One of the things that I’ve been tossing around is how we frame a risk. Risks are events. But when it comes to putting together risk statements, often organizations will put a cause and a consequence as well as the risk all into one statement.
I’ll give you an example: "Significant delays in retrieving records due to current tools for data storage and retrieval practices may leave the department unable to adequately respond to freedom of information requests." Now, I’m not even sure what that’s saying, but here's another one: "A department may not have a business process in place to adequately manage the programs, which may lead to weakened results."
Now, given what I’ve talked about on other blogs, I wouldn’t even see those as risk statements. However, what we’ve got there is an attempt to put a cause, an event and a consequence into one risk statement. The problem is that there is no such thing as a one-cause event, nor is there any such thing as a one-consequence event. If you identify an event, a risk, you will find that there is a range of causes. It’s a system breakdown.
And even if a risk results in injury or death, there are other consequences, such as harm to reputation, perhaps issues with the regulators and maybe legal action taken against us.
So, if we put our statements together such that we put a cause and a consequence in with the risk, we’re limiting our ability to treat that risk properly. We haven’t identified all the causes. We haven’t identified all of the consequences. And it’s only through identifying all the causes that you can truly start to identify whether you have adequate controls already in place or whether you need additional ones.
When you look at your risk statements, identify what the event is, but then go through and list all the causes and all the consequences, plus the controls and their effectiveness. Only then do you have a statement that can be managed effectively.
As always, let’s be careful out there.