
Upload: trinhdieu

Post on 07-Aug-2018


TOPIC 1: THE HISTORY AND DIRECTIONS OF RISK MANAGEMENT

This provides an historic timeline (see Reading) and overview of the antecedents and concepts arising in risk management. Looking at the development of interests in gambling, probability, and economic decision theory and rationality, we consider how these approaches have influenced risk management and thinking. Current and future issues in risk management (such as behavioural, expectation risk, risk of risk management) are presented within the broad perspective of management practice and interdependencies within organisations, communities,

Getting Down to basics

A central problem in risk management arises from the history of risk and the directions it has taken over the last two thousand years. Two key problem clusters reside in the focus (in terms of central interests) and the ensuing lack of consistency in the use of terminology.

Focus. Primitive considerations of risk can be found between five and a thousand years ago, depending on which culture and region of the world one considers. Until the last 500 years, these focal perceptions tended toward basic concepts of gambling (including 6-sided dice) and some consequential risk in insuring cargo (in the peak of the Roman empire). This focus on insurance continues through to today and is a deceptive distraction. Insurance is not risk management but rather impact cost management. In Western history, the evolution of mathematics prompted a parallel interest in risk in terms of statistical distribution of events, probability, and modelling outcomes. This continues today, with an assumption that risk events can be scientifically and objectively calculated. Interest in risk still covered issues in insurance (particularly in England where the emergence of Lloyd’s Coffee House into a large international insurance collective began). However, interest expanded to look at other governmental issues – such as calculating the expected number of eligible males available for military service – and in terms of framing mathematical puzzles.

These interests continued to focus attention on financial protection (insurance) and on economic and government utility. About 300 years ago, probability and risk moved into ‘health’ projections. One example was the use of variation of samples of cholera victims to suggest the source of outbreaks in London (England) was some public water pumps. This began a focus on public health (and safety) which has continued into current times. In fact, too many decision makers and members of the public mistakenly perceive risk as essentially about money/insurance (financial management) or legislated health and safety requirements. Both overlook the central value concept of risk which is that risk is about loss of (or damage to) something that sentient beings (in our case, humans) value. This mistake is fairly easily explained, given both the historical focus of risk and the ease with which we can substitute money value (and thus the apparent certainty of figures) as a measure of value.

Value, however, is an intrinsic and thus subjective activity. Risk is shaped and changed in perceived threat and value of loss by how we as individuals, groups, communities and a people view a given loss or damage.

Thinking in risk has been dominated in the last 100 years by a combination of economic interests, psychological decision making research, and complex mathematical modelling. This has tended toward two assumptions worth noting and remembering. The first assumption is that risk can be objectively defined – and intrudes a science or engineering bias that de-emphasises the cognitive or behavioural components of risk. The second assumption is that one can use economic and aggregate mathematical models to predict specific, often singular, occurrences, events, or outcomes. In limited defined environments this can be quite accurate. In broad dynamic and human-influenced environments this approach falls short of accuracy. Behind the search for, development of, and reliance on models are at least two assumptions and questionable expectations.

One of these is the almost human desire for predictability and control over the surrounding environment. There is an attractiveness and even beguiling appeal in the apparent factuality of mathematically and statistically produced outcomes. This is reflected in the anecdotal cliché: ‘figures don’t lie’.

The other of these is a perception that figures provide factual and universal truths. This may appear so in counting finite physical entities but is less so when considering less physical entities and such concepts as value. As an example, the value of a litre of unrefined oil will increase over time as we reduce the quantity of oil available. This reflects an economic slant that risk thinking can take. Value can be described in monetary terms. However, even this may have variations of outcome. Value depends on the frames of reference being used. From a global economic frame of reference developing viable alternative sources of energy and chemical manufacture is likely to reduce the utility and thus the value of the remaining oil. Human awareness of the rarity of the litre of oil may actually increase the attributed value assigned to that litre – scarcity means rarity and uniqueness.

Lack of consistency in the use of terminology. A grey area in risk is what is meant by the word ‘risk’ and associated terms. Theorists, consultants and managers also confuse themselves and others by sloppy use of terms. For example, the frequency (or probability) of risk and the impact value imputed to risk can be presented as ‘risk’. This may seem pedantic until we realise that we often shift attention from managing risk to managing the priority setting and political process of cost of impact of risk at the expense of actually managing risk.

Paul Slovic (a world-recognised decision making researcher) observed that ‘trivial risks’ may prove to be the greatest of all risks. However, trivial risks may be ignored in favour of risks perceived to have possible high levels of harm or damage or cost of impact in preference to those risks with greater frequency or probability but lesser possible levels of harm, damage, or cost. Slovic (1999) also states there exists a need to include perceived risk with any objective risk assessment.

SOME DIRECTIONS OF RISK

So where may risk and risk management be heading?

We will look a little more closely at this in Topic Eleven. Here, we can note that very slowly risk managers, organisations and communities are realising that risk is not as simple as they would wish.

There are four areas that need bearing in mind from the start. These are behavioural risk, expectation risk, the risk of risk management, and the interdependencies of these and other risk factors.

Behavioural Risk. As noted earlier, risk has tended to be argued in scientific and objective terms – drawn from scientific knowledge, engineering, financial and insurance data. Setting aside that knowledge based in science tends to change over time – once a conference of world experts argued against meteorites and another conference in London in the early 20th century met to find solutions to the horse manure problem (‘by the middle of the century cities will be more than knee deep in horse manure’) – the reality is that sentient (human) perceptions and cognitions identify, shape, and even distort ‘objective’ risk.

Moreover, human reasoning and human interaction generate behaviour that in itself produces risk factors. Obvious factors from human behaviour include substance abuse, drink driving, and gambling. Other aspects include the risks that arise from crowd behaviour, from single focus groups, and the ways in which we fear risks. People adopt riskier (and more violent) behaviour when in groups – a probable mix of social conformity and perceptions of being individually concealed by the crowd. Single focus groups can move toward an exclusive us versus the rest mentality that adds risks. Unseen risks are rated (and reacted to) as riskier than seen or observed risks. We will look at these in more detail in a later topic.

Expectation Risk. This is a major emerging risk that comes from the cognitive behavioural aspects of risk. Essentially expectation risk describes risk factors that are brought into play or increased by the expectations people base on their beliefs and reasoning. Inaccurate expectations obviously lead to riskier behaviours and outcomes. Expectations can be derived slowly by accretions of experience – whether real or vicarious. Consequently the continuous presentation of opinions by news media, time-compressed and unrealistic movies and television, and the speed with which electronic media can present information are as likely to add to erroneous expectations as real time experience.

The errors come from imprecise experience, from the needs of entertainment over accuracy of presentation in movies and television, and the need for simplification in presenting complex news. At least three expectation risks are worth noting:

1. Expectations that society/governments will come to personally save us (especially in regional natural disasters).

2. Expectations that things should be fair and in alignment with the values of the holder of the expectations.

3. Expectations that are based upon continuously presented ‘facts’.

Recent examples suggest that particularly Western countries hold unreasonable expectations about response times and assistance in mass disasters. This leads to riskier behaviours in exposure to the risk and risk consequences, as well as false expectations when one looks at simple logistics and capabilities. A hundred hours of constant media presentation of lack of assistance, however, builds a convincing picture of lack of response. Media influence on belief and expectation exists, particularly in the USA. Within 14 weeks of continual challenge by media outlets, President Nixon sustained a reversal in public opinion over his involvement in the Watergate Scandal (a cover-up of involvement in party-based spying in his re-election campaign). As with propaganda and one-sided information management, frequently expressed opinion has a tendency to be regarded as fact.

Other expectation factors include connections between global warming and increased violent weather (when there are equally feasible explanations from multi-year cycles and even the onset of an ice-age). Likewise, perceptions of justice and fairness too often get extrapolated from one situation or country to another situation or country with little regard for context or culture.

One further aspect of expectation (linked with the reinforcement of marketing) is that organisations can massage the expectations of others to suit their own goals and purposes. By playing on a growing Western consciousness of pollution, retail organisations have been able both to increase future profit margins by ‘selling’ bags that substitute for less than 1 per cent of the non-biodegradable packing they use and to avoid having to pay for set-up costs for biodegradable carrying bags. Expectation management can be used to both focus attention and avoid presenting alternatives.

Risk of Risk Management. The risk of risk management factor holds three central themes. First, any attempt at risk management (even doing an initial risk assessment) is likely to change the nature and size of the riskiness of the situation. Not only are people cued into seeing (or not seeing) the risks around them and thus into changing their behaviours, but the shape and nature of risk factors change with those changes in behaviour. Second, the belief that risk management is (somehow, somewhere) in place often leads to riskier behaviours. The environment is either perceived as being safer or, perhaps more likely, behaviours that are not corrected are deemed as being consequently acceptable. In a sense, there is an implicit expectation (or even belief) that risky behaviours would be intercepted and stopped. Third, the risks (and risk priorities) identified by people in an organisation have a tendency over time to be viewed as the only risks in that environment by most if not all stakeholders. In this situation, changes in risk, new risks, and discounted or ignored risks have a tendency to activate and ‘shock’ the stakeholders in so doing.

Risk Interdependency. There still remain many people unable or unwilling to comprehend the complexities of risk. Few risks are actually unique and singular. Most risks depend on other factors and even other risk factors to activate. Risks are situational factors in environmental, temporal, and cognitive perspectives. Consequently we need to look for how risks may interdepend on each other, on how we assess and view those risks, and on the environmental factors surrounding the given risk.

TOPIC 2: FUNDAMENTALS OF RISK MANAGEMENT

This begins from the initial questions: ‘What is risk?’ and ‘What then is meant by risk management?’ From this, we articulate the concepts of risk source, whole risk, and activated risk. Academic and practice perspectives provide two broad frames (or lenses) through which we navigate the mainstream and fringes of emergent risk management, leading to consideration of ‘basic risk management’ and ‘implications of complex risk’.

IN THE BEGINNING ...

Previously we used risk to cover the conventional frames for that term. In this sense we can see a risk as being the consideration given the onset or activation of an unwanted or undesired outcome. We tend to use some measure of frequency of occurrence or activation, and frequencies tend to be used to indicate likelihood or probability of that happening. Thus an event that happens once in ten years has a likelihood or probability of happening of 0.10 (1 in 10 years). Note that the outcome (the onset or activation of the event) is unwanted or undesired – which means we often talk in terms of loss (loss, damage, monetary costs) and with regard to some situation or entity that we humans (as sentient beings) value.

Risk is the likelihood of an activation of an event that has undesired or unwanted outcomes or consequences.

Risk can also be expressed as an estimate of the ‘chance’ that an unwanted event will happen within a given period in time. A meteorite hitting the earth’s moon or a distant star or planet in our solar system has a probability of happening but is not a risk unless the event threatens people or things that one or more of us value.

Risk is everywhere and remains everywhere. Despite our loose language we cannot manage or change risk in the sense of total or complete risk. Overall risk remains the same (the probability of 1 or a 100% likelihood). Theoretically (and practically) when we do manage some risk factors other risk factors either emerge to fill the reduction and/or existing risk factors increase in probability or likelihood.

Risk cannot be created nor destroyed and can only be changed from forms and sources of risk to other forms and sources of risk.

If this is reminiscent of an old law of chemistry (‘Matter cannot be created nor destroyed but only transformed from one form into another form’) this is deliberately so. Risk is a universal concept. Eventually someone will form the equivalent of the Theory of Relativity and search for the unifying theory. This is particularly so when we realise that risk is also a descriptor of opportunity. If risk exists, then there is the opportunity of both obviating that risk (managing) and an opportunity for non-risk or desired and wanted outcomes to arise. For example, floods due to cloud precipitation or rain are a source or form of risk, yet without the floods and the rain we have no opportunity for damming the excess water or even agricultural existence.

Note that we have begun to use the concepts of form or source of risk. This makes more clear and consistent our use of language and we will use risk to mean total possible risk and risk source (or source of risk) to indicate a specified risk factor or risky event.

This means we can manage risk sources but not really manage risk in the entirety or completeness of risk.

Managers (and people in general) can create a sense of complacency and overconfident sense of control when using terms such as ‘eliminating’ or ‘removing’ risk. What we may be able to do something about are the sources of various risk events...

Risk management is the process of identifying sources of risk within our environment and then working to remove, reduce, re-direct, or contain that source and the event and the consequences that arise when that event happens or activates.

Note that risk management involves selecting sources of risk for management. There are few occasions where more than a limited number of risk sources can be effectively managed in a given time. In this sense managers of organisations and communities seek priorities of sources for risk management. Getting this selection and priority setting ‘right’ is the key for managers – and this is a trade-off or balance between the costs involved, the goals of the organisation, stakeholder interest and support, and the risks that can be found surrounding the physical and non-physical aspects of the organisation. Risk management often becomes a risk balancing activity where cost-benefit approaches are used to decide which risk source or set of risk sources are addressed.

RISK MANAGEMENT AND RISK COMPLEXITY

Human societies have moved from simple ways of losing something of value, including life, to an increasing number of ways of doing this. The certainty of loss remains the same (a probability of 1.0) whereas the number of risk sources through which this can happen is increasing over time. Risk sources are no longer tenable as singular and separate in some linear and sequential path. Rather, risk sources are interdependent and complex. These sources are better visualised as surrounding us on all dimensions. Risk sources can be:

Catalytic (speed up the encounters with other risk sources and/or magnify the possible impact damage or loss).

Conjoint (causally tied to other risk sources such that both activate at the same time).

Embedded (emerging from within the risk source environment of the ‘parent’ risk source).

Precipitative (cause other risk sources to emerge or activate).

These aspects may be glimpsed in a simple activated risk source.

You are driving a car between two cities. As you turn a blind corner you just see a truck slewed on one side and your car hits a large metal drum before skidding off the road into an embankment. The drum lid comes off spewing a localised white-grey cloud of dust over your car. Paramedics note that the drum contained asbestos dust.

Obvious risk sources threatening loss of car and possibly life include the risk of a road accident (actually a risk source cluster) and hazardous material. The road accident to the truck releases the drum of asbestos dust (precipitative risk source). We need that drum to be there for an accident with asbestos dust to become a risk (embedded risk source), and we need the collision of our car with the drum to create a road accident with hazardous waste contamination (conjoint risk source). We need the exposure to the asbestos dust to enlarge the risk of loss through asbestosis of ability to breathe (lung damage) and various nervous and cancerous disorders. Dealing with each as a singular risk source does not provide adequate proactive risk management. Each adds to the likely scale of loss, the types of loss, and the speed with which that loss happens. These are thus compound risks.

Should we try to manage each risk source separately we may fail to manage the combined risk. Without this bigger picture perspective we could fail to remove loss. For example, better driver training does not help if the truck has a mechanical failure. Better driver training and truck fleet maintenance do not help if the construction of the road is at fault. Better driver training, truck fleet maintenance, and road construction do nothing to relieve risk from proximity to asbestos dust contamination. Any risk management – training, maintenance, construction, banning transportation of dangerous goods – leads to other risk sources. Cost increases in doing more and better training, maintenance, and construction, for example, mean extra costs to customers or loss of profitability or fewer drivers, trucks, and roads. Preventing hazardous goods and waste from being transported simply increases risks of storing hazardous waste and goods.

PROBLEMS IN UNDERTAKING RISK MANAGEMENT

We confront a virtually infinite set of sources of risk – each member of each set has its own size, situational variation, and consequent variation in impact costs. This is one reason that we need to mentally separate risk as a concept from risk evaluation which is our need to create a physical picture of the costs in terms of a common terminology such as things – usually expressed as loss or cost in time and/or money.

This can lead to three conscious or unconscious limitations to our perceived management actions:

1. We forget that risk is in the eye of the percipient of a risk as much as risk is in scientific or ‘objective’ assessment. Good risk assessment and evaluation needs to involve objective measures and subjective insights.

2. We assume numbers are certain and true and thus bias our interpretations of risk information when likelihoods and impact costs are numerically presented. Risk estimates are just estimates. Managers and people tend to infer real and concrete facts from numbers that ‘describe’ possible risks and costs.

3. When we select a set of risk sources for management, we often forget the presence of the non-selected risk sources. Very rarely can an infinite set of risk sources be managed -- in most cases we handle the most obvious and/or the most costly in terms of loss, damage, or money.

WHOLE RISK MANAGEMENT

People need to understand the realities that risk source size, activation, and consequential impact cost vary over time and situations. Power failure to a computer network will vary in impact depending on the importance of that network to the organisation at a given time, the number of computers in use, the sensitivity of software and data, and the sensitivity of the computers to power fluctuations. The impact costs of such failure depend on type of organisation and human behaviours (before, during, and after), and consequential interdependencies on other organisations. Risk source estimates of impact and cost are thus a variable.

The size, nature, and probability of the risk sources associated with driving a car will change every minute the car is driven (or a taxi, bus, aircraft, or ship is used). Parts wear and get damaged, risk sources change in moving from situation to situation and location to location, risk sources from other users and drivers change as vehicles approach and retreat, changes in weather and travel conditions change risk sources and risk source sizes, and natural disasters and over-the-horizon effects transform risk source estimates. Risk is dynamic.

Risk source assessments are average probabilities in themselves in terms of how these may actually activate, how these will be seen or sensed by people, and how the impacts may arise.

The dynamic and variable nature of risk (and of risk sources) means that we need to evaluate our ability to manage the various choices and the outcomes of those choices as well as the sources of risk. This means looking more carefully at the possible outcomes or consequences for each decision choice that we need to make – and considering these in terms of capacity and capability to manage when the outcome is favourable or unfavourable.

We need to perform consequential evaluation of all options and consequences to some acceptable level of detail.

This evaluation needs to cover not only positive or success outcomes but also negative or failure outcomes (or onset of a risk source event).

We need also to include human behaviour. Many risk management activities and programs do not integrate this component into their programs and suffer risk management ‘failures’ as a consequence. Reasons for not incorporating human behavioural risk include:

the time taken to consult all stakeholders,

the confusion of perceived risk sources and risk source strengths in information provided by stakeholder feedback,

the lack of understanding of human behaviour, and,

the lack of will in most managers to add another layer of effort into the management process.

REFERENCES

Slovic, P (1999) ‘Are trivial risks the greatest risks of all?’, Journal of Risk Research, 2(4), pp 281-288.

TOPIC 3: DOING RISK ASSESSMENT

We now look at basic risk assessment activities before moving on to consider the advantages and disadvantages of these approaches. This includes compiling risk catalogues and data bases, looking at frequency or probability estimates, considering priority matrices (such as the basic risk frequency by impact matrix), and considering the sensitivity and utility of various scales of measures used in risk assessment.

MAKING A LIST OF RISK SOURCES

We now look at some basic risk management activities – compiling and assessing risk source lists or catalogues. Unhappily, many approach this in a biased and spasmodic way – finding risks in fits-and-starts and usually from their interpretation of what is meant by ‘risk’ and from their own sense of what is threatening. Such approaches to risk assessment tend to derive work interest dominated risk clusters and an underlay of obvious physical risk.

An accountant, for example, is likely to see mostly financial risk sources (cash flow, asset threats, fraud) and some related loss of asset or loss of money threats (loss of business, loss of structure or equipment, loss of labour). An engineer (depending on managerial position) will have a slightly different perspective with a commonality in terms of loss of structure and assets, but probably a more detailed classification into types of structure, objective measures of failure mode, and a larger hazardous materials set of risk sources. A social worker, on the other hand, may de-emphasise the asset and add human risk sources (health, substance abuse, relationship breakdowns).

Moreover we tend to have an operational or tactical ‘knowledge’ of risk, so we are likely to point to local failures – ones experienced at home or office or workplace. This tends toward a weak structure of obvious physical risks.

Risk Source Statements

Of course, before we rush around collecting sources of risk, we need to be able to communicate a meaningful statement when we identify and label a source of risk. Unhappily, common practice does not properly do this (and thus adds yet another set of sources of risk in lack of communication and understanding of the source identified as a risk). Thus we see ‘computers’ or ‘power’ or ‘computer failure’ or ‘power failure’ as entries in a risk list (technically called a risk catalogue). Should we thus have computers or power? Do we want these to fail?

We need to be more definite in our statements so that others (often not present in the environment within which the risk management is being undertaken AND often without much detailed knowledge of that environment) can ‘see’ the risk source picture and make effective risk management decisions.

What we first need to do is identify a source or location in which something can go wrong and thus is a source of risk (that is, a threat to something we value). As an example, we can use ‘power failure’. So we have a source.

Now (as with most ‘sources’), there are a number of ways in which power may fail – within the immediate location only, outside the location, some distance away – all of which may present different types of failure (and, more importantly for risk management, different types of impacts and thus different types of ‘fixing’). This forms what can be termed a source-based risk cluster. We can also cluster sources of risk in terms of type of failure (loss of structure, power failure, fire and so on), but we deal more easily with failure to an activity or physical object. Thus we link a source with the failure action. ‘Power failure leads to inability to teach in the seminar room’.

This on its own may not satisfactorily give the nature of the risk. After all, failure of power leading to teaching being stopped could be a benefit or an attraction rather than a loss or threat!

Thus we need also to identify an impact. This impact part of the statement becomes important as risk management of sources of risk is conducted on one or both of two levels – frequency of loss occurring and/or amount of loss (or impact). We will see use of these two aspects in the evaluation process where we attempt to identify priorities for risk management.

Thus a full Risk Source Statement contains identification of the source, the action causing loss, and the nature or type of loss involved. ‘Power failure’ or ‘computer failure’ thus becomes:

Loss of power in the seminar room leads to failure to finish course on time which can lead to loss of income.

And/or

Power failure causes loss of information on computers.

And/or

Power failure causes loss of customer service on computers which leads to loss of income.

While the order of presentation can change, we need to present within a Risk Source Statement an identified source, the possible action that can cause loss, and the possible type of loss that may thus arise. With practice, this form of statement becomes natural and needs little concentration.

Undertaking a search for Sources of Risk

What we need is a systematic means of checking the spread and uniqueness of risk sources in a given environment.

To begin to see the large range of sources of risk, we can consider sources of risk from a big picture down to a small approach. One means of readily doing this is to look at REAL Risk Sources. Another approach is to look at ‘what is at risk’ (PPPP approach). In fact we can (and will) combine these into a 16 cell matrix (REAL x PPPP).

First, we look at the REAL approach.

We can systematically evaluate risk across four broad groups:

Remote (far away risk sources that are clearly physically separate from the environmental system undergoing risk assessment – ‘over the horizon’ sources. These can stem from a city to a region, to offshore, to beyond Earth – depending on the lens or frame of reference we use to explore the risk in the given location)

External (separate systems that are not as distant as Remote – again depending on the lens or frame of reference being used)

Adjacent (other systems that have close physical proximity, may have shared or linked risk sources, and which when encountering an activated risk themselves may have direct or indirect impacts on the system under assessment)

Local (these are the immediate and within system risk sources).

REAL needs to be understood in terms of the flexibility of the REAL categories. The meaning of the R, E, and A elements depends on the definition of the ‘L’ or Local category. For example, we could do a risk source assessment of the room within which we are sitting. At this level we can regard the rest of the building as Adjacent, the block within which the building is placed as External, and everything beyond that as Remote. On the other hand, we could consider the whole of the building as the environment or system under assessment. This would shift the A, E, and R categories out one size – Adjacent becomes the surrounding buildings (even the block), External would become the suburb or city, and Remote would become the systems beyond the city. We could also consider the risk sources for a city – and, again, the categories flex. The city becomes Local, the surrounding region becomes Adjacent, the state or nation becomes External, and the rest of the world (and universe) becomes Remote.

REAL may be better noted as LAER (starting with the Local and Focal area or aspect under risk assessment and evaluation).

LAER evaluation enables us to focus on elements of the total picture in a guided and systematic fashion.

Using a systematic approach such as LAER (combined with PPPP – below) makes it easier to focus on (and look for) sources of risk, and makes it more likely that we identify a larger and more representative (if not exhaustive) list of sources of risk. One useful contribution in using the LAER approach is that we can also look at the identified sources of risk in terms of ease of being able to manage these from the perspective of the manager of the area or aspect under risk management assessment and evaluation. Local sources can often be directly managed, Adjacent sources may be strongly influenced by that manager (by discussing these through meetings OR by direct negotiation), External sources of risk become harder to manage or influence, and Remote sources of risk are nearly impossible to manage or influence (and thus become part of the contingency / business continuity / crisis planning requirements for the person, group, community, business, organisation involved).

The other interlinked approach considers elements of systems and is drawn from the systematic approaches used in investigating transportation accidents (especially within the aviation industry). Here, we look at the various key sub-systems through which the system under assessment can be viewed.

The PPPP approach positions risk sources in terms of the presence of these risk sources in People, Place, Process, and Product sub-systems.

People sub-systems include the cognitive and behavioural dimensions of humans interacting and working or living in the system under assessment.

Place covers two central sub-systems – place in the sense of system environment and place in the sense of physical structures. Hence one can look at weather and climate as well as structural integrity and safety.

Process covers all the sub-systems that operate in the system under assessment that contribute to the output or continued existence of that system. This thus entails obvious systems such as electronic communications, record keeping, production lines, and operational task activities.

Product covers output and services sub-systems for which the system exists to produce and perform.

Consequently one could assess an office in terms of staff and visitors (customers and other stakeholders) in the People category, the office, building, and physical climate in the Place category, the telephones and computers and task processes in the Process category, and the output and services supplied by that office in the Product category.

Let us consider the 16 cell matrix produced by assessing across REAL and PPPP categories.

Columns (REAL):

Local: [literally ‘in this room’ or in big picture ‘in this unit or specified location’]

Adjacent: [‘next door’ in terms of small picture; adjacent organisations or structures in ‘big picture’]

External: [‘the suburb’ in small picture; town, city, or even region in big picture]

Remote: [‘the nation or state’ in small picture; literally ‘over the horizon’ or international and global in big picture]

Rows (PPPP):

People: [the human physiology (OH&S), psychology, and interactions in the organization]

Place: [the physical structures AND the surrounding physical environment]

Process: [the electronic and manual processes and procedures in an organisation; includes treasury]

Product: [services or physical commodities or intellectual property]

FIGURE: 16 CELL RISK SOURCE MATRIX. NOTE THAT THIS DEPICTS THE 16 CELLS ON ONE PAGE – ACTUAL USE MAY NEED MORE THAN ONE PAGE FOR EACH OF THE 16 CELLS.

BASIC RISK IMPACT EVALUATION

At this point, we may have gathered a number of risk sources and classed them across a systematic category approach such as the REAL & PPPP model. Even as we gather this source information we are likely to also gather a sense of frequency (number of times the risk source activates and leads to unwanted loss over a given period of time) and some idea of the losses (in terms of monetary value, physical damage, or deaths and injuries). These two quantitative estimates provide a basic risk assessment measure that we can then use to evaluate the risk sources and determine some order of risk source management priorities.

We can gain information on frequency and impacts from:

records within the organisation, or within the industry group or association, or within government statistics.

records and statistics made available by insurance companies.

expert opinion (from real experts to averaged experienced opinions from workers).

assessor averaged opinion.

One can also evaluate scientific, engineering, economic, and psychological sources in terms of risk source activation, impact, and perception.

Do be aware that there can be differences in frequency and impact estimates between recorded and measured data and human memory, perception, and cognition.

Human-mental measures tend to be seen as subjective and science-based measures tend to be presented as objective. As noted in a later topic, both are prone to error because:

1. Objective measures are prone to mis-measurement and can be based on best knowledge at a given historic time.

2. Subjective measures reflect individual experience, fears, and biases – which is why we average these across a group.

3. Values are human in origin – and risk is thus a human-based concept.

4. Humans change the nature, size, and impact of risk sources by the ways in which they interact (or avoid interaction) with any risk source or risk sources.

RISK ASSESSMENT QUANTIFICATION AND SCALES

To some extent any imprecision (or lack of accuracy) about frequency and impact can be managed by using scales to separate groups based on frequency and on impact size.

The usual approach is to use a 5 point scale that ranges from ‘little or nothing’ through to ‘most or all’ in rating concept. This really is uninformative to any reader (and decision maker) and is not acceptable if we wish to perform effective risk management priority setting.

Nonetheless, for frequency we often see a scale that goes from:

1. very infrequent

2. low frequency

3. moderate frequency

4. high frequency

5. extreme frequency

For impact we can similarly derive a 5-point scale that goes from:

1. minimal to no impact

2. some impact

3. moderate impact

4. large impact

5. massive impact.

As noted earlier, these are still very general and thus meaningless to reader and user. We need to define the scales more precisely.

We need to clearly define the meaning of each level of the scale for others to understand and for standardisation.

For frequency or probability, we commonly use a time measure in terms of days/months/years, such as:

1. very infrequent: more than one year per event

2. low frequency: once a year

3. moderate frequency: every three months

4. high frequency: every month

5. extreme frequency: every week or more than once a week

The scales can be varied to match the overall sources of risk and incidence counts. We try to keep the intervals fairly similar – or at least meaningful and with little distortion effect (biasing inclusion of items into a particular scale level).

We can drop the general frequency descriptors and use the more definitive time descriptors –

1. more than one year per event

2. once a year

3. every three months

4. every month

5. every week or more than once a week

This is the preferred scale definition for frequency.

We use the same approach to define an impacts scale. Instead of the above impact scale which carries little information, we use a common value of loss. This is usually expressed in financial units.

Thus, for example:

1. minimal to no impact: $1000 or less

2. some impact: $1001 to $99,999

3. moderate impact: $100,001 to $999,999

4. large impact: $1,000,000 to $1,999,999

5. massive impact: $2,000,000 or more

Scales for impact are more difficult to get balanced in terms of interval. The above reflects a small business environment.

Again, we can drop the general impact descriptors.

Thus the impact scale is defined as:

1. $1000 or less

2. $1001 to $99,999

3. $100,001 to $999,999

4. $1,000,000 to $1,999,999

5. $2,000,000 or more

This is the preferred definition of the impact scales.

Notice that the approach for both scale definitions is to state a continuing definition for Level 1 and Level 5 definitions. Level 1 is an amount and lower and Level 5 is an amount and higher. By doing this we can capture any level of frequency or amount of impact. The internal scales (Levels 2, 3, and 4) are then positioned so that each meets the end or start of the level below or above – thus giving a complete spectrum or continuum of values. The cut-off values for these are a balance between sensible values (say, increasing the values by a power of 10), and a need to spread the range of values in a meaningful, realistic, yet not biased way (statistically we describe such bias as being skewed).

ISO 31000

Risk Evaluation and ISO 31000

ISO 31000 changed from the conventional risk evaluation in which users estimated the frequency of a happening or event and the impact cost of that event or happening as a means of identifying priorities. The panel forming this international standard considered that most people found difficulties in estimating infrequent or rare occurrences. They replaced the conventional approach with a combination of frequency of the impact (likelihood of that level of impact) and the impact cost of the consequences of those impacts. A possible outcome of this change may be that managers move directly towards consequence management rather than source of risk management.

Many of the members of the panel may have missed the point of the central rationale for doing risk evaluation or may have been distracted because of their backgrounds (engineers, accountants, consultants, and academics) and by the need for accuracy in ‘evidence-based’ management. Indeed, a growing trend in both regulation and management requires collection and reference to evidence-based data. Given that risk evaluation is centrally used to assist the user (including management) in identifying appropriate courses of management attention and action, a degree of latitude exists for estimates for both frequency and impact. This is demonstrated in the above frequency and impact scale definitions.

Currently we will retain the frequency by impact approach.

Evaluation of Sources of Risk for Priority Management

The two separate values still lead to distracting groupings so we tend towards combining both ratings to give us a means of comparing the relative frequency impact levels for all the identified risk sources. Not surprisingly this comparison forms the basis for any risk source priority determination that may be undertaken.

To compare risk sources by frequencies and impacts, we multiply the frequency rating by the impact rating.

Thus a risk source with a frequency rating of 3 and an impact rating of 4 has a frequency impact measure of 12, and a risk source with a frequency rating of 3 and an impact rating of 2 has a frequency impact measure of 6.

Care needs to be exercised in interpreting frequency impact scales as risk sources that are moderate to high in both frequency and impact may dominate the risk profile. Risk sources with extreme frequencies and very low impacts may prove to have a higher cumulative impact value over time. Similarly, risk sources with very low frequencies but extremely high impacts can be prohibitively costly (and even organisational killers) when these happen.

Approaches to Scales and Measures

Scale Size. While we usually employ a 5-point scale there have been usages and arguments for a 10-point scale. Advantages include greater precision about frequency and impacts and a greater consequent range from which to identify priorities and significant threats. Where multiplying two 5-point scales together gives a range from 1 to 25, multiplying two 10-point scales gives a range from 1 to 100. Disadvantages include the cumbersome figures should we insert more scales into our measure and the possible false sense of assurance that can come from supposedly more precise measures.

Variables being used as measures. Some confusion and imprecision arise once various organisations and industry groups begin to either use different labels for variables that mean the same thing, or use different variables to measure a risk source impact that appears to have more relevance for their concerns.

One such approach looks at probability and significance of impact. Thus: Impact (I) is equal to the likelihood of the incident (p) X the significance of the incident (S)

ie I = pS

Some then like to add a value (v) to reflect the cost of repair or replacement.

ie I = pSv

Another approach uses a notion of risk scores (RS). Here, a Risk Score [RS] is equal to the Probability of a (Risk Source) Event [P] multiplied by the Consequential Impact (or Severity measure) [C] multiplied by the Exposure [E] of humans to the Event;

ie RS = PCE.

This approach adds a third layer that also indicates why a 5-point scale becomes easier to use than a 10 point scale, given that the range for a 5-point scale works then from 1 to 125 and the 10-point scale works from 1 to 1000.

Some examples are depicted below:

Factor:   Probability        Consequence   Exposure
Scale 1   very unlikely      minor         rare
Scale 2   unlikely           moderate      some
Scale 3   likely             serious       moderate
Scale 4   very likely        major         high
Scale 5   extremely likely   catastrophe   constant

At times Frequency [F] and Injury [I] and Timeline Exposures [T] are used, where I = FIT

These are depicted below:

Factor:   Frequency   Injury          Time Horizon
Scale 1   rare        very minor      every so many years
Scale 2   low         minor           once a year
Scale 3   moderate    serious         several in a year
Scale 4   high        many injuries   monthly
Scale 5   very high   deaths          daily/weekly

Obviously these tend to show an Occupational Health & Safety perspective, and tend to reflect moderate to heavy industry requirements – although similar scales have been used in transportation and utility organisations.

Other approaches use sub-scales to design out the possible ‘rubberiness’ or inexactitude found in using 5 broad scales or rating levels. We can design subscales to reduce this and harden the impact weights.

Example sub-scales include:

Financial loss

Recovery/Replacement cost

Work disruption

Impact on key stakeholders

Injury / Loss for staff / users

Impact on brand / image

Political Impact

Public Perception Impact

We do this not only to harden the specificity of the impact value (and weight) but also to standardise frames of reference. Moreover, specific frequency impact models enable better defensible risk management (the reporting and decision processes justifying actions undertaken and choices made).

Activity: Doing a Basic Risk Source Assessment

Use the REAL & PPPP matrix to identify up to 6 risk sources for each cell.

In so doing, underline or otherwise highlight the risk sources unique to that cell.

Local Adjacent External Remote

People

Place

Process

Product

TOPIC 4: DOING RISK EVALUATION

We move from risk assessment to considering the issues involved in risk evaluation. Here, we look at various ways of establishing criteria for priority setting and at the broad management methodologies conventionally used in risk (source) management.

Previously we have taken identified risk sources and looked at these in terms of frequencies or probabilities and impacts or costs. In so doing, we can see differences between possible risk source consequences that appear useful in terms of judging what we select to manage. This is part of risk evaluation.

Risk evaluation has two core clusters of activities – considering risk source information from a management perspective [content evaluation] and reconsidering or checking the processes by which the information is gathered and produced [process evaluation].

In many cases managers fail to adequately consider the processes producing risk information, and this enables errors upon which poor decision making will be inevitably undertaken.

THREAT CLASSIFICATION

One common way to quickly sort risks by consequences is to develop a ‘threat’ classification – one could call this equally a risk consequence classification. Note that threat consequences usually are estimated in terms of losses.

Content Evaluation. Threat classification has a 4-cell matrix that may be reminiscent of stakeholder maps for management action. The conventional matrix is presented below in the left hand matrix, where the vertical axis gives a high or low frequency pair of rows, while the horizontal axis gives a high or low loss reading. However, quick reading may lead to errors due to lack of consistency in direction of scale. A better matrix would have low measures in the bottom left cell and high measures in the top right cell. This is illustrated below in the right hand matrix.

Left hand (conventional) matrix:

High loss-High Frequency    Low loss-High Frequency
High loss-Low Frequency     Low loss-Low Frequency

Right hand (better) matrix:

Low loss-High Frequency     High loss-High Frequency
Low loss-Low Frequency      High loss-Low Frequency

Process Evaluation. As noted, the lack of symmetry in scaling the axes of the cells can lead to mis-reading. There are other possible flaws in evolving and using this approach. For example, we need to carefully consider how we sort the risk sources via consequences into each of the cells. Are the low loss and high frequency risk sources likely to accumulate into a bigger loss? Are high losses and low frequencies possibly more significant because of the magnitude of the projected losses?

Moreover, as with any sorting process, we need to consider very carefully what constitutes the cut-offs for low and high on either the loss or frequency scales.

RISK SOURCE FREQUENCY IMPACT MATRICES

Another conventional way is to use the 5-point scales to develop a 25 cell matrix.

Content Evaluation. The 5x5 matrix allows us to quickly sort risk sources into their weighted outcomes (frequency level multiplied by impact level), as is depicted below.

We can then use more precise sorting criteria for priorities of attention. For example, we can designate 4x4 and above (scores of 16 or more) as high priorities, 3x3 to below 4x4 (scores of 9 to 15) as moderate priorities, 3x2 or 2x3 and below 3x3 (score of 6 to 8) as low priorities, and 2x1 or 1x2 as very low.


Frequency (rows) by Impact (columns):

Frequency
    5       5   10   15   20   25
    4       4    8   12   16   20
    3       3    6    9   12   15
    2       2    4    6    8   10
    1       1    2    3    4    5

Impact      1    2    3    4    5

Process Evaluation. There are at least three core issues we need to bear in mind when we use this sorting approach.

First, senior management and Boards of Directors tend to place pressure to reduce the number of risk sources classed as high priority. This stems from both an inner sense of being threatened by too many high priority risk sources and an outer perception that any public leak of this information will damage the value of the organisation. This latter reasoning is somewhat stupid as most if not all people are aware of the daily risk sources faced by themselves and the organisations within which they work and live.

Second, the cut-offs for what separates high, moderate, low, and very low bands need to be carefully considered and argued and recorded. The problem is two-fold. Firstly, we need to consider borderline cases and the ‘guessiness’ of the scale estimators. Cells (as shown above) with 5x3 or 3x5 combinations could be argued to be high to very high (given room for error in guessing). So we may place a band of high priorities somewhere in the 12 to 15 scores. Secondly, because of the ‘guessiness’ and thus soft information, cut-offs are legally and cognitively better if these are conservative (that is, lower in collective scores).

Third, sorting often leaves undifferentiated risk sources in each cell. Numbers of risk sources in a given cell can lead to inertia or lack of effective risk management. This is where we can use within each cell an appropriate different impact variable (such as one of those indicated at the end of the previous topic). We could take impact on cash flow or impact on image and brand to identify – within a cell – a further order of priority.
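An added worked example (not from the original notes) that applies the preferred frequency and impact scales, multiplies the two ratings, bands the score with the cut-offs suggested above, and breaks ties within a score by annualised loss as a further within-cell weighting. The register entries and their figures are constructed; how values between the scale anchors and scores below 6 are treated are assumptions, marked in the comments.

```python
from dataclasses import dataclass

# Frequency levels 2-5 as minimum events per year (yearly, every three months,
# monthly, weekly). Reading each anchor as a floor is an assumption.
FREQUENCY_FLOORS = [(52, 5), (12, 4), (4, 3), (1, 2)]

# Impact levels 1-4 as upper dollar bounds from the small-business scale.
# The page leaves $100,000 unassigned; it lands in level 3 here (assumption).
IMPACT_CEILINGS = [(1_000, 1), (99_999, 2), (999_999, 3), (1_999_999, 4)]


def frequency_level(events_per_year):
    """Level 1 (rarer than once a year) to level 5 (weekly or more)."""
    for floor, level in FREQUENCY_FLOORS:
        if events_per_year >= floor:
            return level
    return 1


def impact_level(loss_per_event):
    """Level 1 ($1000 or less) to level 5 ($2,000,000 or more)."""
    for ceiling, level in IMPACT_CEILINGS:
        if loss_per_event <= ceiling:
            return level
    return 5


def priority_band(score):
    """Page cut-offs: 16+ high, 9 to 15 moderate, 6 to 8 low.

    The page names only 2x1 and 1x2 as very low; treating every score
    below 6 as very low is an assumption.
    """
    if score >= 16:
        return "high"
    if score >= 9:
        return "moderate"
    if score >= 6:
        return "low"
    return "very low"


@dataclass
class RiskSource:
    statement: str
    events_per_year: float
    loss_per_event: float

    @property
    def score(self):
        return frequency_level(self.events_per_year) * impact_level(self.loss_per_event)

    @property
    def band(self):
        return priority_band(self.score)

    @property
    def annual_loss(self):
        """Cumulative loss per year if both estimates hold."""
        return self.events_per_year * self.loss_per_event

    def caveats(self):
        """Flag low-banded sources that the multiplied score understates."""
        flags = []
        if self.band in ("low", "very low"):
            if frequency_level(self.events_per_year) == 5:
                flags.append("cumulative loss")
            if impact_level(self.loss_per_event) == 5:
                flags.append("rare but very costly")
        return flags


# Constructed register: statements follow the Risk Source Statement form,
# the frequency and loss figures are invented for illustration.
REGISTER = [
    RiskSource("Power failure causes loss of customer service on computers "
               "which leads to loss of income", 12, 1_200_000),
    RiskSource("Power failure causes loss of information on computers", 4, 5_000),
    RiskSource("Brief power dips interrupt the seminar and cost staff time", 52, 900),
    RiskSource("Regional grid collapse closes the building for weeks", 0.05, 3_000_000),
]


def ranked(register):
    """Highest score first; annualised loss orders sources within a score."""
    return sorted(register, key=lambda r: (r.score, r.annual_loss), reverse=True)


if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{r.score:>2} {r.band:<9} ${r.annual_loss:>12,.0f}/yr "
              f"{', '.join(r.caveats()) or '-'}  {r.statement}")
```

The weekly power dips score only 5 (very low) yet cost more per year than the quarterly data loss that scores 6, which is the cumulative effect the notes warn about.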

RISK ACCEPTABILITY

One post-sorting priority-setting approach is a little more psychological. This seeks to consider risk sources as having a range running from what is acceptable to what is not acceptable.

This leads to approaches such as ALARP (or As Low As Reasonably Practicable). This was primarily formulated by the Health and Safety Executive (HSE) in the United Kingdom – the equivalent Occupational Health and Safety agency for that country.

Content Evaluation. This process places level of risk against reasonable management. In essence, the users employ a risk tolerance scale that is often a guess based on historic ‘what was not punished’ records and within-organisation resource availability. The scale is more or less as follows:

High risk is seen as unjustifiable and not tolerated – and thus must be at least seen to be changed (or in the process of change) to a lower risk.

Medium+ risk is seen as tolerable only if the reduction of the risk source is either impractical or too costly.

Medium- risk is seen as tolerable if the cost of reducing the risk source is more than the amount of impact reduction so gained.

Low risks are seen to need monitoring in case of changes in status.

ALARP thus balances reasonableness and cost.

Process Evaluation. The balance between organisational cost and tolerance of risk source becomes a central process issue. This tends to arise over both the definition or criteria used to define medium+ and medium- risks and the legal definition of reasonableness and toleration.

At least three factors need to be critically reviewed when using an ALARP approach:

1. We need to identify current and future legal contexts for defining reasonableness and toleration. These tend to change over time, usually toward more restrictive meanings.

2. We need to take into account organisational resistance and inertia. Management tends to not want to expend resources on reducing causes of possible loss. Further, group dynamics can tend toward a ‘take the risk of loss and punishment’ attitude as lower ranked managers try to guess the states of thinking of higher ranked managers, and as higher ranked managers get distracted by organisational goals and strategies.

3. We need to consider differences in interpretations of what is reasonable and tolerable between legislation, courts of law, organisational management, and stakeholders. The differences in expectation can lead to strikes by employees, boycotts by customers and users, and belated legislation by governments that have retrospective clauses. Again we encounter differences in expectation as a source of risk.

MORE PROCESS EVALUATION ISSUES FOR RISK EVALUATION

The conventional means of talking about risk and sources of risk is to use a mix of likelihood or probability and impact damage or impact cost estimates. We need to be cautious in using these.

In many cases, likelihoods or probabilities are:

only best guesses or partially objectively measured.

often perceived by human users as being even in occurrence rather than an average of possible appearance or activation intervals. As an example, a 10% likelihood is seen as happening every 10 interval measures (such as years) in a 100 interval period. In fact we could see activation happen 8 times in a 10 interval period and only 2 times over the rest of the 90 intervals. In a sense, activation is a random event.

poorly interpreted. Taking the 10% likelihood example, users could argue that there is a 90% likelihood of nothing happening in a given interval – and this can lead decision makers into a false sense of confidence in which no action about a source of risk is undertaken.

Similarly, impact damage or costs are:

only best guesses of perceived costs, based on either historic data or current apprehended costings, and are made in broad terms. Given the variable nature of where and how and when an activation arises, such consequent costs will also be variable.

often used on an average exposure. Activation may lead to different scales of impact, and this can make average spread cost approaches dangerous. Given a risk source with an activation probability of 20% and an impact of US$1,000,000,000, many managers are tempted into taking the average over the five interval period as an indicative cost factor (that is, US$200,000,000). Some then reserve this amount of money – which means a cost when no activation arises, and an inability to meet the cost without further revenues for four out of five time periods.
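An added example (not part of the original notes) that works through both misreadings with the figures used above: a 10% likelihood over ten intervals, and a 20% likelihood of a US$1,000,000,000 loss funded by reserving the average each period. It assumes every interval activates independently with the same probability, which the notes do not state.

```python
from math import comb


def activation_pmf(p, intervals):
    """P(exactly k activations) for k = 0..intervals.

    Assumes independent intervals with the same probability p (binomial).
    """
    return [comb(intervals, k) * p**k * (1 - p) ** (intervals - k)
            for k in range(intervals + 1)]


def reserve_shortfalls(p, impact, periods):
    """Reserve the average cost (p * impact) at the start of each period.

    Returns one row per period: (period, probability that the first
    activation falls in that period, gap between the loss and the reserve
    accumulated by then).
    """
    per_period = round(p * impact)
    rows = []
    for k in range(1, periods + 1):
        first_activation_here = (1 - p) ** (k - 1) * p
        shortfall = max(0, impact - per_period * k)
        rows.append((k, first_activation_here, shortfall))
    return rows


def prob_underfunded(p, impact, periods):
    """Chance the first activation arrives before the reserve covers it."""
    return sum(prob for _, prob, gap in reserve_shortfalls(p, impact, periods)
               if gap > 0)


if __name__ == "__main__":
    pmf = activation_pmf(0.10, 10)
    print(f"10% likelihood, 10 intervals: none {pmf[0]:.1%}, "
          f"exactly one {pmf[1]:.1%}, two or more {1 - pmf[0] - pmf[1]:.1%}")

    for period, prob, gap in reserve_shortfalls(0.20, 1_000_000_000, 5):
        print(f"period {period}: first activation {prob:.1%}, shortfall ${gap:,}")
    print(f"underfunded at first activation: "
          f"{prob_underfunded(0.20, 1_000_000_000, 5):.1%}")
```

Under these assumptions the evenly spaced reading (exactly one activation in ten intervals) holds less than 39% of the time, and the averaged reserve is short of the loss in about 59% of cases where an activation occurs within the five periods or earlier in the sequence.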

THE CONTEXT OF RISK MANAGEMENT AND RISK EVALUATION

At this point in time we can consider the full flow of the core activities undertaken by any risk management team. We will re-visit this pathway in a later topic and expand on the technical components of such a process.

1. Identify Source and Event(s)

   For each event, identify Outcomes

   For each outcome of each event identify magnitude of outcome consequence

2. Estimate Probability of Event

3. Estimate Significance of Hazard/Threat/Risk

   This is where ‘weights’ such as impact, costs, or losses are used.

4. Place in Risk-Source Consequence Database or Registers

   These databases can be:

   Intelligent (able to present interrogation profiles)

   Multiple Discrete Registers (based on clusters of same source or same consequence risk elements)

   Singular Index Register (based on each possible activation event)

5. Perform Risk Source Evaluation

   Classify or sort into a Risk Source Weighted Matrix (using impact or other scales)

   Identify defensible cut-offs for levels of risk (very high, high, moderate, low, very low)

   Look within each cell at the cluster of risk source weighted values, and conduct a further weighting if necessary to clearly identify priorities within a given cell.

   Outline the priorities for management and undertake a process and outcome evaluation

   Critically indicate assumptional and process weaknesses that need to be considered in making priority-setting decisions.

6. Consider the available resources and risk source management strategies.

   Look at the core 4 clusters of Risk Source Management Strategies:

   - Remove (Replace) – Design out or eliminate the risk source.

   - Re-Direct (Transfer) – Get another party to manage the risk source.

   - Reduce (Modify) – Work to reduce frequency and impact/cost/loss.

   - Ring-Fence – Design containment capabilities and features

   Explore likely activated risk management strategies (contingency, business continuity, crisis management).

   Look at the organisational resources available to do the above five activities and consider what can most effectively be done.

   Look at risk acceptability (the legal, stakeholder, and organisational definitions for reasonable, tolerate, and duty of care).

   Balance risk management strategy, available resources, and risk acceptability in a defined plan of priority risk source management.

7. Write up proposed Risk Source Management strategy

   Secure senior management, executive and Board agreement, commitment and sign-off.

8. Establish Risk Source Management Programs (RSMPs)

Note:

1. Record Decisions and the reasoning for these decisions for each step.

2. Remind all involved that this process is ongoing.

3. Undertake some simple checking heuristics (rules-of-thumb)

a. Check the logic of some sample sources and impacts against the assessors AND other referent people’s perception. This helps check for any calculation errors or thematic bias/distortion.

b. Check that labels (names) of risk sources and any terms used are clearly understood by users and stakeholders.

c. Check that the descriptor levels for any variable weight chosen (such as impact, cost, loss, reputation, injury) are understood clearly by users and assessors.

d. When RSMPs are in progress check that the sources are being managed, frequency and impacts (or other selected weights) are being reduced or contained, and that ‘new’ risk sources are not being brought into existence.