Book Review: “Deciding” – Don’t Call It Risk Management
Review at Oxbridge.com on January 3rd 2021
Grant Purdy and Roger Estall have written a profoundly interesting, and perhaps heretical, book on risk management, with the caveat that it’s not about risk management. Deciding: A Guide to Even Better Decision Making (Amazon) does not want to be a book on risk management, and it’s not. But it is. And isn’t.
Some background. Grant and I have corresponded for years, and he’s part of a group of international risk experts that I rely on to bounce ideas off of, or simply ask questions. Unlike so many of my brethren in the ISO consulting field, I didn’t suddenly rebrand myself a “risk management expert” because a few folks at ISO decided to drop “risk-based thinking” into ISO 9001.
Grant even came to visit me in Peru, and enjoyed some admittedly “meh” pato pekin at the trendy Asian fusion restaurant Madam Tusan, owned by famed chef Gaston Acurio.
Within ISO circles, there have formed two camps. The first considers “risk” and “opportunity” to be opposites. I reside in this camp, having crafted my own set of definitions (“uncertainty is neutral; risk is the negative effect of uncertainty, and opportunity is the positive effect of uncertainty.”) The other camp claims that risk and opportunity are synonyms, and ISO’s top leadership, along with groups like the Project Management Institute, sit in this camp. The latter group argues (literally) that sure, cancer is bad, but cancer is awesome if you earn money in pharmaceutical research. The two camps don’t agree, clearly, since they are opposing viewpoints.
Purdy and Estall, however, present in their book another mindset, which I dare not even call a “third way” because that invokes some clumsy political (or Buddhist) middle ground that wholly undermines the dramatically different approach they discuss. Instead of positing risk vs. opportunity, the authors throw out all the jargon, and ask the question: what is this all intended to accomplish? The answer, which arises with stunning clarity, is: decision-making.
Whether a person or company is trying to manage risk or opportunity, in the end, it is all an exercise towards making the best decision one can make. Perhaps that is to address some bad thing, or perhaps to pursue some good thing. But breaking it down into binary “good vs. bad” cripples the discussion before it starts. For readers, I urge them to toss out concepts such as “risk” and “opportunity” and open page 1 of Deciding without such pollution. Yes, the authors will tackle these concepts, but in their own time, after they have wholly corrected the foundational structure of the question first.
When one focuses on the true purpose (to make a decision), labels like “risk” and “opportunity” become not only meaningless, but irritating distractions. After reading Deciding, I realize that one should not be in either of the two camps, since there are no camps. The camps are an invented construct that gets in the way of real thinking.
Instead, Purdy and Estall present a “universal model for decision-making” that Deming fans will appreciate since it hints at the classic PDCA model. (That’s likely not intentional, it’s just that PDCA fits into any logical thought process, at least at the 60,000-foot level.) But whereas PDCA sits in a process-based bucket, the book’s model requires understanding a macro concept first: the purpose of the entity making the decision in the first place.
For a company, the “purpose” is likely something like, “to develop new products that will increase our market share,” or some such wish-making. Purdy and Estall define it thusly:
We see it as being more fundamental than objectives, strategies and plans. Rather, it is the highest expression of the reason the organisation exists. Whether articulated or not, the Purpose reflects both the values to which the organisation aspires and what it seeks to achieve.
The authors then present some methods to hone that down from “dreamweaving” into more practical, biteable morsels. And, better still, they propose a practical method for actually testing the purpose, to ensure it’s not just sloganeering or mindless, boardroom blather. This struck me as particularly revelatory, while also being relatively simple for a dummy like me.
The book’s model also relies on determining the background “context,” which ISO 9001 users may fumble over with all of ISO’s mindless mumbling over “context of the organization.” That’s not quite what Deciding is talking about, but there are some similarities. The model presents three levels to consider for context: the internal considerations (of the company or entity making the decision), the consideration of external stakeholders and outside dependencies, and finally the “wider” considerations of grander, external influences. ISO 9001 users will note that final level is missing entirely from the standard, and has to be “interpreted into” a management system, assuming the user has even thought of it.
A big part of the “deciding” process is then the identification and control of assumptions, something that traditional risk ranking methods like RPN or FMEA are literally based on, but which never directly confront. As I have written, assigning numbers to guesses then calling it “science” reveals that RPNs are essentially no different than Tarot cards; they have numbers on them, too. Here, the book goes into detail on how to raise conscious awareness of the assumptions within any decision-making, determining their significance (some assumptions are critical, others not so much), and then “dealing with the potential for change over the life of the decision.” This latter point is mentioned not at all by most risk management professionals; once you’ve assigned a number to a risk, you can send the client your invoice. If something blows up a year later you can blame…. Microsoft Excel?
Speaking of which, you’ll find no risk matrices with their debunked math and ridiculous usage of multiplication. Concepts such as “likelihood” and “consequence” are barely mentioned, and even then, only in the broader sense of decision-making. The authors reject artificial tools such as risk registers:
The practical task of filling out the columns of the [risk] register invariably distracts Deciders from achieving sufficient certainty that their decision will deliver the required outcomes.
A template form is provided for governing the overall thinking process, and for even roughly assigning subjective grades to concepts such as “probability of change,” “speed of change” and “detectability of change,” but this is not presented as a method to rank risks so that one is mathematically more important than another. Instead, it’s intended to be used “either as an aide memoire to structure the conversations about context, or as a document suited to expansion and completion to create a record of what was decided – as might be needed, for example, for major or complex decisions.” Mathematicians can once again rejoice that their science is not being perverted to defend random occult prophecy.
There’s enough there to dramatically overhaul a company’s thinking process, and the book includes a priceless and practical, step-by-step guide on “shedding the risk management millstone.” Going beyond the usual trope of books that present high-minded ideas without any practical guidance on how to implement them, Purdy & Estall present an actual checklist on how a company can move from old fashioned, and ineffective, “risk management” into the “deciding” model presented in the book.
I could end the review there, but the book also touches on some elements that I found particularly interesting, and are worth mentioning. In no particular order:
I loved how the authors took a potshot at the coming rise of “resiliency.” As I write this, BSI and ISO are busy trying to create a new cottage industry — because we don’t have enough, apparently — for “resiliency management.” The authors of Deciding don’t mention these bodies or their craven attempts, but do eviscerate the concept.
Increasingly often, the expression ‘resilience’ gets an airing when considering the broad issue of disruption. This is an expression with many meanings, which might not matter were it not for the fact that cult-like, claims of being or achieving ‘resilience’ have become something of a corporate virtue-signal. Unfortunately, as with the word ‘risk’, ‘resilience’ is a word with several meanings ranging from: ‘bouncing back’ (e.g., “the city showed its resilience by recovering from the shock of a massacre”); capacity to bounce back (e.g., “the organisation’s contingency arrangements ensure resilience”); or not falling in the first place (e.g., “the river levees made the town resilient against flood”).
Further confusion arises from it being used in a way implying that ‘resilience’ is a destination and is thus binary (resilient or not) rather than a continuum (not very resilient → very resilient). As has been the case with ‘risk’, despite endeavours by individuals (including BCM advocates who have sought to harness it to their cause) to assert that ‘resilience’ has only one (i.e. their) meaning is fanciful. The genie is out of the bottle.
Next, you could read almost the entire book and not encounter the words “risk management,” at least until the authors roll up their sleeves and grab the beast by its horns to slay it once and for all. (It’s also thrown into an Appendix, so if risk managers are squeamish, I suppose they could skip it… but they’d be missing out.)
Purdy & Estall remind us a little about the history of corporate risk management, bringing us not to its origins in ancient Egyptian pyramid building (or earlier), but instead from the contemporary insurance industry:
By describing the myriad of practices that they were coercing their clients to adopt as ‘risk management’, insurers shifted the focus from their own interest to something ostensibly associated with their client’s management of their organisation.
Furthermore, this new compound noun, ‘risk management’ acquired the appearance of something of substance that was tangible, definitive, beneficial and noble. The ‘risk management’ label caught on, and in a generally random way, became adopted by others such as legislators, regulators, and advocacy groups to label their own decision-making ‘wisdom’.
They then go on to explain how risk management became something outright culty (my word, not theirs):
The ‘risk management’ expression was also seized on by consultants because it provided the illusion of something of substance and authority which could therefore be sold to their clients in the form of advisory services.
The (entirely untested) belief was that practising ‘risk management’ (in whichever guise) was prima facie evidence of, and a prerequisite for, sound management.
This latter point had me shaking my head, as I live this every day. Whenever we file complaints against ISO certification bodies or their accreditors, we are confronted with tepid defenses that the conflicts of interest or corruption can’t be happening, because ISO 17oh-so-and-so requires the bodies to have a “risk management procedure” covering these things. Repeatedly, we see the bodies holding up a procedure as some sort of legal vaccination against the sickness of corruption going on in full view. Those who still love risk management should be appalled, as it cheapens their profession.
You’re not likely to love risk management when you’re done with Deciding, however, and that’s all for the best. The book moves the conversation away from consultant-driven boardroom BS into a more practical, and infinitely more applicable, method that anyone can use.
If I were to come up with criticisms, I’d have two. First, cynics will note that both Purdy and Estall have come up through their careers as risk management professionals, and run consulting firms. So some of the criticism against consultants may ring false, but since I’m constantly trashing my own profession, I personally gave them a pass. We can also chalk this up to the authors evolving over their long careers, into something new.
Next, the decision-making process defined herein would take time to become second nature, and I can imagine the first few dozen times it would be a shock to those used to typing guesses in a risk register, letting a formula do the math, and then closing the file to go off and drink a latte. The thinking and steps here are easy, but they aren’t few. In a world where concepts like risk management are already being dumbed-down for the ADHD crowd (“risk-based thinking!”), this moves in the opposite direction. This is leather-elbow stuff, and while it will yield better results, lazy folks are not gonna like it.
Deciding is available at Amazon in both hardcopy and e-book (Kindle) formats.
“Deciding: A guide to even better decision-making” by Roger Estall and Grant Purdy
Reviewed in LinkedIn, 9 September 2020
Einstein is credited with saying “If you can’t explain it simply, you don’t understand it well enough”. In this slim, self-published paperback book Roger and Grant succeed in explaining a great deal very simply. They understand the importance of the “purpose” of an organisation, and of uncertainty and assumptions in effective decision making.
Roger and Grant are friends and I have heard them talking about their beliefs for some years but, as expressed in Deciding, their ideas have extra force and conviction. In eight brief chapters plus five appendices they show how better decisions can be made using a few key principles and processes.
They strongly argue for the use of plain English and avoidance of jargon. Grant and Roger are especially averse to the words “risk” and “risk management” and related terms with a 22-page appendix on this subject, preferring to focus on the purpose of an organisation and uncertainty about achieving that purpose.
The chapter on the purpose of an organisation is key: if we don’t know what an organisation is for how can we manage uncertainties about achieving the goals? In my work as a consultant for 17 years and, more recently, academic researcher, a frequent problem was that managers did not know what the organisation was for. Whether called purposes, objectives, goals, targets or a range of other terms they boil down to what the organisation was set up to do. They are important from the governance level to the frontline of an organisation, requiring good decision making.
Deciding highlights the importance of understanding and monitoring the context in which a decision is to be made and any assumptions in a decision. Both should be explored and written down to help ensure they can be monitored for change.
Consultants, software package vendors, and others may dislike the book, dismissing it as simplistic. But after reading this book I will be revising the content of the two papers I teach at Victoria University of Wellington to be more focused on uncertainty and the purpose of organisations. Indeed, the book will be a set text in 2021.
I was unable to order the book via Amazon in New Zealand but Unity Books in Wellington was able to access it from the UK for $34.
5.0 out of 5 stars on Amazon.co.ca and Amazon.com
How to achieve the outcomes you value by understanding uncertainty and deciding more effectively
Reviewed in Canada on April 22, 2020
The two authors of this book have used their decades of experience in advising key decision makers in government and business to provide compelling clarity on how to implement effective decision making in the presence of uncertainty. The book is written to be immediately understood by decision makers at all levels, from the captains of industry to airline pilots facing an emergency.
A simple diagram showing the links between purpose, deciding and an outcome is the paradigm around which this comprehensive analysis of decisions takes place. The critical role played by purpose (in some ways an analog of objectives) is a thread that guides and directs the analysis of decisions. Decisions give effect to a purpose and give rise to outcomes.
In its essence, decision making to increase valued outcomes by accounting for uncertainty, falls into the realm of what has come to be called “risk management”. In its Appendix C, this book’s thorough deconstruction and obliteration of the jargon, implementation and execution of “risk management” prove quite unequivocally why current approaches to risk management have consistently failed organizations. The authors, by doing this, essentially burn down a house that they helped to design but which was constructed in so many different flawed ways that a new start was essential. The new start has been achieved by moving to a strategic level of analysis and by very effectively communicating how deciding can be done in a manner that can consistently and effectively result in valued outcomes.
Disruption has finally come to risk management. Like Uber disrupting taxis where the disruption resulted in clients getting what they desired by avoiding a complex and over regulated approach that no longer provided value, “Deciding” provides what risk management promised but never delivered on.
The structure of the book makes it a valuable reference to readers where chapters one and eight provide the essence. The remaining chapters speak directly to the nature of discussing, deciding, purpose, context, assumptions and monitoring. Each of the five appendices provides focused analysis and advice with Appendix E providing a handy, pocket sized prompt card. This presentation brings clarity and focus to critical elements and allows the reader to quickly access areas they are interested in or where they are grappling with important challenges.
Can you decide?
Reviewed in the United States on May 9, 2020
Have you decided yet? No?
Then you are very much like me: I am a natural procrastinator, an observer, an equivocator, a questioner. I am always curious that there might be another course of action, so I instinctively postpone any decision.
But Estall and Purdy, two literate Australians, have composed this short and lucid guide to easing many of us toward firmer and better decisions.
Also included is a critical analysis of the disintegration of the idea of “risk management” into a chaotic jumble of unnecessary complexity, codification, and complication. That section alone is well worth this book.
Reviewed on Norman Marks’ Blog on April 26 2020
The book Deciding …was a great read.
The authors deserve accolades for rejecting jargon and writing in plain English with words having their normal meanings. As they say, “let’s face it, the human race functions very successfully communicating in its normal languages”. How right. I’ve never heard two people use the word ‘risk’ in the same way which, as the authors say, makes it a wholly useless word.
As both a former special forces officer and a kidnap response consultant, I also agree entirely with what the authors say about making decisions under pressure. Even though such decisions must sometimes be made almost instantly, only if the ‘Decider’ is skilfully applying the ‘universal’ method as described in Deciding will he or she have sufficient certainty about what at times, can be life and death outcomes. However, I have also found that the same applies to decision-making in the comparative tranquillity of the business world.
The chapter and supporting Appendix about detecting any changes between what was intended and what results, as well as future changes in context (i.e. ‘monitoring’) are also very apt. Decisions are not ‘fire and forget’. The example in the book about the conventional taxi industry that found itself flat-footed when Uber arrived is a great example. Indeed, the Appendix relating to creating and avoiding disruption is a ‘must read’ for businesses in these COVID times.
Peadar Duffy on LinkedIn
I downloaded ‘Deciding’ by Roger Estall and Grant Purdy a few days ago and really enjoyed the read. A seminal piece providing a practical account of the ‘universal method of decision making’.
The book is a must read for risk professionals who:
- Acknowledge that ‘traditional risk management’ has failed,
- Understand that the purpose of risk management is to ‘provide sufficient certainty’ that organisational purpose can be achieved, and
- Want to know how to conduct business focused discussions without using the ‘Risk’ word!
Check it out!
Selected Abridged Responses
When we published ‘Deciding’ we were overwhelmed by an almost universal enthusiasm for its availability, with many citing the very reasons that had stimulated us to write it. Here is a selection of responses.
I’ve just downloaded this great book…. I’m only partway into it but so far it’s spot on, and a great addition to the bookshelves of anybody who makes decisions. J T
I am required to develop an Enterprise Risk Management Framework by the Board, Funders, government etc. I know this will not assist my new organisation to make better decisions and am embarking on a long road to influence internal and external stakeholders of this, whilst protecting the organisation from repercussions of not ‘ticking the box’. I had heard about your book and look forward to reading it. Thank you for sharing your considerable experience and best of luck changing the way the world thinks about risk management. C o’N
I totally agree on your observations that there are things fundamentally wrong with the concepts of risk as used by the risk management community…. If one cannot understand the topic under scrutiny then how to decide how it will affect one’s plans? P vd G
More people should be thinking this way! S F
During the last 10 years I’ve increasingly become aware of the nonsense of having something like risk management separate from regular management. I’ve observed that there are strong parallels between religion and risk management, varying from unbelievers – skeptics – liberals – illuminati – fanatics – extremists. M d P
… as soon as people started making money from the process of “Risk” management (think big four, management consultants, etc. ) and the terminology of risk champions, CROs, etc. this decision-making tool became corrupted in my opinion. I recently (last week) had to give advice to a village leader in Indonesia about how to handle the question (“oh s**t, what next?”), and I must admit that I didn’t contact any of the numerous RM associations around the world for help. P C
I was also privy to seeing how my clients approached risk through the use of things like risk registers, heat maps etc. I was cautiously sceptical of this at the time and couldn’t quite see the value, but didn’t really think I was informed enough to know better.
What I now realise is that I am incredibly fortunate to have come into a blank canvas rather than inheriting an approach and having to change it. Three and a half years later I am making some progress. We have introduced the analysis of uncertainty into the strategy planning process, the annual business plan, and are working towards incorporating this into how we provide revenue and profit guidance.
The progress with our Board is mixed. Those who are more analytical really like the quantitative approach and connection to a relevant decision. Those less analytical continued to ask for heat maps and risk registers.
One of the challenges is that at the other companies they are directors of they are used to seeing risk info presented in a certain way. However we pride ourselves on original thinking and are not afraid to call out fads. G G
I agree with every word of your message. Sounds like we have both been swinging at this pinata for a long time. I’ll check it out …….. it’s all about decision making. B H
New way of thinking that linked with my frustration to keep the Risk Management process alive and trying to make it more meaningful than just paper! I told [my manager] before Christmas that I had done all I could for now and that I really did not think it was helping as it was just a paper system that the managers complied with, as it was linked to their bonus! DH
I am fighting almost on a daily basis with regulators, consultants and representatives from HQ over the ‘compliance’ requirements (risk appetite, heat maps, risk registers and whatever other nonsense they ask for). Luckily enough I found my management on my side. We are trying to integrate RM and assist them in making better decisions. We find this very complicated and time consuming. I hope the book can help/guide us through this! R K
Your thoughts and the book resonate with the work I have been doing inside [company] for the last 10 years. I have been very frustrated by the lack of change in thinking on RM. In my work in vehicle interaction systems we have developed a methodology with a strong human factors component … but takes it a whole lot further to your point about decision making. The work has been picked up globally and we have shared it with all the majors through the ICMM Initiative for Cleaner Safer Vehicles. The Safety zealots are up in arms over this new approach but the operational people love it. T E
I share many of your concerns in relation to the current direction of risk management and thus its potential to influence organisational decision making, particularly at strategic levels. …I have slowly begun to realise that ultimately all of these areas are only really of importance in so much as how they can improve decision making at all levels within an organization (strategic, tactical, and operational). I therefore believe that decision making is at the heart of success or failure, and intelligence is merely the oxygen or lifeblood. Your ideas in this regard are indeed timely and I very much look forward to interpreting the direction you have taken on this. S L
A new approach is always necessary and even more so when the previous ones have not had the desired effect. J F