Enterprise Compliance Today

Demystifying Risk – Life vs Death

Posted by Greg Carroll on Sat, Jun 25, 2016 @ 07:22 AM

Risk management is suffering from too much consultant-speak – mystifying what is a standard business practice. When inducting new staff in the concepts of risk management, I use the most obvious analogy which clarifies the issues simply: that of our own mortality.

 

demystifying-risk

Risk of death is affected by the state of your health, lifestyle choices, environmental factors and what happens around us..

paperbackfront

FastTrack Risk Management Data Sheet
How Fast Track provides risk management integrated as part of the day-to-day operational management method of work and decision making.

Risk Identification

Do we worry about being hit by lightning? No, but we don’t go playing golf in a thunderstorm (most don’t anyway). We do have insurance though, in case that once-in-a-lifetime (black swan) event occurs. So, every day we easily identify what is worthy of noting, managing, or avoiding. It’s not much of an extension to apply those same principles to what we do at work. The main need is to take the time to do it.

 

Risk Assessment

The irrelevance of the Risk Matrix and Heat Maps.

How would you feel if you had a risk of dying that is “3” or colour-coded yellow? Your risk of death is neither finite nor static, so allocating a value or mapping it onto a heat map does nothing to aid in your understanding or treatment of the risk. So why would it be any different in business? Most people know they should eat better, exercise more often, drive slower, and not play golf in a thunderstorm. Think, when have you changed your lifestyle?

 

Risk Drivers & Influences

Risk of death is affected by the state of your health, lifestyle choices, environmental factors and what happens around us. Once we decide to do something about our risk, we start by identifying the key things that result in risk, be it cholesterol, anxiety, where we live, etc. These are the risk drivers and we monitor their effect on us (Key Risk Indicators or KRIs). This is the first step in managing risk. To understand these drivers, we then look at what (Risk Influences) causes them to move up or down, and by monitoring or working on those influences – be it fat intake, stress, or political action – we move to prevention.

 

Mitigation vs Hierarchy of Controls

Controls are what we put in place to protect against the threat where mitigation is minimising the effect/impact. So controls are about prevention, and mitigation about reaction. To prevent getting hurt we remove the threat, put safeguards in place, or wear protective clothing. Obviously it’s better to removing the threat than just protecting yourself, so we arrange the possible options in order of benefit (Hierarchy of Controls) and then select the most cost practical required (applying controls).

This highlights the problem with most ‘traditional’ risk management systems. Do you wear a helmet to drive a car? What about on a race track or in a mine? It’s not risk you manage – it’s the event! 

 This highlights the problem with most ‘traditional’ risk management systems. Do you wear a helmet to drive a car?  What about on a race track or in a mine?  It’s not risk you manage – it’s the event! 

 

Risk Events & Incident Management

How many so-called risk management systems even manage risk events? Look at your Risk Register. Does it register possible events or just static impacts? The risk of a car accident has many contributing factors from where, when, how, who, etc, etc. The Risk Events Register should cover multiple scenarios, with appropriate controls for each, and methods of identifying which are applicable. You then have pro-active risk management. As the old adage goes: “If you can’t measure it, you can’t control it.” Recording incidents in concert with risk events enables a true closed feedback loop to ensure your risk management continues to evolve.

 

Scenario Analysis & Aggregation

Finally, if you want to have a risk management system that adds value to the business – not just an overhead – it needs to be a tool for better and faster decision-making. This means going further than risk registers and heat maps to providing operational management with insight and options. By adding contributing factors to your risk events, and using Neural Networking technique, you can quickly identify the current possible outcomes. Using Bayesian mathematics (add-in to Excel), you can easily see the compound effects (risk aggregation) of these current possible outcomes and identify the most vulnerable parts and areas of your business.

 

Summary

Like getting fit, having a destination goal is a strong motivator. Perhaps Scenario Analysis and Aggregation are beyond your present capabilities. Knowing what’s available once you have mastered the other principles can motivate you to adopt this more proactive approach to risk management.

 

Resources

ERM-PULLSHEET-HERO-448X336.png  reduce non-compliance  reduce compliance costs
Risk Management Data Sheet
How Fast Track provides true ERM
Demo Videos
See recorded webinar on 21st century Risk Management
Product Guide
Technical specifications, pricing, and more.

Tags: corporate governance, risk management