Risk (only) arises where there is non-compliance.
The unhelpful equation of risk and non-compliance can work two ways: instances of non-compliance are seen as risky; and where there is compliance, no risk is seen. ‘Compliance’ is typically with formal regulations or strongly supported organisational policies, whether written in ink or ingrained in habitual behaviours.
Complying with prescriptions may or may not reduce risk. It will hardly ever eliminate risk to overall outcomes.
The ‘risk’ that always increases with non-compliance is the potential for non-compliance to attract penalties, liabilities, profit-killing court injunctions, or reputation damage that could not arise if the activity were to be kept compliant. These particular effects on outcomes are not usually the most important reason to manage risk. The important reason to manage risk is to optimise and assure the overall outcomes of the activity, and those outcomes are influenced by many factors beyond rule compliance and the direct consequences of breaches.
For example, to describe the possibility of ‘fines’ as the risk arising from breach of health and safety laws is to miss the point of risk management. Risk management for health and safety is about reducing the likelihood and frequency of death, injury, and disease.
Risk (only) arises from change.
Carrying on an activity without any change is obviously not risk-free, especially as the surrounding world changes. The advantage of the pre-change situation is that there has been some experience with it. By itself, that does not mean that change increases risk. Very often the actual outcomes from the pre-change situation are not even known, and its risks have not been assessed. Feeling comfort in that situation is more dangerous complacency than robust assurance.
The ‘before-’ and ‘after-’ change versions of the activity each have their own risks. The change process itself may also have risks. It is less confusing to consider look at these three sets of risks separately: pre-change, post-change, and change-related.
Risk (only) arises where governance or control processes are not mature.
The standard of performance representing a ‘mature’ process varies widely in different contexts. It may simply mean that the process has been repeated many times, is repeatable, and has an acceptable track record (perhaps overlooking ‘that one time when…’). Mature processes may or may not include effective management of risk. Risk management must include appreciating the particular effects of uncertainty on activity objectives. That appreciation does not follow simply from implementing controls considered to represent better practice, no matter how consistent and successful the controlled process may have been to date.
Risk is (only) whatever can stop the plan from being executed.
This kind of thinking can appear when risk management is done for the first time in project planning or annual business planning. The plan is defined, then someone asks about the risks in the plan.
That approach leads to a narrow understanding of risks. For one thing, it leaves out the risk that the plan isn’t the best way to achieve the objective. Another signature of this approach is the listing of well-known problem areas as if they were ‘risks’—for example, staff turnover and recruitment difficulties that are familiar and predictable, not uncertain.
A better approach is to identify the objectives of the activity, separate from the intended means of carrying it out (the plan). Then consider all influences on the outcomes for those objectives, many of which can change the outcomes independently of what’s in ‘the plan’. Alternative plans will achieve success and avoid failure with different levels of confidence. You might then choose a plan that provides a good balance of assured outcomes within the real-world constraints. In that way ‘the plan’ is also a risk management plan.
Carrying out the plan is never the objective. Don’t focus risk management on carrying out the plan. Instead, focus risk thinking on the achievement of the objectives.
Risk management (just) is designing controls.
The concept of ‘controls’ is usually applied to a system or well-defined process, such as a project or a transaction flow. In that context, controls are a legitimate type of risk treatment, within the category of changing the likelihood and/or impact of an event or mistake. Almost always, the control is a system element that reduces the likelihood that an instance of a risk event will lead to its default consequence. The risk events dealt with by ‘controls’ are predictable enough as a routine occurrence.
Risk management includes a class of risk treatments broader than controls. The broader class includes termination of the activity, acceptance of the risk as-is, and transfer of risk between parties. Risk management is also applicable to classes of activity other than a well-defined system or process like a project or transaction flow. For instance, risk management can be applied to business lines and activity locations. It is also worth noting that controls deal with predictable event types, and not with other flavours of uncertainty, such as incorrect planning assumptions.
It is possible, and historically normal, to design essential controls into systems with only a trivially simple concept of ‘risk assessment’ that does not justify lengthy web pages or an ISO standard. I’ll be talking about that kind of control design in a future article.
Risk management is (not) workshops, consensus, and voting.
Risk management involves trying to understand the effects of uncertainty as accurately as possible. Communication and consultation are essential.
Workshops may or may not be part of the approach to communication and consultation, or to any other element of risk management. There are many alternatives. I am doubtful about surveys, but they might have a useful role somewhere.
Voting works in risk management about as well as it does for any other attempt to find the truth: basically, not at all.
Consensus is possibly worse. If the priority is on reaching consensus, there will be a subtle (or less subtle) pressure for legitimate concerns and disagreements to be suppressed. This phenomenon is also known as group-think, which is dangerous anywhere and catastrophic in risk management.
On the other hand, taking well-considered straw polls and exploring the disagreements could be a very productive step along the way to group understanding of a greater truth, with helpful humility.
Risk management is (not) about re-directing blame.
It is sometimes imagined that ‘my risk’ is the extent to which ‘I’ will be blamed if something goes wrong. This leads to behaviours that re-direct the future blame elsewhere. It may also lead to relying on one’s future capacity to move blame should the need arise. Possibly some people feel that there is ‘a risk’ only in that circumstance.
A typical blame-shifting sequence would start with producing a risk assessment document with marginal credibility. The document vaguely points to significant but unavoidable risk. The document is in the approved format with signatures. The responsible manager then carries on with no regard to the assessed risks, or to any actual risks. If something goes wrong, the manager can point to the signed document, especially the part that referred to unavoidable risk.
This ‘risk management’ strategy might actually reduce personal risk to the manager involved. It does nothing for the organisation or anyone else. It creates a moral hazard to the extent that the manager has less motivation to actually manage risk than there would have been if the risk assessment had not been done.
ISO 31000 has ruled this sort of behaviour out of true risk management, through its key principles and its emphasis on consultation and communication.
Risk management can (not) be achieved by risk scoring.
Risk scoring consists of looking at a list of ‘possibilities’ or candidates, and rating each one for ‘riskiness’. The candidate ‘possibilities’ may be investments, projects, tenders, loan applicants, or job candidates. The ‘risk’ ratings can be done directly, or via some indirect indicators that go into a formula that calculates a ‘risk score’. The indicators and formula may or may not have been validated against some sort of objective facts and history. Candidate possibilities are accepted, rejected, or given a specific kind of streamed treatment, based on the ‘risk score’.
Risk scoring is at best a fragment of risk management activity that may occupy a space within overall management of risk. If risk scoring is the whole risk management effort, it is minimal and probably irresponsible.
Within established risk management vocabulary, risk scoring is a type of control. Controls are a type of risk treatment. Risk scoring is not not a step in the assessment of risk. It does not of itself contribute to understanding the effect of uncertainty on objectives.
Risk management is (not) just a matter of monitoring.
Monitoring is a legitimate type of risk treatment. Monitoring may allow for actions to be taken at a time that changes the likelihood or impact of an imminent risk scenario. On the other hand, almost no risk reduction is achieved by simply watching indicators with no idea what they mean, and with no capacity to respond to them effectively.
Effective monitoring can exist beneficially without the other elements of risk management, or may be undertaken as a treatment adopted through explicit management of risk.
Risk management is (not) calculating the ‘expected’ loss or gain.
For those unfamiliar with the term, the ‘expected’ loss or gain is the total of each possible loss/gain level multiplied by the probability of that figure being realised. If I am offered a bet that has a 25% chance of gaining me $100 and a 75% chance of losing me $10, I am faced with an expected gain of (25% x $100) + (75% x -$10) = $25.00 – $17.50 = +$7.50. If I were to take the bet many times, I would on average win $7.50 per bet taken. That $7.50 is the ‘expected’ gain or the [mathematical] ‘expectation’ of each bet instance.
‘Expected’ losses and gains have their uses, especially in highly repetitive situations. The method of expected is more or less valid if all the potential outcomes can be proportionally valued, including the long-term outcomes. The outcome values must include very high negative values for disastrous long-term outcomes that would represent personal or organisational death. The result of using ‘expected value’ will be invalid if critical outcomes are not adequately valued.
There are two important problems with the use of ‘expected value’ in risk management:
Previous article for Everyone
Main article on What is Risk Management?