Technology strategy
Risk-based failure modelling for increased resilience
Risk management. There's a tool for that. In fact, there are many tools you can use to document and visually represent information. It really doesn't matter which one you use, what matters is the quality of information captured, the nature and structure of thinking used to analyse the risks, and the decisions the thinking facilitates.
Proper risk management helps us understand which of the many risks we face are worth our attention, helps us decide how to focus our limited energy and time, and helps us think about how to prevent or reduce the chance of a risk being realised. Risk management done for any other purpose is a waste of time.
Following is a list of 5 common mistakes often made in managing risk, and suggestions on how best to avoid them that I've gathered from personal experience.
Others just don’t have the right skills to practice risk management in any meaningful way, and true risks are ignored. Simply capturing, documenting and reporting risks is not enough. What's worse is there is an illusion of risk management while real risks, which have the potential to damage the business and its reputation, remain undiscovered and unchecked.
In contrast, the use of a formal risk management process enables the structured and consistent identification and evaluation of risks based on the goals and needs of the organisation. It describes risks qualitatively and/or quantitatively through a common organization-wide risk taxonomy, and allows information about risks to be actively used to help make better decisions. Information from the outcomes of decisions then feeds back to improve future risk assessments and future decisions.
By defining the desired states well, we can more easily determine what the undesired states might be. These undesired states are the descriptions of the risks we face, the catastrophes we might encounter. Once we have clear descriptions of undesired states, we can describe their effect on customers and evaluate the likelihood that we will get one or more of these states instead.
These simple tools fail to provide sufficient discriminatory information to the risk practitioner. Picking a single score to represent the severity or consequences of the risk should it occur (and the likelihood of the risk occurring) based on a subjective high, medium or low measure is highly-susceptible to the subjective view of the practitioner and their biases.
Evaluating a risk is done to:
An objective rating system, which associates practical descriptions of what each level of severity of the effect of risk really means to customers, is critical to proper risk evaluation.
Similarly, an objective rating system with descriptions of occurrence (how many issues in how many events) is needed to properly estimate the likelihood of the risk occurring. Together, these form a common, organisation-wide risk taxonomy used to ensure consistency of comparison.
Without these objective evaluation criteria, risks may be over or under-estimated. Over-estimation of risk can lead to over-engineering or unnecessary and wasteful activity that costs time, money and opportunity. Under-estimation of risk can result in a lack of suitable controls leading to the risk being realised to the detriment of the business and its customers.
Proper risk management requires that we evaluate the likelihood of occurring and the chance of detection assuming the intended control is in place. This is a true evaluation of the risk.
If we subsequently decide, through the risk evaluation process, that we need to improve the controls because the likelihood of occurrence is too high or our ability to detect the realised risk is too low, we improve from that point.
Our ability to detect the cause or effect of a realised risk is important to consider because there may be situations where a critical risk that could result in significant harm to customers, requires rapid response (and therefore some appropriate detection mechanism) as a control. In other situations, it may not be possible to prevent or mitigate a risk so the only control available is a detection control. For high-severity risks, we need to be confident we are implementing appropriate and effective detection controls.
When the risk assessment process indicates we have identified a potential risk that we do not have the ability to detect or detect reliably, the risk is likely to be higher on the list of priorities to address (in comparison to other risks where we are more confident we can detect the cause or effect).
True accountability for risk requires that everyone is continually trained on how to manage risks, at all levels. Ultimately, this will lead to better decisions and better outcomes for the business and its customers.
Proper risk management helps us understand which of the many risks we face are worth our attention, helps us decide how to focus our limited energy and time, and helps us think about how to prevent or reduce the chance of a risk being realised. Risk management done for any other purpose is a waste of time.
Following is a list of 5 common mistakes often made in managing risk, and suggestions on how best to avoid them that I've gathered from personal experience.
1. Mistaking risk documentation for risk management
Many organisations consider risk management something they have to do to achieve compliance with either an internal or external requirement. They conduct superficial risk assessments that are no more than documentation exercises, of little value to the business or its customers.Others just don’t have the right skills to practice risk management in any meaningful way, and true risks are ignored. Simply capturing, documenting and reporting risks is not enough. What's worse is there is an illusion of risk management while real risks, which have the potential to damage the business and its reputation, remain undiscovered and unchecked.
In contrast, the use of a formal risk management process enables the structured and consistent identification and evaluation of risks based on the goals and needs of the organisation. It describes risks qualitatively and/or quantitatively through a common organization-wide risk taxonomy, and allows information about risks to be actively used to help make better decisions. Information from the outcomes of decisions then feeds back to improve future risk assessments and future decisions.
2. Defining risks in isolation from any specific desired outcome or function
How do you decide what a risk is? What do you use as a starting point? How do you make sure you capture and consider the risks you should care about? Chances are, you can think of a few obvious risks relating to a specific project or piece of work, but the majority are identified ad-hoc, if at all. When working without a structured approach, risks may not be identified and may emerge later as issues because of a lack of mitigating actions.Risk is a dance with uncertainty. If there is no uncertainty, there is no risk. But in most situations, there is some risk, some chance that the outcomes we get are not the outcomes we want. A good place to start in identifying risks is to be very clear about the outcomes we do want. These 'desired outcomes' are descriptions of state (not descriptions of actions) with clear measures of what we consider to be ‘good'.
By defining the desired states well, we can more easily determine what the undesired states might be. These undesired states are the descriptions of the risks we face, the catastrophes we might encounter. Once we have clear descriptions of undesired states, we can describe their effect on customers and evaluate the likelihood that we will get one or more of these states instead.
3. Subjectively evaluating the expected effect of identified risks
Many organisations use a 5-by-5 matrix with high, medium, and low scoring systems to evaluate risks. While this appears to be a useful method to assess risks, it is at this point that risk management often fails.These simple tools fail to provide sufficient discriminatory information to the risk practitioner. Picking a single score to represent the severity or consequences of the risk should it occur (and the likelihood of the risk occurring) based on a subjective high, medium or low measure is highly-susceptible to the subjective view of the practitioner and their biases.
Evaluating a risk is done to:
a) understand the relative effect of the risk on all customers (internal and external) reasonably expected to experience the risk, should it be realised
b) determine the likelihood of the risk occurring given the environment in which the risk exists.
b) determine the likelihood of the risk occurring given the environment in which the risk exists.
An objective rating system, which associates practical descriptions of what each level of severity of the effect of risk really means to customers, is critical to proper risk evaluation.
Similarly, an objective rating system with descriptions of occurrence (how many issues in how many events) is needed to properly estimate the likelihood of the risk occurring. Together, these form a common, organisation-wide risk taxonomy used to ensure consistency of comparison.
Without these objective evaluation criteria, risks may be over or under-estimated. Over-estimation of risk can lead to over-engineering or unnecessary and wasteful activity that costs time, money and opportunity. Under-estimation of risk can result in a lack of suitable controls leading to the risk being realised to the detriment of the business and its customers.
4. Using an intended control to justify reducing the likelihood score
The objective of a risk assessment is to try, with some experience and imagination, to predict the future. Because we cannot say for sure what will happen, we use risk management tools and techniques to ask ourselves questions to determine what might happen.In risk management, controls can be described as anything we do to prevent a risk occurring, anything we do to minimise the chance of a risk occurring, or anything we do to detect the cause or effect of a realised risk.
In some situations, where the effect of a realised risk is very severe, we may need to use multiple controls, both prevention and detection. However, the risk management process should never be conducted to justify the introduction of a control that we already intend to use. It is cheating to evaluate a risk and then introduce a control that we already intended to use to prevent or reduce the chance of the risk occurring, or increase our ability to detect a realised risk.Proper risk management requires that we evaluate the likelihood of occurring and the chance of detection assuming the intended control is in place. This is a true evaluation of the risk.
If we subsequently decide, through the risk evaluation process, that we need to improve the controls because the likelihood of occurrence is too high or our ability to detect the realised risk is too low, we improve from that point.
5. Missing the detection step in evaluating the priority of risks to address
While it is important to clearly describe the severity of effect of a realised risk, and the likelihood that the risk will be realised given the current controls, our ability to detect the cause or effect of a realised risk is often not considered. The irony is that many of the ‘go to’ controls put in place as a result of identifying risks, are detection controls. These include extra inspection, stage gate checks, approval workflows, and monitoring systems.Our ability to detect the cause or effect of a realised risk is important to consider because there may be situations where a critical risk that could result in significant harm to customers, requires rapid response (and therefore some appropriate detection mechanism) as a control. In other situations, it may not be possible to prevent or mitigate a risk so the only control available is a detection control. For high-severity risks, we need to be confident we are implementing appropriate and effective detection controls.
When the risk assessment process indicates we have identified a potential risk that we do not have the ability to detect or detect reliably, the risk is likely to be higher on the list of priorities to address (in comparison to other risks where we are more confident we can detect the cause or effect).
Summary
The importance of good risk management needs to be recognised at all levels of an organisation. The practice needs to be understood from the executives right down to the practitioners. It is not the domain of a risk assurance or risk reporting group. The process of assessing risks must be practical, effective, consistent across the organisation, and up-to-date risk profiles need to be actively maintained.True accountability for risk requires that everyone is continually trained on how to manage risks, at all levels. Ultimately, this will lead to better decisions and better outcomes for the business and its customers.
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.
