Risk Tip 15 – Parent and Child Risks – Keeping it in the family
Paladin Risk Management Services is about to release its newly developed software system for the management of risk: Gladiator GRCTM. in the new year.
This software will be just the ticket for anyone wanting to make their risk management lives easier and first cab off the rank will be a risk register and control register – the most important tools an organisation needs to minimise risk.
To explain how effective it is, I’m using the concept of parent and child risks. Whilst the use of the term is not unique, the way I apply it certainly is with the software designed around the concept.
The observations that that led me to this body of work were:
1. The first observation was that organisations were rolling up “themes” and purporting these to be “Enterprise Risks” (and in some cases they were calling them Strategic Risks). Examples include:
- a. Failure to provide a safe working environment;
- b. Inadequate security requirements;
- c. Inadequate ICT infrastructure to support operations;
- d. Inadequate personnel resources to support operations;
- e. and the list goes on
2. The second, and most important observation: they are not risks.
3. The third observation: they cannot be managed.
As a result of this, organisations struggle with the ability to manage risk holistically at the Enterprise level.
There seems to be a perception that it is not possible to get an Enterprise view of risk within an organisation without “drilling down into the weeds”.
This is not the case. “Themes” can still be captured as events
The Parent Risks
The following are the parent risks that I have developed which will apply to almost all organisations:
- PR 1: Unauthorised release of/amendment to/use of and/or loss of corporate/confidential information
- PR 2: Incorrect, incomplete or untimely information provided to a critical stakeholder
- PR 3: Disruption to critical business function for a period in excess of specified Maximum Acceptable Outage
- PR 4: Fraudulent/corrupt behaviour by a member of staff and/or 3rd party
- PR 5: Incident occurs that threatens the health and/or safety of staff (workers as defined in the WHS Act), visitors, and/or the public.
- PR 6: Organisation delivers a project/program that is not fit for purpose or of poor quality
- PR 7: At fault/avoidable/contributory Incident occurs that threatens the environment
There are then Parent Risks that will be common across a range of industries:
- PR 8: Incident occurs that threatens the health and/or safety of xxxx
- PR 8: Clinical incident occurs that threatens the health and/or safety of patients (hospital)
- PR 8: Incident occurs that threatens the health and/or safety of residents (aged care facility)
- PR 8: Incident occurs that threatens the health and/or safety of children under care .etc (child care centre/school)
- PR 9: At fault aviation incident (organisations that fly aircraft)
- PR 10: At fault incident at (organisation) run facility (e.g. for Council it might be caravan park/childcare centre/aged care centre/cemetery .etc.
- PR 11: Incident occurs at an event run by (organisation) or by a 3rd party for the benefit of the (organisation) e.g. fundraising event
Once we have identified the parent risks, we can now capture the Child Risks.
The Child Risks
It needs to be recognised that the Parent Risks are the “headline risk” and, as such, they are not assessed. It is the Child Risks which are assessed, with the Parent Risk adopting the risk level of the highest-level Child Risk (explained further later).
So, let’s look at some example child risks for a couple of the parent risks identified above.
|PR 1||Unauthorised release of/amendment to/use of and/or loss of corporate/confidential information|
|CR 1-1||Unauthorised release of/amendment to/use of corporate/confidential information stored electronically|
|CR 1-2||Unauthorised release of/amendment to/use of corporate/confidential information stored in hard copy|
|CR 1-3||Loss of records maintained electronically|
|CR 1-4||Loss of records maintained in hard copy|
|CR 1-5||Unauthorised release of/amendment to/use of corporate/confidential information in the custody of a 3rd party (electronic and/or hard copy)|
|PR 4||Fraudulent/corrupt behaviour by a member of staff and/or 3rd party|
|CR 4-1||Fraudulent/corrupt behaviour by a member of staff involved in procurement activities (up until the point of contract)|
|CR 4-2||Fraudulent/corrupt behaviour by a member of staff involved in management of contracts/service agreements (e.g. not declaring the hiring of family/friends – conflict of interest)|
|CR 4-3||Fraudulent/corrupt behaviour by a member of staff involved in accounts payable. receivable and/or payroll|
|CR 4-4||Theft or inappropriate disposal of organisational assets by staff member|
|CR 4-5||Member of staff receives benefits to which they are not entitled (e.g. leave, inappropriate use of credit card etc.)|
|CR 4-6||Contractor paid for services not delivered or not to the required standard|
|CR 4-7||Theft of Council equipment/supplies by 3rd party/s|
|CR 4-8||Theft of Council consumables by a member of staff (including replacing consumables with sub-standard products)|
|CR 4-9||Member of staff accepts benefits for approvals|
|CR 4-10||Unauthorised personal use of organisational equipment/vehicles/assets by a member of staff|
|CR 4-11||Unauthorised after-hours entry into organisational facilities|
As you can probably see, these child risks will also apply to multiple organisations across multiple industries. Not only will the risks be the same, but also the causes and the controls.
So, what does this mean?
It means that the way the risk is managed in one organisation should be similar to the way it is managed in another organisation.
Of course, in some organisations, the consequences are going to be more severe so the preventative control environment and assurance needs to be more robust, but the baseline level of controls should be relatively standard.
Recording the Parent and Child Risks
As previously mentioned, the level of risk for the Parent Risk will be derived from the highest level of Child Risk related to the Parent.
Reporting this way allows the Executive/Board to drill down to the Child Risk/s that are of concern.
The following is the output from my newly developed software system for the management of risk: Gladiator GRCTM.
I truly believe that the biggest reason that organisations struggle with risk management is that they do not have the “right” risks in the risk register.
I have now developed parent and child risks for a number of industries which is continually expanding.
Organisations will be able to purchase these illustrative risk registers from early 2021. Enquire now and kickstart your risk management program in 2021.
0400 666 142