What exactly is Risk Management?
To many people, the term "Risk Management" is a bit daunting and instills in the mind images of high risk, life threatening dangerous health and safety scenarios at one extreme, and at the other is the picture of the stressed out stockbroker shouting over all his colleagues trying to make the killer sale at the exact profit-generating moment.
Risk management is actually a fundamental part of our every day lives whether it be in our personal or business affairs. We are constantly doing it, even if we don't recognise that we are. We are frequently checking our activities and assessing - how do I make the most out what i'm doing right now, and how best can I prevent something negative coming out the situation? The former is more likely - as humans we are naturally quite ambitious, optimistic and positive. We are always trying to make the most out of our lives to ultimately promote our well being and happiness. That's all well and good - but in risk management you have to pay as much attention to the potential negatives as much as you do the positives.
Indeed, in risk management, we are concerned with weighing up outcomes by balancing the probabilities of negatives and positives to maxmise gain and minimise loss.
Risk as defined by International Standard ISO 31000 is the
effect of uncertainty on objectives, which in simplistic terms means we want to make the most out of the potential positives of something whilst limiting the potential negatives.
So how do you go about calculating risk?
Risk assessment in, numeric terms is fairly straightforward. If you think about any event there are two fundamental factors:
1) What is the probability of this event occurring?
2) What is the impact this event will have on what I am doing?
It is actually as simple as that:
Risk = Probability(p) x Impact(i)
(This is the simplistic overarching formula for calculating a risk value where p is 0 - 1 and i is 0 - infinity. Your impact values are all relative to each other and dictated by your specific operations/context. Importantly, p and i, in most cases require thorough calculation themselves in order to be accurate e.g. historical data of how often a piece of equipment fails. For the purposes of this post however, this formula suffices.)
Although simple, this formula is actually quite useful for the risk manager. If you carry out that calculation on tens, hundreds, thousands or even millions of events, and then align the results side by side, you can clearly see the highest risks versus the lowest risks: this is termed "risk prioritisation" and is essential for any effective risk management plan as it allows you to work out which risks require the most control, management, or resources throwing at them.
OK, i've identified and prioritised all my risks, now what?
This part is largely down to you. One person or organisation may interpret the risk values (from the formula above) differently to the next. e.g. a risk value of 5 might be high to you but low to someone else: it is entirely based on the context. In fact, the industry term is Tolerability Of Risk (TOR)
. TOR does exactly what it says on the tin: how tolerable are you to different levels of quantified risk? You have to set thresholds to decide at which level of risk you are happy with. Indeed, what you do is decide whether to accept, minimise or eliminate
the risk altogether. (You can actually also transfer the risk to someone else but that is outside the scope of this short blog post). E.g. you may accept the risk if the risk event value is low e.g. someone might chip a nail, you will likely want to minimise the risk of falling for someone working up a ladder, and will want to eliminate a risk entirely if there is a high chance of death. Only after carrying out a full TOR exercise can you begin the next step.
Right, i've done my TOR exercise and decided which risks need some attention, now what?
You are almost there in your risk management plan. The next step is to decide what resources are required to reduce or eliminate the risks you have identified in your TOR exercise. This is a fundamental part of risk management and is termed Risk Control. Controls are "things" put in place to reduce a risk i.e. they can either reduce the probability of an event happening or equally, they can reduce the impact of the event if it was to happen. The reason I said "things" is because a risk control can be anything at all put in place to reduce risk and can range from physical barriers and equipment, to training and man management.
Are risk controls quantifiable?The answer is yes, they are, and this is an important point when you put controls in place. There is no point putting a control in if it is ineffective (i.e. it won't reduce the probability or impact enough to satisfy your TOR). Take a man working up a ladder. Clearly if he falls, the impact is high - this is a high risk event. An ineffective control would be a sign at the bottom saying "Be careful - it's high up there!" as this will not reduce the impact of a fall and only marginally reduce the probability by making the worker more aware. Indeed, a much more effective control would be the provision of a harness and other PPE as well as the sign. Here you are reducing probability as well as impact. So, in terms of risk controls, the more the merrier, but only if they are effective high quality and reliable - all these can be quantified (control effectiveness, control reliability, control failure on demand, control risk reduction power) but that is outside the scope of this post. Well, when I say "the more the merrier", this is only true to a certain extent. There is no point spending hundreds of thousands of pounds on risk controls designed to stop a fire in a building worth tens of thousands. After the addition of each control you must decide whether you have reduced the risk to As Low As Reasonably Practicable (ALARP) - in fact this ALARP region is quantified and is part of your TOR. ALARP dictates the point at which you need to reduce the risk, but only to a point where the amount of risk controls put in place is not grossly disproportionate to the amount they reduce the overall risk by. Monitoring and regular review of controls is also essential however I won't discuss this here.
The importance of risk communication
There is no point having a risk management plan unless it is clearly understandable and accessible by all relevant people. After all, risk management is about managing people and their activities as much as it is about controlling equipment, infrastructure and processes. Different parties have different needs when it comes to risk communication. E.g. board members may be only interested in the overall operational risk of large sections of the business, whereas personnel on the "shop floor" may only be concerned with the risks posed to them during their day to day activities on specific tasks. It is entirely up to you how you communicate your risk management plan throughout your organisation but if you stick to the principle that clear, concise contextual communication counts
you will not go far wrong.
In summary, if you want to efficiently and effectively maximise gain whilst minimising loss in your organisation, you must take a structured approach to risk management by using quantifiable techniques to assess and control risks and importantly, make all relevant stakeholders aware of your risk management plan through clear and concise risk communication.
Topics discussed in this post: risk assessment, risk prioritisation, tolerability of risk (TOR), risk control, as low as reasonably practicable (ALARP), and risk communication.