Forum Replies Created
In this case it could be a cause for risks such as:
a. disruption to xxx critical business function for a period in excess of xxx
b. Loss of corporate records
It can also be a consequence for a risk such as:
a. Member of staff suffers work related psychological/mental health episode.
Hope that helps
The fundamental issue here Angus (and Peter) is that this reliance is borne out by the belief that ownership of the risk is at the lower levels of the organisation.
As I wrote in my blog: RISK TIP # 7 – RISK OWNERSHIP – LET’S TURN IT ON ITS HEAD – this belief that ownership resides at those levels is not only a fallacy; in the case of some very high profile incidents, it has proved deadly.
I am seeing more and more ‘risk champion networks’ springing up in organisations. My view is that, whilst the intent is well meaning, it insinuates that all of the risk management activities reside across functional areas. This is not the case.
Ask the Board and CEO of AMP who was held accountable for their failings. Ask CBA who was held accountable for the AML issues. Ask the Board and CEO of VW who was held accountable for their scandal.
The bottom line is this:
Just because the incident can (and will) happen within the functional areas – DOES NOT MEAN THEY OWN THE RISK. In every one of the incidents listed above it was the CEO’s responsibility to know what was going on but because risk management was left to individuals and champions outside of a well structured framework where assurance of conformance to controls is constantly monitored, when it came to light they had no idea.
Everyone has a role to play in the management of risk – but risk management is not everyone’s responsibility.
I have only read the draft, but to say I was underwhelmed is a complete understatement. I am sourcing a copy of the final version but if it is the same as the draft I will be pretty much ignoring it.
I wrote a blog on it here: https://paladinrisk.com.au/rip-iso-31000/
You are absolutely correct – safety professionals do not own the controls – I misspoke 🙂
It is critical that the controls are owned by the managers of the process as you say.
Thanks for another great question brave_Michael.
You will remember on the course that I said that I don’t include risks with Minor or Insignificant consequences unless there is a cumulative effect (i.e. multiple instances of the same issue could lead to higher consequences). This is an example where, despite each single occurrence of this risk being Insignificant, the cumulative effect could be catastrophic.
I like your suggestion for the consequence matrix in relation to a number of repeated events as this captures that cumulative effect. What it also does is potentially raise the consequence level. In this instance it appears that the controls (either preventative and/or detective) were ineffective which therefore raised the Likelihood to Likely/Almost certain. If we look at the cumulative effect of repeated occurrences, the consequence could easily be justified as at least Moderate, although, if left unchecked the consequences could be Major or Severe. What this would then do is raise the level of consequence so that it at least gets some attention in terms of assurance around the controls (we also covered Consequence Based Internal Audit).
The internal audit you conducted found that the consequences were Major but, if you hadn’t done that, there is every reason to think they could be Severe. And this makes sense – you are a fee for service organisation where overcharging could impact your reputation and undercharging impacts your bottom line. If it is your major/only revenue stream then what you charge for those services needs to be right.
As it stands right now I would assess this risk as Almost Certain/Major so it is likely to be a High Risk. What you need to do now, having identified that there are some issues is to strengthen the current controls or, if appropriate, implement new controls – preventative and detective. The strengthening of the preventative controls will reduce the Likelihood and the strengthening of the detective controls will reduce the Consequence (i.e. you will find it a lot earlier). This should then bring the risk down to Unlikely/Minor – which should bring it to be within your target level for financial risk. It only stays there, however, if the controls remain effective.
It is a very interesting one because, on the surface, it would appear to be a very low consequence risk, but repeated instances that then become systemic could seriously impact the bottom line of the company.
Hope that helps.
Thanks for the question brave_Michael.
You are absolutely right, there are causes that relate to multiple risks. What we need to recognise, however, is that they may be the same causes but the controls will differ.
To illustrate: We have 2 risks in the same organisation:
Risk 1: Wrong body issued to a funeral home from the mortuary
Risk 2: Inappropriate invoices sent to next of kin
Both of these risks could have these causes:
a. Lack of training of staff
b. Lack of supervision and oversight
c. Failure to follow policies and procedures.
Where we see the delineation is in the controls.
In the first risk there would be very different training requirements to those in the second risk and these need to be highlighted specifically in the controls.
So let’s look at the specific examples you provided:
Inadequate change management is definitely a cause and not a risk, as is inadequate people management.
But as you point out – what is the risk?
I would have a broad risk in the risk register: XYZ organisation introduces a new capability or program that is not adopted or is not fit for purpose. The causes in this case could be:
a. Inadequate consultation with stakeholders in the development of requirements
b. Developed requirements do not adequately reflect the needs of the organisation
c. Inadequate change management
d. Lack of/ineffective training of staff
e. Lack of/ineffective communication of the program with the stakeholder community
I hope this helps a little bit and answers your question.
Sorry I haven’t gotten around to responding before now.
The first thing I will say is that I believe that the pre-start checklists are controls and not treatment plans. The review is just an improvement to the control.
For me – the safety department needs to own the controls and then coordinate the familiarisation, training and communication of the checklists with the operational managers being responsible for ensuring that the control is implemented each time the equipment is started.
The problem with having operational managers responsible for the development of the pre-checks and owning them is that the same equipment may be in use across the organisation and there may be inconsistencies which could lead to significant issues.
Hope that makes sense.