Proper risk management helps us understand which of the many risks we face are worth our attention, helps us decide how to focus our limited energy and time, and helps us think about how to prevent or reduce the chance of a risk being realised. Risk management done for any other purpose is a waste of time.
Following is a list of 5 common mistakes often made in managing risk, and suggestions on how best to avoid them that I've gathered from personal experience.
1. Mistaking risk documentation for risk managementMany organisations consider risk management something they have to do to achieve compliance with either an internal or external requirement. They conduct superficial risk assessments that are no more than documentation exercises, of little value to the business or its customers.
Others just don’t have the right skills to practice risk management in any meaningful way, and true risks are ignored. Simply capturing, documenting and reporting risks is not enough. What's worse is there is an illusion of risk management while real risks, which have the potential to damage the business and its reputation, remain undiscovered and unchecked.
In contrast, the use of a formal risk management process enables the structured and consistent identification and evaluation of risks based on the goals and needs of the organisation. It describes risks qualitatively and/or quantitatively through a common organization-wide risk taxonomy, and allows information about risks to be actively used to help make better decisions. Information from the outcomes of decisions then feeds back to improve future risk assessments and future decisions.
2. Defining risks in isolation from any specific desired outcome or functionHow do you decide what a risk is? What do you use as a starting point? How do you make sure you capture and consider the risks you should care about? Chances are, you can think of a few obvious risks relating to a specific project or piece of work, but the majority are identified ad-hoc, if at all. When working without a structured approach, risks may not be identified and may emerge later as issues because of a lack of mitigating actions.
By defining the desired states well, we can more easily determine what the undesired states might be. These undesired states are the descriptions of the risks we face, the catastrophes we might encounter. Once we have clear descriptions of undesired states, we can describe their effect on customers and evaluate the likelihood that we will get one or more of these states instead.
3. Subjectively evaluating the expected effect of identified risksMany organisations use a 5-by-5 matrix with high, medium, and low scoring systems to evaluate risks. While this appears to be a useful method to assess risks, it is at this point that risk management often fails.
These simple tools fail to provide sufficient discriminatory information to the risk practitioner. Picking a single score to represent the severity or consequences of the risk should it occur (and the likelihood of the risk occurring) based on a subjective high, medium or low measure is highly-susceptible to the subjective view of the practitioner and their biases.
Evaluating a risk is done to:
b) determine the likelihood of the risk occurring given the environment in which the risk exists.
An objective rating system, which associates practical descriptions of what each level of severity of the effect of risk really means to customers, is critical to proper risk evaluation.
Similarly, an objective rating system with descriptions of occurrence (how many issues in how many events) is needed to properly estimate the likelihood of the risk occurring. Together, these form a common, organisation-wide risk taxonomy used to ensure consistency of comparison.
Without these objective evaluation criteria, risks may be over or under-estimated. Over-estimation of risk can lead to over-engineering or unnecessary and wasteful activity that costs time, money and opportunity. Under-estimation of risk can result in a lack of suitable controls leading to the risk being realised to the detriment of the business and its customers.
4. Using an intended control to justify reducing the likelihood scoreThe objective of a risk assessment is to try, with some experience and imagination, to predict the future. Because we cannot say for sure what will happen, we use risk management tools and techniques to ask ourselves questions to determine what might happen.
Proper risk management requires that we evaluate the likelihood of occurring and the chance of detection assuming the intended control is in place. This is a true evaluation of the risk.
If we subsequently decide, through the risk evaluation process, that we need to improve the controls because the likelihood of occurrence is too high or our ability to detect the realised risk is too low, we improve from that point.
5. Missing the detection step in evaluating the priority of risks to addressWhile it is important to clearly describe the severity of effect of a realised risk, and the likelihood that the risk will be realised given the current controls, our ability to detect the cause or effect of a realised risk is often not considered. The irony is that many of the ‘go to’ controls put in place as a result of identifying risks, are detection controls. These include extra inspection, stage gate checks, approval workflows, and monitoring systems.
Our ability to detect the cause or effect of a realised risk is important to consider because there may be situations where a critical risk that could result in significant harm to customers, requires rapid response (and therefore some appropriate detection mechanism) as a control. In other situations, it may not be possible to prevent or mitigate a risk so the only control available is a detection control. For high-severity risks, we need to be confident we are implementing appropriate and effective detection controls.
When the risk assessment process indicates we have identified a potential risk that we do not have the ability to detect or detect reliably, the risk is likely to be higher on the list of priorities to address (in comparison to other risks where we are more confident we can detect the cause or effect).