In this article:
Each outcome picture is important, even if unlikely
The last step on capturing outcome pictures at each level was to check that the Success cells each represent the most likely year-end outcomes, as they look at the beginning of the year.
Soon, the risk assessment proper will shine a very bright light on the likelihood of each of the outcomes depicted in the collection.
You may be thinking already that some of those outcome pictures are so unlikely as not to be worth further consideration, or even worth including in a sensible document. You may be thinking that especially of the more extravagant ‘Worst imaginable’ outcomes. Perhaps they will cause alarm, derision, and accusations of hysteria.
Well, unlikely they may be – and unlikely is what they should be. A key result of risk management is to recognise and agree that there is some potential for bad stuff to happen, and to have reasons for saying why the likelihood of that bad stuff is acceptably low. Those reasons will usually refer to the way the unit operates. The way the unit operates is a choice, and not a law of nature.
By including the very bad stuff among the potential outcomes, you have recognised that such things are at least potentially possible. As a result, they have to be avoided, and avoiding them is an active process. You deserve resources and credit for the active work that goes into keeping the likelihood of those bad outcomes at a level where everyone can sleep at night, or at least stay awake but worrying about something else.
If the nearly impossible, but very bad, outcomes weren’t even in the collection, neither you, nor risk management, would get any credit keeping them nearly impossible.
It is also possible that you would compromise stakeholder trust if you were to simply ignore the worst possibilities. Those worst possibilities may be the very ones that the stakeholders concerned about the most, even if they are routinely dismissed as highly implausible by those inside the unit who know exactly how things work.
If you want to approach this issue more systematically, here is a way.
|Take any outcome description that seems so unlikely as to be far-fetched. Then consider these questions – ideally from the point of view of your least trusting stakeholder:
If the outcome remains far-fetched in each of the hypotheticals, there is some basis for getting rid of it. If there is some plausibility on one of the hypotheticals, the outcome is worth keeping. Keeping its likelihood acceptably low is an active process with a cost and with recognisable value.
For comparison, consider the risk of death from a plane crash. We all know that passenger planes are very safe, thanks to procedures, rules, and design. And planes do still kill people, just very rarely per passenger-kilometre. The likelihood of person dying on a given flight is tiny, as is the likelihood of any specific plane killing a person in the coming year. At the same time, we expect that the aviation industry will spend the bulk of its risk management effort on addressing the risk of deaths. We would be shocked and disappointed if they had taken safety for granted, simply assuming that safety procedures prevent deaths, and not even recognised passenger death as a potential outcome. All the while, the pilots working inside the system do not consciously think about passenger deaths each time they get into the plane and work through checklists.
In historical practice, ‘risk management’ has often been focused exclusively on unlikely but very bad outcomes. The form of risk management recommended for your business plan in this series is innovative to the extent that it looks at those bad possibilities, but is also focused on the much more likely possibility of a year-end outcome only slightly worse than the planned outcome, or even better than the planned outcome.
Comparing the objectives with the business plan
You have now re-defined your unit’s intended outcomes for the planning period. The approach used here was probably different to the way you approached the business plan, though drawing on the same body of understanding.
If you have the opportunity, you might like to revise the business plan in the light of what you’ve discovered this time around.
If not, and there are no fundamental disagreements between the two documents, you can relax. Just treat the new version of the objectives and outcomes as something done specifically for risk management purposes.
Where we are in the risk management process
At this point we’ve done the hard and important work for risk management in business planning, even though there isn’t yet a single risk. Everything done so far can be classified as business planning itself. However, the objectives included ‘Dangers’, the unintended consequences best avoided. A standard business planning method would probably have ignored those. Were they in your existing business plan? If not, you already have something worth adding.
In the formal vocabulary of risk management, you have completed the necessary steps in ‘Setting the context’, specifically identifying the objectives and developing the consequence criteria.
Within ISO 31000 there are other steps in ‘setting the context’. Some of those other steps were taken implicitly, within the business planning process. The remaining steps for ‘setting the context’ will be built into the later stages of the process in this series, and you will barely notice them.
Reconciliation with a ‘standard consequence scale’
If you weren’t given a consequence (impact) scale or matrix from a corporate source, you can skip this section.
If you were given a ‘standard’ or ‘example’ for a consequence scale (or matrix), you may have noticed a resemblance between the one you were given and the collection of outcomes you made from your unit’s objectives. This resemblance will be very clear if your outcomes are in a matrix format, like this example for payroll outcomes.
If the one you were given had the status of an ‘example’ or an editable template to adapt, you can note with confidence, and quiet pride, that your own collection of outcome pictures is a consequence matrix that meets the purposes of the example, and can be made to look nicely similar. Unlike the example, which would have been generic, it reflects precisely your specific unit objectives that are affected by uncertainty. You can re-populate the corporate template with your table of outcomes for each objective.
If you were given a ‘standard’ scale or matrix that you are obliged to follow (without alteration) then I nevertheless urge you to stick with your own outcome picture collection for now. It is your own collection that will get you on the way to looking your boss calmly in the eye when responding to the question Have you assessed the risks to achieving this plan? The standard consequence scale is far less likely to do that.
You have my blessing to use the ‘standard’ matrix as well, to comply with any further bureaucratic requirement. You can do that after making the main decisions based on your own collection of outcome pictures. Using both versions, in that order, will be quicker than trying to get anywhere with a ‘standard’ consequence scale that doesn’t work for your unit’s objectives. If possible, submit your own version as an attachment so that the bureaucrat gets at least a glimpse of contemporary risk management based on the ISO standard. (The idea of a ‘standard’ matrix comes from the 1990s. It was comprehensively superseded by ISO 31000 in 2009.)
Compromise may also be possible. Sometimes there is a standardised set of consequence ‘levels’ defined by numbers or single words such ‘minor’, ‘major’, and ‘catastrophic’, but those levels are linked to impacts that are described only loosely or as examples. You might be able to attach the ‘standard’ numbers and words your outcome levels and use the standard numbers or words to refer to your success levels. The success level words (‘qualified success’, ‘partial success’, ‘failure’ etc.) were important during the building of your outcome picture collection. After the collection is built, they are less important, because the success and failure pictures should be clear enough on their own.
Coming soon: Specific risks