
 

 

Managing Individual Risks

 

Background

Following AS/NZS 4360 or ISO 31000, it is usual to identify risks to objectives and then to analyse, assess and treat each risk in turn. In this process, the most significant risks (those with the highest risk rating) are generally given priority. However, using real examples of organisational risks, it is possible to show quickly and conclusively that this approach to managing risks is at best sub-optimal and at worst leads to perverse, undesirable outcomes.

A systems thinking view of organisational risks is that it is natural to expect them to be interconnected and interdependent. Since humans are involved, it can also be expected that risks will be complex, often intangible, and very often 'wicked' in nature. This explains why it is ineffective to seek to understand and manage each risk separately, and why treating one risk in isolation is likely to produce problematic real outcomes.

In this context, it is necessary to view organisations as whole systems and to consider each to be 'unbounded' because of complex connections between every organisation and its larger environment. However, it is not possible to understand a system without first understanding its parts and how they interact. For this reason, identifying and understanding individual risks is a valuable part of systemic risk management approaches.

 

A Systemic Definition of Risk

ISO 31000 defines risk as "effect of uncertainty on objectives".  This definition is intended to encompass both (negative) threats to objectives and (positive) opportunities, and uses "objectives" as the point of reference for risk assessment.  Despite being the basis for ISO 31000, this definition:

  • fails to recognise the full range of uncertainties possible

  • does not recognise the additional value to be gained by assessing risks to purpose rather than to objectives

  • uses the term risk in a way that is not recognised in common language worldwide

  • does not directly deal with risks that are 'certain' to occur but where the impact remains uncertain.

 

From a systems thinking perspective, a more appropriate risk definition is:

"a risk is a threat to the maximum possible achievement of the purpose where the final impact is uncertain"


This definition is more powerful and is more universally applicable than the ISO 31000 definition: 

  • It does not require users to think of risk as 'positive', and yet it still deals with opportunities and innovations as well as threats.

     
  • It seeks to identify risks to the 'maximum achievement of the purpose', rather than to objectives.  This includes the requirement to consider threats, opportunities and innovations to the purpose, not just to the particular strategy and objectives currently in place.

     
  • It makes it clear that ultimately the only uncertainty that matters is uncertainty in effect or impact.  The event or factors leading up to the effect may or may not be uncertain.  As long as the final impact is uncertain and it is a threat to the purpose, it is a risk.  

 

This systems thinking definition of risk is less constraining and contains fewer assumptions than the definition used by ISO 31000. It is also clearer in its intent and meaning, and allows the term 'risk' to be used in the way that almost all people feel comfortable with.


Risk Representation using Risk Maps

Many, perhaps most, organisational risks are far too complex to be effectively described in a few words in a risk register.  The same complexity also means that it is very difficult to ensure that stakeholders have a shared, deep understanding of risk drivers, risk impacts and their inter-relationships.  

Risk maps provide a method of graphical representation that:

  • encompasses much more of the complexity than is possible with text

  • is easily shared and reviewed to enable dialogue and hence shared understanding

  • helps to identify gaps and overlaps in the risk information, and to focus risk inquiry

  • helps to identify meaningful responses to complex risks

 

Simple, tangible or technical risks may be sufficiently clear directly from the data or from technical analysis, and in such cases the effort involved in creating a risk map may not be justified.

A simple example of a risk map follows. 

 

[Figure: a simple example of a risk map]

The Use of Risk Maps as the Basis for Risk Analysis

When dealing with a single risk, a risk map is often the most effective basis for understanding what is happening and how best to respond. Using risk maps as a shared reference for dialogue with stakeholders improves the quality of both understanding and response.

When taking a systemic approach, it quickly becomes clear that calculating risk ratings in order to prioritise risks is in most cases pointless and can be seriously misleading. At best it causes sub-optimal risk responses. For this reason, systemic risk analysis does not include calculating likelihoods, impacts or risk ratings for individual risks.

Given this, creating, sharing and improving a risk map for a particular risk is in itself a process of risk analysis.  At the end of the work of creating a risk map, leaders are able to identify appropriate risk treatments (responses) just as they would for any organisational problem or opportunity.

 

Risk Responses

As noted above, for individual organisational risks the most effective way to identify appropriate, effective, sustainable risk responses is to use a risk map for a dialogue between stakeholders.  The aim is to identify where on the risk map the best leverage can be applied to the risk.

Once points of leverage are identified, desired risk responses can be added onto the risk map in exactly the same way as other elements of the risk map. For clarity, the convention is to show risk treatments in a red text box, with red arrows indicating the point of leverage. This is illustrated in the risk map above.

When a risk map is complete with risk responses, it is a powerful representation not only of the nature of the risk, but also of how and why that risk is being treated. 

Comments  

 
0 #2 Richard 2011-10-01 06:00
Hi Frank, Yes, risk maps can be used to explore the bigger picture, starting with detail.

Ideally, the start point is information (data). If seeking to find and manage internally generated risks, this data would be collected from people in the system you want to study. From that data you need to identify one or more plausible risks (risk propositions) that are worthy of further study/analysis.

Each then becomes the first element of a risk map, which you build by adding elements of data and linking them. Once you have built a risk map, one way of gaining new insight is to identify how you could influence (treat) the risk and to place those on the map.

However the single most powerful way of gaining new insight is to have a conversation with stakeholders about the map.

I hope this helps.
 
 
0 #1 Frank J. Cornwell 2011-09-07 16:22
Hi, liked the comments on risk and the use of risk maps. We build assemblies for the aerospace industry and have talented electronic engineers who quickly get into the "weeds" rather than see the bigger picture. As often is the case "our strength is also our weakness". Looks like the risk maps are a way to get the bigger picture? I don't know much (nothing) about how to initiate the mapping process. Could you recommend any sources of information on how I could get started? Any help would be greatly appreciated.

Thank you in anticipation,

Frank (A Brit living in the USA)