#145 – DEMYSTIFYING RISK – LIFE VS. DEATH – GREG CARROLL

Posted on by

GregCarrollRisk management is suffering from too much consultant-speak – mystifying what is a standard business practice. When inducting new staff in the concepts of risk management, I use the most obvious analogy which clarifies the issues simply: that of our own mortality.

Risk Identification

Do we worry about being hit by lightning? No, but we don’t go playing golf in a thunderstorm (most don’t anyway). We do have insurance though, in case that once-in-a-lifetime (black swan) event occurs. So, every day we easily identify what is worthy of noting, managing, or avoiding. It’s not much of an extension to apply those same principles to what we do at work. The main need is to take the time to do it.

Risk Assessment

The irrelevance of the Risk Matrix and Heat Maps.

How would you feel if you had a risk of dying that is “3” or colour-coded yellow? Your risk of death is neither finite nor static, so allocating a value or mapping it onto a heat map does nothing to aid in your understanding or treatment of the risk. So why would it be any different in business? Most people know they should eat better, exercise more often, drive slower, and not play golf in a thunderstorm. Think, when have you changed your lifestyle?

Risk Drivers & Influences

Risk of death is affected by the state of your health, lifestyle choices, environmental factors and what happens around us. Once we decide to do something about our risk, we start by identifying the key things that result in risk, be it cholesterol, anxiety, where we live, etc. These are the risk drivers and we monitor their effect on us (Key Risk Indicators or KRIs). This is the first step in managing risk. To understand these drivers, we then look at what (Risk Influences) causes them to move up or down, and by monitoring or working on those influences – be it fat intake, stress, or political action – we move to prevention.

Mitigation vs Hierarchy of Controls

Controls are what we put in place to protect against the threat where mitigation is minimising the effect/impact. So controls are about prevention, and mitigation about reaction. To prevent getting hurt we remove the threat, put safeguards in place, or wear protective clothing. Obviously it’s better to removing the threat than just protecting yourself, so we arrange the possible options in order of benefit (Hierarchy of Controls) and then select the most cost practical required (applying controls).

This highlights the problem with most ‘traditional’ risk management systems. Do you wear a helmet to drive a car? What about on a race track or in a mine? It’s not risk you manage – it’s the event!

This highlights the problem with most ‘traditional’ risk management systems. Do you wear a helmet to drive a car?  What about on a race track or in a mine?  It’s not risk you manage – it’s the event!

Risk Events & Incident Management

How many so-called risk management systems even manage risk events? Look at your Risk Register. Does it register possible events or just static impacts? The risk of a car accident has many contributing factors from where, when, how, who, etc, etc. The Risk Events Register should cover multiple scenarios, with appropriate controls for each, and methods of identifying which are applicable. You then have pro-active risk management. As the old adage goes: “If you can’t measure it, you can’t control it.” Recording incidents in concert with risk events enables a true closed feedback loop to ensure your risk management continues to evolve.

Scenario Analysis & Aggregation

Finally, if you want to have a risk management system that adds value to the business – not just an overhead – it needs to be a tool for better and faster decision-making. This means going further than risk registers and heat maps to providing operational management with insight and options. By adding contributing factors to your risk events, and using Neural Networking technique, you can quickly identify the current possible outcomes. Using Bayesian mathematics (add-in to Excel), you can easily see the compound effects (risk aggregation) of these current possible outcomes and identify the most vulnerable parts and areas of your business.

Summary

Like getting fit, having a destination goal is a strong motivator. Perhaps Scenario Analysis and Aggregation are beyond your present capabilities. Knowing what’s available once you have mastered the other principles can motivate you to adopt this more proactive approach to risk management.

Bio:

Greg Carroll 
- Founder & Technical Director, Fast Track Australia Pty Ltd.  Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.

In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.

Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks.   Meanwhile a recent Webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be in which we show how emerging best practices provide a good picture for how enterprise risk management should look in the 21st century.

Leave a Reply

Your email address will not be published.