#1 – REFRAMING RISK – ED PERKINS – WORK@RISK™

By Ed Perkins
e.perkins@ieee.org

We hear lots of advice on how things now are being “reframed” in terms of risk.  But what does this mean? How would I know that if I saw it? It helps to be an educated observer so you can tell when someone is ‘walking the talk’ vs. ‘blowing smoke’.

First, let’s look at how a risk view is different from the usual and customary. Every day we hear and read about many factors of concern.  Here are some examples that quickly come to mind:

  • Quality: zero defects, customer satisfaction, user-friendly, process in control
  • Cybersecurity:  threats,  anti-virus,  intrusion detection, compliance, authorization, access, integrity, hacking,
  • Operations: reliability, responsiveness, schedule, viral marketing, shipments, milestones, dependencies

These factors are weighted towards transactions and outcomes, in other words, organizational objectives, which is the primary goal of any organization.

If we step back a bit, and look up at a bigger picture, we see that all these factors of concern are based on ensuring a positive outcome or avoiding a negative outcome. We want to avoid defects, have happy customers, be in compliance, be immune from threats, have reliable products, meet schedules, achieve milestones, and have positive results from the things we have to depend upon.

What about risk? When we think about risk, we tend to think of danger and peril, although there also is risk-reward, taking a risk, going out on a limb, etc. So risk is both bad and good? No, risk is risk; it is the possible consequences of the risk that can be bad or good.

Which brings us back to reframing things in terms of risk. If we switch to a risk perspective, these factors  can be restated as (reframed):

  • zero defects as risk of defects
  • customer satisfaction as risk of customer dissatisfaction
  • compliance to risk as non-compliance
  • process in control as risk of uncontrolled process variance
  • reliability as risk of product unreliability
  • access as risk of security breach
  • milestones as risk of not achieving milestones.

Or in other words, in the risk domain, failure to achieve objectives.

Thus in the risk domain, the focus is not on the objectives per se, but on the risk to achieving the objectives. Risk Management is applied to control the risks and enhance the likelihood of achieving the objectives. Risk can be looked at as a two-sided coin: opportunity or danger. Either way, the same approach can be used to manage risk.

To determine if you or your organization are reframing things in terms of risk, or operating in the risk domain, look for this evidence. Do discussions of objectives cover risk? Is the likelihood and consequence of risk factored into decision making? Is any attention paid to assessing likelihood of risks happening, and if the consequences are severe, is any effort put into determining risk management and mitigation options.

Leave a Reply

Your email address will not be published. Required fields are marked *