
Do we understand what a Risk Event is?

November 9, 2017

People talk about a risk event as if it is obvious what it is and what it means.

COSO ERM talks about the possible effect of an event on objectives, and in common parlance we are talking about something happening that has an effect on the organization.  (COSO thinks of risk as the possibility of that event occurring; ISO talks about risk as the effect of what might happen on objectives.)

Most often, people are thinking of a negative effect, something harmful that is the consequence of the event.

Examples of so-called risk events include:

  • The passing of new regulations
  • The loss of a key employee
  • An earthquake, hurricane, flood, or other natural disaster
  • A data center fire
  • An intrusion by a hacker

One of the things that concern me is that these events may have multiple effects or consequences, not just one.

Some of those effects might be positive.

For example, a new regulation might mean that sales are disrupted and additional costs incurred to bring a product into compliance. There is an increase in cash flow risk, revenue risk, customer satisfaction risk, and compliance risk. But, if the organization is sufficiently prepared and agile, it may be able to release a compliant product earlier than its competitors and gain market share. In fact, some competitors may not be able to adjust at all.

The loss of a key employee may be a risk to a project or other key activity, but it is also an opportunity to hire somebody with greater or different skills, making other things possible. It may even be an opportunity to reorganize for agility or efficiency.

The loss of a data center due to fire or flood may have multiple and diverse effects, but is also an opportunity to build a better one, financed by the insurance proceeds.

There are times when it may be to a company’s advantage to get new regulations passed, simply because they are better prepared to respond than their competitors! It also helps the company’s reputation to be seen as sensitive to the demands of the community – for example by adding safety features.

All of this needs to be considered: the likelihood of an event, the range of potential consequences and the likelihood of each, how the organization can be prepared, and how advantage may be taken.

The other thing that gives me cause for concern is that events are not the only source of risk.

Decisions have an effect as well. The action taken following a decision, for example the decision to read this article, can have an effect as well.

But let’s come back to events.

Years ago, when I was a VP in IT, I was responsible for data center disaster recovery and corporate contingency planning.

I learned that rather than building a plan for every event that could cause the data center to be out of commission, it was better to build a plan that addressed how to deal with the effect of those events.

In other words, we had a plan for the loss of a data center, rather than separate ones for loss due to fire, flood, and so on.

Similarly, many things can happen that might affect the achievement of an objective.

Shouldn’t we have plans that address how we respond to the effect rather than to every event?

If we are monitoring the likelihood of achieving an objective rather than simply the levels of individual risks, won’t that help the organization run the business to success?

Just thinking.

What do you think?

  1. Thomas
    November 9, 2017 at 7:12 AM

    I think we need both! A plan on how to reduce the probability of the event (taking the risk reward balance into consideration), e.g. fire walls, AND a plan on how to react if the event should occur (Business Continuity Management).

    • Norman Marks
      November 9, 2017 at 10:11 AM

      Why reduce the probability of an event if the net effect is positive? Why not reduce the likelihood of an adverse effect and increase that if a negative effect?

  2. November 9, 2017 at 9:59 AM

    I think the bow tie concept works here where the event is in the middle and we have the causes and preventative on left side and then the mitigation and impact or consequence left side

    Cause – prevention measures – EVENT – mitigation – consequences.

    • Norman Marks
      November 9, 2017 at 10:10 AM

      I’m not sure how the effect on each objective is captured. I like bow ties though

      • Jonathan Whitham
        November 14, 2017 at 2:22 AM

        Don’t you just map them? You might not capture them all, but you can capture most. The others you’ll have to deal with on the fly, but allying on those with suitable experience can help with this.

  3. Nik
    November 9, 2017 at 10:40 AM

    To me the problem is not whether we understand events, it’s that we talk about them as if they are binary… A new regulation may be passed in any manner which may have all different kinds of effects. An earthquake can have many kinds of consequences depending how large it is and how far we are from the epicentre. A fire may be small, large, confined to one floor, etc. All the different outcomes from a regulation/earthquake/fire/etc have different probabilities and different impacts.

    It’s more useful to see these things in a more rounded way. Probability distribution curves are one way to imagine the possibilities.

    And Norman is right. The really important thing is the effect. Which is also not binary, and will have its own probability curve.

  4. Venkatesh S
    November 9, 2017 at 6:23 PM

    Dear Mark, a simple shift in thinking changes perspective. Your article did this to me🙂. I think we should follow your suggestion wherever possible. At the moment I am not sure if there are scenarios where conventional thinking may hold good. But it’s definitely food for thought.

  5. Hans Læssøe
    November 10, 2017 at 1:08 AM

    Hi Mark,

    I have three comments to this.

    The potential multi-faceted effect of a risk materializing is exactly why ISO states “affect on objectives” (in plural). They then miss, that the risk affects performance, not necessarily the objectives – but that is another story.

    The second element is about looking at the opportunities that come from potential risks. Asking yourself – if this happens, how can we make this a benefit for us – despite some bad things being embedded. And true – this covers events as well as decisions made.

    Finally. Looking at uncertainties and seeking to invoke those which you are prepared for, and which may provide you with a strategic advantage (it may hurt you, but it will be very hard on unprepared competitors). That is “intelligent risk taking” – in some instances also known as disruptions.

  6. November 11, 2017 at 10:31 AM

    Norman, I think your philosophy can be summed up as, ‘Every cloud has a silver lining’. I can understand your point that if a risk occurs we should look for that silver lining.

    I think one of the best characteristics ascribed to a risk is that when a risk occurs, it always results in a loss, thus distinguishing a risk from a lack of controls. (An opportunity therefore always results in benefits.) I like to word risks to clearly indicate the loss which will occur. This has the advantages of forcing me to consider the objective being threatened and removes the need to identify the cause of the risk.

    Thus, ‘The passing of new regulations’ might become, ‘Additional cost of reformulating products due to new pharmaceutical regulations’. ‘Loss of a key employee’ becomes, ‘Delay in bringing new products to market due to the patent officer leaving’. Defining risks in this way can help determine the response to the risk.

  7. Jonathan Whitham
    November 14, 2017 at 2:25 AM

    Reckon we need to be careful not to overthink this.

  8. Eng. Misana Mutani
    November 16, 2017 at 4:28 AM

    I like the way you can explain things with such simplicity, opening the minds of many. I totally agree with you; it is not as difficult as others have tried to argue here.

    • Norman Marks
      November 16, 2017 at 5:50 AM

      Thank you!
