Risk Tip # 13 – “Rolling up” of Risks
I recently supplied consultancy support to an organisation that involved a review of their risk register. A not-so-quick scan showed they had 330 risks contained in the risk register. I was exhausted just at the thought of that number! Upon further analysis, though, it was clear why: there were a number of risks that appeared multiple times in the register, with one of them appearing, with the same wording, 25 times! What was also interesting was that those 25 risks had – you guessed it – 25 different owners!!!! The letters F-T-W came to mind, in a slightly different order!
I have already talked about risk ownership in a previous blog (see Risk Tip #7 – Risk Ownership), detailing how it is not possible to manage risks at the lower levels of an organisation due to the fact that the majority of the controls reside at the lower levels of the organisation.
In this blog, I will use the same risk examples, but in the context of ‘rolling risks’ up to the appropriate levels of an organisation.
What do I mean by ‘rolling up’ risks?
If you were to look at the range of risks in your risk register, I am sure for many of you, you would quickly be able to identify the same risk appearing multiple times. But how is it possible to manage those risks when they have multiple owners and the controls aren’t owned at those levels?
Let us take the example of a Council with the following organisational structure:
We will focus on the Aged and Disability Services Branch:
The In-Home Meal Delivery Section is not the only part of Community Support Programs Directorate where staff/volunteers provide services within clients’ homes. It is also not the only section within the Directorate where vehicles are used or where catering is provided.
To that end, we could roll up the risks to a Directorate level as shown below:
Why can we do this? The main reason is that for these risks, the majority of the causes and controls are the same. There may be causes and, therefore, controls that are unique to only some parts of Council – or even to just one part of Council, but that does not mean the risk is unique, and it does not mean it is a different risk. These unique aspects can be incorporated into the risk at the corporate level.
So, the rule of thumb that I use is as follows:
Some other examples are as follows:
- Rather than having the following risk for each piece of infrastructure, within a Council or similar: collapse or catastrophic failure of …, the following risk would be appropriate: collapse or catastrophic failure of infrastructure used by the public.
- Rather than having the following risk for each differing type of hazardous substance within an organisation: worker or member of the public exposed to …, the following risk would be appropriate: worker or member of the public exposed to toxic or hazardous substance.
- Rather than having the following risk for each platform on which a worker works at height: worker falls from roof/ladder, etc. …, the following risk would be appropriate: worker falls from height.
Taking an approach such as this:
- Considerably reduces the number of risks in the organisation’s risk register;
- Reduces duplication; and
- Allows the organisation to assign ownership at an appropriate level of authority and control.
See how much duplication your organisation has and see whether rolling up is possible.
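One way to quantify that duplication before deciding whether to roll up: group the register by normalised risk wording, count how many owners each group has, and merge each group into a single entry at the lowest organisational level that contains every contributing section. The script below is an added example and not part of the original post; the register rows, owner names, unit names and reporting lines are constructed for illustration. It goes slightly beyond the post by computing the common level from an explicit hierarchy; because the post's rule of thumb for choosing the owner is not reproduced here, the rolled-up entry leaves the owner unassigned and records the level at which one should be appointed.

```python
import re
from collections import defaultdict

# Constructed sample register (not from the blog; names and wording invented).
# Note the three "home visit" rows: same risk, three sections, three owners.
REGISTER = [
    {"id": "R001", "description": "Staff or volunteer injured while providing services in a client's home",
     "unit": "In-Home Meal Delivery", "owner": "A. Smith",
     "controls": ["home safety assessment", "lone-worker check-in"]},
    {"id": "R002", "description": "Staff or volunteer injured while providing services in a client's home.",
     "unit": "Home Care", "owner": "B. Jones",
     "controls": ["home safety assessment", "manual handling training"]},
    {"id": "R003", "description": "staff or volunteer injured while providing services in a clients home",
     "unit": "Respite Services", "owner": "C. Lee",
     "controls": ["home safety assessment", "lone-worker check-in"]},
    {"id": "R004", "description": "Vehicle accident while delivering meals",
     "unit": "In-Home Meal Delivery", "owner": "A. Smith",
     "controls": ["driver licence check"]},
]

# Constructed reporting lines: each unit maps to its parent, top level maps to None.
PARENT = {
    "In-Home Meal Delivery": "Aged and Disability Services",
    "Home Care": "Aged and Disability Services",
    "Respite Services": "Aged and Disability Services",
    "Aged and Disability Services": "Community Support Programs",
    "Community Support Programs": None,
}


def normalise(text):
    """Collapse case, apostrophes, whitespace and trailing full stops so that
    near-identical wordings of the same risk fall into one group."""
    text = text.lower().replace("'", "").replace("\u2019", "")
    text = re.sub(r"[.\s]+$", "", text)
    return re.sub(r"\s+", " ", text).strip()


def find_duplicates(register):
    """Return {normalised description: [rows]} for wordings that occur more than once."""
    groups = defaultdict(list)
    for row in register:
        groups[normalise(row["description"])].append(row)
    return {key: rows for key, rows in groups.items() if len(rows) > 1}


def ancestors(unit, parent=PARENT):
    """The unit itself followed by every level above it, bottom-up."""
    chain = []
    while unit is not None:
        chain.append(unit)
        unit = parent[unit]
    return chain


def common_level(units, parent=PARENT):
    """Lowest level of the hierarchy that contains every listed unit."""
    chains = [ancestors(u, parent) for u in units]
    for candidate in chains[0]:
        if all(candidate in chain for chain in chains):
            return candidate
    return None


def roll_up(register, parent=PARENT):
    """Replace each duplicated risk with one entry at the lowest common level,
    carrying the union of the contributing sections' controls (the 'unique
    aspects' the post says can be folded into the higher-level risk)."""
    dupes = find_duplicates(register)
    dup_ids = {row["id"] for rows in dupes.values() for row in rows}
    rolled = [row for row in register if row["id"] not in dup_ids]
    for rows in dupes.values():
        units = sorted({row["unit"] for row in rows})
        rolled.append({
            "id": "+".join(row["id"] for row in rows),
            "description": rows[0]["description"].rstrip("."),
            "unit": common_level(units, parent),
            "owner": None,  # to be assigned at the level above; the post's rule is not reproduced here
            "scope": units,
            "controls": sorted({c for row in rows for c in row["controls"]}),
        })
    return rolled


if __name__ == "__main__":
    for key, rows in find_duplicates(REGISTER).items():
        owners = {row["owner"] for row in rows}
        print(f"{len(rows)} copies / {len(owners)} owners: {key}")
    for entry in roll_up(REGISTER):
        print(entry["id"], "->", entry["unit"], entry.get("scope", ""))
```

Running it on the constructed register reports one wording with three copies and three owners, and the rolled-up register shrinks from four entries to two, with the merged risk sitting at the Aged and Disability Services level and listing the three sections it covers as its scope.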