How to derive risk treatments for a particular risk

Well hello and welcome to this session.

What we’re going to talk about is how we actually derive risk treatments for a particular risk. Now, one of the things I see in risk plans all over the place is: all high-end risks ought to be treated unless it is not cost-effective to do so, medium risks may not be treated, and lows we will just park and keep monitoring and reviewing.

But what we need to understand is that not every risk has to have a treatment allocated to it. What we should actually be doing is asking a series of questions once we have identified the risk.

Now the first question that we ask is: can I avoid the risk altogether by not undertaking the activity, and therefore, obviously, avoid the likelihood of having those consequences? Now the reality is that there are very, very few activities you can simply stop doing, particularly in a bureaucracy or government department, whether it be local government, state government, or even a company.

The reality is that it’s not very often that you’ve got the ability to avoid that risk by not doing the activity.

The next question that I like to ask is: Can I reduce the likelihood of the risk occurring by strengthening or ensuring the effectiveness of the controls that I’ve currently got in place?

Now what you will find if you go to coronial inquiries and court cases and audits and so forth is that when something happens, it is very rarely because of an absence of controls. More often than not, it is actually because there were controls in place and they failed. So when we’re doing our risk analysis and assessing the likelihood of that particular risk, we ask ourselves how effective our current controls are.

So the question I have is: why would you go and put more treatments in place, when what we should do in the first place is strengthen the control environment that we’ve already got?

Now if you have identified those controls and measured their effectiveness, and you still think that the risk is above your target level for risk, then you can ask yourself the question: can I reduce the risk, or the likelihood of the risk, by adding more treatments? Now as I’ve said, we really need to be more careful about adding more treatments, because ultimately they become additional controls that you have to put resources against and that you have to measure the effectiveness of. The difficulty with that is that we might then get into a situation where we’re over-controlled and we add bureaucracy, which actually stifles innovation.

So first and foremost, can I avoid it? And secondly, can I reduce the likelihood by strengthening the controls? Or can I reduce the likelihood by adding new treatments if needed?

The fourth question we ask is: can I actually reduce the consequence if that event does occur? And we could do that through strategies such as a business continuity plan, a disaster recovery plan, insurance and the like. But of course what we need to focus on first is trying to stop the event happening in the first place.

If we are enacting a business continuity plan or disaster recovery plan, that means that the event has already occurred and we’re starting to see those consequences. Obviously, as an organisation, we want to try and avoid that as much as possible.

The reality is that we should focus a lot more on the likelihood, and focus on those current controls first. I actually like to do it as a step process. The first thing is to make sure that our control environment is effective and that we can demonstrate its effectiveness, not just sit in a workshop and say “well yep, that control’s effective because nothing’s happened”.

I think I’ve said this before: an absence of incidents does not mean that your control is effective. Often it means that you’ve just been lucky.

So, can I strengthen the control environment? Do that first, and then, after you have brought it up to an acceptable level of effectiveness, maybe consider looking to see if the risk needs to be brought down any further, and only then think about treatments.

You don’t have to go into a workshop one day and come out on that same day with a whole list of treatments. I think, as a whole, we are trying to do risk management too quickly. A lot of these risks are very, very complex, and they require you to identify not only the controls you’ve got in place and their effectiveness, but also the stakeholders involved and what their expectations are, and to start to understand how that risk is going to be managed as a system.
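As an added illustration, not the speaker's own tool or method, the following Python walks a small constructed risk register through the questions in the order the session describes: is the risk already within target, can it be avoided, can existing controls be strengthened, is a new treatment justified, or must the consequence be reduced. The 1-5 likelihood and consequence scales, the multiplicative residual-likelihood formula, the target scores and every register entry are assumptions made for the example. One deliberate design choice encodes the session's point about luck: a control whose effectiveness has never been measured earns no credit until it is demonstrated.

```python
"""Risk-treatment decision helper.  Added, illustrative code, not the speaker's
own method or tool.  The 1-5 scales, the residual-likelihood formula, the target
scores and the sample register are all assumptions constructed for this example."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Control:
    name: str
    claimed_effectiveness: float                    # fraction of likelihood it should remove (0..1)
    measured_effectiveness: Optional[float] = None  # None: never demonstrated

    def credited(self) -> float:
        # A control whose effectiveness has never been measured earns no credit:
        # "nothing has happened" is luck, not evidence.
        return 0.0 if self.measured_effectiveness is None else self.measured_effectiveness


@dataclass
class Risk:
    name: str
    inherent_likelihood: int        # 1 (rare) .. 5 (almost certain), assumed scale
    consequence: int                # 1 (negligible) .. 5 (severe), assumed scale
    controls: List[Control]
    target_score: int = 6           # acceptable residual likelihood * consequence (assumed)
    avoidable: bool = False         # could the activity itself be dropped?


def residual_likelihood(inherent: int, reductions: List[float]) -> int:
    """Combine independent controls multiplicatively; the scale never drops below 1."""
    remaining = 1.0
    for r in reductions:
        remaining *= 1.0 - r
    return max(1, math.ceil(inherent * remaining))


def recommend(risk: Risk) -> dict:
    """Ask the questions in order; return the first answer that reaches target."""
    current = residual_likelihood(risk.inherent_likelihood, [c.credited() for c in risk.controls])
    out = {"risk": risk.name, "current_score": current * risk.consequence, "notes": []}

    if out["current_score"] <= risk.target_score:     # not every risk needs a treatment
        out["decision"] = "accept_and_monitor"
        return out
    if risk.avoidable:                                  # Q1: avoid the activity altogether
        out["decision"] = "avoid"
        return out

    # Q2: strengthen what is already there by demonstrating (or restoring) claimed effectiveness
    unproven = [c.name for c in risk.controls if c.credited() < c.claimed_effectiveness]
    strengthened = residual_likelihood(risk.inherent_likelihood,
                                       [c.claimed_effectiveness for c in risk.controls])
    if unproven and strengthened * risk.consequence <= risk.target_score:
        out["decision"] = "strengthen_controls"
        out["notes"].append("demonstrate or restore: " + ", ".join(unproven))
        return out

    # Q3: likelihood can still come down, so a new treatment (which then becomes
    # one more control to resource and measure) is justified
    if strengthened > 1:
        out["decision"] = "add_treatment"
        out["notes"].append(f"likelihood still {strengthened} after strengthening")
        return out

    # Q4: likelihood is as low as the scale allows; work on consequence (BCP, DR, insurance)
    out["decision"] = "reduce_consequence"
    return out


# Constructed sample register (all values are illustrative assumptions)
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing web server", 4, 3,
         [Control("monthly patching", 0.7, 0.7), Control("web application firewall", 0.5, 0.5)]),
    Risk("Phishing-led credential compromise", 5, 4,
         [Control("MFA on all remote access", 0.9, None),      # enforced, never verified
          Control("awareness training", 0.3, 0.3)]),
    Risk("Ransomware via third-party remote access", 4, 5,
         [Control("quarterly credential rotation", 0.3, 0.3)]),
    Risk("Data-centre power loss", 2, 5,
         [Control("UPS and generator, tested", 0.9, 0.9)], target_score=4),
    Risk("Storing card numbers in a legacy app", 4, 5, [], avoidable=True),
]


def evaluate_register(register=SAMPLE_REGISTER) -> Dict[str, str]:
    """Map each risk to its recommended treatment path."""
    return {r.name: recommend(r)["decision"] for r in register}


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(recommend(r))
```

Running it shows the five outcomes side by side: the patched web server is already within target and gets no treatment, the phishing risk is brought within target simply by verifying the MFA control that was never measured, the third-party remote access risk still sits at likelihood 3 after strengthening and so justifies a new treatment, the power-loss risk cannot go lower on likelihood and so is handled on the consequence side, and the legacy card-number store is avoided by dropping the activity.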

Well that’s all I’ve got for this particular topic. As always, let’s be careful out there.

