In the UK, requirements for "risk management" and internal control are laid out in a document called "Internal control: guidance for directors on the Combined Code", published by the Institute of Chartered Accountants in England and Wales. The committee that produced this guidance was chaired by Nigel Turnbull, so the guidance is normally referred to as "the Turnbull guidance".

The main guidance for auditors appears in a briefing paper called "Providing Assurance on the Effectiveness of Internal Control" issued by the Auditing Practices Board. Although the principles of this paper are strong, some of the technical details appearing in the example report and particular techniques referred to in the text are flawed. The APB are keeping the area under review and point out that the paper says the details of the example should not be taken as a guide to current good practice.

The Turnbull guidance applies to all UK listed companies. It supplements the "Combined Code of the Committee on Corporate Governance" which contains lots of other rules on corporate governance applying to companies listed on the London Stock Exchange.

In the USA the strongest requirements for internal control and risk management come from the recently enacted Sarbanes-Oxley Act of 2002. See, in particular, sections 302 and 404. These have been interpreted by the SEC as rules.

Much of the thinking about what internal controls are and why risk management is important was captured in a document called the "COSO report". This odd name is short for "Committee of Sponsoring Organisations of the Treadway Commission" and refers to a report called "Internal Control - Integrated Framework". The COSO organisation has a website and some of its guidance is free online.

Once you are attuned to it you can see uncertainty suppression at work any day of the week, but if you would like research to back up your observations try "Embracing Uncertainty: the essence of leadership" by Phillip G Clampitt, Robert J DeKoch, and M E Sharpe, 2001. The authors have a handy overview of their book, free on the web. They also have a paper on uncertainty suppression, listed under "Other Publications".

This is not to be confused with "Embracing uncertainty" by Susan Jeffers, which is an altogether more mushy style of psychology.

An interesting article about the helpful effects of events we would normally consider bad has been written by Richard Anderson of the Corporate Risk Group. The article is "Risk Management into the New Millenium."

Steven Ward and Chris Chapman of Southampton University have suggested that "risk management" be renamed "uncertainty management" to help people remember that unexpected favourable events are included. Good idea. Their article is called "Project Uncertainty Management as a Desirable Future".

Others have used "risk and opportunity" management as their name. For example, in "Integration of risk and opportunity thinking into projects" by Kalle Kahkonen and in "A new approach to business risk" by David McNamee.

This area has been researched ad nauseam, and yet there is still much to be discovered and almost all of it is still to be properly explained.

One of the classics is "Judgement under uncertainty: Heuristics and biases" edited by Daniel Kahneman, Paul Slovic, and Amos Tversky, 1982.

Dr Sam Savage of Stanford University is entertaining and authoritative. His explanations of the flaw of averages are invaluable. He has a company, Analycorp, that sells software for modelling uncertainty explicitly.

Crystal Ball is an example of an Excel add-in tool that makes it comparatively easy to show and quantify uncertainty in spreadsheet models and so avoid the Flaw of Averages and similar mistakes. Their site has many examples of models for different purposes to show how it's done.

Another leading tool in this area is @risk from Palisade.


