The Flaw in How Risks Are Framed

One of the things I’ve been turning over is how we frame a risk. Risks are events. But when it comes to writing risk statements, organizations often pack a cause, a consequence and the risk itself into a single statement.

I’ll give you an example: “Significant delays in retrieving records due to current tools for data storage and retrieval practices may leave the department unable to adequately respond to freedom of information requests.” Now, I’m not even sure what that’s saying, but here’s another one: “A department may not have a business process in place to adequately manage the programs, which may lead to weakened results.”

Now, given what I’ve written on other blogs, I wouldn’t even see those as risk statements. What we have in each case is an attempt to put a cause, an event and a consequence into one risk statement. The problem is that there is no such thing as a one-cause event, nor any such thing as a one-consequence event. If you identify an event (a risk), you will find that it has a range of causes. It’s a system breakdown.

And even if a risk results in injury or death, there are other consequences, such as harm to reputation, perhaps issues with the regulators and maybe legal action taken against us.

So, if we write our statements so that a single cause and a single consequence are folded into the risk, we limit our ability to treat that risk properly. We haven’t identified all the causes. We haven’t identified all the consequences. And it’s only by identifying all the causes that you can start to judge whether the controls you already have are adequate or whether you need additional ones.

When you look at your risk statements, identify what the event is, then go through and list all the causes and all the consequences, plus the controls and their effectiveness. Only then do you have a statement that can be managed effectively.

As always, let’s be careful out there.

The Myth About Contractors and Risk

The notion that by outsourcing or contracting you have transferred your risk to another party is a myth. Senior executives, in both government and private enterprise, say, “There is no need to worry about that risk – I have transferred it to the contractor.” This is simply untrue.

If you own the consequences (or at least part of them), then you own the risk.

For example:

In the TV series “Air Crash Investigation,” there is an episode titled “Dead Weight.” In this episode, maintenance staff working for a company subcontracted to conduct maintenance on behalf of Air Midwest’s primary maintenance contractor skip nine of the 25 steps detailed in the maintenance manual when adjusting the tension on the elevator control cable. As a result, the elevator is unable to travel through its full range of motion.

When Air Midwest flight 5481 took off overweight, the center of gravity shifted rearward as the landing gear was raised, which pitched the nose higher. Because of the mis-rigged elevator control cable, the pilots were unable to bring the nose down. The aircraft stalled and crashed into a hangar, killing all passengers and crew on board.

The issue arose because there was no contract oversight/assurance by either Air Midwest or the primary contractor.

A contract is a control — but a control is only as good as the measurement of its effectiveness. Organizations that outsource simply cannot afford to assume that, because a contract is in place:

  • They have outsourced the risk to the contractor
  • The contractor’s performance will be as contracted and as reported.

This last point may seem a cynical one, but you need to accept that the primary driver for a contractor is to maximize profit. If shortcuts can be taken, they are likely to be taken.

What is even more important for organizations to understand is that, if the function that is contracted is a compliance requirement, and if there is a compliance breach, it is the organization — not the contractor — that will be held to account.

So, what are the keys to reducing the outsourcing risks?

Firstly, before developing the solicitation documentation for an outsourced function, the organization needs to identify and assess the risks that will exist during the contracted period and build the treatments (such as oversight and performance measurement) fully into the contract. It is absolutely critical that the compliance risks with the highest-level consequences are on this list.

Secondly, the organization needs to ensure that contract performance is actively monitored and measured (i.e. do not simply accept the contractor’s performance reports as fact).

In essence, organizations need to remember that, although you can outsource responsibility for the management of functions, you cannot outsource accountability for the consequences of not managing risk. In simple terms, if the contractor fails, the organization fails. If an organization owns the consequence, it owns the risk.

If your organization is one where contract management and contract assurance are not front of mind, or one where the assumption is that the risk has been transferred to the contractor, you are in a dangerous position.

The Right Way to Enumerate Risks

In my experience, there are a number of traps that organizations fall into when identifying the risks they face. These traps make the risks very difficult to manage.

#1 – The Broad Statement

Some organizations fall into the trap of capturing “risks” that are broad statements as opposed to events or incidents. Examples include:

• Reputation damage;
• Compliance failure;
• Fraud;
• Environment damage.

These terms tell us nothing and cannot be managed – even at a strategic level. Knowing that you might face, say, reputation damage doesn’t tell you what might hurt your reputation or how to prevent those incidents from happening.

#2 – Causes as Risk

The most common issue I see in risk registers is that organizations capture “risks” that are actually causes rather than events/incidents.

Wording that indicates a cause rather than a risk includes:

• Lack of … (trained staff; funding; policy direction; maintenance; planning; communication).

• Ineffective … (staff training; internal audit; policy implementation; contract management; communication).

• Insufficient … (time allocated for planning; resources applied).

• Inefficient … (use of resources; procedures).

• Inadequate … (training; procedures).

• Failure to … (disclose conflicts; follow procedures; understand requirements).

• Poor … (project management; inventory management; procurement practices).

• Excessive … (reporting requirements; administration; oversight).

• Inaccurate … (records; recording of outcomes).

These “risks” also tell us very little and, once again, cannot be managed. Knowing that you might face a lack of training, for instance, doesn’t tell you what incidents might occur as a result or help you prevent them.

#3 – Consequences as Risk

Another trap organizations fall into when identifying risk is capturing “risks” that are actually consequences rather than events or incidents. Examples include:

• Project does not meet schedule;

• Department does not meet its stated objectives;

• Overspending.

Once again – these cannot be managed. A project missing its schedule is the result of a series of problems, and knowing the potential result doesn’t help you prevent it.

So, if these are the traps that organizations fall into, then what should our list of risks look like? The answer is simple – they need to be events.

I look at it this way – when something goes wrong, such as a plane crash, a train derailment, a food poisoning outbreak or a major fraud, it is always an event. After the event, there is analysis to determine what happened, why it happened, what could have stopped it from happening and what can be done to keep it from happening again. Risk management is no different – we are just trying to anticipate and stop the incident before it happens.

The table below shows the similarities between risk management and post-event analysis:


To that end, risk analysis can be viewed as post-event analysis carried out before the event occurs.

The rule of thumb I use is this: if a post-event analysis could not be conducted on the “risk” in your register were it to happen, then it is not a risk!

If you apply this approach to your list of risk events, you will:

• Reduce the number of risks in your risk register considerably; and (more importantly)

• Make it a lot easier to manage those risks.

Try it with your risk register and see what results you get.
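As an added example (not the author’s tool, and not code from the original posts), here is a small Python linter that applies the tests from this post and the earlier one on framing risk statements to a register export: it flags entries that are broad labels, causes or consequences rather than events, and checks that a properly framed risk carries more than one cause, more than one consequence, and controls with a measured effectiveness. The cause prefixes and broad terms are the lists from this post; the consequence patterns, the sample register, the minimum counts and the effectiveness scale are assumptions made for illustration.

```python
"""Lint a risk register for the traps described in the post.

Added example, not the author's tool. The cause prefixes and broad
terms come from the post; the consequence patterns, sample register,
completeness thresholds and effectiveness scale are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Wording the post lists as a tell that an entry is a cause, not an event.
CAUSE_PREFIXES = (
    "lack of", "ineffective", "insufficient", "inefficient", "inadequate",
    "failure to", "poor", "excessive", "inaccurate",
)

# Broad category labels the post says cannot be managed.
BROAD_TERMS = {"reputation damage", "compliance failure", "fraud", "environment damage"}

# Assumed patterns for consequence-style wording (the post gives examples only).
CONSEQUENCE_PATTERNS = (r"\bdoes not meet\b", r"\boverspend", r"\bcost overrun")


def classify(statement: str) -> str:
    """Return 'broad', 'cause', 'consequence' or 'event' for one register line."""
    s = statement.strip().lower().rstrip(".;")
    if s in BROAD_TERMS:
        return "broad"
    if any(s.startswith(p) for p in CAUSE_PREFIXES):
        return "cause"
    if any(re.search(p, s) for p in CONSEQUENCE_PATTERNS):
        return "consequence"
    return "event"


def lint_register(entries: List[str]) -> Dict[str, str]:
    """Classify every entry; only 'event' entries belong in the register."""
    return {e: classify(e) for e in entries}


@dataclass
class Risk:
    """A risk as the posts frame it: one event, with its causes,
    consequences and controls kept as separate lists rather than
    folded into the statement."""
    event: str
    causes: List[str] = field(default_factory=list)
    consequences: List[str] = field(default_factory=list)
    controls: Dict[str, str] = field(default_factory=dict)  # control -> effectiveness rating


# Assumed rating scale; anything outside it means the control was never measured.
EFFECTIVENESS = {"effective", "partially effective", "ineffective"}


def completeness_gaps(risk: Risk) -> List[str]:
    """Flag a risk written up with a single cause or consequence, or whose
    controls have no measured effectiveness (thresholds are assumptions)."""
    gaps = []
    kind = classify(risk.event)
    if kind != "event":
        gaps.append(f"'{risk.event}' is a {kind}, not an event")
    if len(risk.causes) < 2:
        gaps.append("fewer than two causes recorded")
    if len(risk.consequences) < 2:
        gaps.append("fewer than two consequences recorded")
    if not risk.controls:
        gaps.append("no controls recorded")
    for control, rating in risk.controls.items():
        if rating not in EFFECTIVENESS:
            gaps.append(f"control '{control}' has no measured effectiveness")
    return gaps


# Constructed sample register: the post's own bad examples plus one real event.
SAMPLE_REGISTER = [
    "Lack of trained staff",
    "Reputation damage",
    "Project does not meet schedule",
    "Failure to disclose conflicts of interest",
    "Unauthorized disclosure of customer records",
]

# The one real event, decomposed the way the first post asks for (constructed).
SAMPLE_RISK = Risk(
    event="Unauthorized disclosure of customer records",
    causes=["Lack of access reviews on shared storage"],
    consequences=["Regulator notification", "Legal action by affected customers", "Reputation damage"],
    controls={"Quarterly access review": "not yet measured"},
)

if __name__ == "__main__":
    for entry, kind in lint_register(SAMPLE_REGISTER).items():
        print(f"{kind:12} {entry}")
    for gap in completeness_gaps(SAMPLE_RISK):
        print("gap:", gap)
```

Note that “Reputation damage” is flagged when it appears as a register entry but is perfectly valid as one of the consequences listed under a real event; that is the distinction the post is drawing.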

A Risk Is a Risk

Commonly, people talk of different types of risk: strategic risk, operational risk, security risk, safety risk, project risk, etc. Segregating these risks and managing them separately can actually diminish your risk-management efforts.

What you need to understand about risk and risk management is that a risk is a risk is a risk — the only thing that differs is the context within which you manage that risk.

All risks are events, and each has a range of consequences that need to be identified and analyzed to gain a full understanding. For example:

Say you have a group identifying hazard risks in isolation from the risk-management team (a common occurrence). They tend to look at possible consequences in one dimension only – the harm that may be caused – and decisions on how to handle the risk are made on that assessment. What hasn’t been done is to assess the consequences against all of the organizational impact areas in your consequence matrix. As a result, the assessment of that risk may be wrong; for instance, there may be significant compliance consequences that don’t show up as a safety issue.

If you only look at risk in one dimension, you may make a decision that creates a downstream risk that is worse than the event you’re trying to prevent. For instance, you may mitigate a safety-related risk but create an even greater security risk.

The moral of the story: Managing risk in silos will diminish risk management within your organization.

In about 80% of cases, you can’t do anything about the consequences of the event; what you are trying to do is stop the event from happening in the first place.