What is a risk?
Hello again and welcome to this session.
Today I’m going to discuss one of the most fundamental parts of risk management: “what is a risk?”
As you can imagine, over time in the risk management game, I have reviewed so many risk registers. What I tend to find is that there is confusion out there between what are causes and what are consequences. I’ll explain. What we need to be focused on in our risk register are events.
Now, let’s look at this in light of an example. Lack of maintenance, lack of training, pilot error. All of those things are potential causes for an actual event. The event being an aircraft mishap or an aircraft crash. So what we need to do in our risk registers is focus on the event. What is it that we are trying to guard against?
The next thing we ask is: what would cause it to occur? And that’s where we start to see things like lack of maintenance, lack of training and pilot error. All of those things form the basis for the causes, because if we identify what would cause the event to occur, we can put controls in place to try and stop it happening. It’s fundamental, and in about 80% of cases you can’t do anything about the consequences of the event. What you are trying to do is stop the event happening in the first place. So every cause that you identify is an opportunity to stop that event happening.
The next thing we do is identify the consequences. What would the impacts be if that event did occur? We list those qualitatively, just so we get a full idea of the breadth of the consequences that could come from that risk. Because then we ask ourselves, “are there any things we could put in place to reduce the consequences?”
Finally, and most importantly, we look at what are the current controls in place and how effective those controls are. Because there is a direct correlation between the likelihood of that occurring and the effectiveness of those controls. What I tend to see happen (and this is getting off track a little bit) is organisations are very quick to come up with new risk treatment strategies that may not be necessary if they made sure that the current control environment they are in is actually effective. So your first step always should be to do that.
I’ve talked in another blog about post event analysis. The way I look at risk identification is this: risk identification is asking, “what could go wrong?” Post event analysis, on the other hand, is asking, “what has gone wrong?”
With risk analysis or risk identification we ask “what could cause it to go wrong?” In post event analysis, we ask “what did cause it to go wrong?”
In risk analysis we ask, “what would the consequences be?” In post event analysis we ask, “what were the consequences?”
In essence, what you need to understand is that a risk assessment is a post event analysis without the impacts happening or the event occurring. So all we are doing is looking at the risk and asking the question, “if this happened, could I conduct a post event analysis on it to understand all of those things?”
Now if you look at your risk register, and it’s the same for many organisations, you will see things like lack of staff, lack of training, lack of competent staff and lack of resources listed as risks. They are not risks, or risk events! They are causes of broader risks. And yes, those causes could actually contribute to multiple events. Focus on what it is that could go wrong, but make sure that it is an event and not a cause.
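As an added illustration (this is not code from the original post), here is a small Python model of a register entry structured the way the post describes: an event, the causes that could lead to it, the consequences, and the current controls. It includes a lint check that flags entries phrased as causes (“lack of …”) rather than events, and an index that shows when one cause sits under several events. The control effectiveness scale and the way residual likelihood is computed from it are my assumptions, not a method from the post; the sample register is constructed from the aircraft example above.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Wording that describes a precondition (a cause) rather than something that
# happens (an event). Constructed list, built from the post's own examples.
CAUSE_PREFIXES = ("lack of", "insufficient", "inadequate")


@dataclass
class Control:
    """A control currently in place, with an assumed 0..1 effectiveness rating."""
    name: str
    effectiveness: float


@dataclass
class RiskEntry:
    """One risk register entry: event, causes, consequences, current controls."""
    event: str
    causes: List[str] = field(default_factory=list)
    consequences: List[str] = field(default_factory=list)
    controls: List[Control] = field(default_factory=list)
    # Likelihood of the event with no controls at all (assumed 0..1 scale).
    inherent_likelihood: float = 0.5


def looks_like_cause(text: str) -> bool:
    """True when a register line is phrased as a cause rather than an event."""
    return text.strip().lower().startswith(CAUSE_PREFIXES)


def lint_register(entries: List[RiskEntry]) -> List[str]:
    """Flag entries that are causes in disguise, or that skip one of the
    event / causes / consequences / controls steps."""
    problems = []
    for e in entries:
        if looks_like_cause(e.event):
            problems.append(f"'{e.event}' is a cause, not an event; list it under "
                            f"the causes of the event it could lead to")
        if not e.causes:
            problems.append(f"'{e.event}': no causes identified, so nothing to control")
        if not e.consequences:
            problems.append(f"'{e.event}': consequences not listed")
        if not e.controls:
            problems.append(f"'{e.event}': no current controls recorded")
    return problems


def residual_likelihood(entry: RiskEntry) -> float:
    """Assumed model (not from the post): each control independently removes
    its effectiveness share of whatever likelihood is left, so weak controls
    leave the likelihood close to the inherent value."""
    likelihood = entry.inherent_likelihood
    for c in entry.controls:
        likelihood *= 1.0 - c.effectiveness
    return likelihood


def shared_causes(entries: List[RiskEntry]) -> Dict[str, List[str]]:
    """Map each cause to every event it contributes to, keeping only causes
    that appear under more than one event: one control on such a cause
    reduces the likelihood of all of those events."""
    index: Dict[str, List[str]] = {}
    for e in entries:
        for cause in e.causes:
            index.setdefault(cause.lower(), []).append(e.event)
    return {c: evs for c, evs in index.items() if len(evs) > 1}


# Constructed sample register using the post's aircraft example.
AIRCRAFT_MISHAP = RiskEntry(
    event="Aircraft mishap",
    causes=["Lack of maintenance", "Lack of training", "Pilot error"],
    consequences=["Loss of life", "Loss of aircraft", "Fleet grounded"],
    controls=[Control("Scheduled maintenance programme", 0.5),
              Control("Recurrent crew training", 0.6)],
    inherent_likelihood=0.5,
)

GROUND_COLLISION = RiskEntry(
    event="Ground vehicle collides with parked aircraft",
    causes=["Lack of training", "Poor apron lighting"],
    consequences=["Aircraft damage", "Flight delays"],
    controls=[Control("Apron driver permit scheme", 0.4)],
    inherent_likelihood=0.3,
)

# A badly written entry of the kind the post warns about: a cause recorded as a risk.
BAD_ENTRY = RiskEntry(event="Lack of staff")

if __name__ == "__main__":
    for p in lint_register([AIRCRAFT_MISHAP, GROUND_COLLISION, BAD_ENTRY]):
        print("problem:", p)
    print("residual likelihood of aircraft mishap:", residual_likelihood(AIRCRAFT_MISHAP))
    print("causes shared across events:", shared_causes([AIRCRAFT_MISHAP, GROUND_COLLISION]))
```

Running it reports four problems for the “Lack of staff” entry (it is a cause, and it has no causes, consequences or controls of its own), none for the two properly structured events, and shows that “lack of training” is a single cause feeding both events, which is exactly why the post asks for causes to be recorded under events rather than as risks in their own right.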
Here are two PowerPoint slides which show the difference between a risk assessment and a post event analysis, and also the similarities between the two.
If you have any questions, please contact me, but as always, be careful out there.