Risk Treatments in Risk Management
In this session I’m going to talk about consequence.
In particular, how do we analyse consequence so that we can incorporate it into our risk register so that it’s meaningful.
I’ve come across many organisations who believe that what we need to put into our risk register is the worst case scenario in terms of consequences. There are some challenges there. If we do this, we tend to skew all of the risks in the organisation towards those worst case consequences and as a result, what we may end up doing is having to treat a whole lot of risks that aren’t requiring treatment.
I’ll give you an example of that. Let’s say one of the risks within your organisation (and it’s a risk in many organisations) are trips, slips and falls. Now, if you look at the statistics and we’ve had 100 slips, trips or falls in our organisation, we may not have had any deaths and we may have had one or two serious injuries which required long term hospital treatment. The majority will be in the minor area and maybe a couple in the moderate, but if we let people in the organisation state things like “well, in the worst case that person could trip over or hit their head on something and they could die.” Well, yes, but that is an extreme outlier.
If you do the analysis on those hundred, what you will find is that they will sit in that insignificant and minor area. So we’re not talking about worst case, we want to know what is the most plausible outcome. Because we are measuring a risk against all of our impact areas, all of our critical success factors in our organisation; safety, environment, reputation, financial. We need to do that for every single one of them. We need to make sure we identify what are the most plausible outcomes for the risk event that we have identified and in doing so we actually come up with a more appropriate risk register in terms of what the risk levels are.
One of the other issues or challenges with putting everything in that worst case scenario bucket is that it almost diminishes the risk register or the risk management process in your organisation because everything will start to say that everything is in the top box or the right hand corner if that’s what your matrix looks like and therefore we need to treat everything.
Worse than that, people will actually start to change their risk assessments so that it brings it down into that area that’s more in line with the risk appetite of the organisation.
So I think what we need to make sure we’re doing is look at the consequences in terms of their plausibility as opposed to their worst case. In doing so, you will have a more accurate risk register for your organisation.