We are all faced with risks every day; with decisions that can have potentially catastrophic consequences. Assessing risk is something we have been coached to do on a daily basis from a young age: Is this wall too high to jump off? Can I cross the road? Is it too icy to drive? Should I lend my friend £50? Shall I accept this job offer? Nowadays the management of risk dominates industry and new laws and regulations continue to be introduced that require organisations to establish and improve good risk management practices. Those skills we unknowingly learnt growing up are now the tools of our trade at work.
‘Health & Safety’ is probably the most widely recognised risk management practice in industry; unfortunately its reputation is often knocked for introducing onerous or obstructive ‘rules’ where the focus has been on preventing something being done unsafely, rather than finding a way to do that thing safely. Regardless of your feelings about Health & Safety, the practice in the UK has formalised many concepts that are now prevalent across the risk management universe. However, there are still situations where a common understanding is not that common.
We are so familiar with the term ‘Risk’ we don’t stop to analyse what we mean when talk about it. Risk is often used as a synonym for one or more elements of its composition, the Threat, Cause or Consequence and how they are linked:
- Threat (or hazard) is a circumstance that may negatively impact a situation or activity
- Cause is the event or conditions that trigger the threat
- Consequence is the outcome of the threat being triggered
These, along with the likelihood (probability) of the threat being triggered and severity (impact) of the consequences, provide a complete view of the risk.
At this point it is worth mentioning that probability is not frequency. Probability is the number of occurrences (failures, incidents, events etc) over a total number of attempts, whereas frequency is the number of occurrences over a given time frame. However they can be linked, for example, if a business process typically fails once every 100 times it is performed then there is a 1% probability of process failure. If this process is run 20 times a day then the process is likely to fail once every five days – a frequency of ‘weekly’ if the business operates a five day week.
When referring to a risk it is quite common to single out a threat, cause or consequence or use them interchangeably, for example the risk of crashing when driving, the risk of redundancy, the risk of data corruption or credit risk and reputational risk when running a business. The table below shows how these examples map to Threats, Causes and Consequences.
|Situation or activity||Threat||Cause||Consequence|
|Driving a car||Loss of control||· Driving too fast
· Drink driving
|Accident or crash|
|Having a job||Dismissal or redundancy||· Poor personal performance
· Employer downsizing
|Data backups||Un-restorable backups||· Undetected backup failures
· Corrupted backups
|Loss of data|
|Lending money||Unpaid/unrecoverable debts||· Ineffective credit assessment
· Ineffective credit control
|Running a business||Bad publicity||· Unethical business operations
· Non-compliance with regulations
This is all well and good but how does it help? We have got along perfectly well talking about risks without always analysing the composition and just the fact that we talk about risk means we are all the more mindful of it.
“Understanding Threats, Causes and Consequences means we can focus our efforts where they will best eliminate or reduce risk and this is by addressing the Causes.
Threats and Consequences can vary depending on individual perspective but Causes largely remain unchanged if the root or underlying Cause is identified. With the ‘ineffective credit control’ example above, asking ‘Why are credit assessments ineffective?’ or ‘Why is credit control ineffective?’ may reveal that there is a lack of training. Drilling down further may reveal a lack of training budget or even ineffectual management that doesn’t recognise the value of training employees. Depending on your perspective, you may be concerned about a less severe Threat such as delayed payments rather than unpaid debts. Similarly, the Consequences could be missed revenue targets rather than poor profitability. Either way, by focussing on the Causes and remediating them to an acceptable level, the Threats and Consequences can be reduced.
By Rick Warley, Managing Director of Mavintree Limited. Mavintree are a management consultancy specialising in operational risk, business continuity and crisis management.
The opinions expressed by guest bloggers are their views and do not necessarily reflect the opinions of Corix Partners.