14.09.2015 14:17

Risk and the meaning of life, the universe and everything


Well, not really, but risks do seem to be crowding in on us lately. Banks, insurance and financial companies have been failing, and earthquakes, floods and financial crises have dominated our lives for the past few years.

How might we effectively manage risks? The answer starts with deciding what we mean by risk.

Generally, risk is seen as some event that might happen in the future and affect something of value to an individual or organisation. One definition, drawn from the international standard on risk management (AS/NZS ISO 31000:2009 Risk management - Principles and guidelines), is "risk is the effect of uncertainty on objectives". For a specific risk, this definition raises questions that must be answered as part of a risk assessment.

Understanding what risk is means we can assess risks in the context of a specific organisation or society. Each will have its own combination of external and internal business environments that must be understood if its risks are to be managed. Understanding the environment will also help set criteria for risk analysis and evaluation. Criteria may be based on the risk appetite and tolerance of an organisation or society.

To identify risks, you need to use the best available information to find, recognise and describe possible events, their consequences and impacts on objectives. Risks can then be analysed so they are understood. Analysis will include a good understanding of the cause-consequence chain, the likelihood of each consequence and the effectiveness of existing controls.

Risk evaluation takes the results of a risk analysis and compares the findings with the risk criteria set earlier to decide if the level of risk is acceptable or tolerable. For major risks, an evaluation might include the following information.

  • Did the analysis identify objectives? Your objectives and stakeholders' objectives may be quite different. Have the stakeholders been consulted and given information about the risks?
  • Have the different aspects of your objectives been clearly set out (eg, financial, health and safety, environmental)? How do they apply at different levels (eg, strategic, organisation-wide, project, product, and process)?
  • Were the criteria relevant and clearly expressed?
  • Have significant potential events and their consequences (or a combination of these) been identified? How might they affect the achievement of objectives? Have possible changes in circumstances been considered?
  • Has each risk been expressed in terms of a combination of the consequences (or a change in circumstances), and the associated likelihood of occurrence?
  • What is the level of uncertainty about each risk? In other words, how much do you really know about the causes, consequences, their likelihood and their controls? Will the effects of uncertainty be positive or negative?

If the evaluation finds gaps in the analysis, revise the analysis to get the best available information.

If a risk is not acceptable, it may need to be modified by some form of treatment. Here, keep in mind that positive risks may need modification to release their full opportunities.

What if the above process had been done before some of the disasters of the past few years? Even if the events had not been anticipated, their negative consequences might have been better managed and opportunities taken. Which brings us to the one reason for risk management: if there is no risk management, any risks that eventuate may overwhelm organisations and the societies they operate in.

Chris Peace

