There’s no such thing as a Safety Risk (or a security risk, or a reputation risk …)
If you are like most organisations that I have engaged with, you will most likely have multiple risk registers. Separate risk registers will likely be maintained for two or more of the following categories of risks:
- Operational risks
- Financial risks
- Security risks
- Safety risks
- Compliance risks
- Reputational risks
- Environmental risks
- IT risks
Whole industries have been built around the management of risk by category. In my previous blog I highlighted that a cyber attack is not the risk – it is just a cause – and yet billions of dollars have been spent on “cyber risk”. Billions of dollars are likewise spent on safety risks, security risks and the like, but herein lies the controversy in this blog:
There is no such thing as a safety risk, or a security risk, or a reputation risk – they are just risks
Here’s the thing: a risk is a risk; there are just multiple consequences every time a risk materialises.
Where are we now?
As previously stated, organisations, for the most part, maintain multiple risk registers. How have we ended up here?
- ‘Patch protection’;
- Organisations not structured to manage risk holistically; and
- Belief that all risk types are different.
In my observation, this has led to:
- Risks that are not actually being managed;
- Significant duplication;
- Significant control ‘gaps’; and
- Additional controls being introduced in one area that increase risk/s in another area.
What is the reality?
One event – multiple consequences
The reality is that, when an incident occurs (i.e. a risk materialises), there are consequences, but those consequences do not mean that the risk can be categorised. The reason? There is no such thing as a one-consequence risk.
Let’s use a real-life example – the Deepwater Horizon tragedy. The risk in the risk register would (or should) have been: Explosion on the oil rig.
Fast forward to 20th April 2010 when the risk exploded. Let’s have a look at the consequences:
So here is my question. What category of risk was it and, therefore, what risk register would this risk have been captured in?
All Risks are Shared Risks
In Risk Tip # 6 – Managing Shared Risks, I highlighted that in organisations of today there is no such thing as a risk that isn’t a shared risk. There would be very few organisations where the ownership of the risk, the ownership of the controls and those affected by the consequences would reside in one functional area.
Even risks that would be considered “safety risks” have controls that cross organisational boundaries and have consequences other than death or injury. That is why it is critical that risks are described in such a way that consequences are not captured in the risk statement.
As an illustration, a risk captured in the following way does not take into consideration that there is more than one potential cause and more than one potential consequence: A faulty harness leads to a worker falling from heights resulting in death or injury.
If the risk is described in the following way, it becomes apparent that the consequences are more far-reaching than just potential death or injury:
Risk Name: Worker falls from heights
So, the question, even for a simple risk like this, is: is it a safety risk, or a reputation risk, or a compliance risk, or a financial risk? The answer is that it is none of them – it is just a risk that, if it occurred, would have multiple consequences.
I am currently working in a range of organisations where risks have been consolidated into just one risk register and are being treated as risks to the enterprise and not as safety or security or reputation risks.
So, the key messages?
- Remove causes and consequences from your risk descriptions;
- Consolidate risks into one risk register at the enterprise level and avoid categorising them.
Describing and managing risks in this manner provides for a more holistic approach and improves effectiveness significantly.