Where outcome likelihoods are not acceptable, you decide what to do about them.
You cannot ignore outcomes with unacceptable likelihoods.
When you first note an outcome likelihood that is unacceptable, you might look at ways to improve that likelihood.
The obvious ways to change likelihoods are by changing the strategies by which you intend to achieve your outcomes. You may have noted those strategies in the business plan.
At a lower level of detail, you might consider changing controls. Controls can change the likelihood of the risk event occurring, or change the outcome that would follow if and when the event occurs. In changing the outcome that would follow, you have reduced the likelihood of the original outcome and increased the likelihood of things turning out differently.
Whatever you change, that change will probably influence the likelihoods of other outcomes and your expectations on other objectives. There are always trade-offs involved.
When you have confirmed the changes that you will and won’t make, you re-assess all the affected risks and outcome likelihoods. Many of the facts noted in your risk register will have changed.
After making all the changes within the world you manage, there may remain one or more outcomes with likelihoods that are not clearly acceptable. You then have something to discuss with the boss. That discussion might touch on the possibility of simply avoiding certain business plan activities altogether. It might also contemplate carrying on regardless, perhaps subject to some monitoring and review of events.
If you are unable to have a sensible discussion with the boss, you are the one left to make hard decisions about the outcome likelihoods that are least unacceptable.
Some risk management jargon. Measures taken to change risk likelihoods, or to change the outcome consequences of a risk, are called controls. Measures proposed, not yet taken, are called treatments. Decisions to accept, avoid or share a particular risk are also called treatments. Risk indicator monitoring is another kind of treatment. Risk sharing is new jargon that replaced the old jargon risk transfer. Both sharing and transfer are about engaging with another organisation in a way that your organisation’s outcomes become relatively predictable, while the outcomes for the other organisation are not (or vice versa). Insurance transfers a lot of risk in some very narrow financial categories, but never all of the effects of uncertainty. Outsourcing can include moving risk in either direction, while creating other new risks.
To the extent that you are relying on controls, you ensure that those controls really work. Confidence comes from always knowing that those controls are in place.
Controls are measures you put in place to change the risk to achieving your objectives. ‘Controls’ can be at a high managerial level, for instance choosing unit strategies only in structured consultation with stakeholders. ‘Controls’ can also be buried deep in policies, operational routines, or an automated system. Controls of any kind always have some sort of cost. That cost may be in lost opportunities and reduced performance, as much as in dollars. But the risk-changing benefit may be essential, so that omitting certain controls would be rightly seen as negligent.
For controls that you consider essential, you might set up accountability and monitoring. One way or another, you need to be sure they are working at all times. You must know immediately if any of them cease to work as you assumed.
You can hardly ever transfer risk. There is such a thing as sharing risk, but that may not help either.
If you have had some risk management training, you may have heard of ‘transferring’ risk (old term), or of ‘sharing’ risk (new term).
Risk sharing is structuring your organisation’s activities in such a way that some of the effects of uncertainty on your objectives are absorbed outside the organisation.
Risk ‘sharing’ legitimately includes insurance, but insurance doesn’t get rid of much risk, only the risks of tightly defined monetary losses. Insurance has more to do with your CFO than with your unit. Other forms of risk sharing are also probably well outside your span of control.
The concept of risk sharing is easily confused with out-sourcing, and in-sourcing. If you were to out-source some of your activities, your unit would still be responsible for the same outcomes. Risks of team under-performance might disappear, but risks of service provider under-performance will replace them almost one-for-one. Those risks might be more favourable, or less favourable, at outcome level. But they have not even left your unit. If the service provider lets you down, your unit’s objectives are not met, and your organisation is that much worse off. It’s as simple as that. Out-sourcing arrangements can re-allocate some uncertain outcomes between you and the provider, but out-sourcing rarely shifts the main outcomes.
The Clear Lines do not run through the pros and cons of out-sourcing. The Clear Lines stop at clarifying that out-sourcing does not, of itself, transfer risk.
You can get rid of unacceptable risk to your unit’s outcomes by cutting down the unit’s responsibilities. That change will result in a reduced span of unit objectives. That is a drastic step, and it simply passes the problem up to your boss, where it is still inside your organisation.
After all of that, you will definitely be ready to look the boss in the eye over the business plan.
Having taken all those steps, you will be ready to explain the basis for confidence in the business plan. You will know that the objectives to which your unit strives are the right ones. You will know why the objectives have a good chance of being achieved. You will know why you cannot guarantee achieving them.
You will understand the exposure to unintended disasters, and whether anything needs to be done to further reduce that exposure.
You will discuss all of these assurances, and concerns, with poise and confidence.
If your confident delivery is not convincing, you will show the record of the process you went through. You will share your confidence.
Almost certainly, there will be some points of discomfort to work through with the boss, confidently poised as you are. You may need to negotiate expectations, or recommend actions to be taken outside your unit.
In the most extreme case, the best way forward might be a substantial change to your unit’s role, goals, and strategies. Changes as big as that will need your boss and may involve a wider group of senior managers. But the result of senior management consideration may be no change in your unit. Ultimately the organisation might decide that the risk in your unit is acceptable for the greater good, with or without actions to be taken elsewhere to limit the exposure.
What has changed is that you will have made it clear that you cannot guarantee the preferred outcome, and that disappointments can happen. You will have set out the reasons in advance.
If you and the boss are never going to make eye contact, or even see eye to eye, you will be as confident as you could ever have been. You will know that you understand the uncertainties that are involved in the next year of your employment. That will give you your best opportunity to protect your own future.
You can maintain the outcome pictures and their likelihoods as the focus of conversations with the boss through the year. You can review and maintain the risk collection at the same time.
By maintaining the written record of the risk process, you can always know that your unit’s risk is under control. Documenting the risk work means you can both know it and show it.
Your management process creates a risk-based outcomes forecast for the year. The risk-based outcomes forecast ties together, in a single view, the planned results, performance, risk, and prospects for the unit.
Risk in work unit business planning: A how-to guide