ARM 2 – People

This blog dives into the second component of the Anti-fragile Risk Management (ARM) Model: People.  As a refresher, ARM has these risk mitigation components:

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Each of these components impact the organization on a continuous (short term) or periodic (medium to long term) basis.  The People component is considered short term. That is it is your staff, volunteers, contractors, etc. who are on the front line mitigating risks or capitalizing on opportunities.  Another reason to include the ARM risk component of People here is that things such as trust, loyalty or affiliation take years to grow and a very short period of time to destroy.

The ARM Component ‘People’ is on the front line of Anti-Fragile Risk Management and thus has a short term focus.

People:  Does the Organization have adeptness to achieve its objectives?

Until the robot overlords force us all into the Matrix, People will be the second greatest risk/opportunity/uncertainty for organizations.  An example is the following classic cartoon that gets right to the heart of matter of cyber-security.  No matter how good the investments in technology human ineptness, malevolence or ignorance rules!

Cyber Security versus Dave (copyright and restrictions may apply)

This ARM is Brought To You by Organizational Biology

The name of this site is ‘Organizational Biology‘ which is my mental model to describe how organizations work.  In a nutshell, Organizations are composed of two parts, Mass and adeptness:

Mass are the physical elements of an organization such as machinery, land, as well as intangibles such as patents and policies and procedures.  Adeptness is an ephemeral quality by which humans apply mass toward an organizational objective. For example, it can be the culture or gestalt that makes an organization attractive (or not) to work for and be associated with.

Mass will be discussed more in the next blog when Process and Plant is considered. ‘People’ considers many different facets of organizational adeptness ranging from the board room to the shop floor and from the heart to the brains of the employee/volunteer.

Measuring Adeptness (NOT!)

Unfortunately adeptness cannot be directly measured because as soon as you can quantify adeptness it becomes mass.  Here is an example:

A master craftsman uses decades of experience to precisely machine a part.  He is adept in this task .

The moment the craftsman’s knowledge and experience is transferred to a computer program those same actions become mass (the computer, software, machinery, etc.). Beyond experience, adeptness includes innovation, creativity, informal communication, trust, loyalty, elan, esprit de corps and countless other adjectives that affiliation and organization pride.  Of course adeptness also includes the negatives of all of these attributes (e.g. stifled creativity, poor communication, hostility, disengagement, etc.).  Adeptness is not without its dark-side either as it can also lead to group think and conformity (read more on this in a healthcare context in my blog, the Healthcare Ethos).

Good, bad, light or dark – adeptness cannot be directly measured but it can be indirectly estimated through:

  • Organizational success (e.g. profitability).
  • Low staff, volunteer or contractor turn-over.
  • Social standing in a community.
  • Trust quotient or Metric.
  • Leadership and followership capacity/effectiveness.
  • Training and capabilities of staff, etc.
  • Organizational loyalty or affiliation.

ARM’s Length Definition

The ARM definition for the People-Risk Component is: does the organizational have the adeptness (people) capacity to carry out the objectives of the organization? 

Why Does this Matter and ISO 31000 Context

Organizational Objectives are completed by People (robot overlords notwithstanding) and risk often boils down to human error.  ISO 31000 alludes to adeptness.  For example the following extracts is from ISO 31000:2009 Principles and Guidelines:

  • Section ‘2.11, internal context‘:
    • The capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
    • Information systems, information flows and decision-making processes (both formal and informal); [editors note, emphasis added]
    • Relationships with, and perceptions and values of, internal stakeholders;
    • The organization’s culture
  • Section ‘3.h) Principles‘:
    • Risk management takes human and cultural factors into account.
    • Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization’s objectives.

ISO 31000 Risk Assessment Technique

Most of the ISO 31010 Risk Assessment Techniques can be used to estimate the impact of people on risk although Human Reliability Analysis certainly is much more focused on this one particular ARM.

Examples of Risk Tests and Mitigation

Risk Identification: The organization is unable to attract and retain quality employees (or contractors/volunteers).

  • Evaluation/Analysis: Despite a supply orientated labour market, the organization has trouble recruiting suitable candidates.  Once recruited, turn over is high and the organization is constantly re-training staff.  As well, staff are poorly motivated and require constantly motivation, supervision and direction.
  • Stakeholders: Executives, board (minister), customers (clients), management, staff (volunteers), regulator, etc.
  • Measure: staff retention, turn over analysis, employee satisfaction surveys.
  • Example: the industry average staff turn over for the qualified widget assemblers is 5-10% pa.  The organization’s turn over for assemblers is 50-75% pa.

Risk Identification: The organization lacks the management and leadership experience to enter into new markets.

  • Evaluation/Analysis: The experience and capabilities of management has focused on widget-exploration and there is little to no experience in widget refining – a key strategic objective of the organization.
  • Stakeholders: Executives, board (minister), regulator, etc..
  • Measure: Years of related experience in a particular expertise area on the part of all Directors and above.  Trust quotient on the part of staff in management.
  • Example: A survey or interview with the following question: ‘Describe your direct operational or management experience in the following business areas:’
    • Widget exploration: 1 – none… 5-ten or more years.
    • Widget transportation: 1 – none… 5-ten or more years.
    • Widget refining: 1 – none… 5-ten or more years.
    • Widget retailing: 1 – none… 5-ten or more years.