Risk Tip # 9 – Describing Risk Treatments
I love reading risk treatments in risk registers – they are always so descriptive. Some of the treatments I have taken from risk registers over time are shown below:
- better communication;
- training in contract management;
- rolling fraud audit program;
- additional physical security;
- more management oversight and action;
- better change management;
- recruit additional staff;
- increased monitoring and inspections;
- improved control systems;
- business plan;
- project planning;
- budget and planning processes;
- … and I could go on.
I am even more amused when I review risk registers and I see something like this:
Cause | Treatment | Owner | Timeframes |
---|---|---|---|
Poor communication | Better communication | All | Ongoing |
Unfortunately, when assigned ownership of a treatment such as this, the Treatment Owner is unlikely to have any clue where to start in terms of developing and implementing the treatment. This gives rise to treatments never actually being completed.
To that end, we need to consider the development and implementation of a risk mitigation as being akin to undertaking a project, that is, there is a beginning and an end, and, like a project, we need to allocate:
- Timeframes;
- Human resources;
- Financial resources;
- Performance measures and key performance indicators.
There are two categories of treatment. The first category is one where there is a start and an end, but the treatment does not become a control as depicted in the diagram below:
The second category of treatment involves developing a treatment that, once implemented, becomes a new ongoing control as shown in the diagram below:
The risk level in the risk register cannot be reduced until the control has been deemed effective.
Given the project-like nature of the treatments, the wording is critical. We need to be able to allocate a resource to undertake the treatment and set performance measures, as well as manage a budget and timeline. To do this, we must ensure that the wording of the treatments supports it. The key here is to avoid what I term “fluffy” treatments.
If we identify poor communication as a cause for one of our risks, better communication is not a treatment strategy.
Let’s look at the examples from the introduction using what might be more appropriate wording:
- Better communication
  - Develop and implement a communication strategy to ensure more effective communication with the stakeholder community
- Training in contract management
  - Design, develop, deliver and evaluate a training package aimed at improving the contract management skills of contract managers within the department
- Rolling fraud audit program
  - Develop and implement a fraud audit program with the purpose of identifying any instances of organisational fraud as early as possible
- Additional physical security
  - Conduct a security review to determine whether improvements in physical security are required
  - Based on the review, develop a business case for recommended security improvements
Wording treatments in this manner means that they can be captured as line items in a corporate plan and a budget. I contend that “better communication” is too vague for a corporate plan and does not provide enough information to allocate resources to it. But you could “develop and implement a communication strategy to ensure more effective communication with the stakeholder community” and then get a better picture of what this entails – resource-wise.
Have a look at the treatments in your risk register and see where they sit on the “fluffiness scale”.