How we frame risk
Well hello and welcome to this session.
One of the things that I’ve been tossing around, and I’ve discussed this in blogs previously, is how we actually frame a risk and I’ve talked about risks being events. Well one of the things that I have noted is that when it comes to putting together risk statements, often organisations will put a cause and a consequence as well as the risk all into one statement.
I’ll give you an example of a couple ones that come to mind. Significant delays in retrieving records due to current tools for data storage and retrieval practices may leave the department unable to adequately respond to freedom of information requests. Now, I’m not even sure what that’s saying but another one a department may not have a business process in place to adequately manage the programs which may lead to weakened results.
Now given what I’ve talked about on other blogs, I wouldn’t even see those as risk statements. However what we’ve got there is we’re trying to put a cause and event and a consequence into one risk statement. The problem with that is, I see it is there is no such thing as a one cause event nor is there what any such thing as a one consequence event. If you identify an event, a risk, you will find that there are a range of causes and I’ve talked about this before that it’s a system breakdown.
There are multiple causes and even if we have a risk which results in injury or death do somebody there are other consequences such as negative impact on reputation, we might have issues with the regulators, we might have legal action taking against us.
So there is no such thing as a one cause event or one consequence event. If we put our statements together such that we’ve identified a cause and a consequence in with the risk, what we’re doing is actually limiting our ability to treat that risk properly because we haven’t identified all of the causes. We haven’t identified all of the consequences and it’s only through identifying all of the causes that you can truly start to identify whether you have adequate controls already in place or whether we need to put additional treatments in place.
When you look at your risk statements, identify what the event is but then go though and list all of the causes, all of the consequences, the controls and their effectiveness and this is when you have an adequate statement or a statement able to be treated effectively or managed effectively.
So that’s all for this session and hopefully those of you who haven’t already done so could download my e-book. It’s got some information in there on that particular topic. So as always, let’s be careful out there.