“Fluffy” Risk Treatments
Hello again, in this session what I want to talk about is risk treatments. In particular, what I want to talk about how we frame our treatments so that they are not, as I term it, “fluffy treatments.”
So we might have in our risk register as an example, that a cause of a particular event is poor communication or lack of compliance. And what I see in many risk registers is things like better communication or be more compliant.
Well they in, and of themselves, are not treatments. How do you actually put in place better communication? What does that mean? Who is responsible for it?
So when we actually do our treatments or frame our treatments what we want to try and focus on is looking at, can this treatment be put in place? Somebody understands what it is that they need to do and after it has been put in place, it becomes an ongoing control.
So if we look at this cause is lack of communication or poor communication, the treatment that we might come up with is develop and implement a communication program. So we actually see that treatment as having a start point and an end point, the development and then the implementation. After the implementation it becomes an ongoing current control. The problem as I see in many risk registers is that some of the treatments or a lot of the treatments they have next to them ongoing. Well if it’s ongoing it needs to be a current control, it can’t be a risk treatment.
Risk treatments always have an end point. That’s why we actually allocate resources to undertake the risk treatment, that’s why we should always give a time frame for the treatment. Ongoing is not a treatment or not part of the treatment life cycle, it has to have a start and an end point. So please I ask you, if you do have, or go back to your risk registers and if you do find that you have got some of these what I call “fluffy” treatments or treatments that you’ve got as ongoing, start to look at how you frame them. And as I said, develop and implement, conduct a study to and present the findings. Develop, implement and asses a training package in relation to the thing that’s going wrong.
All of those have a start point and an end point we can allocate a resource to them in terms of personnel, we can allocate resources in terms of financial resources and we can allocate a time frame to it.
Once we have put, let’s say that training package in place then it becomes one of our current controls where we put a control owner to that control and they are responsible for the ongoing maintenance of that training program.
Hopefully that makes sense to you that we need to have that start and that end point and that every treatment has a life cycle to it.
That’s all I got for this session, I look forward to seeing you again next time, and as always let’s be careful out there.