Module 3: Risk Decisions: International Diploma in Risk Management

International Diploma in Risk Management
Module 3: Risk Decisions
Module Handbook
June 2012
Module Handbook: Risk Decisions
Module Three: Risk Decisions
Contents
1 The Diploma so far 2
2 Looking ahead 3
3 Module aims in summary 6
4 Module learning outcomes 6
5 Module syllabus 7
6 Module learning activities 7
7 Module learning materials 8

7.1 Reading materials 8
7.2 Important notes about reading materials and expectations 8
8 Unit 1: Decision making – An introduction 9

8.1 Unit 1 Reading 10
8.2 Unit 1 Self-assessment 11
9 Unit 2: Decision makers – risk thinking and decision making 12

10 Unit 3: Risk problem structuring and the creation of risk information 16

and knowledge
11 Unit 4: Using technology to support risk decision making 21

12 Unit 5: Critical risk thinking and improved risk decision making 22

13 Appendix 25
Self-assessment answers, comments and suggestions
Module Three: Risk Decisions 1

© IRM Sept 2011
1 The Diploma so far

Mastery of the material covered in Modules One and Two places students in a strong position
to succeed in Module Three. Students should be sure to have either successfully completed
the Modules One and Two examinations or, if studying more than one module at a time, to
have completed the work on Modules One and Two before moving on to Module Three.
Modules One through to Five are intentionally designed to be studied in sequence, and
many difficulties may arise in approaching the modules out of sequence.
Successful completion of the material contained in Modules One and Two should give students
confidence that they understand and can apply the key concepts that underlie a study of risk
and the practice of risk management. Further, students should now possess a solid foundation
for understanding the interaction of risks and organisations. In particular, completion of Module
Two should make students comfortable and confident that they can discuss, apply, and think
critically about:
How organisations become exposed to risk and how this exposure provides insights into
managerial responses.
The methods necessary to develop an overarching framework for organising, sorting,

ranking and evaluating risks.
The various perspectives of risk that exist within organisations and particularly how
professional cultures (finance, the law, engineering) can combine with national and
corporate cultures to influence how organisations and managers look at risk.
The proper language necessary to be able to discuss the technical aspects of risk within
specific areas of an organisation.
The specific managerial challenge of integrating and coordinating risk across an

organisation and, specifically, an insight into the challenge of leading organisations toward
cross-functional responses to key risks.
The distinct and unique nature of an individual organisation’s risk profile and insights into
the challenges that arise in developing a risk management response that is specific and
relevant to each organisation.
In general, a student successfully completing Modules One and Two should be in good
position to discuss the overall role and purpose of risk management and to discuss
organisational risks knowledgeably in a reasonably comprehensive and meaningful way.
Beyond understanding terms, concepts, principles and frameworks, however, students should
also possess confidence that they can apply this knowledge in organisational settings and can
think critically about abstract risk management issues. Notably, students should be able to
construct a meaningful argument for what risk management can mean to a specific
organisation, and to understand broadly the types of risks likely to be relevant to that
organisation.

© IRM Sept 2011
Beyond this, students should have confidence that they can make meaningful assessments of
abstract situations where the absence of risk management or its inadequate application has
resulted in a problem or dilemma. It is not expected at this point that students will be equipped
with the knowledge of specific tools strategies, techniques and methods that would enable
them to prescribe and implement a specific solution, but they should be confident in their
abilities at least to frame the issues properly.
It is very likely, however, that students will complete Module Two with a sense that they now
know a lot about organisational risks, but perhaps without the confidence that they can
systematically and methodically gather risk information, analyse that information, and make
important decisions based upon that information. These are the subjects to which Module
Three now directs students’ attention.
2 Looking ahead
Students are reminded here that Modules One to Three serve a particular purpose within the
Diploma. One of the goals of the Diploma is to enable students to begin a journey towards
becoming “risk experts”. In this respect, Module Three rounds out IRM’s response to this
challenge by providing students with an in-depth exposure to the challenges of:
1. Gathering and organising risk data and preparing it for analysis
2. Understanding the methodologies employed to analyse that data and to render judgments
about its meaning
3. Using information so gathered and analysed to make meaningful and consistent

managerial decisions, and
4. Appreciating the broader benefits and limits of various risk decision methods.
Within Module Three, successful students will acquire the following:
An ability to compare and contrast methods used to generate risk information and risk
knowledge.
Knowledge of how to examine the basis on which decision maker characteristics may
impact risk decision making within the organisation.
An ability to explain the role of technology in support of the risk information and
knowledge creation process.
A basis for understanding how technology might support risk problem solving and the
risk decision making process.
Methods for identifying and understanding the different steps in the problem solving
process and evaluate the role of risk information and risk knowledge in support of
corporate risk decisions.
An ability to demonstrate an understanding of concepts related to problem solving and

decision making, and to distinguish the main business risk decisions made in
contemporary organisations.
Knowledge of the challenges of employing risk information in formal and informal

managerial decision making settings.
© IRM Sept 2011
Students should not expect to achieve absolute mastery of the various statistical and other
formal methods employed in risk decisions. This would require an immersion in technical
methods far beyond the scope of the Diploma. However, students will develop a firm
understanding of underlying concepts, foundational methods and principles, and an
understanding of the strengths and weaknesses of various methodologies.
Importantly, Module Three will enable students to become sophisticated users of risk data and
information and to be able to use such information to support managerial decisions. Further,
when Module Three is combined with information and skills developed in Modules One and
Two, students will be able to devise strategies and methods for using risk information to
support effective risk communications both within an organisation and to external stakeholders.
In the view of IRM, successful completion of Modules One to Three will move students some
way toward achieving the status of “risk expert”. However, the challenge of using that expertise
in the service of skilful managerial practice is a subject only generally addressed in these first
three modules. The purpose of Modules Four and Five is to focus on the “management” side of
risk management.
Thus, in Module Four students will encounter the conceptual frameworks that drive risk
management within organisations. In the course of Module Four, students will become
conversant in matters of corporate strategy, governance, corporate social responsibility, and
even the subject of business ethics. Importantly, students will also develop knowledge of
existing standards of practice, and the wide variety of rules and regulations that govern
organisational risk management practices today.
Module Five, in turn, guides students through a learning process that will allow them to develop
knowledge of specific tools, techniques and methods for managing risks, and – importantly – to
understand the specific challenges of making risk management work within an organisation.
The risk management process can be broken down into the processes of:
1. Risk problem structuring (risk identification)
2. Risk estimation/analysis and risk evaluation, and
3. Selection of risk treatments.
Each of these is considered in detail. The module does not, however, deal with implementation
issues. These matters and a number of other managerial issues – are covered in Modules Four
and Five.

© IRM Sept 2011
Students have seen or will see that the standard format for the core modules varies somewhat.
Owing to the nature of the material covered in Module Three, the material is divided into five
study units. These in turn have several subsections.
Unit 1 introduces students to decision theory and decision making strategies. The main
purpose of this unit is to provide the theoretical underpinning of the risk management process
as a specialised decision making process.
Recognising that people make non routine risk decisions, in Unit 2 students will explore
decision maker predispositions (personality, background, gender, values, attitudes, beliefs,
education and experience) and their impact on the risk management process, risk decisions
and behaviour.
In Unit 3, students focus on risk identification, estimation, evaluation and analysis. Quantitative
and qualitative methods and techniques are explored and explained.
Unit 4 seeks to build upon the previous unit and identifies how technology, specifically
databases, spreadsheets, decision support and business intelligence software, and specific
risk decision software, can enable the risk management process. Technology may allow things
to be done faster and at lower cost and more reliably. Consequently, the application of
technology to the risk management process may result in competitive advantage for the
organisation.
The final unit, Unit 5, focuses on the outputs of the risk management process and sub-
processes. Students will consider the challenges of communicating risk information to a range
of organisational stakeholders for a variety of purposes. They will also take a step back and
undertake some critical risk thinking in order to improve the quality of risk information,
conclusions drawn from such information and decisions based upon it. In this unit, students will
recognise that opinions about risk are easy; anyone can have one. What is important is to use
the evidence that has been carefully evaluated and have well reasoned conclusions and
arguments. The ultimate goal is to form rational and consistent decisions.
Student note
As noted above, Module Three has five units and each unit has sub-units. The recommended
method for studying is to approach each sub-unit in sequence and undertake each of the
activities suggested within the core text, Kelly, P. Risk Decisions (2007) and this module
handbook as they occur in the materials – that is, rather than waiting to complete all the
readings in a unit before turning to the self-assessment activities.

© IRM Sept 2011
3 Module aims in summary

To provide a critical overview of how risk information and knowledge are created and used to
support risk problem structuring in support of tactical risk decision making, and to identify
factors affecting the quality of risk decision making within organisations.
4 Module learning outcomes

By the end of the module students should be able to:
1. Compare and contrast methods used to generate risk information and risk knowledge.
2. Examine how decision maker characteristics may impact risk decision making within the
organisation.
3. Explain the role of technology in support of the risk information and knowledge creation
process.
4. Identify how technology may support risk problem solving and the risk decision making
process.
5. Identify the steps in the problem solving process and evaluate the role of risk information
and risk knowledge in support of organisational risk decisions.
6. Understand concepts related to problem solving and decision making: distinguish the main
organisational risk decisions in contemporary organisations.
Student note
Seriously consider and review the module learning outcomes listed in each module handbook.
This list goes a long way toward informing students what they are intended to learn and,
importantly, what the basis of evaluation and examination will be.

© IRM Sept 2011
5 Module syllabus
Unit 1: Decision making, an introduction.
This first unit introduces students to decision theory and decision making strategies.
Unit 2: Decision makers, risk thinking and decision making.

Recognising that people make non-routine risk decisions, students will explore decision
makers’ predispositions (personality, background, gender, values, attitudes, beliefs, education
and experience) and their impact on the risk management process, risk decisions and
behaviour.
Unit 3: Risk problem structuring and the creation of risk information and knowledge.
In this unit students focus in detail on risk identification, estimation, evaluation and analysis
generally. Both quantitative and qualitative methods and techniques are explored and
explained.
Unit 4: Using technology to support risk decision making.

Unit 4 builds upon the previous unit and identifies how technology (specifically databases,
spreadsheets, decision support and business intelligence software, and specific risk decision
software) can enable the risk management process.
Unit 5: Critical risk thinking and improved risk decision making.

The final unit focuses on the outputs of the risk management process and sub-processes. In
this session, students will consider the challenges of communicating risk information to a range
of organisational stakeholders for a variety of purposes.
6 Module learning activities

Course content: Students will be introduced first to principles and concepts.
Applications: Students will be shown illustrations of these principles and concepts in

application.
Practice: Students will then be given the task of applying the principles and concepts to a
practical problem/situation/challenge.
Self-assessment: Students should then test themselves on their newly acquired knowledge
and skill.
Formal assessment: Students will be formally tested by a written three hour examination.

© IRM Sept 2011
7 Module learning materials

Kelly, P, (2007) Module Three: Risk Decisions
Dickson, G C, (2003) Risk Analysis, Witherbys, Chapters 1, 2, 3, 4, 5, 6, 7, and 9
Drucker, et al, (2001) Harvard Business Review on Decision making,

Harvard Business School Press, Chapters 1, 3, 4, 7 and 8
7.2 An important note about reading materials and reading

expectations
“What am I required to read?” This is a question commonly asked by Diploma students, and it
is important that they understand the IRM’s position on this matter.
Students will immediately notice that the module handbooks lists required reading. Required
reading is self-evident: the texts that are listed must be read. Failure to do so virtually
guarantees that the student will fail. All of these readings are available in the Reading Room.
However, IRM does expect students to read and study beyond the required reading list. As the
Diploma represents a higher order learning experience, it is appropriate that students should
undertake some self-directed learning. How does IRM enforce its expectation? The structure of
the examinations and the marking scheme include recognition of additional reading and
research. In other words, part of the mark a student obtains will be based upon evidence that
he/she has gone beyond the required readings and brought other perspectives and material
into his/her exam responses. It is difficult to imagine that a student could receive the highest
marks without including evidence of additional study.
Students studying the Risk Decisions Module may wish to purchase and read the following
additional reading materials:
Hopkin, P, Fundamentals of Risk Management, Kogan Page, 2010
BSI (2008), Risk Management – Code of Practice, BS 31100: 2008 British Standards
Institution

© IRM Sept 2011
8 Unit 1: Decision making – an introduction

How do managers make decisions? This question underlies the entire structure of Module
Three. The learning destination is the acquisition of skills necessary to think critically about risk
management issues and evaluating alternatives. However, to begin this journey, students will
first need to consider the basic ideas and principles behind that most essential of managerial
tasks – making informed decisions.
As will be developed in this module, effective managers possess the knowledge and skill
necessary to make decisions that are consistent, systematic, internally and externally logical,
and – importantly – defensible (explainable to others). One of the clear messages of Module
Three is the idea that decisions must be informed by the overall goals and objectives of the
organisation, a particular subject that is more fully developed in Module Four.
Any methodology can be explained in its own terms, but the key to examining appropriate
methods is an acknowledgement that the organisation’s overall goals and purposes are clear
and understood. Indeed, one might say that the absence of goals, or a lack of clarity about
them, is the prime decision making error. If it is not clear what an organisation is trying to
achieve, then it is really impossible to decide which action is preferred: “Do I undertake action
A or B?”
So – and in anticipation of Module Four – students here should keep in mind that all of the
discussion in Module Three is predicated on the assumption that managers can clearly
understand the overall goals and purposes of the organisation and, therefore, discern the
appropriate methods and considerations necessary to make sound risk decisions.
In this first unit, students are introduced to decision theory and decision making strategies.
Decision theory can be normative or descriptive. Normative decision theory refers to theories
about how we should make decisions if we want to maximise expected utility (satisfaction of
wants). Descriptive decision theory refers to theories about how we actually make decisions.
Unit 1/Section One: “Introduction” (Kelly, Risk Decisions) opens the subject of decision making
in an informal way by considering a particular researcher’s view and the possible implications
of that view.
Unit 1/Section Two: “Decision making theory and models” (Kelly, Risk Decisions), introduces
decision making theory and models for decision making. In this section, students learn to
distinguish structured from unstructured, routine from non-routine and operational from
strategic decision making, and explore generic decision making models. They then consider
decision making approaches such as simple and vigilant, and the constraints that might
prevent a vigilant (quality) decision making approach.
Unit 1/Section Three: “Decision making strategies - an introduction” (Kelly, Risk Decisions),
enables students to explore decision making strategies, and make enquiries into whether there
is a formula for making winning decisions. This section also introduces students to tools and
techniques for decision making, a topic that is further developed later.
The main purpose of the Kelly readings is to provide the conceptual underpinning of the risk
management process – a specialised decision making process. By deconstructing risk
decisions into a number of related sub-processes, students can identify more precisely where
and how certain methods, tools and techniques, and technology can be used to improve the
quality of decision making within organisations.

© IRM Sept 2011
The first text (Dickson) presents a fairly conventional introduction to the subject of risk analysis.
The main purpose for including this selection is to allow students to encounter some
foundational concepts that underlie much of the discussion in Module Three. Since students
may not have been exposed to basic principles and ideas for quite some time, it is not much of
a diversion to require them to revisit basic topics briefly.
The second Dickson reading is a brief review of probability concepts and theory. Module One
discussed the history of probability theory, but provided only a brief look at the substance of
the theory. In Module Three students are not expected to become proficient in the use of
theoretical tools, but should be able to discuss the basic principles.
Notably, Dickson includes reference to the Risk Management Standard, which has been
introduced in Module One and is referred to in Module Two. Modules Four and Five also
include some treatment of the standard. Here the inclusion of the standard is intended to direct
students toward an understanding of what the standard directs organisations to do with respect
to analysis and decision making.
Student Note:
Although it is not expressly required in the reading list for Module Three, students should re-
read the Risk Management Standard with an eye to discerning its meaning in regard to risk
decisions.
The Drucker reading presents insights from one the leading management scholars and
commentators of the late 20th century – Peter Drucker. He offers some broad but penetrating
comments on the meaning of effective decisions. What are the component parts of good
decision making processes and how do we evaluate the success of a decision?
8.1 Unit 1 Reading
Drucker, et al. (2001) The Effective Decision Chapter 1, Harvard Business Review
Dickson, G C, (2003) Risk Analysis Chapter 1, Witherbys
Kelly, P. (2007) Risk Decisions, Unit 1

© IRM Sept 2011
8.2 Unit 1 Self-assessment
Students should undertake the activities listed at the end of each session of Unit 1 within
Kelly’s Module Three: Risk Decisions text. Students will be ready to move to Unit 2 when they
can confidently answer the following questions.
1. Briefly discuss decision making theory basic concepts.
2. Answer the question: What is/are the main theme(s) of the Fone & Young reading
contained in Kelly?
With respect to the Dickson readings, answer the following:
1. What is risk analysis?
2. What is cost of risk?
3. What does the UK Risk Management Standard IRM/AIRMIC/ALARM have to say about risk
analysis and risk decisions?
4. What are the basic foundations of probability theory?
With respect to Drucker:
1. What constitutes an “effective decision” in Drucker’s view?
2. What are the elements of good decision processes?
3. How closely does your own decision making style compare with Drucker’s approach?

© IRM Sept 2011
9 Unit 2: Decision makers – risk thinking and decision

making
One of the most overlooked subjects in the field of risk management is the influence a
manager, or groups of managers, brings to bear on the actual process of thinking about risk
management and about making decisions.
Most programmes of study introduce methods of analysis and the better programmes step
back from the technical discussion to look at structural or methodological errors or problems
(Have we correctly set up the method of study? Have we gathered the appropriate
information?).
Unit 2 takes the investigation one step further by considering the a priori factors that influence
the entire act of making decisions. How will an individual manager’s own background, attitudes
toward risk, professional experience and position influence the selection of methods, the
selection of information to consider and a whole array of framing decisions that affect the
actual analysis?
The great difficulty in obtaining a fully unbiased and objective assessment of risks is a key
observation that emerges here. Controls for, or consideration of, human influence must
become part of the process of making risk decisions – but it is not easy to achieve.
It is sometimes said that risk management boils down to asking a simple question: “How might
I or we be wrong?” Although the evidence does not entirely support such an assertion of
simplicity, in the context of Unit 2 it does have some value. The human mind tends toward a
deterministic view of the world (If I do A, B will occur). By consciously inserting the question
“How might I be wrong?” into the decision process, we are reminded that the world is not
deterministic, at least not in most respects. (Is B actually attainable by any means? Does A
lead to B? Have I considered all the relevant possible influences on A? And so on.)
Consideration of what we may have got wrong goes quite a way toward instilling a risk
management view on managerial decision making.
Specifically in the context of Unit 2, “getting it wrong” may mean several things: we are not
conscious of our biases; we may not understand the issues we are trying to evaluate; we may
be framing the question incorrectly or we just might have too much uncertainty. So risk
management, as it is applied here, must include a reasonably methodical consideration of the
cultural, psychological, experiential and other influences that can affect the quality of actual
decision processes.
Risk thinking may be divided into three areas:
1. Analytical thinking
2. Synthesis (creating solutions), and
3. Valuing.
Broadly speaking, as introduced in Unit 1e, analytical thinking corresponds to risk problem
structuring (risk identification and estimation), and synthesis corresponds with the creation of
risk controls. Valuing is a key aspect of risk decision one – whether to treat any given risk
(evaluation) – and risk decision two – which risk treatment option to choose (control
devaluation). However, values also permeate problem structuring and control of design
activities. The predispositions of a risk analyst, surveyor or decision makers can colour their
selection of method, tools, techniques and their ultimate judgment of risk and how best to treat
it.
© IRM Sept 2011
In this unit, students are introduced to the concept of risk philosophy and identify differing
perspectives on risk. A generic interpretation is offered, based on the two risk positions
describing a realist (“techno-scientific”) and the relativist (“social construction”) perspective.
This idea is proposed as a risk continuum with one perspective at either end.
Exponents of the techno-scientific perspective, with origins in natural science disciplines, treat
risk as an objective phenomenon and undertake rationalistic approaches, which assume that
expert scientific measurement and calculation are the most appropriate standpoints from which
to proceed. The social construction view is seen as deriving from social science foundations
and focuses on human psychology and cultural perspectives on thinking processes and
actions.
After considering risk philosophy at the individual level, students are introduced to organisation
risk philosophy, and will examine the different ways an organisation may think about risk and
risk management. Consideration is given to the concept of risk culture as a determinant of risk
thinking and behaviour.
Student note
Students will see strong echoes of Module One in the Unit 2 readings. Module one provided an
introductory treatment of human psychology, culture and the perception of risk. The present
unit reintroduces that material, but with a very specific focus – how does risk perception
influence risk decision making?
Specifically, Unit 2 engages students to begin Unit 2/Section One (Kelly, Risk Decisions) with a
focus on the decision maker, examining the factors that might impact upon the way humans
think. Section One gives particular attention to risk attitudes and risk perception, and their
mediating role in determining risk behaviour and action. It also considers risk and
organisational risk philosophies and presents and discusses a range of key concepts and
terms.
Unit 2/Section Two, “Culture and practice” (Kelly, Risk Decisions), investigates risk culture as a
concept that concerns itself with the way collections of individuals in organisations or in society,
for that matter, think collectively about and act upon risk. Students will review and develop the
concept of risk culture in organisations (work that began in Section One). Organisational risk
culture is conceptualised in terms of collective risk thinking to include risk perception and other
cognitive processes and risk behaviours.
In Unit 2/Section Three, “Risk decisions” (Kelly, Risk Decisions), students investigate judgment
and decision theory, and consider how such theories impact upon the risk management
process, which is explained later in the module. With regard to pure risk decision making,
students focus on two key risk decisions, namely:
1. whether to treat a particular risk, and
2. if so, how to decide the best way to do it.
The emphasis is not on control options and types but more on selecting the best alternative
from a range of options.

© IRM Sept 2011
In Unit 2/Section Four, “Standards and governance” (Kelly, Risk Decisions), students consider
how the environment of external expectations affects risk management and decision making.
Thematically, such is the importance of the subject of standards/governance that it recurs
throughout the Diploma programme. Here the focus is on the implications of
standards/governance for structuring and implementing risk decisions.
Finally, in Unit 2/Section Five, “Participation” (Kelly, Risk Decisions), students return to the risk
decision maker, asking who should make risk decisions and why, and who should participate in
risk decisions and why? Students also examine why many organisations are moving away from
centralised risk management in favour of broader participation.
The Dickson reading material (Risk Analysis, Chapter 2) serves as a supplement or

reinforcement of the discussion carried in Kelly. Dickson’s contribution here is particularly
useful in the context of group decision making. This subject will become more important in
subsequent modules where the actual development and implementation of risk management
programmes will require the engagement of many managers within an organisation.
The Harvard Business Review readings (Chapters 3 and 4) provide a slightly different
organisation of the issues covered in Unit 2. In Chapter 3, “Humble Decision Making”, students
are asked to reflect on how personal traits and judgment influence decision making. Chapter 4,
“Interpersonal Barriers to Decision Making”, takes students through a discussion of the
challenges of decision making when multiple decision makers are involved.
9.1 Unit 2 Reading
Dickson, G C (2003) Risk Analysis Chapter 8, Witherbys
Drucker, et al, (2001) Humble Decision Making Chapter 3, Harvard Business Review
Drucker, et al. (2001) Interpersonal Barriers to Decision Making Chapter 4, Harvard Business
Review
Kelly, P. (2007) Risk Decisions, Unit 2

© IRM Sept 2011
Students are instructed to undertake the activities listed at the end of each session within Unit
2 of Kelly, P. (2007) Risk Decisions book.
Students will be ready to move to Unit 3 when they can confidently answer the following study
questions.
1. Be certain to be able to define, describe and discuss the following concepts and terms:
personality
risk attitudes
risk beliefs
risk perceptions
judgment
heuristics
risk taking culture
risk philosophies
organisational risk philosophy.
2. Be comfortable in understanding the specific heuristics that often influence decision

making.
3. What is the concern that we might have with “participation” in the risk decision process?
With respect to the Dickson and Drucker readings, answer the following:
1. What does Dickson have to say about measuring attitudes toward risk?
2. What is the influence of risk on decision making?
3. What do we need to understand about group decision making and risk taking?
4. What are the differing effects of culture on risk analysis and decisions when comparing
public with private sector organisations?
5. What does it mean to be a “humble decision maker”?

© IRM Sept 2011
10 Unit 3: Risk problem structuring and the creation

of risk information and knowledge
At the outset of Unit 3, students learn to distinguish between data, information and knowledge.
Data are facts, information is meaningful processed data and knowledge is actionable
information (experience used to solve problems, knowing that or how to do something).
Information may be used to reduce uncertainty and, therefore, may be used to improve
decision making. Students then consider how information may be communicated by formal
structure or informal means, for example, casual conversation.
One of the prime goals of this unit is to help students understand how to estimate the level of
risk in an organisation. In particular, students consider risk identification methods and different
approaches to risk analysis. The unit will help students to assess and manage risk using the
risk management process (RMP) to determine significant risk and where to focus
organisational resources in a manner that will improve efficiency and effectiveness. Students
evaluate the RMP as a means of creating risk management information and knowledge
(output) for decision making.
Most researchers and practitioners agree that the first part of the RMP is essentially about
understanding the risk problem in the context of the organisation. Different terms may be used
to describe the risk problem structuring tasks. But, generally, all approaches follow a similar
generic model for understanding specific forms of risk to organisations; risk identification,
evaluation/assessment and treatment.
A significant amount of attention is paid to the various approaches that may be used to
undertake decision analysis, beginning with basic principles, moving to qualitative approaches
to framing and analysis, and then focusing on quantitative methods. The purpose here is not to
create statisticians but to help students become informed consumers of qualitative and
quantitative information.
In Unit 3/Section One: “Risk processes” (Kelly, Risk Decisions), students will be reminded of
the RMP, a subject that received introductory treatment in Module One. The focus here,
however, is on the relevance of RMP in decision making. Thus, RMP (that is, risk identification,
evaluation, estimation, analysis of alternatives, selection, re-evaluation and monitoring) is not
just a description of risk management in action but more specifically, an organised thought
process by which managers can make rational and consistent risk decisions.
In Unit 3/Section Two, “Risk identification” (Kelly, Risk Decisions), the first step of the RMP is
examined with the student’s eye particularly trained on risk identification as the principal
method for gathering data and information for analysis. In this sense, the material covered in
Module Two provides a strong general background for considering the kinds of information that
a manager would wish to identify and gather.

© IRM Sept 2011
However, the methodologies that support systematic risk identification employ both common-
sense and more scientific approaches, so students will soon learn that risk identification not
only involves knowing, as well as possible, what one is looking for but also understanding the
best approaches for gathering that information. Students will be reminded here, as elsewhere
in Module Three that humans are undertaking the risk identification process and so the issues
studied in Unit 2 are particularly relevant.
Unit 3/Section Three, “Risk estimation and evaluation: qualitative data analysis” (Kelly, Risk
Decisions), leads students through an investigation of the process of assigning value to risks.
Assigning value can mean many things, and can be quite complicated and difficult. Value can
be determined in highly quantitative ways, as when a commercial bank estimates and
evaluates its credit risk exposure. Value estimation can also be highly qualitative, as when a
business considers a new venture in a country where business data is limited or unavailable.
Indeed, despite those who argue that risk management is a scientific endeavour, students are
likely to conclude that the usefulness of quantitative data is actually quite limited in most real
world settings.
Value estimation and evaluation are subjects that force students to reflect on the actual
meaning of “value” – value from what/whose perspective? Some risks may be assigned a
direct value in the sense that, say, a fire might damage a building that would cost €3 million to
repair. However, frequently the value of a risk is best understood in the context of its influence
on the overall value of the organisation.
So, for example, one might ask what the fire-damaged building contributes to the share price of
the organisation. The value, in that context, might be quite different from €3 million. Likewise,
the value of the fire might be interpreted quite differently depending on a stakeholder’s
perspective. Suppliers to the organisation may have to shut down their entire operations while
the organisation rebuilds the burned structure.
Section Three includes more pointed discussion of qualitative decision methods and highlights
the Delphi method as illustrative of such approaches to decision making.
Despite the admonition in Section Three that the usefulness of quantitative data is often
limited, students will do well to develop an understanding of the methods and principles that
underlie quantitative analysis of risk. In Unit 3/Section Four, “Data analysis - quantitative
techniques: displaying and summarising risk data and probability” (Kelly, P. (2007) Risk
Decisions), students will learn the fundamentals of risk measurement. Included in this
exploration will be:
An investigation of common data display methods.
An identification and investigation into probability distributions.
Development of skills necessary to compute probabilities.
Development of an understanding of common descriptive statistical techniques such as

measures of central tendency and dispersion.
An investigation of linear relationships between variables and the important concept of

correlation.

© IRM Sept 2011
Students are reminded that the goal of Module Three is not an expertise in statistics, but rather
the development of an advanced understanding of the uses and misuses of decision
methodologies and the encouragement of a “sophisticated information consumer” perspective.
Unit 3 Section Five, “Two key risk decision models” (Kelly, Risk Decisions), discusses two
specific methods that are widely employed in risk analysis, net present value (NPV) analysis
and Monte Carlo simulation.
The Dickson readings (Risk Analysis, Chapters 3, 4, 5, 6 and 7) supplement what clearly is the
most substantive unit within Module Three. The subject matter here is oriented toward practical
tools as well as concepts. The Dickson material is, as will be easily seen, geared to the
practical tools side of the unit. Chapters 3, 4, and 5 link to Kelly’s discussion of risk
identification, while Chapters 6 and 7 relate to Kelly’s risk measurement and decision
methodology presentations.
Students will recognise somewhat of a shortfall in the Dickson chapters on risk identification.
Clearly, the author’s focus is “traditional” in the sense that identification tools and processes
are largely presented in the context of hazard-based risks (fires, accidents, systems failures),
and are rather silent on matters related to opportunity-oriented risks (investments, research
and development, product positioning).
However, the application of risk management principles to opportunity-oriented risks is perhaps

one of the newest and most quickly evolving subject areas within the field. Simply put, there is
not much in the literature that focuses on this issue.
This noted, the Dickson readings do have a high degree of elasticity, and one might quite
easily imagine identification techniques employed in the service of finding opportunities: tools
like fault trees and hazard indices used to sort out up-side risk scenarios, and scorecards and
profiles including significant recognition of opportunities and positive outcomes.
Chapters 6 and 7 serve a function here similar to the required Chapter 8 (“Probability”) in Unit
1, in as much as the point is to familiarise students with critical concepts and principles of
statistical analysis, not to create technical experts. Students should strive to understand the
concepts and the issues related to the application of the concepts. They will not be expected to
construct and conduct statistical analyses of risk problems.

© IRM Sept 2011
10.1 Unit 3 Reading
Dickson, G C, (2003) Risk Analysis, Chapter 5 Witherbys
Kelly, P. (2007) Risk Decisions unit 3
Students should undertake the activities listed at the end of each of the Unit 3 sections as part
of the self-assessment process. Students will be ready to move to Unit 4 when they can
confidently answer the following study questions.
1. What is the risk management process (RMP)?
2. What are the general challenges in effective risk identification?
3. Distinguish between estimation and valuation, and measurement and analysis.
4. Discuss the difference between intrinsic and contributory value.
5. What is the Delphi method? Give an example of its use.
6. Provide a general description of the theory of the firm and its possible implications for
decision making.
7. Understand and describe net present value (NPV) analysis and Monte Carlo simulations.
Regarding the Dickson readings, answer the following:
1. Describe the range of techniques that might become part of a thorough risk identification
initiative.
2. Define and briefly describe:

a) hazard and operability studies
b) fault tree methods
c) hazard indices.

© IRM Sept 2011
3. What is process mapping and when might it be used?
4. Distinguish between risk scorecards and risk profiling.
5. What are the fundamental characteristics of successful data gathering efforts?
6. What are the most common methods of data “representation”?
7. Understand the definition of mean, median and mode and be able to discuss the
differences and meaning of each.
8. Be able to discuss standard deviation and skew.

© IRM Sept 2011
11 Unit 4: Using technology to support risk decision making

In the introductory materials for the Diploma, there was some discussion about the specific
goals for Module Three. Although the previous units have restated and addressed these goals,
it is worth underscoring one in particular.
It is not possible for a programme like the IRM Diploma to devote sufficient attention to the
subject of risk decisions to enable students to become decision science experts. The degree of
immersion into the fields of statistics and probability theory necessary to build expertise would
take students far beyond the scope and level of this programme.
Thus, early on IRM stated that students should complete Module Three as intelligent and
thoughtful consumers of risk information. In other words, students should learn enough to
navigate their way through the challenges of gathering and analysing risk data, but they also
should have some awareness of the problems, challenges and issues that arise for specialists
in the field.
Importantly, students should also develop some awareness of “what they don’t know” –
meaning that they should have some sensitivity to the limits of their knowledge, but have
knowledge of where they need to go to get the answers. To put it even more simply, students
should be able to carry on a reasonably informed discussion with technical specialists like
statisticians and actuaries, and think critically about the information they provide.
Unit 4 provides support to students by introducing and explaining the role modern technology
plays and can play in risk decisions. One of the clear advances in risk management practice
since 1990 is the growing sophistication of computer and telecommunications technology in
enabling managers to gather information more quickly and comprehensively, in conducting
more sophisticated and complex analyses of risks, and rendering judgments more quickly and
confidently.
In Unit 4, it is not necessary for students to become completely immersed in the various
technologies available today, but only to become fully aware of the nature of technology today,
and the current issues, challenges and developments that may impact risk decision making.
In Unit 4/Section One, “Decision making technologies - an introduction” (Kelly, Risk Decisions),
students will identify and describe the technologies used to support decision making such as
databases, spreadsheets, decision support systems and BI tools.
11.1 Unit 4 Reading
Kelly, P. (2007) Risk Decisions Unit 4
Students are instructed to undertake the activities listed at the end of Unit 4/Session One
within Kelly’s Module Three: Risk Decisions book. Students will be ready to move to Unit 5
when they can confidently answer the following study question.
“Provide an overview of the issues and challenges in using decision support technologies.”

© IRM Sept 2011
12 Unit 5: Critical risk thinking and improved risk decision making

Module Two introduced students to risk communication but did so largely in the service of
understanding the nature of risks within organisations. It specifically observed that
communication of risk information was – in and of itself – a potential source of risk. Improper
flows of information, inappropriate media of communication, incorrect information and
uninformed recipients of information – all these issues might become risk management
challenges themselves.
Unit 5 here approaches the subject from a different direction and, in doing so, offers some
direction in understanding how to manage “communication risks”. In this present context, risk
communication (that is, effective risk communication) is seen as the end product of an
organised process of critical thinking applied to the task of identifying, analysing and rendering
judgments about risks. Since the goal of the Diploma is to set students on the path to become
managerially skilful risk experts, communicating risk information into an organisation becomes
a hallmark of an effective risk manager/leader.
More broadly, however, this unit focuses on the specific issue of critical thinking. In a sense,
the entire module has served as a structured argument for sound critical thinking, but the
subject merits some specific, individual attention. What does it mean, formally, to apply critical
thinking to risk problems? What is the structure of critical thinking methodology?
In Unit 5/Section One, “Critical thinking: critical communicating” (Kelly. P Risk Decisions),
critical thinking is described as the intellectually disciplined process of actively and skilfully
conceptualising, applying, analysing, synthesising and/or evaluating information gathered from,
or generated by observation, experience, reflection, reasoning or communication as a guide to
belief and action. In Session One, students will examine how critical thinking and other factors
can help improve the quality of risk thinking and decision making in organisations.
Risk critical thinking will be established as that mode of considering risk in which the individual
improves the quality of his or her thinking by skilfully analysing and assessing data and
information.
When thinking critically about a risk problem, the risk professional/practitioner must:
Recognise how individuals and groups think about risk.
Gather evidence that is both reliable and relevant to structuring and solving risk problems.
Rationally evaluate plausible alternative solutions/treatments by examining evidence.
Provisionally select the answer that best fits the evidence (that is, select a credible rather
than merely a plausible answer) and continue to evaluate this provisional answer with
respect to plausible alternatives as new evidence is collected.
In the discussion on risk communication, students consider the challenges of communicating

risk information to a range of organisational stakeholders for a variety of purposes.
Broadly speaking, the challenge of risk communication requires the communicator to:
1. Understand the content of the message and the basis on which knowledge of that content
was derived (a capability that is the goal of Module Three).
2. Understand the method of communication and the medium employed.

© IRM Sept 2011
3. Understand the audience or the environment to which the message is communicated.
As the first point is fully elaborated in Units 1 through 4, the introductory comments here are
directed only to points two and three.
An accurate, timely, and useful piece of risk information may fail to reach its audience if the
medium of communication is not appropriate. Organisational newsletters may be appropriate
for some things and utterly useless for others. Likewise, communications to external
stakeholders must occur through appropriate channels and in effective forms. Thus, thinking
about the medium of communication can be a risk management issue in its own right.
Presentations in Modules One, Two and Three fully underscore point three. Since human
psychology and culture so fully shape perceptions of risk, it would be folly for a risk
manager/leader not to anticipate the viewpoint of the audience or the environment in which a
risk communication occurs. This observation might lead to the communicator pondering
cultural proclivities or values, the individual psychology of a colleague, the broader corporate
culture within which a change of behaviour is promoted or the varying perspectives that
investors, regulators and society in general might bring to bear on a specific issue.
Perhaps slightly more obviously, understanding the audience should lead communicators to
realise that the information may need to take different forms or, indeed, have different content,
depending upon the level or positioning of the audience within the organisation. Thus,
communication to chief executive or director level may need a different form and content from
communication about the same issue directed to mid-level managers.
The concluding discussion focuses on one method for organising a decision process and in
that framework presents a discussion of several broad and general issues pertinent to effective
decision making.
The Dickson reading (Risk Analysis, Chapter 9) offers a more structured discussion of several
risk communication issues. It features and examines several tools and techniques. The
Harvard Business Review material (Chapters 7 and 8) offers a concluding look at two particular
issues of interest – consequences of poor or bad decisions, and the subtle influence of
judgment and instinct on day-to-day decision making.

© IRM Sept 2011
12.1 Unit 5 Reading
Dickson, G C, (2003) Risk Analysis Chapter 9 Witherbys
Drucker, et al, (2001) When to Trust Your Gut Chapter 7, Harvard Business Review
Drucker, et al (2001) The Hidden Traps in Decision Making (HBR Classic) Chapter 8, Harvard
Business Review
Kelly, P. (2007) Risk Decisions Unit 5
Students are instructed to undertake the activities listed at the end of Unit 5/Session One
within Kelly’s Module Three: Risk Decisions book. Students will be ready to move to Unit Two
when they can confidently answer the following study questions.
1. Describe the Neustadt-May model and comment on its strengths and limitations.
With respect to the Dickson reading:
1. What are the challenges to effective risk communication?
2. What are tools and techniques that might be employed to support effective risk
communication?
With respect to the Harvard Business Review readings:
1. What are the “hidden traps” of decision making?
2. What is the role of instinct and the “gut feel” in decision making?

© IRM Sept 2011
13 Appendix 1: Self-assessment answers, comments and

suggestions
Student note
Self-assessment has been conceived slightly differently for Module Three. Within each chapter
of the Kelly text, there are activities that direct students to think more critically about the subject
matter of the chapter. As students will see, few questions have only one right answer.
Therefore, they should undertake the activities not so much to answer questions “correctly” but
to help shape their thinking about the readings.
Unit 1: Decision making – an introduction
With respect to Kelly’s Module Three: Risk Decisions text, students should be able to:
1. Briefly discuss decision making theory basic concepts.
The points worth covering can be found in Kelly, P (2007) Risk Decisions pp 1-13.
2. Answer the question: What is/are the main theme(s) of the Fone & Young reading
contained in Kelly, P (2007)?
Thematically, the essay notes that risk decisions frequently present a set of characteristics that
tend to add difficulties to the analysis of risk. They are time horizons, externalities, data
credibility, interdependencies, uncertainty recognition and measurement of costs and benefits.
With respect to the Dickson readings, answer the following:
1. What is risk analysis?
The answer is found in Dickson, G C (2003) pp 1-4.
2. What is cost of risk?
The answer is found in Dickson, G C (2003) pp 9-12.
3. What does the UK standard have to say about risk analysis and risk decisions?
The answer is found in Dickson, pp 4-8
4. What are the basic foundations of probability theory?
The basic foundations of probability theory are presented in Chapter 8 (from p185) of Dickson,
G C (2003)

© IRM Sept 2011
With respect to Drucker:
1. What constitutes an “effective decision” in Drucker’s view?
Drucker’s views are based upon practical rationality, which is to say that he praises decision
approaches that are clear, generally easy to understand and use, and produce results that are
consistent with an organisation’s goals and purposes.
2. What are the elements of good decision processes?
Drucker lists these elements in Chapter 1. Students should be able to briefly summarise them.
3. How close does your own decision making style tally with Drucker’s approach?
Students will answer this question differently.
Unit 2: Decision makers - risk thinking and decision making
With respect to Kelly, P (2007) Risk Decisions
1. Be certain to be able to define, describe and discuss the following concepts and
terms:
personality (Kelly, p 16)

risk attitudes (Kelly, p 17)
risk beliefs (Kelly, p 17)
risk perceptions (Kelly, pp 17-18)
judgment (Kelly, p 18)
heuristics (Kelly, pp 18-20)
risk taking culture (Kelly, pp 21-22)
risk philosophies (Kelly, p 22)
organisational risk philosophy (Kelly, pp 22-24).
2. Be comfortable in understanding the specific heuristics that often influence decision

making.
See Kelly, P (2007) pp 18-20 – anchor and adjustment, availability, representative,

overconfidence and framing.
3. What is the concern that we might have with “participation” in the risk decision
process?
See Kelly, P (2007) pp 47-48. Deciding who must be involved is critical because it can
influence the quality of the decisions and their acceptance and support within the organisation.

© IRM Sept 2011
With respect to the Dickson, G C (2003) and Drucker et al. (2001) readings, answer the
following:
1. What does Dickson, G C (2003) have to say about measuring attitudes toward risk?
See Dickson, G C (2003) pp 18-27.
2. What is the influence of risk on decision making?

3. What do we need to understand about group decision making and risk taking?
4. What are the differing effects of culture on risk analysis and decisions when
comparing public with private sector organisations?
Many answers are possible for this question. Key elements will be the expectations of
stakeholders, laws and requirements, and the issue of being public.
5. What does it mean to be a “humble decision maker”?
Drucker, et al. (2001) seems to emphasise the importance of perspective and judgment in
decision making. Specifically, decision makers need to be aware of constraints and their own
limitations, as well as the other factors that can influence decision making.
Unit 3: Risk problems structuring and the creation of risk information and
knowledge
1. What is the risk management process (RMP)?
See Kelly, P (2007) pp 49-50.
2. What are the general challenges in effective risk identification?
See Kelly, P (2007) pp 51-53.
3. Distinguish between estimation and valuation, and measurement and analysis.
See Kelly, P (2007) pp 56-58.
4. Discuss the difference between intrinsic and contributory value.
See Kelly, P (2007) p 58.
5. What is the Delphi method? Give an example of its use.
See Kelly, P (2007) pp 59-60.
6. Provide a general description of the theory of the firm and its possible implications
for decision making.
© IRM Sept 2011
See Kelly, P (2007) pp 61-63.
7. Understand and describe NPV analysis and Monte Carlo simulations.
See Kelly, P (2007) pp 64-66.
Regarding the Dickson G C (2003) readings, answer the following:
1. Describe the range of techniques that might become part of a thorough risk
identification initiative.
2. Define and briefly describe:

a) hazard and operability studies
b) fault tree methods
c) hazard indices.
3. What is process mapping and when might it be used?
4. Distinguish between risk scorecards and risk profiling.
5. What are the fundamental characteristics of successful data gathering efforts?
6. What are the most common methods of data “representation”?
7. Understand the definition of mean, median and mode and be able to discuss the
differences and meaning of each.
8. Be able to discuss standard deviation and skew.

© IRM Sept 2011
Unit 4: Using technology to support risk decision making
1. Provide an overview of the issues and challenges in using decision support

technologies.
See Kelly, P (2007) pp 68-78.
Unit 5: Critical risk thinking and improved risk decision making
1. Describe the Neustadt-May model and comment on its strengths and limitations.
See Kelly, P (2007) pp 80-86.
With respect to the Dickson, G C (2003) reading:
1. What are the challenges to effective risk communication?
2. What are tools and techniques that might be employed to support effective risk
communication?
With respect to the Harvard Business Review readings:
1. What are the “hidden traps” of decision making?
The author notes several. Students should be conscious that the general theme underlying the
issues here is tied to the biases and influences that exist “outside” the formal decision making
process (whatever it is) and that produce unexpected or unforeseen results.
2. What is the role of instinct and the “gut feel” in decision making?
This material is intended mainly to convey the importance of experience and judgment in
decision making, as well as the reality that many decisions must be made in compressed time
frames. For the young manager, it can be frustrating to realise that there are few short cuts to
gaining experience and judgment, but awareness of the tools and issues covered in Module
Three and in this reading can allow students to reduce the likelihood and consequences of bad
decisions.

© IRM Sept 2011
The Institute of Risk Management

6 Lloyd’s Avenue
London EC3N 3AX
Tel: +44 (0)20 7709 9808
email: studentqueries@theirm.org
web: www.theirm.org

© IRM Sept 2011

Module 3: Risk Decisions: International Diploma in Risk Management

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Module 3: Risk Decisions: International Diploma in Risk Management

Uploaded by

Copyright:

Available Formats

International Diploma in Risk Management

Module 3: Risk Decisions

Module Three: Risk Decisions

1 The Diploma so far 2

3 Module aims in summary 6

4 Module learning outcomes 6

6 Module learning activities 7

7 Module learning materials 8

8 Unit 1: Decision making – An introduction 9

9 Unit 2: Decision makers – risk thinking and decision making 12

10 Unit 3: Risk problem structuring and the creation of risk information 16

11 Unit 4: Using technology to support risk decision making 21

12 Unit 5: Critical risk thinking and improved risk decision making 22

Module Three: Risk Decisions 1

1 The Diploma so far

The methods necessary to develop an overarching framework for organising, sorting,

The specific managerial challenge of integrating and coordinating risk across an

Module Three: Risk Decisions 2

1. Gathering and organising risk data and preparing it for analysis

3. Using information so gathered and analysed to make meaningful and consistent

Within Module Three, successful students will acquire the following:

An ability to demonstrate an understanding of concepts related to problem solving and

Knowledge of the challenges of employing risk information in formal and informal

1. Risk problem structuring (risk identification)

2. Risk estimation/analysis and risk evaluation, and

3. Selection of risk treatments.

Module Three: Risk Decisions 4

Module Three: Risk Decisions 5

3 Module aims in summary

4 Module learning outcomes

Module Three: Risk Decisions 6

Unit 2: Decision makers, risk thinking and decision making.

Unit 4: Using technology to support risk decision making.

Unit 5: Critical risk thinking and improved risk decision making.

6 Module learning activities

Applications: Students will be shown illustrations of these principles and concepts in

Module Three: Risk Decisions 7

7 Module learning materials

Dickson, G C, (2003) Risk Analysis, Witherbys, Chapters 1, 2, 3, 4, 5, 6, 7, and 9

Drucker, et al, (2001) Harvard Business Review on Decision making,

7.2 An important note about reading materials and reading

Hopkin, P, Fundamentals of Risk Management, Kogan Page, 2010

Module Three: Risk Decisions 8

8 Unit 1: Decision making – an introduction

Module Three: Risk Decisions 9

8.1 Unit 1 Reading

Dickson, G C, (2003) Risk Analysis Chapter 1, Witherbys

Kelly, P. (2007) Risk Decisions, Unit 1

Module Three: Risk Decisions 10

8.2 Unit 1 Self-assessment

1. Briefly discuss decision making theory basic concepts.

With respect to the Dickson readings, answer the following:

1. What is risk analysis?

2. What is cost of risk?

4. What are the basic foundations of probability theory?

With respect to Drucker:

1. What constitutes an “effective decision” in Drucker’s view?

2. What are the elements of good decision processes?

Module Three: Risk Decisions 11

9 Unit 2: Decision makers – risk thinking and decision

Risk thinking may be divided into three areas:

2. Synthesis (creating solutions), and

1. whether to treat a particular risk, and