Understanding where to focus resources?
The world is complex, risks are dynamic and so is the economy. So when the CEO asks where the company should focus its risk efforts, what do you say? Is it always the top 10 risks you should focus on? And even if it is, which elements of the risk management process should you concentrate on?
Below I provide a model which is used to calculate a focus index: an indication of where potential issues can arise. Due to its modular structure, it is easier to identify who needs to act to mitigate the issues.
The 5 key elements of managing risks.
Analysing many of the world's biggest events over the last 20 years raises a number of key questions. Most of these events have happened before and will continue to occur. What made this particular event so critical? This was a small low risk event based on the risk register. Why did we underestimate it?
In the traditional risk management approach, we capture the risks that we have identified and the normal impact these can generate. These are initiators and impact factors.
Frequency (Initiator) X Severity (Impact) = Risk
Initiator: – Each event will have been identified through the normal ERM process and will be graded by parameters such as initial risk state, appetite, process safety maturity and an idea of “Do I have control?”
Impact: – For an event to be a risk it needs to impact something. There need to be consequences. Two second-tier drivers have influence over the outcome: the physical location and the proximity to important areas. Location covers social and political climate, legislation criteria and enforcement policy etc. Centres of population, natural resources, and socially sensitive areas will all have a role to play in the overall event magnitude.
The main reason smaller risks, or risks lower on the register, are suddenly key is because of three additional factors.
- Accelerators
- Resistance and
- Amplifiers
Accelerators: – Basically the main factor that can accelerate the event's importance, and therefore its overall impact, is time. There are multiple ways to view time when considering risk management. There is the typical long-/short-term and long-/short-duration view, but in addition we also have multiple event history. If a number of events similar to the risk you have in your register have already been realised in the market, in say the last 24 months, then you are more exposed than if no similar event took place.
Resistance: – Company culture can provide significant resistance and prevent any event getting out of control. If well managed, then the event will stay small and be under control. If no resistance is provided, then the event gets out of control and impact will certainly be higher. Items such as knowledge capture and transfer, managing change and the coaching of the crisis teams all play a role in providing resistance.
Amplifiers: – World interest and the media can amplify any event and turn a relatively normal event into a catastrophe. These go hand in hand and timing is, again, important. World interest covers the political, social, and economic climate and can vary from country to country but also globally. It also varies by business sector and country of event origin. Your internal and external communication policy plays a key role in media contact, and information timing is vital. The risk of assumed knowledge and misleading or fake news needs to be managed fast.
Each of these elements requires a different management approach and we start to bring in words missing from many risk management assessments. The Initiator and Impact factors use the normal severity and frequency measuring criteria used traditionally. The remaining three elements start to bring in resilience, flexibility and vulnerability.
A couple of other factors arise from this approach which are motivation for change. Firstly, the world does not wait for your quarterly risk meeting with the C-suite or management board. It's actual and real-time. This means that if you are vulnerable in one area and an event occurs outside of your perimeter but in the same area, then efforts should be focused to ensure your vulnerability is being managed.
Communications can be proactive to make stakeholders aware that you are aware and actively doing something about it. Even if an event does occur, you will have provided some resistance, reducing the overall potential event impact.
The traditional heat map is not flexible or dynamic enough to handle this input, but the C-suite needs information for decision making.
These are the Enterprise risk management process, the Risk Management process and the crisis or emergency management process.
A typical result is shown below where we would focus on Risk 1 and establish if funding needs to be allocated in this area to reduce potential consequences. The main reason for concern is the trend in recent global events accelerating the awareness of risk in this area.