Most small to medium enterprises are poor at understanding risk. Some large organisations are poor at understanding risk. For many, completion of a probability and impact matrix is enough to convince themselves that they understand their risks. They are wrong.
What is a risk?
Risk is the combination of a source of risk and an event that together give rise to a consequence we would regard as a departure from the expected. Risks may be positive or negative.
For example, we may run the risk of being profitable (consequence) if we have very competent people (source) completing a sales process (event) that causes people to move through their buying process.
Or, we may run the risk of a catastrophic release (consequence) of flammable liquid (source) if an earthquake ruptures (event) our four hundred tonne tank of petrol.
A spark (event) from a non-flameproof electrical switch may ignite (consequence) the flammable liquid (source) which has been released from the storage tank.
The source is the intrinsic thing which may cause harm.
The event is the occurrence that turns the source into an impact; it is what happens for the risk to have the consequence it does.
The consequence is the outcome or impact of the risk.
To correctly describe a risk, the source, event and consequence must be stated.
For example, a poor set of banking controls (event) may give rise to a dishonest employee (source) stealing money from our account (consequence). A poor selection process (event) may give rise to dishonest employees being hired (consequence) from a pool of candidates which, in the author's estimation, will on average contain more than 20% dishonest people (source).
Ideally, a description of risk will also contain within it, when and where the event could occur.
For example, our reputation will be sullied (consequence) if, within the first hour (when) of a spill (event) at our factory (where), we fail to get accurate information to the public and so allow misinformation (source) to spread.
If possible, a risk description will include a cause and any controls which exist.
For example, the tank may explode (consequence) inside our factory (where) during repairs (when) if the tank is not vapour free as per policy (control) due to a failure in our training and controls (cause) and a spark (event) generated by the cutting gear ignites the vapour (source).
It is not necessary to put all of this into one sentence as I have done for illustration. It is necessary, however, to think through a risk in those terms as far as possible.
Once a risk is described fully, assessing, evaluating and treating it becomes much easier. Further, the treatment plans generated to mitigate the risk are more likely to be robust, because each element (source, event, consequence, cause and control) can be addressed on its own.
Describing risk in these terms is still not enough. To truly understand their risks, organisations must determine the context in which the risks are being identified. The context determines an organisation’s view of the sources and the criteria by which consequences are later ranked.
The internal context is usually a combination of goals and objectives, culture and structure. For example, a goal of profit versus a goal of return on capital employed will give rise to different sources of risk, as well as overlapping ones. A highly inventive, empowered culture will give rise to different sources of risk from those of a conservative, slow-to-react culture.
The external context will include the political, economic, social, technical, legislative and environmental aspects as well as key stakeholders and business drivers. For example, an organisation executing a project sensitive to the impact on a local community will concern themselves with sources of misinformation that may give rise to a community backlash. An organisation which was not so concerned about the impact on the local community would not.
A risk is not just the probability and impact of an event occurring. Reducing risk to those two numbers leaves organisations exposed to unforeseen events that unleash unidentified consequences from unknown sources, at a time and place they have not thought of, because the identification step was skipped or done poorly.