New to this: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first.
‘A risk’ is one pathway by which something unpredictable could cause an unplanned outcome on an objective.
There’s nothing very new about that idea of ‘a risk’, but it differs from casual usage, where something called ‘a risk’ is often one end of the pathway or the other, and so less than the full pathway.
The common casual usage for ‘a risk’ is the threat of an unpredictable disruptive event – leaving the effect on outcomes unstated:
There is a risk of executive misappropriation fraud.
Another less common casual use of ‘a risk’ is the possibility of an intended outcome not being achieved – leaving the cause unstated.
There is a risk of a profit shortfall against forecast.
This example assumes that meeting the profit forecast is an objective.
The careful usage of ‘a risk’ in this guide refers to the full chain from the cause of uncertainty, through event(s) or invalid assumptions, to a difference in the outcome.
There could be a profit shortfall against forecast arising from executive misappropriation fraud on a big enough scale.
Elsewhere in Clear Lines on Audit and Risk, the term ‘risk scenario’ is used for this kind of chain. The term risk ‘scenario’ is used in ICT and security risk management for a fully described risk, though its meaning may be slightly different in different places.
‘A risk’ must recognise and identify:
- The chain of causation from an event or invalid assumption through to the difference in outcome.
- Why it is uncertain, but possible, that the event or mistake will happen and have that effect on the outcome. The source of uncertainty must be clear.
- The difference in the outcome, which must be important within the objectives.
You have developed a range of outcome pictures for each objective.
‘A risk’ must include a reference to one of the (unplanned) outcomes for one of the objectives.
The ‘risk’ includes either an event or a mistaken assumption. These two possibilities reflect the inclusive term ‘uncertainty’ in the ISO definition of risk.
This definition of ‘a risk’ allows for unexpectedly beneficial possibilities. It links each risk to an unplanned outcome, not necessarily to a bad outcome. The unplanned outcome could be better than the planned or expected outcome on the same objective.
The ‘source of uncertainty’ is sometimes called a ‘hazard’ or ‘threat’. Those older terms do not adequately include ignorance as a source of uncertainty. They also imply that unexpected outcomes are always bad outcomes.
In business planning, the consequence of ‘a risk’ is a planning period outcome, and not just a short-term impact. A short-term impact might be dramatic, but does not necessarily lead to a better or worse outcome for the year. If the scenario consequence is only short term, you don’t have a risk to achieving the business plan.
This simple rule will make your assessment of risk massively simpler and quicker than it might otherwise have been. You won’t need to contemplate the whole universe of everything that can go wrong in your world. You will only need to think about how your business plan might not be achieved.
Formally, risks are more accurately understood as branching and overlapping chains of causes and effects. That kind of understanding is typically represented in diagrams such as the ‘fishbone’, ‘Ishikawa’, ‘bow tie’ or ‘fault tree’, often with numbers attached. Sometimes those numbers even mean something mathematically.
For business planning purposes, you won’t need that level of subtlety and precision. The only mathematics in this guide is adding up percentages. You need to know that an event does not of itself always affect the annual outcome directly, but may do so in combination with other factors or events in your world.