The Risk Management Standard Strikes again – This time with the help of the Risk Management Handbook
I have previously discussed issues around the risk management definition within ISO 31000 and the fact that the definition itself has created uncertainty (see my earlier blog post).
Well – now I have another axe to grind – well two actually.
The first is the use of the term Likelihood in the Standard and the recently released risk management Handbook SA/SNZ HB436:2013 (guidelines to AS/NZS ISO 31000:2009).
The second relates to the wording of a risk as highlighted in the Handbook. These are fundamental issues in relation to the management of individual risk and I believe there needs to be some discussion on them – hence this blog.
SA/SNZ HB436:2013 states:
The level of risk is expressed as the likelihood that particular consequences will be experienced. Consequences relate directly to objectives and arise when something does or does not happen (i.e. there is an event or change in situation or circumstances that might occur at some point in the future). Therefore, the likelihood being referred to here is not just that of the event occurring, but also the overall likelihood of experiencing the consequences that flow from the event. (Page 8)
I certainly agree with the notion that we need to assess the Likelihood of the event occurring in the first place; however, I do not believe that the statement that the level of risk is expressed as the likelihood that particular consequences will be experienced provides a true reflection of what a risk is and how we assess the risk level.
In the good old days, before the ISO Standard, we assessed the likelihood that the event would occur and what the highest level of consequence across a range of impact areas would be. We entered them into a matrix, compared the result with our risk appetite and then made decisions as to whether the risk should be treated or accepted. To me – that is still very much what risk management is about – but it would appear, based on the Standard, that this is no longer the case.
So herein lies the problem and the issue at hand.
If we are to follow the guidelines outlined in the Standard, Risk Management becomes an absolute mess. Why? Because we still have to assess our consequences against all of the impact areas, but rather than identifying the expected level of consequence against each impact area, we are now expected to look at the likelihood that each of the consequences will arise.
Confused? Me too. So let’s highlight an example to demonstrate what I am saying.
The risk I am going to use is: Food poisoning in a Kiosk at an aquatic centre.
Using our assessment of our current controls we should be able to determine the Likelihood of the event occurring (i.e. the stronger/more effective the controls, the lesser the likelihood that the event will occur). We would then assess our consequence against all of our impact areas to determine a level of consequence. In this case we will simply use four impact areas: safety, compliance, revenue and reputation. In a traditional risk assessment we would identify which of these had the highest level of consequence and that would be entered into the table with the Likelihood to determine the risk score.
If we take the Standard literally then we end up with something like the following table for each risk:
So my question is this … how in goodness' name do we determine a risk level for this risk?
One way that I have found to be extremely useful when assessing consequence is to highlight the most plausible consequence against each of the impact areas.
In the example above (and using a consequence table that I have), the most plausible consequence against each of the Impact Areas would be:
- Safety – Minor;
- Compliance – Insignificant;
- Revenue – Minor; and
- Reputation – Insignificant.
Therefore, the highest level consequence is Minor. With a likelihood rating of Unlikely, in all probability the risk will be Low and will remain Low as long as the controls remain effective.
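As an added illustration (not code from the post or the Handbook), here is the traditional assessment just described, in Python: the most plausible consequence per impact area, the highest of those combined with the event Likelihood in a matrix, and the resulting level compared with risk appetite. The five-point scales, the matrix and the appetite threshold are my assumptions; the only calibration point taken from the post is Unlikely with Minor giving Low.

```python
# Added example, not from the original post. The scales and the 5x5 matrix below
# are assumptions for illustration; the post only fixes one cell: Unlikely x Minor = Low.

CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
LEVELS = ["Low", "Medium", "High", "Extreme"]

# Assumed matrix: rows follow LIKELIHOOD order, columns follow CONSEQUENCE order.
MATRIX = [
    ["Low", "Low", "Low", "Medium", "High"],          # Rare
    ["Low", "Low", "Medium", "Medium", "High"],       # Unlikely
    ["Low", "Medium", "Medium", "High", "High"],      # Possible
    ["Medium", "Medium", "High", "High", "Extreme"],  # Likely
    ["Medium", "High", "High", "Extreme", "Extreme"], # Almost Certain
]


def highest_consequence(by_impact_area):
    """Return (impact_area, rating) for the highest most-plausible consequence.

    by_impact_area maps each impact area to its most plausible consequence rating.
    On a tie the first area listed wins, which is enough to drive the risk score.
    """
    return max(by_impact_area.items(), key=lambda kv: CONSEQUENCE.index(kv[1]))


def risk_level(likelihood, consequence):
    """Look up the risk level for an event likelihood and its highest consequence."""
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


def assess(likelihood, by_impact_area, appetite="Low"):
    """Traditional assessment: treat the risk when its level exceeds the appetite."""
    area, rating = highest_consequence(by_impact_area)
    level = risk_level(likelihood, rating)
    decision = "treat" if LEVELS.index(level) > LEVELS.index(appetite) else "accept"
    return {"driving_area": area, "consequence": rating,
            "level": level, "decision": decision}


# The post's worked example: food poisoning in a kiosk at an aquatic centre.
KIOSK = {"safety": "Minor", "compliance": "Insignificant",
         "revenue": "Minor", "reputation": "Insignificant"}

if __name__ == "__main__":
    # With effective controls the event is Unlikely and the risk stays Low.
    print(assess("Unlikely", KIOSK))
    # If the controls degrade and the event becomes Likely, the same consequences
    # push the risk above a Low appetite and it needs treatment.
    print(assess("Likely", KIOSK))
```

Re-running `assess` with a weaker likelihood is the author's point that the risk "will remain Low as long as the controls remain effective": only the likelihood moves, the consequence profile does not.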
So that is my take on the issue of Likelihood in the Risk Management Standard – but wait – there is more ………
Describing a Risk
The Handbook to the Standard states that the risk description should also include the objective and the consequence against that objective. The example given is: The margin on sales is reduced by more than 5% as a result of shoplifting.
This description is making the assumption that shoplifting is going on (so there is no real Likelihood of shoplifting here: it is 100%, i.e. it is happening). Margin on sales is not an objective – it is a measure of effectiveness. The reduction of 5% is expressing a consequence level, and I would assume that it is being suggested that the Likelihood of that consequence is to be assessed.
So this poses a further question to me … do we need to list more of these statements in the risk register to gain a better understanding of where the organisation sits in relation to this “risk”? I.e.:
- The margin on sales is reduced by less than 2.5% as a result of shoplifting.
- The margin on sales is reduced by between 2.5% and 5% as a result of shoplifting.
- The margin on sales is reduced by between 5% and 7.5% as a result of shoplifting.
- The margin on sales is reduced by between 7.5% and 10% as a result of shoplifting.
- The margin on sales is reduced by more than 10% as a result of shoplifting.
My next question is: how is it treated? Are we treating the reduction in margin on sales or are we treating the shoplifting? What about the impact on other measures of effectiveness? We have only mentioned one here, so do we need another risk that says: Shareholder value is reduced by more than 5% as a result of shoplifting?
And so it goes on.
I contend that it would be better, perhaps, to look at shoplifting as the event and then describe/capture the risk like so:
We then assess the effectiveness of the controls and determine the Likelihood and Consequence of shoplifting based on the effectiveness of the controls. To my way of thinking, describing a risk in this manner allows a full assessment/analysis of not only the risk level but also the control environment, what would lead to it happening and the consequences if it did happen – without confining it to a single objective or consequence.
In conclusion, I continue to be somewhat baffled by the Standard (and now the Handbook) as I struggle to comprehend what they are trying to say.
Risk management is simple – what can go wrong? What would cause it to go wrong? What are the consequences if it does go wrong? What do we already have in place to stop it going wrong, and how effective is it? What do I need to stop it going wrong?
To me, the Standard and the Handbook have taken away that simplicity, created confusion and (in my humble opinion) made it less likely that organisations will take up the mantle and use risk management to create value for their organisation.
As always, let’s be careful out there.