience based assessment through to more comprehensive numerical assessment.
- The extent of review will be dependent on the significance of the proposed change. This will range from internal review through to independent review and involvement of regulatory bodies.
- The approval body will be dependent on the significance of the proposed change.
- Implementing the change effectively is arguably the most important step, since it is only at this point that the risk is reduced (see Active Risk Management article, page 4)
RISK-BASED DECISION MAKING PROCESS
The overall decision making process steps remain the same in Risk Based Decision Making – define the issues, examine the options and implement the decision. What is different is that the decision is arrived at by a structured understanding of the risk-reward balance and uncertainties, illustrated by Fig 2.
Fig. 2 Risk Based Decision Making Process
The options available will be based on one or more of the “4Ts” risk response strategies: Terminate, Treat, Tolerate, Transfer. A well designed risk response portfolio will focus not only on reducing the likelihood of a risk occurring, but also includes plans for stabilisation and recovery to ensure business continuity and effective reputation management. It may also be possible to reduce the potential for financial loss by hedging techniques or insurance purchase.
Next, an evaluation of the risk response options is required, taking into account their cost, benefits and views of relevant stakeholders. Whilst risk responses which are not cost-effective (i.e. the value of any reduction in risk is outweighted by the cost of the control) would normally be discarded, there may be mandatory requirements imposed by internal standards or external regulatory authorities.
Ultimately, a decision is made. Often the decision is clear-cut: the proposal is clearly worthwhile or not. At other times there is no clear answer, requiring further investigation of the underlying issues or a simple consensual decision. Any decision requires an assessment of whether the “residual” risk is acceptable, given the risk appetite of the organisation which, while difficult to quantify, is surprisingly well understood, if subconsciously, within most organisations.
Whilst this process is reasonably straightforward in principle, in practice there can be demanding issues to overcome, for example:
- Ensuring the options have been properly selected and defined.
- Setting assessment criteria, and objectives and their relative importance.
- Identifying risk issues and perceptions.
- Assessing the performance of options against aspects that may not be quantifiable, or which may involve judgements and perceptions that vary or are open to interpretation.
- Dealing with differences in the uncertainties of estimates, data and analyses – it may not be able to provide a fair reflection of the actual differences between the options being considered.
- Managing or avoiding hidden assumptions or biases.
The United Kingdom Offshore Operators Association (UKOOA) decision making framework was developed specifically to address these issues, and is the best known within the high hazard industries [Ref.1]. However, effective Risk Based Decision Making processes do have common features, regardless of the business application, as noted in the recent Rail Safety & Standards Board research review [Ref.2] including;
- Use of a framework for incorporating societal values/concerns into risk based decisions.
- Ability to plan and take risk based decisions for the long term.
- Effective risk based decision making forums both within single companies and cross industry.
- Clear understanding of the required inputs for and pride in the output of risk decisions.
- Positive management of the media and transparency of risk based decision making.
- Ability to take rapid risk based decisions to operate under degraded modes.
- Co-operation with the regulator(s) leads to co-ordinated risk based decisions.
- Evidence from experts provides a sound basis for risk based decisions.
Figure 3: Summary of Key Lessons to be Learned from Industries (Ref 2)
Many organisations in commerce, industry and the public sector have learnt the need for structured Risk Based Decision Making processes after some very painful lessons. Few would state their processes are fully evolved and functioning without problems. Many other organisations are really only now starting their journey. Successfully applied, though, risk based decision making can be both powerful and cost effective.
1- Industry Guidelines on a Framework for Risk Related Decision Support, UKOOA, April 1999.
2- Decision-making Practices and Lessons from Other Industries, Rail Safety & Standards Board, Report T266, 2004.
This article first appeared in RISKworld Issue 7.
Related consulting services:
Subscribe to Risktec publications
Please use this form to subscribe to RISKworld. You will also receive exclusive access to the Risktec Essentials series, plus notifications of new events and publications.