Often when identifying a risk there is confusion about what should be captured in a risk register. The information actually captured in many organisations’ risk registers makes it very difficult to manage the risks.
There are a number of traps that organisations fall into:
#1 Trap for Players – the Broad Statement Risk Trap
Some organisations fall into the trap of capturing “risks” that are broad statements as opposed to events/incidents. Examples include:
- Reputation damage;
- Compliance failure;
- Fraud; and
- Environment damage
These tell you nothing and cannot be managed – even at a strategic level.
#2 Trap for Players – the Causes as Risk Trap
The most common issue with risk registers is that many organisations fall into the trap of capturing “risks” that are actually causes as opposed to events/incidents.
The wording that indicates a cause as opposed to a risk include:
- Lack of …. (trained staff; funding; policy direction; maintenance; planning; communication).
- Ineffective …. (staff training; internal audit; policy implementation; contract management; communication).
- Insufficient …. (time allocated for planning; resources applied).
- Inefficient …. (use of resources; procedures).
- Inadequate …. (training; procedures).
- Failure to…. (disclose conflicts; follow procedures; understand requirements).
- Poor….. (project management; inventory management; procurement practices).
- Excessive …. (reporting requirements; administration; oversight).
- Inaccurate…. (records; recording of outcomes).
These also tell you little and, once again, cannot be managed.
#3 Trap for Players – Consequences as Risk Trap
Another trap that organisations fall into when identifying risk is the trap of capturing “risks” that are actually consequences as opposed to events/incidents. Examples include:
- Project does not meet schedule;
- Department does not meet its stated objectives; and
- Budget overspend
Once again – these are not able to be managed.
If these are the traps that organisations fall into, then what should our risks look like? The answer is simple – they need to be events.
When something goes wrong like a plane crash, a train derailment, a food poisoning outbreak, major fraud etc. it is always an event. After the event there is a post event analysis to determine what happened, why it happened, what could have stopped it happening and what can be done to try and stop it happening in the future. Risk management is no different – you are trying to anticipate and stop the incident before it happens.
The table below shows the similarities between risk management and post event analysis:
|
Post Event Analysis |
Risk Analysis |
| What happened? | What could happen? |
| What caused it to happen? | What would cause it to happen? |
| What were the consequences? | What would the consequences be? |
| What could we have done to stop it happening? | What can we do to try and stop it happening? |
| What could we have done to reduce the consequences? | What can we do to minimise the consequences if it does happen? |
To that end, Risk Analysis can be viewed as Post Event Analysis prior to the event occurring.
A good rule of thumb to use is that if the risk in your risk register could not have a post event analysis conducted – then it is not a risk!!!
If you are able to make all of your risks events you will:
- Reduce the number of risks in your risk register considerably; and (more importantly)
- Make it a lot easier to manage those risks.
Try it with your risk register and see what results you get.
Bio:
Paladin Risk Management Services is the brainchild of Rod Farrar, who founded the company in 2007 as a result of his passion and skill for managing risk. Rod’s extensive experience in assisting organisations to mitigate and eliminate professional risks they may encounter is at the core of Paladin Risk Management Services.
The core service offering is risk management training workshops.
The Risk Management Diploma is a broad based program aimed at risk management and business continuity professionals or those aspiring to fill roles in these industries. After the four day course, attendants have six months to complete the assessment activities, at which point they will be awarded the Diploma.
The Paladin Risk Management Academy Advanced Diploma of Governance Risk and Compliance is fully accredited by the Australian Skills Quality Authority (ASQA). The four day course is the only offering in Australia which covers governance, risk, compliance and business resilience.
If you have any burning questions on risk management, Rod Farrar is always ready for a friendly chat. Contact him at rod@paladinrisk.com.au or 0400 666 142.