Risk in work unit business planning: Comparison with typical corporate prescriptions

In this article:
Objectives Consequence measures Likelihood measures Level of risk Risk register Overall risk view Negative and positive risk

Parent page: Risk in work unit business planning: Overview for risk experts


This table highlights the key differences between the tutorial risk process and the sort of risk process typically recommended (or sometimes mandated) by corporate procedures. You may hear people say that the corporate process is ‘standard’. If so, both you and they need to understand that neither version of the process detail comes from any formal standard such as ISO 31000, COSO ERM, or the Australian Commonwealth Risk Management Policy. Formal sources are consistently based on principles, not process prescriptions. The process version in the tutorial is:

  • An attempt to meet the ISO 31000 Principles (Section 3) more faithfully than the typical corporate process.
  • A start to ‘tailoring’ of risk management as applicable to business planning for work units. ISO 31000 Principle G says that risk management is tailored. The final tailoring is done by work unit managers themselves.
Area of risk process Typical method Tutorial method
Objectives

Forgetting the objectives is against the intention of ISO 31000 5.3.1.

Noted and then forgotten. Systematic review of objectives, focusing the whole risk management process. (ISO 31000 5.3.1)

This change ensures that that unintended consequences are adequately considered.

Objectives are assumed to be positive achievements to be maximised. ‘Avoidance’ objectives to be minimised are defined along with ‘achievement’ objectives to be maximised. In the method for defining objectives, they are called ‘Dangers’).
Consequence measures

The change achieves consistency with the ISO 31000 definition of risk as the effect of uncertainty on objectives. ISO 31000 does not require ‘levels’ at all.

Consequence scale or matrix uses levels of (negative) ‘harm’ in different categories. The categories do not represent anyone’s defined objectives, but are assumed to be universal (negative) concerns. Consequences are a series of success and failure outcome scenarios against each objective, both better and worse than the planned outcome. The listed outcome resulting from a risk is the measure of risk consequence. (HB 436 5.3.5)

The change achieves consistency with the ISO 31000 definition of risk as the effect of uncertainty on objectives. Understanding the effect requires clarity on the duration of the effect.

Consequence descriptors refer to a short-term effect, or to an effect of indefinite duration. The neutralising effects of recovery and response actions are not recognised explicitly.

It is never clear whether the assessed consequence is before or after recovery and response steps have been taken. (Response and recovery steps are often confused with risk treatments.)

Outcomes descriptions refer specifically to the position at the end of the planning period. The closing position can reflect an aggregate of short term events during the period, after also considering recovery actions. It can also look forward to the future expected beyond the end of the period.

There is nothing in ISO 31000 or HB 436 that requires equivalences. Some assumed equivalences are clearly nonsense.

Consequence levels are abbreviated to a single word or number that is common across consequence categories. Consequences with the same word or number are implicitly assumed to be equivalent in significance, even if they are of radically different kinds (e.g. human injury and loss of market share). Single words and numbers may be used as prompts and labels for consequence levels. There is no assumption that consequences of different kinds are in any way equivalent.
Likelihood measures

No standard requires a scale of likelihood levels. HB 436 regards risk as about the possibility of an unplanned outcome, which is consistent with classifying likelihoods over 50% as ‘expectations’, not risks.

A likelihood scale converts percentages or frequencies into 5-10 discrete levels. Each likelihood is represented by a percentage, with no conversion to a scale. Long-term frequencies can be used in the place of likelihood, or converted into a likelihood in a given period.

Risks with likelihoods of 50% or more are not accepted as ‘risks’. They are reclassified as ‘expectations’ or as a ‘forecast’. On this basis, scales showing likelihoods above 50% are considered unhelpful beyond the unnecessary loss of precision.

Likelihoods are applied to period outcome scenarios, as well as to specific event pathways or ‘risks’ leading to an unplanned outcome.

Level of risk Look-up matrix for level of risk (from the consequence and likelihood level). There may be an assumption that higher level risks are unacceptable, and lower levels of risk are fine. There are no defined ‘levels of risk’. The nearest equivalent is the unplanned outcome scenario (an imagined future), qualified by its likelihood. The scenario is always spelled out as descriptive text. Risk acceptability is considered on the basis on the organisation’s willingness to accept the outcome’s likelihood in view of the trade-offs incurred by changing that likelihood.
Risk register

There is an argument that ‘inherent’ risk is an ambiguous or nonsensical idea. See HB 158:2010 Delivering assurance based on ISO 31000:2009, Section 1.3.3. HB 436 clarifies that likelihood is of ‘experiencing the consequences that flow from the event’ (2.1).

A risk register row identifies ‘the risk’ (event and its consequence), then attaches a single likelihood level and single consequence level to that risk. There may be extra substantive fields for the risk, such as affected objective, hazard class, risk owner, calculated ‘level of risk’. There may be further columns for proposed risk treatments and for likelihood and consequence levels after treatment. There will be other fields for administrative purposes. Clear Lines recognises all of these elements as valid and does not specifically recommend anything different.

Some differences of usage may come up:

  • The initial likelihood and consequence assessments of a risk are clearly understood as ‘current’ risk ratings (assuming specific established controls and treatment), not ‘inherent’ risk ratings (assuming no controls or treatments).
  • Where the description of the risk allows for a range of different outcomes from a similar cause, it must be recognised that one pair of consequence and likelihood ratings cannot cover all the included cases. There must be either multiple ratings per risk, or multiple risk rows for one type of risk event, each representing a different outcome and corresponding likelihood. (This paradigm is normal in quantitative risk assessment.)
Overall risk view

Heat maps do not appear in any standards. (Neither does the Risk Based Outcomes Forecast.)

Summary of all risks by a ‘heat map’, that is, a count of risks at each combination of consequence and likelihood level. Risk is summarised as the overall likelihood of each outcome scenario. Typically those likelihoods are shown within a matrix of potential outcomes, as a Risk Based Outcomes Forecast. These likelihoods are used as the basis for confidence in overall success.
Negative and positive risk

All formal standards recognise some version of ‘positive risk’.

Risk is seen as wholly negative, though perhaps necessary to achieve goals. The tutorial method allows for ‘risk’ to include the possibility of exceeding expected outcomes – sometimes called ‘positive risk’. For simple application to business planning, risks are generally assumed to result in falling short of expectations. In other words, in this series, risk is seen mostly as negative, but necessary to achieve goals. Goals can sometimes be achieved more effectively by taking more risk.

Parent page: Risk in work unit business planning: Overview for risk experts

Index to the series