When do the consequences follow from a risk event?

  • The standard view: Consequences follow at the end of the risk scenario
  • Another view: Consequences follow at the end of the planning period
  • Consequence scales in each view
  • Other ways that the view matters
  • Conclusion
  • Question for experts

Something unexpected happens. The immediate effects are alarming. There are also long-term effects. Which are the ‘consequences’ for risk assessment?

Example

Software testing was compromised to meet a critical system release date. Some system bugs got through to the production release. The bugs led to some service downtime and some lost customer orders. Sales are lost, and some customers are unhappy. Adverse media attention puts a dent in market share. The loss of market share lowers profits for some time. Two years later, profits below expectations lead to a fall in the share price. A lot of other things happened over the same two years, each with a separate effect on share price.

At what time in this sequence would you have rated ‘the consequence’?

The previous post asked how risk consequence types relate to enterprise success. This post asks when a risk consequence affects enterprise success. Like the last post, it was developed with generous help from Steve Daniels FMS, FIOR, FBCS, CITP. You can find Steve on LinkedIn. (Assumptions made in this post)

Two views of when consequences follow

Knowing when consequences follow from a risk is very important for rating the size and importance of the consequence.

You won’t often say clearly when the consequences follow from a risk event. The ‘when’ is usually implied or assumed. This article compares two common assumptions about when consequences follow.

In the standard view, consequences follow when the scenario has finished unfolding. That’s probably quite soon after the critical event, typically much less than a year later.

In the alternative view, the consequence is the difference made in the ‘end’, which practically means ‘at the end of the period being planned’. Exactly when that might be depends on the kind of planning you’re doing, which sets the context for risk assessment.

What difference does it make? As you saw in the example about system outages, the ‘consequences’ of an event can be very different in size and in kind over time. In that example, you wouldn’t get agreement to any straightforward ‘rating’ of that scenario without agreement on a time at which the rating scale is applied.

Clear and agreed ratings are always easier if you first clarify the time for rating. It’s very much easier if your organisation is already planning its activities on an annual cycle or to a three-year target. You then assess ‘consequences’ as the difference in the position reached at the end of that planning period.

The standard view: Consequences follow at the end of the risk scenario

The usual idea of consequence is the way in which the position has changed after the risk scenario has unfolded.

The ‘position’ refers to the organisation’s level of success or failure. Levels of success can be understood in multiple dimensions, typically resembling ‘finance’, ‘safety’, ‘reputation’ and so on.

Risk consequences are understood to have been reached at the end of the scenario.

This diagram shows the effect of an unexpected event in these terms. I’ll call it a time-achievement diagram. The blue line represents the planned success path, while the red line represents the actual path. An unexpected event causes the actual path to deviate from the planned path.

Time-achievement diagram with end-of-scenario consequences

The time-achievement diagram is taken (with gratitude) from the IRM’s explanation of Risk Appetite and Tolerance (2011). The IRM used it to explain risk appetite and tolerance, a topic I avoid in this post. Even without appetite and tolerance, the diagram itself led me to a new way of understanding risk consequences, if only through its poetic imprecision.

This type of diagram represents a single objective or a single dimension of success. In actual risk management, there will be multiple dimensions of success, with different measures. That will be very clear for enterprise or project risk management. In the case of a dimension best minimised, the planned success path would point downward rather than upward. Dimensions best minimised include costs and injuries. If the success measure were a period average (monthly sales) rather than something cumulative (sales to date), the planned success path might be flat.

The planning period starts now at t0 and ends at t1, when the organisation is either successful or not. The unplanned event occurs at tE. Some types of uncertainty, such as dubious assumptions, do not have a time of occurrence.

For ERM and strategic planning, it is probably best to understand different objectives as having different time scales. Those different time scales would be represented by different calendar dates for t1. For annual planning, the period t0 to t1 coincides with the planning year. The goals for a year always include a capability to repeat or expand success in the next year. To recognise that capability, there should be separate annual objectives representing expectations forward from the end of the year. On the graph that means from t1 into the next period.

‘Risk consequences’ are often first understood as numerical values, perhaps as money amounts lost or gained. Those numerical values might sometimes represent the vertical drop in the red actual path (indicated by the bracket ‘Level of consequence’). Positive effects would be represented by a vertical rise. After numbers are used to understand effect sizes, number ranges are typically used to make a scale of discrete consequence levels. Each consequence level represents a length range for the vertical drop or rise in the red line.

It is usually not clear when this gap is to be measured or estimated. The MineRight examples in HB 436 (Table C3) suggest that the gap is to be measured at the time the event has fully unfolded. These examples are an authoritative source for the standard view of when consequences follow from an event.

The different risk scenarios show that the magnitude, and even the direction of the gap, can depend on the time at which you measure it as the ‘consequence’.

All versions of the diagram explained (A3 PDF)

I’m guessing that you might justify your chosen consequence metric by saying that it predicts long-term success. The consequence metric puts a size on the real-world consequence that affects success.

Doing that links ‘risk’ to ‘objectives’, in line with the ISO concept of risk as the effect of uncertainty on objectives. However, saying the consequence ‘affects’ long-term success means that it is not itself that long-term success. The measure of consequence is not a measure of long-term success.

The actual effect of the event’s designated ‘consequence’ on long-term success is an area of further uncertainty. You have not mapped that region of uncertainty in your risk assessment process.

There are some understandable reasons to avoid direct measures of long-term success. One reason is that there are other factors that also influence long-term success. In this way uncertain ‘risk’ events have an effect on objectives (ISO 31000). The ‘other factors’ also have effects on objectives. Those other factors may be outside your boundaries for ‘risk management’. If they are predictable, that’s fair enough. If they are not predictable, they belong inside risk management.

Another view: Consequences follow at the end of the planning period

Another idea of consequence is the success or failure level that will be reached at the end of the planning period, if reality matches the risk scenario.

The ‘planning period’ ends when the organisation has achieved planned success, it has exceeded success, or it has failed to a lesser or greater degree. The planning period might be a year, five years, or the duration of a change project.

The position at the end of the planning period captures the total achievements of that period of activity.

In this interpretation we can say the consequences follow from an event at the end of the planning period. The risk consequence is the level of success or failure that will have been reached when that day comes. In the diagrams, that time is t1.

For example, a relatively high consequence for a risk might be a permanently reduced scope of operations at the end of the planning period, when the preferred end-point would have been to expand.

That kind of difference isn’t a number. It’s the difference between two possible worlds. The importance of that difference can be given a number. That number won’t tell the story. It’s the story that will drive decisions.

This idea of consequence differs from the conventional end-of-scenario idea in two ways:

  • Consequence is always assessed at the end of the planning period, regardless of when the risk scenario begins or ends.
  • The size of the consequence is not an incremental deviation from the planned success path. It is the absolute level of success or failure to which the scenario path leads.

This time-achievement diagram is re-engineered to show the alternative understanding of risk consequence as the success level reached at the end of the period.

Time-achievement diagram with end-of-period consequences

All versions of the diagram explained (A3 PDF)

The degrees of success and failure at t1 form the risk consequence scale. This scale is also the scale for the vertical axis of the graph. The degrees of success and failure at t1 must incorporate prospects looking forward, not only the known situation at t1. It is helpful to roll future prospects into separate objectives. In the Clear Lines risk process for annual planning, those separate objectives are called ‘capability’ objectives.

Not all single risk events will determine the level of success at the end of the period. That level of success may depend upon many factors. It may depend on the cumulative effect of multiple risk events.

The primary resolution to this puzzle is to describe such ‘risks’ only in terms of the cumulative effect of multiple events, and not in terms of a single event occurrence.

For other types of risk, a single occurrence will directly determine the level of success achieved at the end. For those risks there is no puzzle to solve. This is clearly true for potentially devastating events, for permanent situation changes, and for potential ‘breakthroughs’.

Consequence scales in each view

I have three examples of a consequence scale for human safety. Each one is based on a different idea about when the consequence follows from an event. Underneath conceptual differences around risks, everybody cares about safety in a similar way, so these examples are good for comparison.

The first two examples assume that a consequence follows when a chain of foreseeable events has unfolded, in the end-of-scenario approach.

Example from Sobel & Reding, Figure 5.5

Objective: Safety

  • Insignificant: Minor injuries that result in no lost time.
  • Minor: Physical harm that may cause short-term absence from the workplace.
  • Moderate: Physical harm that may cause extended absence from the workplace.
  • Major: Life threatening injuries to employees, visitors, or innocent people in the community.
  • Catastrophic: Fatality(ies) of employees, visitors, or innocent people in the community.

In this example, the ‘safety’ objective is not explained beyond the contents of this scale.

The Sobel & Reding example has five levels of significance, with no zero level. This style of consequence scale is the most popular.

Sobel & Reding discusses the organisation’s idea of success in detail in Chapter 2. It does not connect that idea of success with the consequence measures suggested in Chapter 5 (Figure 5.5, from which this example comes).

MineRight example, from HB 436, Table C3

Objective: Safety (Achieve world class safety performance)

Levels run from least (1) to greatest (6).

  • 1: Minor injury or illness, first aid or medical treatment without job restrictions
  • 2: Recordable injuries or illnesses with up to one week of job restrictions or lost time
  • 3: Medium-term reversible disability to one or more persons, such as significant medical treatment, disabling or lost time injury
  • 4: Life threatening injuries to employees, visitors, or innocent people in the community.
  • 5: Extensive injuries/illnesses or irreversible disability or impairment to one or more persons
  • 6: More than one fatality from one event or significant irreversible effects on 10s of people

In this example the objective is stated as ‘Achieve world class safety performance’. It is labelled as the ‘People’ objective. The objective and the scale come from understanding the dimensions of success and failure applicable to the organisation.

The MineRight example labels consequence levels with numbers rather than adjectives. The numbers run from ‘least’ to ‘greatest’ instead of from ‘best’ to ‘worst’. There is a specific reason for that. On other success dimensions (besides ‘People’ safety), the numbers 1 through 6 refer simultaneously to both positive and negative consequences, with a magnitude represented by the number. That way of thinking is most interesting, and highly unusual. There is no numerical rating for a zero effect, representing achievements as planned.

The consequence descriptions from MineRight do not describe any permanent changes in the organisation. The extreme consequences at level 6 are supposed to result in permanent changes to the organisation. That point is made in the text of HB 436 at C2.3. In the suggested consequence scale, all consequences are described in terms of single events, which may or may not lead to permanent changes in the organisation. The permanent change itself is not represented within the consequence scale. In that way it is different from the end-of-period model for consequence measurement, illustrated below.

Government example of end-of-period consequences

This third example is for a hypothetical government agency, based on the idea that risk consequences are differences in the level of success at the end of a planning period. It comes from the Clear Lines article Consequences as Outcome Differences, Part 1 (on LinkedIn).

Objective: Health and Wellbeing (Avoid causing injury and disease)

Levels run from best achievement (1), through planned achievement, to worst achievement (5).

  • 1: Health and wellbeing outcomes have been clearly better than industry norms.
  • 2: Health and wellbeing impacts have been within desirable norms for the industry.
  • 3: There was a serious injury/illness, or multiple cases of lesser injuries/illnesses.
  • 4: There was a death or permanent disability, or multiple cases of serious injury/illness.
  • 5: There have been multiple cases of death or permanent disability.

This scale is used for enterprise risk management. It is not for thematic management of safety risk, in isolation from other risk categories. For that thematic kind of risk assessment, the consequence levels would be more specific about cumulative numbers and severities of injuries.

The objective ‘avoid causing injury and disease’ came from an explicit analysis of the dimensions of success and failure for the organisation. The specific success and failure outcomes across the table came from ‘drawing pictures’ of the best, worst, expected, and intermediate outcomes that the organisation could reach at the end of the planning period. The wording is in past tense because each description represents a view backward from the end of the planning period.

It is not easy to ‘convert’ one type of consequence scale into the other directly. One represents movements, and the movements may be quite small. The other represents places, which may be far apart. The ‘conversion’ will involve going back to context-setting, and probably extensive consultation.

It is possible, and probably a good idea, to create a scale for consequences as success and failure levels at the end of the period. You can do that even if risks have already been rated on a consequence scale based on incremental effects. You can rate each risk consequence in parallel on the new consequence scale representing the period success and failure level.

You might object that some events will have small and unpredictable effects on long-term achievements. You might say those events should be subject to risk management, with recognised consequences. The end-point approach would tend to trivialise those risks right out of the risk register, and out of risk management.

I agree with all of that. The fact remains that the importance of an event comes only from its effect on long-term achievements. If the long-term effect of a single event occurrence is too small, the end-point approach to consequences offers two paths to resolution.

1. Re-define the risk. You re-frame the existing risk description as multiple risks. Each of the new risks represents a different cumulative level of the event type. The total effects (consequences) of each cumulative level of the event type should be big enough to determine the achievement level at the end of the period. Each of the new cumulative risks has that achievement level as its consequence rating. These translations will not work neatly in all cases. The attempt will be informative, even if it doesn’t succeed.

2. Re-scope the risk assessment. More radically, you can re-set the context, to define the scope of the whole risk assessment on a small scale. In your small-scale risk assessment, the end-point is something much closer to the event. You also define a separate enterprise risk assessment. The enterprise risk assessment relates the small-scale end-point to the overall achievements of the organisation. Within the enterprise risk assessment, the small-scale end-point might be registered as a single risk (event), with enterprise-level consequences.

Other ways that the view matters

In the conventional end-of-scenario approach, you assume that the change in the organisation’s level of success at that time matches, or at least indicates, the difference made to the organisation’s achievements at the end of any planning period. Other unpredictable factors might also make a difference to the final achievements. Your risk management process does not predict directly the absolute level of success at the end of the planning period.

In that approach, the risk assessment process does not usually question the link from ‘risk consequence’ to the achievement level at the end of any period.

I recommend that you question this relationship, systematically, even if you don’t like the alternative proposal for an end-of-period approach. When questioning that relationship, you may find that there is not even a clear understanding of when each risk scenario has its final effect. If you aren’t clear about that, you certainly won’t be clear that the ‘final effect’ will match the success or failure level at the end of the planning period.

Both the end-of-scenario and end-of-period concepts of ‘consequence’ can work well, if appropriate care and checking are done within the chosen path. Appropriate care and checking would ensure that:

  1. The final consequences of the risk scenario are rated accurately, including the effects of any recovery, learning, or problem exacerbation resulting from the risk realisation.
  2. The rated consequence of the risk scenario is a fair and reliable predictor of permanent or long-term effect on the organisation’s level of success or failure.

It is possible to do that in the end-of-scenario approach to risk assessment, with unusual effort.

I haven’t seen any of those things happen in real life. The end-of-period approach includes all of these steps automatically.

Defining consequences as success and failure levels focuses the risk management effort on the long-term successes and failures that matter. The conventional end-of-scenario approach puts more attention on short term ups and downs. Those ups and downs may map the gradients of life’s emotional roller-coaster nicely. They are not necessarily what matters in the end.

You may be unable to predict the effect of uncertain events on longer-term success and failure. That is not a reason to ignore those events in risk management. It is a reason to expand ‘risk management’ to include the uncertainty of the link between event outcomes and organisation outcomes. There is a simple direct way to do that. Simply understand consequences as the levels of success and failure that will be reached at the key date in the future, if reality matches the risk scenario.

Practical differences between end-of-scenario and end-of-period approaches

Conclusion

There is a simple reason for using end-point success levels as consequences. The question ‘How important is that really?’ is always best answered by looking at the potential effect of the risk event when the enterprise has succeeded or failed. That point is shown as t1 in the diagrams.

You are effectively taking the end-of-period consequence approach if you describe all risk scenarios in terms of a complete path to the end of the period, and you rate all risks on that basis.

Rating consequences for effect at the end of the period also helps keep perceptions in perspective. If a risk scenario produces a sudden shock, but by the end of the year it will look like a small blip, you rate the consequence as a blip. Rating it as a shock, in whatever coding scale you use, is emotionally valid, but not really helpful for making decisions.

Understanding consequences as the ultimate level of success or failure has the further benefit of forecasting achievement levels, and reporting risk, all in one view. You simply assess the likelihood of each success and failure level being reached, taking all risk scenarios into account. That is your single view of forecast results and risk.

ISO 31000 does not directly recommend either the end-of-scenario or the end-of-period approach. Both ISO 31000 and COSO Enterprise Risk Management focus intently on ‘objectives’. By doing so they give strong implicit support for understanding consequences as following at the time the objective is or is not achieved.

Question for experts

Why would you prefer end-of-scenario ‘consequences’ to end-of-period ‘consequences’? Reply below.


Drill-down articles

Practical differences between end-of-scenario and end-of-period approaches

Assumptions

I assume that your consequence types aim to represent effects on organisation success. Organisation success always has more than one dimension. The dimensions of success include achievement of the organisation’s unique purpose, and other implied expectations around success or failure.

I know that the assumption is not actually true for most risk assessments. Most risk assessments use consequence types that are not linked to the unique purpose of the organisation. Neither are they linked to any other clear vision of success for the organisation. This question was discussed in the last post. In this post I nevertheless assume that we have answered that question, and that we are ready to tackle another one: When do risk events have their consequences?

I use the word ‘consequence’ in line with ISO 31000. Many risk assessments use the term ‘impact’ to mean the same thing. My objection to ‘impact’ is that it wrongly suggests something that is over in an instant.

Reference

Sobel, Paul and Reding, Kurt (2012) Enterprise risk management: achieving and sustaining success. Altamonte Springs, Florida: Institute of Internal Auditors Research Foundation (IIARF). This book is a major source for the CRMA Study Guide, available from the same IIARF bookstore.
