Putting Risk in its Place


Hmmmm. Just looking at that word ‘risk’ gets me a bit scared. It’s silly really. There are tiny risks, infinitesimally unlikely risks, funny risks and risks so intriguing that whole science fiction series have been spawned on them. There is the risk that the very word has literally bored you to death and you will never come back to read another blog post ever again.

But there is the flip side of the coin too. Those risks that are massive, imminent, unforeseen, insurmountable and not quite unbelievable.

Risks – in themselves a concept of fiction – get an awful lot of money, energy and thought put into them. And maybe that’s why they can be scary. Because you can spend all your time, money and effort combatting ‘risks’ and still miss a risk that eventuates and undoes everything. And yet you can also spend a whole lot of resources on addressing risks that at the end of the day would never have eventuated and lose focus on what you are trying to achieve. It is all a matter of balance!

I mentioned in a recent post that I hadn’t worked out where risks belong in a process management framework, but I realized that ignoring them is like ignoring the dragon in the room. So today we are going to deal with them once and for all. To put them in their right place, manage them good and proper and shrink their management down to an appropriate part of everyday business instead of leaving it as such a frightening beast.

We’ll start today by looking at how I would apply the commonly accepted risk management standard used within Australia and New Zealand – AS/NZS ISO 31000:2009. It is a standard that can apply universally, regardless of industry, and seems to be commonly accepted by both the private and public sectors. It defines risk as the “effect of uncertainty on objectives” (see the reference in the end note, although this was apparently a quote from the standard itself). Interestingly this covers both positive and negative effects, but I think it is enough just to think about the negative side of risk for today, more specifically coined “threats”. There is just so much one can think through in a single sitting!

I think the process that (my understanding of) the standard sets out for undertaking a risk assessment is useful. Here is my take on the most important of the high level steps for managing risk:

1. Establish the context – this is about setting up the framework around how you will assess risks in your particular situation. You can really think about this as project planning as it includes identifying the purpose, scope and criteria for the risk assessment. Where this risk assessment is going to happen multiple times I would prefer this to be about setting up the ongoing procedure.

2. Identify the risks – it’s pretty self-explanatory what this is about. Framing risks seems to be an art form in itself though with potentially many statements about “there is the potential that…”. What can be tricky is identifying what is a real risk and what is just fantasy, framing all the risks consistently, getting full coverage and reflecting in the description what causes the risk where there are multiple factors at play.

3. Analyse the risks – this is usually done through a rating of likelihood, impact and overall risk. The ‘establish the context’ stage is important because this is where the criteria for the ratings are set. Do you call a risk highly likely if it occurs once a week, once a year or once in every 5 thousand products manufactured? This will depend on the business you are in. Similarly, do you call the impact of a risk high at a cost of $1000 or at the loss of human life?

At this stage, according to the standard, you would also identify what control or prevention measures are already in place and rate those same risks given the existence of the measures. This enables you to go on to the fourth step of treating the risks based on an accurate picture of what the current risk is, rather than a hysterical one which doesn’t reflect the effect of the safeguards in place and wants to duplicate these same safeguards.

4. Evaluate the risks – The ‘establish the context’ stage also gives you the opportunity to decide objectively what level of overall risk is acceptable – with or without treatment – or not. If you have managed to do this upfront it makes the evaluation part of the risk assessment very easy. Based on the ratings you have given the risk it should be very black and white whether you don’t actually mind if a risk eventuates (so infrequent or insignificant to worry about), if a risk needs (further) treatment (regardless of what the final treatment measure may be) or if you need to abort all plans that may in any way trigger the risk. The ultimate determination of whether each risk needs to be treated gets made at this stage though.

5. Treat the risks – I think this is the most fun bit if you ever get there! This is where you devise your cunning tactics for addressing those risks that your assessment has told you need sorting. It may be that you have picked up some suggestions as you went through the other stages of the risk assessment, it may be that you need to talk to your stakeholders or run some workshops, it may be that there is a very clear, logical and/or industry standard measure for treating such a risk… However you get there, this is the stage that you say: “Right – you there, risk, hey you. We’re going to deal with you like THIS.”

6. Develop a risk treatment plan and implement – here you tie all the risk treatment measures together. This can be a pretty fun stage if you like a bit of analysis and project planning. Here is when you take that portfolio of risk treatment measures, map them against each other so that you can throw out any duplicates and align them so as to be as efficient as possible, and then plan how to put them in place. And then you implement. The reference (see end note) I was using as my guide for the standard did not include this step, so maybe this is one of my own creation – but obviously it is a step that you need to go to.
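The six steps above can be walked through on a small risk register, which makes it clear how the criteria fixed in step 1 drive the decisions in step 4 and how existing controls change the picture in step 3. The Python below is an added example for this post, not anything from the standard or the Victorian framework: the likelihood and impact scales, the score bands, the acceptance criteria, the three security risks and the amount by which each control reduces a rating are all invented for illustration.

```python
"""Constructed example: a tiny risk register that walks the six steps.

Scales, bands, risks and control effects are invented for illustration
(assumptions); they are not taken from AS/NZS ISO 31000:2009.
"""
from dataclasses import dataclass, field

# Step 1 - establish the context. Rating scales and acceptance criteria are
# agreed up front so that evaluation later is mechanical, not argued.
LIKELIHOOD = {1: "rare (less than once in 10 years)", 2: "unlikely (once in 10 years)",
              3: "possible (once a year)", 4: "likely (once a quarter)",
              5: "almost certain (monthly or more)"}
IMPACT = {1: "negligible (under $1k)", 2: "minor (under $10k)",
          3: "moderate (under $100k)", 4: "major (under $1M or regulatory action)",
          5: "severe (over $1M or loss of life)"}


def band(score: int) -> str:
    """Map a likelihood x impact score (1..25) onto a named risk level."""
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


ACCEPTABLE = {"low", "medium"}  # accept as-is, no (further) treatment needed
ABORT = "extreme"               # still extreme after treatment: abort the activity


@dataclass
class Control:
    """A safeguard, existing or proposed, and how much it lowers each rating."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    statement: str                      # step 2: "there is the potential that ..."
    cause: str
    likelihood: int                     # inherent rating, before any controls
    impact: int
    existing: list[Control] = field(default_factory=list)
    proposed: list[Control] = field(default_factory=list)

    def rate(self, controls: list[Control]) -> int:
        """Step 3: score the risk given a set of controls (ratings floor at 1)."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in controls))
        return lik * imp

    def inherent(self) -> int:
        return self.rate([])

    def current(self) -> int:           # the "accurate picture" with safeguards counted
        return self.rate(self.existing)

    def treated(self) -> int:           # step 5: what the proposed treatment would achieve
        return self.rate(self.existing + self.proposed)


def evaluate(risk: Risk) -> str:
    """Step 4: accept / treat / avoid, decided purely from the context's criteria."""
    if band(risk.current()) in ACCEPTABLE:
        return "accept"
    if band(risk.treated()) == ABORT:
        return "avoid"
    return "treat"


def treatment_plan(risks: list[Risk]) -> dict[str, list[str]]:
    """Step 6: gather proposed measures across risks, merging duplicates."""
    plan: dict[str, list[str]] = {}
    for r in risks:
        if evaluate(r) == "treat":
            for c in r.proposed:
                plan.setdefault(c.name, []).append(r.statement)
    return plan


# Constructed sample register (assumed values, chosen to exercise each outcome).
MFA = Control("multi-factor authentication on remote access", likelihood_reduction=2)
PATCHING = Control("monthly patch cycle for internet-facing hosts", likelihood_reduction=1)
BACKUPS = Control("offline, tested backups", impact_reduction=2)
REGISTER = [
    Risk("staff credentials are phished and used to log in remotely", "email-borne phishing",
         likelihood=5, impact=4,
         existing=[Control("annual awareness training", likelihood_reduction=1)], proposed=[MFA]),
    Risk("ransomware encrypts the file servers", "unpatched remote service",
         likelihood=4, impact=5, existing=[PATCHING], proposed=[MFA, BACKUPS]),
    Risk("a visitor reads a whiteboard in the meeting room", "open office",
         likelihood=3, impact=1),
    Risk("a new product line runs on an unsupported legacy OS", "vendor end of life",
         likelihood=5, impact=5, proposed=[Control("network segmentation", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{band(r.inherent()):8} -> {band(r.current()):8} -> {evaluate(r):6}  {r.statement}")
    for measure, covers in treatment_plan(REGISTER).items():
        print(f"PLAN: {measure} (addresses {len(covers)} risk(s))")
```

Running it shows the phishing and ransomware risks both come out as "treat", the whiteboard risk is accepted without any treatment because it already sits in the acceptable band, and the legacy OS risk is flagged "avoid" because even the proposed measure leaves it extreme. The treatment plan lists multi-factor authentication once although two risks proposed it, which is the de-duplication step 6 describes.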

These are very high level steps that probably make it look simpler than it often will be. For example, depending on the complexity of the area you are working in, the assessment of risks can be a huge task. Just framing the risks in an unambiguous and consistent way, let alone collecting the data required to assess them, can be huge. But that should not put you off – not if the risks you are dealing with can cost lives, big bucks, an environmental catastrophe or other dramatic outcomes.

I should probably also note that I have omitted a couple of steps included in the standard which I make no apologies for. Communication, and monitoring and review, should be embedded within pretty much every process, and risk management is no exception.

I see one of the biggest challenges in risk management is in how you draw the line and say yes we address this and no we don’t address this one (or even do we go ahead with this at all). To do this – even in terms of the ‘establish the context’ step – I think it is worth taking a step back and taking a system view of your organisation’s activities and getting some perspective on where risk management really fits. This is so that you can really put the particular activity or event you are assessing into perspective.

How do you incorporate risk management into the running of your organisation? I see there will generally be three main ways.

Firstly, through risk assessment processes. This is about defining the standard (such as AS/NZS ISO 31000:2009) by which risk assessments are carried out as part of project management or prior to undertaking other processes. This is most easily done by creating a standard operating procedure (possibly quite high level) for how risk assessments are carried out within your organisation.

Secondly, by connecting the dots between all your core business activities and ensuring that the relevant activities link to or divert from these risk assessment procedures. Where a full risk assessment has already been undertaken early on in a chain of procedures, you may also need a ‘review risk assessment’ procedure.

Then thirdly, by ensuring that all the risks which the decision maker/s have decided to address ARE addressed, and in accordance with the decided risk mitigation measures. It is important to realise that many of these measures are not (or should not be) one-off measures that are undertaken or constructed. They will often be ongoing measures that need to be built into the organisation’s procedures, whether as procedures in their own right or as steps in existing procedures. Where possible, the risk management measures need to be proceduralised.

So maybe that context does help in completing a risk assessment. It is good to know that an initial risk assessment for an activity that goes ahead is not the be-all and end-all and that the risk assessment will be reviewed on a regular basis. It is also helpful to know how the risk mitigation measures will be built into your organisation on an ongoing basis (and what additional costs or resources may be associated with that).

However, the other matter to help provide context is to – as always – go back to the depiction of all your organisation’s activities, ideally set out in a value chain style. This should help to determine whether the activity which is the subject of your risk assessment is so pivotal that it is worth pursuing at all costs (including putting measures in place to address all the main risks). Or whether the activity adds so little value that it is not worth accepting any risks or bearing the costs of addressing the risks at all.

Hmmm risks don’t sound so scary to me now!

What do you think?

How does your organisation assess and address risks? Do risks freak you out? And how much of this post relates to positive risks (opportunities)?

Key reference: Victorian Government, ‘Victorian Government Risk Management Framework’ (Mar. 2011), URL: http://www.dtf.vic.gov.au/files/d8012780-85db-4411-a918-a1cd00b55f20/Vic-Gov-Risk-Management-Framework-April2011.pdf as accessed 13 January 2014.

Disclaimer: Please don’t take any of this as fact. I have not read the AS / NZS ISO 31000:2009, but have read the above reference and, over the last few years, several other frameworks and documents based upon this standard (which I cannot get my hands on at the moment and only have fuzzy recollections of). This blog post only presents my perspective on how to undertake a risk assessment and risk management generally based on this combination of sources – if you are really interested I suggest you go to the standard itself 🙂

