New approaches to risk management continued: Are you getting these five things wrong too?
Published: July 05, 2019
Risk is everywhere, from the insignificant to the company killers (read Takata Corporation). Risk management is about understanding as much as we can about what we don't know; but knowing enough about what we can conceive or perceive to make informed decisions.
It’s important to suspend judgement and start by simply understanding the catastrophes that may lie in wait for us.
In my previous post, I talked about 5 common mistakes made by organisations as they strive to manage risk. In this piece, I cover 5 more.
Customers can be individuals or groups, internal or external, end-users, or subsequent processes or applications. They also include internal business standards and rules, external regulations and laws, and implicit moral and ethical standards that we hold ourselves to.
For good risk management, it is important to define who the customers, product or process are. For each customer, the effect of a failure may be different and it’s important to capture the effect for every customer who is reasonably expected to experience the failure.
Severity of effect can differ between impact groups, but capturing information for each customer tells a richer story. When prioritising risks for mitigation, the highest severity of effect scores are taken as the deciding factor.
As a result, the risk management activities focus on less severe risks or ones that are much less likely to occur simply because it is easier to determine appropriate mitigating actions.
Another common mistake in approach is to try to define the severity of effect, the likelihood of occurrence, and the controls for each risk individually line-by-line. This approach is incorrect and results in much fewer risks being identified. The severity of effect of all failures should be determined before evaluating the likelihood of each risk occurring.
Each aspect of risk (severity, occurrence, detection) should be completed before moving on to the next i.e. risk management should be completed vertically, not horizontally.
In the case of risk management, however, it's not ideal. It's easy to confuse the severity of effect of a failure (which might be high because the failure is particularly bad) with the likelihood of occurring (but is pretty unlikely) and use that likelihood to reduce the severity of effect. This creates an incomplete picture of the true risks we are exposed to and might result in a truly serious risk being incorrectly deprioritised.
The reason we need to objectively evaluate the severity is because the severity is the first quantitative score used to determine the priority of risks for mitigation. If we corrupt the severity by reducing it because 'it's not likely to happen' we may overlook critical risks that we should address.
In some cases there may be nothing that can be done to mitigate a risk and it is certainly good practice to highlight these high-severity risks to senior management. They should know and understand how such risks may affect the business and their likelihood of occurring. However, the majority of risks should be described qualitatively and/or quantitatively through a common organisation-wide risk taxonomy and mitigated through prevention and/or detection controls. Risk management is about action through evidence-based decision-making.
Typically, mitigating actions consist of prevention controls (actions that seek to reduce the likelihood of the risk occurring) or detection controls (actions that increase the ability and reliability of detection of the cause or effect of the failure). For critical risks, prevention and detection controls should be considered.
Note: reducing the severity of effect of failure is uncommon and usually requires a fundamental redesign of the product or process because the failure relates to an immutable characteristic of the product or process. Be on the lookout for risk assessments that arbitrarily reduce the severity of effect by mitigating actions - they are likely fake.
However, the job is not done once the new or improved controls have been implemented. The risk needs to be re-evaluated with the new controls in place to ensure that its overall risk has been reduced.
Missing this step means that the next highest priority risk may remain buried and may not be mitigated.
Feel the fear and do it anyway. Avoid simply transferring responsibility to someone else or talking yourself out of action. Ignore risks at your peril.
It’s important to suspend judgement and start by simply understanding the catastrophes that may lie in wait for us.
In my previous post, I talked about 5 common mistakes made by organisations as they strive to manage risk. In this piece, I cover 5 more.
1. Failing to consider all the 'customers' of a product or service
Customers are anyone or anything downstream who consumes a product or service and can reasonably be expected to experience the effect of a realised risk (a failure).Customers can be individuals or groups, internal or external, end-users, or subsequent processes or applications. They also include internal business standards and rules, external regulations and laws, and implicit moral and ethical standards that we hold ourselves to.
For good risk management, it is important to define who the customers, product or process are. For each customer, the effect of a failure may be different and it’s important to capture the effect for every customer who is reasonably expected to experience the failure.
Severity of effect can differ between impact groups, but capturing information for each customer tells a richer story. When prioritising risks for mitigation, the highest severity of effect scores are taken as the deciding factor.
2. Ignoring critical risks because they seem unmanageable
What do we do when we come across obvious critical risks that can have devastating consequences if realised, but are unlikely to be able to be mitigated? Surprisingly, these critical risks are often just ignored and left out of risk management because they are deemed 'too hard' or 'there's nothing that can be done'.As a result, the risk management activities focus on less severe risks or ones that are much less likely to occur simply because it is easier to determine appropriate mitigating actions.
Good risk management requires us to suspend our subjective brain and work to define and evaluate the risks as objectively as possible.
Another common mistake in approach is to try to define the severity of effect, the likelihood of occurrence, and the controls for each risk individually line-by-line. This approach is incorrect and results in much fewer risks being identified. The severity of effect of all failures should be determined before evaluating the likelihood of each risk occurring.
Each aspect of risk (severity, occurrence, detection) should be completed before moving on to the next i.e. risk management should be completed vertically, not horizontally.
3. Confusing the effect of a realised risk (a failure) with the likelihood of it occurring
As humans (and particularly as technical, problem-solving humans) our brains are wired to draw conclusions quickly from the available information, working in a linear fashion towards a conclusion. We use previous experience and heuristics to shorten the path which is useful for simple decisions we make every day.In the case of risk management, however, it's not ideal. It's easy to confuse the severity of effect of a failure (which might be high because the failure is particularly bad) with the likelihood of occurring (but is pretty unlikely) and use that likelihood to reduce the severity of effect. This creates an incomplete picture of the true risks we are exposed to and might result in a truly serious risk being incorrectly deprioritised.
The severity of effect of a failure is a way to describe how bad the failure of a characteristic of the product or the process might be. The characteristic is often immutable in that it is part of how the product or process works. The effect is determined objectively from the point of view of any downstream customer reasonably expected to experience the failure and has no relation to the likelihood of the risk occurring.
The reason we need to objectively evaluate the severity is because the severity is the first quantitative score used to determine the priority of risks for mitigation. If we corrupt the severity by reducing it because 'it's not likely to happen' we may overlook critical risks that we should address.
4. Substituting checks and approvals for real risk mitigation
Risk mitigation involves eliminating the risk by changing something fundamental about a feature or function (i.e. removing a specific feature to remove a risk) or reducing the risk by introducing some mitigating control or action.Simply having senior management 'sign-off' on risks up-delegates the responsibility for risks, should they be realised, and does absolutely nothing to actively manage the risks.
This so-called risk acceptance is a poor substitute for true risk management.In some cases there may be nothing that can be done to mitigate a risk and it is certainly good practice to highlight these high-severity risks to senior management. They should know and understand how such risks may affect the business and their likelihood of occurring. However, the majority of risks should be described qualitatively and/or quantitatively through a common organisation-wide risk taxonomy and mitigated through prevention and/or detection controls. Risk management is about action through evidence-based decision-making.
5. Missing the risk re-evaluation step
Risk management is not a one-off activity. It is a continuum; evaluating and prioritising risks, implementing mitigating actions, re-evaluating and re-prioritising risks, and continually reducing risk exposure by improving the controls.Typically, mitigating actions consist of prevention controls (actions that seek to reduce the likelihood of the risk occurring) or detection controls (actions that increase the ability and reliability of detection of the cause or effect of the failure). For critical risks, prevention and detection controls should be considered.
Note: reducing the severity of effect of failure is uncommon and usually requires a fundamental redesign of the product or process because the failure relates to an immutable characteristic of the product or process. Be on the lookout for risk assessments that arbitrarily reduce the severity of effect by mitigating actions - they are likely fake.
However, the job is not done once the new or improved controls have been implemented. The risk needs to be re-evaluated with the new controls in place to ensure that its overall risk has been reduced.
Missing this step means that the next highest priority risk may remain buried and may not be mitigated.
Summary
Managing risk requires a practical, effective, and consistent approach across the organisation. Have the courage to clearly describe the potential catastrophes you face BEFORE considering what can be done to mitigate them.Feel the fear and do it anyway. Avoid simply transferring responsibility to someone else or talking yourself out of action. Ignore risks at your peril.
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.