The In's and Out's of Risk Management

 

The term GIGO is famous as an abbreviation for the phrase “Garbage In Garbage Out”. Originally used in the IT industry, it described the fact that the output from a computer system was only as good as its input. Even the best program cannot take meaningless data and produce meaningful results. Of course GIGO applies much more widely than just computers. The integrity of the output from almost every system or process depends on the integrity of its input – with the possible exception of the human brain, which seems able to create order out of chaos by the application of reasoning and intelligence (at least sometimes!). And “Garbage In Garbage Out” can certainly apply to the risk management process..

A recent variant on GIGO translates it into “Garbage In Gospel Out”. This describes the tendency of people to accept output from a system without judging it critically. Even if the input is rubbish, we still believe the result, usually because we don’t fully understand the way the system works to produce it. This is sometimes called “blind faith”. “Garbage In” to the risk process can mean lack of agreed objectives, poor or lazy risk identification, or use of inappropriate risk responses. “Gospel Out” means treating outputs as infallibly true, with no need for interpretation or judgement. 

There is of course a third meaning for GIGO – “Gospel In Garbage Out” – where the system takes good data but introduces errors or makes wrong calculations, and so produces nonsense results. In the risk process this often arises from lack of time, attention or resources for risk management, the use of inappropriate tools or techniques, or lack of risk skills.

How can risk management avoid these three GIGO problems? The third is perhaps easiest to address, since “Gospel In Garbage Out” can be avoided by using a sound risk process, together with staff training and proven tools.

Both “Garbage In Garbage Out” and “Garbage In Gospel Out” can be tackled by applying two filters to the risk process :

1. Verify the input. This means asking questions about the data fed into the risk process. Is it complete? Is it up to date? Can we trust it? Is it influenced by bias, assumptions or a limited perspective? Is it accurate? Is it relevant? And most importantly – is it true?
2. Validate the output. Here we are checking the results of the risk process to see if they make sense. Do the outputs match expectations (and if not, why not)? Are they counter-intuitive (and if so, why)? Is there a clear trend from previous results? Can we double check using other approaches? And can we act on the results with confidence?

Of course verification is not a simple task because input to the risk process is inevitably uncertain. It involves subjective judgements about what the risk is, how likely or severe it might be, and what responses are appropriate. But we should still ensure that input data quality is as high as possible.

And although risk outputs may sometimes be surprising or counter-intuitive, they should always make sense if the underlying risk process is sound. We should not be afraid to challenge assumptions and test outputs before we use them as a basis for decisions and actions.

So verifying input (“Is it true?”) and validating output (“Does it make sense?”) can protect against the perils of GIGO. These dangers are real but they can be overcome, and they should not stop us from using risk management on our projects or in our business. After all, there is one thing worse than GIGO, and that is NINO : “Nothing In Nothing Out”!