What's Hot

Nassim Nicholas Taleb's blog, an inspiring read | Incerto

Tuesday, June 27, 2017

ERM Decision Trees and ISO 31010

Over the years we have written numerous blogs that share in-depth presentations on different risk modelling methods and in the coming months ahead, Causal Capital is going to increase the number of these technically natured risk management articles.

Today we are going to focus on Decision-Trees from the ISO 31010 Risk Assessment standard, and if you are interested in downloading the presentation associated with this posting, please do continue reading.

ISO 31010 Decision Trees

One of our clients recently reached out to us asking for technical support on Decision Trees:
"The Enterprise Risk Unit has reviewed the Decision Tree section on page 61 of the ISO 31010 Risk Assessment Techniques document, and we find the ISO guidance is not detailed enough."
"Can you help explain how Decision Trees work, perhaps show an example to us so that we can better understand the concept."
I am a big supporter of Decision-Trees, and I see the tool as a logical way of thinking or perhaps planning what to do when presented with adversity. Decision-Trees should be central to a risk manager's tooling because they integrate or bind the 'Measurement Aspect' of risk management with the management of the risk being measured. This may sound like a bit of a brain twist, but the technique is completely dynamic in that sense, and while Decision-Trees are not the only risk assessment approach that tightly connects these two modes of operation, they are perhaps one of the best methods for achieving this purpose.

Decision Tree Presentation | LINK

At present, there is a bit of a movement among the community of enterprise risk managers to place decision-making at the heart of risk management, and when it comes to DECISION trees, that is as the name applies.

Decision trees can be thought of as being forward-looking blueprints designed to allow operators or stakeholders to make 'Confident Decisions' given different situational forms of uncertainty that may be presented to them. What we mean by making 'Confident Decisions' is that you can act proportionately, with authority and with contextual relevance or alignment to your purpose. You know how much and what type of information is required to form an effective decision but importantly you are also aware of the significance levels required in what you are monitoring to make a choice that maximises your objectives' survival.

Very few risk management techniques work so well at addressing this broad set of criteria and also in such an elegant manner. Decision-Trees are a natural way of conceptualising risk problems, decision-making processes or assessing uncertainty; they are very much akin to Risk Management Engineering or Critical Thinking.

You can find our presentation at the following LINK and do keep the questions coming through.


  1. Yet, we know that sensitivity analysis inside a decision tree is part of its deep value. How far wrong in our estimates of probable options can we afford to be and still favor the same decision? How far wrong int he gain or loss of the decision can we afford to be and still favor the same decision? These provide process oversight metrics for Risk Management. They provide sensitivity ranges of acceptable risk. ISO 31000 processes also need to do more than simply provide a single outcome to risk evaluation, they also need to produce sensitivity estimates to trigger when re-evaluaiton of risk is necessary.

  2. Martin,
    Totally agree with you re decision trees. Thanks for sharing the slides and article. I like your term "forward-looking blueprints" and the idea that they are "designed to allow operators or stakeholders to make 'Confident Decisions'".
    Decision trees are a great analysis and discussion tool which is sadly under-utilised. Keep up the good work with publishing this stuff to the world so that more people can find it.