objectives are preferred outcomes from an activity, and that
risk consequences are the differences in outcomes that the activity might reach, given the uncertainties.
In ISO 31000, risk is the effect of uncertainty on objectives. I was always confused about how consequence (or ‘impact’) levels and types can represent effects on objectives, unless the impact types are the objectives, or at least validated proxies.
A consequence scale typically has impact types such as finance, operations, market, reputation, safety, and environment. These impact types are reasonably universal, like the dimensions of a generic Balanced Scorecard (Financial, Customer, Process, Organisational Capacity). For each impact type, there are examples of impacts at particular levels, from minimal through to extreme.
But objectives are unique to each organisation and activity. In a government organisation, financial objectives may focus more on integrity than on numbers. Reputation is nearly always important, but not always in the same way for the same reasons. Every organisation has a unique purpose and mission. The unique purpose and mission lead to unique objectives.
The uniqueness of objectives is particularly important for the manager of a functional unit within a larger organisation, who must also manage risk in that unit.
In using consequence as a risk criterion (or measure), is a generic consequence or impact scale enough for risk management? Or do we need to measure the effects on the unique objectives for the organisation?
Two extreme views
The rest of this post is about different understandings of ‘risk consequence’. For vivid contrast, I compare just two extremes. Both understandings of consequence can be represented in a matrix, and in both cases the matrix is used for consequence measurement. These matrices are purely about consequence measurement. (I am not talking about a ‘risk matrix’ that derives a ‘level of risk’ from a likelihood level and a consequence level, typically with traffic-light colours.)
There are other established ideas of a ‘risk consequence’ between these extremes (see below).
All of these understandings of risk consequence are consistent with the letter of ISO 31000 (ISO 31000:2009 5.3.5). Consistency with the ISO 31000 principles (ISO 31000:2009 3) is less clear.
These are the two extreme understandings of risk consequence.
| Generic impact scale | Objective-achievement consequence scale |
|---|---|
| A risk consequence is an ‘impact’ of a given magnitude within a general impact type. General impact types include finance, reputation, and safety. Impact types are not based directly on the organisation’s objectives. The scale also has impact levels, such as Insignificant, Minor, Moderate, Major, and Catastrophic. | A risk consequence is the ultimate effect on the unique objectives of the organisation. The organisation’s stakeholders give value and meaning to the achievement or non-achievement of the objectives. There is at least one achievement scale for each unique organisation objective. There are no other consequence scales. |
| The impact types and impact levels form a two-dimensional matrix. The matrix ‘should be customised to fit the organisation’s specific context’. Customising does not mean building it around the organisation’s unique objectives. | The scales can be shown in the approximate form of a matrix. The objectives run on one axis and levels of achievement run on the other. Not all cells are used. |
| There is a one-dimensional scale for consequence. The one-dimensional scale is the range of impact levels, because every risk consequence matches one of the matrix cells, and each cell has an impact level. | There are no consequence ‘levels’ common across scales or objectives. The scales for each objective are independent and incomparable. |
On a quick reading, you might think that the two approaches are equivalent, with just a trivial difference in the order of development steps. But that difference is not just about words. It can change the whole risk assessment process, from context-setting through to risk evaluation and reporting. For example, it brings into question the understanding of both ‘consequence level’ and ‘level of risk’ as a quantity or position along a scale, or as a traffic-light colour. It also makes possible a completely new kind of risk overview report, showing the overall likelihood that each objective will be achieved at each depicted level of success. (See the conclusion of Norman Marks’ post of 13 April 2018, Reporting on Risk to the Board.)
Risk treatments do not necessarily change, as treatments are real things in the physical world. Treatments don’t change with a change in the risk management process, which is conceptual rather than physical.
Most importantly, I don’t understand how a generic impact scale can measure the effect of uncertainty on objectives. Yet risk is the effect of uncertainty on objectives (ISO 31000, drawing on HB 73).
Does the ISO definition of ‘risk’ mean that the amount of risk is the amount of uncertainty that objectives will be achieved? The amount of risk takes into account the likelihood and magnitude of deviation. Is this view naïve? If so, I’m not entirely alone. Tim Leech and Norman Marks are putting out similar views. (I see Tim Leech mainly on LinkedIn).
Like Tim Leech and Norman Marks, I also believe that risk management should be about maximising and assuring success. Risk is not just the potential for ‘impacts’ along an otherwise pre-determined path to achieved objectives. I don’t see how a generic consequence scale can support success assurance. I see that risk management can assure success if we understand ‘risk consequences’ as the achievement of objectives to varying levels. Even if the difference isn’t so huge, the objective-achievement understanding of consequence will make ‘risk’ and ‘risk management’ more real to decision-makers.
Real decision-makers will be found in the main chain of command, or on a board. They have a lot to think about, and they care viscerally about meeting their own objectives.
Perhaps you can fill in the missing part of my picture of generic consequence scales, or correct any other faulty assumptions that I’ve made.
Here are some specific questions within my broader confusion.
- What is your version of ‘risk consequence’? Is it a good or bad ‘impact’ on a generic impact matrix? Or is your ‘risk consequence’ the extent to which your organisation’s objectives are achieved?
- Either way, how do your ‘risk consequences’ relate to the achievement of the organisation’s unique objectives? Is that link clearly proven, or is it an untested assumption?
I really want to know your answer, in painful detail, with references. Good answers will appear on my site, with credits.
This post is obviously equating ‘risk management’ with organisation or enterprise ‘risk management’, in the same way as ISO 31000 and HB 436. This equation was made to bring out the main question clearly. Elsewhere the Clear Lines emphasise that ‘risk management’ is not only enterprise risk management, but can be applied thematically and to layered discrete units of activity within a larger enterprise, or crossing organisation boundaries. Discrete units of activity include projects. ‘Risk management’ can also be used at a microscopic scale, to an individual event or transaction. The problem discussed in this post is real, but less obvious, when the scope of the risk assessment is very narrow.
The explanation also assumes that uncertainty is the possibility of an identifiable event occurring. Elsewhere the Clear Lines spell out that uncertainty can take many forms, of which the occurrence of an identifiable event is only one. Uncertainty can also take the form of assumptions that may be incorrect, or the possibility of something happening that no-one would have been able to describe (or even imagine) before it happened.
SA/SNZ HB 436:2013 Risk management guidelines – companion to AS/NZS ISO 31000:2009 describes an intermediate approach, in which the consequences are effects on objectives. In HB 436, the consequences may have their effect along the organisation’s journey, well before the (final) objectives are achieved or not. In the HB 436 examples (Tables C2, C3), the consequence types still resemble generic types such as ‘financial’, ‘reputation’, and ‘safety’. However, those consequence types are supposed to be derived from unique organisation objectives, and should represent those objectives (C1-C2). The consequence types are not simply adopted, or adapted, from a pre-existing consequence matrix, nor from any other universal management model.
Version 3.0 Beta