Grant Purdy and Roger Estall have written a profoundly interesting, and perhaps heretical, book on risk management, with the caveat that it’s not about risk management. Deciding: A Guide to Even Better Decision Making (Amazon) does not want to be a book on risk management, and it’s not. But it is. And isn’t.

Some background. Grant and I have corresponded for years, and he’s part of a group of international risk experts that I rely on to bounce ideas off of, or simply ask questions. Unlike so many of my brethren in the ISO consulting field, I didn’t suddenly rebrand myself a “risk management expert” because a few folks at ISO decided to drop “risk-based thinking” into ISO 9001.

Grant even came to visit me in Peru, and enjoyed some admittedly “meh” pato pekin at the trendy Asian fusion restaurant Madam Tusan, owned by famed chef Gaston Acurio.

Within ISO circles, there have formed two camps. The first considers “risk” and “opportunity” to be opposites. I reside in this camp, having crafted my own set of definitions (“uncertainty is neutral; risk is the negative effect of uncertainty, and opportunity is the positive effect of uncertainty.”) The other camp claims that risk and opportunity are synonyms, and ISO’s top leadership, along with groups like the Project Management Institute, sit in this camp. The latter group argues (literally) that sure, cancer is bad, but cancer is awesome if you earn money in pharmaceutical research. The two camps don’t agree, clearly, since they are opposing viewpoints.

Purdy and Estall, however, present in their book another mindset, which I dare not even call a “third way” because that invokes some clumsy political (or Buddhist) middle ground that wholly undermines the dramatically different approach they discuss. Instead of positing risk vs. opportunity, the authors throw out all the jargon, and ask the question: what is this all intended to accomplish? The answer, which arises with stunning clarity, is: decision-making.

Whether a person or company is trying to manage risk or opportunity, in the end, it is all an exercise towards making the best decision one can make. Perhaps that is to address some bad thing, or perhaps to pursue some good thing. But breaking it down into binary “good vs. bad” cripples the discussion before it starts. For readers, I urge them to toss out concepts such as “risk” and “opportunity” and open page 1 of Deciding without such pollution. Yes, the authors will tackle these concepts, but in their own time, after they have wholly corrected the foundational structure of the question first.

When one focuses on the true purpose (to make a decision), labels like “risk” and “opportunity” become not only meaningless, but irritating distractions. After reading Deciding, I realize that one should not be in either of the two camps, since there are no camps. The camps are an invented construct that gets in the way of real thinking.

Instead, Purdy and Estall present a “universal model for decision-making” that Deming fans will appreciate since it hints at the classic PDCA model. (That’s likely not intentional, it’s just that PDCA fits into any logical thought process, at least at the 60,000-foot level.) But whereas PDCA sits in a process-based bucket, the book’s model requires understanding a macro concept first: the purpose of the entity making the decision in the first place.

For a company, the “purpose” is likely something like, “to develop new products that will increase our market share,” or somesuch wish-making. Purdy and Estall define it thusly:

We see it as being more fundamental than objectives, strategies and plans. Rather, it is the highest expression of the reason the organisation exists. Whether articulated or not, the Purpose reflects both the values to which the organisation aspires and what it seeks to achieve.

The authors then present some methods to hone that down from “dreamweaving” into more practical, biteable morsels. And, better still, they propose a practical method for actually testing the purpose, to ensure it’s not just sloganeering or mindless, boardroom blather. This struck me as particularly revelatory, while also being relatively simple for a dummy like me.

The book’s model also relies on determining the background “context,” which ISO 9001 users may fumble over with all of ISO’s mindless mumbling over “context of the organization.” That’s not quite what Deciding is talking about, but there are some similarities. The model presents three levels to consider for context: the internal considerations (of the company or entity making the decision), the consideration of external stakeholders and outside dependencies, and finally the “wider” considerations of grander, external influences. ISO 9001 users will note that the final level is missing entirely from the standard, and has to be “interpreted into” a management system, assuming the user has even thought of it.

A big part of the “deciding” process is then the identification and control of assumptions, something that traditional risk ranking methods like RPN or FMEA are literally based on, but which never directly confront. As I have written, assigning numbers to guesses then calling it “science” reveals that RPNs are essentially no different than Tarot cards; they have numbers on them, too. Here, the book goes into detail on how to raise conscious awareness of the assumptions within any decision-making, determining their significance (some assumptions are critical, others not so much), and then “dealing with the potential for change over the life of the decision.” This latter point is mentioned not at all by most risk management professionals; once you’ve assigned a number to a risk, you can send the client your invoice. If something blows up a year later you can blame… Microsoft Excel?

Speaking of which, you’ll find no risk matrices with their debunked math and ridiculous usage of multiplication. Concepts such as “likelihood” and “consequence” are barely mentioned, and even then, only in the broader sense of decision-making. The authors reject artificial tools such as risk registers:

The practical task of filling out the columns of the [risk] register invariably distracts Deciders from achieving sufficient certainty that their decision will deliver the required outcomes.

A template form is provided for governing the overall thinking process, and for even roughly assigning subjective grades to concepts such as “probability of change,” “speed of change” and “detectability of change,” but this is not presented as a method to rank risks so that one is mathematically more important than another. Instead, it’s intended to be used “either as an aide memoire to structure the conversations about context, or as a document suited to expansion and completion to create a record of what was decided – as might be needed, for example, for major or complex decisions.” Mathematicians can once again rejoice that their science is not being perverted to defend random occult prophecy.

There’s enough there to dramatically overhaul a company’s thinking process, and the book includes a priceless and practical, step-by-step guide on “shedding the risk management millstone.” Going beyond the usual trope of books that present high-minded ideas without any practical guidance on how to implement them, Purdy & Estall present an actual checklist on how a company can move from old-fashioned, and ineffective, “risk management” into the “deciding” model presented in the book.

I could end the review there, but the book also touches on some elements that I found particularly interesting, and are worth mentioning. In no particular order:

I loved how the authors took a potshot at the coming rise of “resiliency.” As I write this, BSI and ISO are busy trying to create a new cottage industry — because we don’t have enough, apparently — for “resiliency management.” The authors of Deciding don’t mention these bodies or their craven attempts, but do eviscerate the concept.

Increasingly often, the expression ‘resilience’ gets an airing when considering the broad issue of disruption. This is an expression with many meanings, which might not matter were it not for the fact that cult-like claims of being or achieving ‘resilience’ have become something of a corporate virtue-signal. Unfortunately, as with the word ‘risk’, ‘resilience’ is a word with several meanings ranging from: ‘bouncing back’ (e.g., “the city showed its resilience by recovering from the shock of a massacre”); capacity to bounce back (e.g., “the organisation’s contingency arrangements ensure resilience”); or not falling in the first place (e.g., “the river levees made the town resilient against flood”).

Further confusion arises from it being used in a way implying that ‘resilience’ is a destination and is thus binary (resilient or not) rather than a continuum (not very resilient → very resilient). As has been the case with ‘risk’, despite endeavours by individuals (including BCM advocates who have sought to harness it to their cause) to assert that ‘resilience’ has only one (i.e. their) meaning is fanciful. The genie is out of the bottle.

Next, you could read almost the entire book and not encounter the words “risk management,” at least until the authors roll up their sleeves and grab the beast by its horns to slay it once and for all. (It’s also thrown into an Appendix, so if risk managers are squeamish, I suppose they could skip it… but they’d be missing out.)

Purdy & Estall remind us a little about the history of corporate risk management, bringing us not to its origins in ancient Egyptian pyramid building (or earlier), but instead from the contemporary insurance industry:

By describing the myriad of practices that they were coercing their clients to adopt as ‘risk management’, insurers shifted the focus from their own interest to something ostensibly associated with their client’s management of their organisation.

Furthermore, this new compound noun, ‘risk management’ acquired the appearance of something of substance that was tangible, definitive, beneficial and noble. The ‘risk management’ label caught on, and in a generally random way, became adopted by others such as legislators, regulators, and advocacy groups to label their own decision-making ‘wisdom’.

They then go on to explain how risk management became something outright culty (my word, not theirs):

The ‘risk management’ expression was also seized on by consultants because it provided the illusion of something of substance and authority which could therefore be sold to their clients in the form of advisory services.

The (entirely untested) belief was that practising ‘risk management’ (in whichever guise) was prima facie evidence of, and a prerequisite for, sound management.

This latter point had me shaking my head, as I live this every day. Whenever we file complaints against ISO certification bodies or their accreditors, we are confronted with tepid defenses that the conflicts of interest or corruption can’t be happening, because ISO 17oh-so-and-so requires the bodies to have a “risk management procedure” covering these things. Repeatedly, we see the bodies holding up a procedure as some sort of legal vaccination against the sickness of corruption going on in full view. Those who still love risk management should be appalled, as it cheapens their profession.

You’re not likely to love risk management when you’re done with Deciding, however, and that’s all for the best. The book moves the conversation away from consultant-driven boardroom BS into a more practical, and infinitely more applicable, method that anyone can use.

If I were to come up with criticisms, I’d have two. First, cynics will note that both Purdy and Estall have come up through their careers as risk management professionals, and run consulting firms. So some of the criticism against consultants may ring false, but since I’m constantly trashing my own profession, I personally gave them a pass. We can also chalk this up to the authors evolving over their long careers, into something new.

Next, the decision-making process defined herein would take time to become second nature, and I can imagine the first few dozen times it would be a shock to those used to typing guesses in a risk register, letting a formula do the math, and then closing the file to go off and drink a latte. The thinking and steps here are easy, but they aren’t few. In a world where concepts like risk management are already being dumbed-down for the ADHD crowd (“risk-based thinking!”), this moves in the opposite direction. This is leather-elbow stuff, and while it will yield better results, lazy folks are not gonna like it.

Deciding is available at Amazon in both hardcopy and e-book (Kindle) formats.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.
