Risk Tip 15 – Parent and Child Risks – Keeping it in the family

Paladin Risk Management Services is about to release its newly developed software system for the management of risk, Gladiator GRC™, in the new year.

This software will be just the ticket for anyone wanting to make their risk management lives easier and first cab off the rank will be a risk register and control register – the most important tools an organisation needs to minimise risk.

To explain how effective it is, I’m using the concept of parent and child risks. Whilst the term itself is not unique, the way I apply it certainly is, and the software is designed around that concept.

The observations that led me to this body of work were:

1. The first observation was that organisations were rolling up “themes” and purporting these to be “Enterprise Risks” (and in some cases they were calling them Strategic Risks). Examples include:

  a. Failure to provide a safe working environment;
  b. Inadequate security requirements;
  c. Inadequate ICT infrastructure to support operations;
  d. Inadequate personnel resources to support operations;
  e. and the list goes on.

2. The second, and most important observation: they are not risks.

3. The third observation: they cannot be managed.

As a result of this, organisations struggle with the ability to manage risk holistically at the Enterprise level.

There seems to be a perception that it is not possible to get an Enterprise view of risk within an organisation without “drilling down into the weeds”.

This is not the case. “Themes” can still be captured as events.

The Parent Risks

The following are the parent risks that I have developed which will apply to almost all organisations:

  • PR 1: Unauthorised release of/amendment to/use of and/or loss of corporate/confidential information
  • PR 2: Incorrect, incomplete or untimely information provided to a critical stakeholder
  • PR 3: Disruption to critical business function for a period in excess of specified Maximum Acceptable Outage
  • PR 4: Fraudulent/corrupt behaviour by a member of staff and/or 3rd party
  • PR 5: Incident occurs that threatens the health and/or safety of staff (workers as defined in the WHS Act), visitors, and/or the public.
  • PR 6: Organisation delivers a project/program that is not fit for purpose or of poor quality
  • PR 7: At fault/avoidable/contributory Incident occurs that threatens the environment

There are then Parent Risks that will be common across a range of industries:

  • PR 8: Incident occurs that threatens the health and/or safety of xxxx
  • PR 8: Clinical incident occurs that threatens the health and/or safety of patients (hospital)
  • PR 8: Incident occurs that threatens the health and/or safety of residents (aged care facility)
  • PR 8: Incident occurs that threatens the health and/or safety of children under care etc. (child care centre/school)
  • PR 9: At fault aviation incident (organisations that fly aircraft)
  • PR 10: At fault incident at (organisation) run facility (e.g. for Council it might be caravan park/childcare centre/aged care centre/cemetery etc.)
  • PR 11: Incident occurs at an event run by (organisation) or by a 3rd party for the benefit of the (organisation) e.g. fundraising event

Once we have identified the parent risks, we can now capture the Child Risks.

The Child Risks

It needs to be recognised that the Parent Risks are the “headline risk” and, as such, they are not assessed.  It is the Child Risks which are assessed, with the Parent Risk adopting the risk level of the highest-level Child Risk (explained further later).

So, let’s look at some example child risks for a couple of the parent risks identified above.

  • PR 1: Unauthorised release of/amendment to/use of and/or loss of corporate/confidential information
      • CR 1-1: Unauthorised release of/amendment to/use of corporate/confidential information stored electronically
      • CR 1-2: Unauthorised release of/amendment to/use of corporate/confidential information stored in hard copy
      • CR 1-3: Loss of records maintained electronically
      • CR 1-4: Loss of records maintained in hard copy
      • CR 1-5: Unauthorised release of/amendment to/use of corporate/confidential information in the custody of a 3rd party (electronic and/or hard copy)
  • PR 4: Fraudulent/corrupt behaviour by a member of staff and/or 3rd party
      • CR 4-1: Fraudulent/corrupt behaviour by a member of staff involved in procurement activities (up until the point of contract)
      • CR 4-2: Fraudulent/corrupt behaviour by a member of staff involved in management of contracts/service agreements (e.g. not declaring the hiring of family/friends – conflict of interest)
      • CR 4-3: Fraudulent/corrupt behaviour by a member of staff involved in accounts payable, receivable and/or payroll
      • CR 4-4: Theft or inappropriate disposal of organisational assets by staff member
      • CR 4-5: Member of staff receives benefits to which they are not entitled (e.g. leave, inappropriate use of credit card etc.)
      • CR 4-6: Contractor paid for services not delivered or not to the required standard
      • CR 4-7: Theft of Council equipment/supplies by 3rd party/s
      • CR 4-8: Theft of Council consumables by a member of staff (including replacing consumables with sub-standard products)
      • CR 4-9: Member of staff accepts benefits for approvals
      • CR 4-10: Unauthorised personal use of organisational equipment/vehicles/assets by a member of staff
      • CR 4-11: Unauthorised after-hours entry into organisational facilities

As you can probably see, these child risks will also apply to multiple organisations across multiple industries.  Not only will the risks be the same, but also the causes and the controls.

So, what does this mean?

It means that the way the risk is managed in one organisation should be similar to the way it is managed in another organisation.

Of course, in some organisations, the consequences are going to be more severe so the preventative control environment and assurance needs to be more robust, but the baseline level of controls should be relatively standard.

Recording the Parent and Child Risks

As previously mentioned, the level of risk for the Parent Risk will be derived from the highest level of Child Risk related to the Parent.

Reporting this way allows the Executive/Board to drill down to the Child Risk/s that are of concern.
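To make the roll-up rule concrete, here is an added worked example (my own illustration, not code from Gladiator GRC or from Paladin Risk) of a small register in which Parent Risks are never scored directly, each Parent adopts the level of its highest-rated Child, and a drill-down view lists the Children that push the Parent to that level. The 5×5 likelihood/consequence matrix, the four-step level scale, the class and function names and the scores assigned to the sample children are all assumptions made for the example; the risk descriptions are taken from PR 1 and PR 4 above.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Ordered risk levels, lowest to highest. The scale is an assumption for this
# example; the post only states that a Parent takes its highest Child's level.
LEVELS = ["Low", "Medium", "High", "Extreme"]


def rate(likelihood: int, consequence: int) -> str:
    """Map a 1-5 likelihood and 1-5 consequence to a level.

    The 5x5 matrix thresholds are constructed for illustration only.
    """
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be in 1..5")
    score = likelihood * consequence
    if score >= 15:
        return "Extreme"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class ChildRisk:
    ref: str            # e.g. "CR 1-3"
    description: str
    likelihood: int     # 1..5, assessed on the Child only
    consequence: int    # 1..5, assessed on the Child only

    @property
    def level(self) -> str:
        return rate(self.likelihood, self.consequence)


@dataclass
class ParentRisk:
    ref: str            # e.g. "PR 1"
    description: str
    children: List[ChildRisk] = field(default_factory=list)

    @property
    def level(self) -> str:
        """Headline level: never assessed directly, always derived from the
        highest-rated Child. A Parent with no Children has no level, so that
        case is flagged rather than silently reported as Low."""
        if not self.children:
            raise ValueError(f"{self.ref} has no Child Risks to derive a level from")
        return max((c.level for c in self.children), key=LEVELS.index)

    def drill_down(self, at_least: str = "High") -> List[ChildRisk]:
        """Children at or above a given level, highest first: the view the
        Executive/Board drills into when a Parent's level is of concern."""
        floor = LEVELS.index(at_least)
        hits = [c for c in self.children if LEVELS.index(c.level) >= floor]
        return sorted(hits, key=lambda c: LEVELS.index(c.level), reverse=True)


def build_register() -> Dict[str, ParentRisk]:
    """Constructed sample register: two Parents from the post, with invented
    likelihood/consequence scores on their Children."""
    pr1 = ParentRisk("PR 1", "Unauthorised release of/amendment to/use of and/or "
                             "loss of corporate/confidential information")
    pr1.children = [
        ChildRisk("CR 1-1", "Confidential information stored electronically", 3, 4),
        ChildRisk("CR 1-2", "Confidential information stored in hard copy", 2, 3),
        ChildRisk("CR 1-3", "Loss of records maintained electronically", 2, 2),
        ChildRisk("CR 1-5", "Confidential information in the custody of a 3rd party", 3, 5),
    ]
    pr4 = ParentRisk("PR 4", "Fraudulent/corrupt behaviour by a member of staff "
                             "and/or 3rd party")
    pr4.children = [
        ChildRisk("CR 4-1", "Staff involved in procurement activities", 2, 4),
        ChildRisk("CR 4-4", "Theft or inappropriate disposal of organisational assets", 3, 2),
    ]
    return {p.ref: p for p in (pr1, pr4)}


def enterprise_report(register: Dict[str, ParentRisk]) -> Dict[str, str]:
    """Enterprise (headline) view: one derived level per Parent Risk."""
    return {ref: parent.level for ref, parent in register.items()}


if __name__ == "__main__":
    reg = build_register()
    for ref, level in enterprise_report(reg).items():
        print(f"{ref}: {level}")
        for child in reg[ref].drill_down("High"):
            print(f"    {child.ref} [{child.level}] {child.description}")
```

With the sample scores, PR 1 reports as Extreme because CR 1-5 is Extreme, and the drill-down shows CR 1-5 and CR 1-1 as the Children driving that level; PR 4 reports as Medium with nothing at High or above to drill into. The point of keeping the level as a derived property rather than a stored field is that the Parent can never drift out of step with its Children, and a Parent with no Children is refused a level instead of quietly reporting as Low.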

The following is the output from my newly developed software system for the management of risk, Gladiator GRC™.


I truly believe that the biggest reason that organisations struggle with risk management is that they do not have the “right” risks in the risk register.

I have now developed parent and child risks for a number of industries, and that list is continually expanding.

Organisations will be able to purchase these illustrative risk registers from early 2021.  Enquire now and kickstart your risk management program in 2021.

rod@paladinrisk.com.au

0400 666 142
