Shared Risk in Risk Management
Well hello and welcome to this session. What we’re going to talk about is shared risks. Now for those of you in federal government, the public governance performance and accountability’s act and the Commonwealth risk management policy actually explicitly address the management of shared risk. Well, what is a shared risk? The first thing is that you need to understand is that a shared risk is a risk or event whereby the control of that particular risk or the consequences of that particular risk actually fall upon multiple functional areas in one organisation and/or multiple organisations.
Now of course that leaves us with quite the challenge. So let’s say we’ve got a shared risk that is going across particular organisations, there are some challenges there. First and foremost who owns that risk and secondly how is it that if we are a risk owner in one organisation and we’ve taken responsibility for the ownership of that risk, how can we assure ourselves that the controls that are aimed at reducing the likelihood of that risk occurring are actually being managed effectively in other organisations that we have no power over or no responsibility for.
It is a very, very big challenge. What we tend to find in shared risks is a lot of assumption. Well I’m assuming that that organisation is doing what we said they’re going to do, if we’ve even documented it in the first place. Let’s look at an example, so the risk event might be the introduction of foot-and-mouth disease into Australia, which would have a devastating effect on our country. The problem there is that there are multiple agencies who are responsible for some of the controls that keep that risk at bay. I don’t believe that anyone is centrally managing that risk and has taken ownership of that risk and so how do we actually know that those controls are effective.
The problem comes, of course, with the government makes a decision that reduces the funding to any one of those organisations and they make a decision to take resources away from something that is a control for that particular risk, the likelihood of that event occurring has actually just gone up. But if nobody’s got visibility of it, then how do we know and how can we make arguments to government to say well if you do that here are the consequences, you have actually just raised the likelihood that we’re going to see foot-and-mouth come into this country.
How do we manage these shared risks? First and foremost we obviously need to identify and allocate a risk owner. In my view, the risk owner should be the organisation or someone within the organisation for which the consequence will be the highest and if we’ve got this allocation then they can start to form together stakeholder groups around the whole of the risk. They can identify not only what controls are in place but they can also identify who was responsible for the effectiveness of that control and we can start to put it in place some key performance indicators and performance measures whereby that risk owner can satisfy themselves those other agencies are effectively managing those controls. The risk owner should also be the one who is providing reports to their management but also to the higher levels outside of the organisation. They become risk owner and coordinator for the whole of the approach to the risk.
It is a very, very difficult situation to find yourself in because ultimately with no control over these other organisations and there may be some challenges around communication, there might be some disputes, there might be some old rivalries that don’t allow for us to make active decisions and discussions. It is a really important thing and what we do need to understand it is an event and we as a collective, whether it be at an organisational level or at a community level are going to see the consequences if that risk is not managed effectively.
Given the world and the way that it’s so entwined now with technology and free trade and supple and so on and so forth, we need to understand that shared risks are becoming more and more common and so the approach to managing those needs to also develop as well.
That’s all I’ve got for this session, as always let’s be careful out there.