Ensuring there is a shared understanding of what we mean when we describe risks as “Severe” or “Material” or “Low” is a perennial problem for every risk manager. These words tend to get bandied about like they’re going out of fashion in risk meetings by people who don’t seem to care that they represent a technical concept. I’ve spent a lot of time this week hammering home the terminology in various meetings, but never more so than when we are talking about business continuity.
“But the risk of flood is low” the Sales Director said impatiently.
“But it could cause massive damage to the operation” the Facilities Director interjected, “so how can it be low?”
“But it won’t happen. Move on!”
It is at this point that I, the world-weary risk manager, stepped in to explain that yes, whilst the probability of a flood occurring is classified as Unlikely, the impact is classified as High and since we talk about risk as a combination of those two factors, our technical definition of that particular risk is that it is “Material” to the organisation, not “Low”. This means we need to take it seriously and have a think about whether we are controlling it appropriately.
I’ve had this conversation a lot: impact multiplied by probability/likelihood equals risk. Each of these concepts sits on a scale and has clear working definitions attached. Look the rating up on the grid. I’ve had the conversation gently and I’ve had it forcefully. There have been so many occasions when I’ve thought I’ve drummed it in and then a fortnight later realised I haven’t that I’ve been forced to take a look at my own controls relating to the risk of the risk framework failing to embed.
This concept of controls to manage the risk of risk management not embedding is so circular that it even blows the minds of some of the people in my team.
These principles have been included in mandatory annual training programmes. The risk methodology is updated annually and approved by the very directors sat in the room having the conversation which is putting our risk terminology through the mangle. These are my own controls to ensure the risk framework is understood. I am not always convinced they are adequate. But then wrapping the risk methodology round a brick and tossing it through every director’s window isn’t really sanctioned, and getting the risk assessment grid tattooed on my face isn’t really an option I want to consider.
Anyway, we ploughed on and there was minuted agreement that as the risk is unlikely to occur, it is not a valuable use of time or resources to invest further in preventative measures. Facilities Management agreed to implement a monitoring KRI to ensure the local river levels are regularly reported alongside weather forecasts, and it was agreed that the business continuity plan associated with this higher risk site should be strengthened and subject to a more frequent refresh regime than is standard.
This feels like an appropriate risk action plan to me. The Facilities Director agreed and said she would be able to put her concerns to one side once the actions were complete.
“It’s still a tiny risk and this is a bloody waste of time” muttered the Sales Director, as he packed up his iPad and his Montblanc pen to leave the meeting. There were a couple of private smiles exchanged. You cannot win them all, not least of all when someone is managing the risk of damage to their own ego above all else.
Who is the Secret Risk Manager?
The Secret Risk Manager is a senior risk professional working in the City. Over the years, they’ve seen a variety of risk practices - good, bad and ugly - across a variety of industries.
Like many risk professionals, the Secret Risk Manager’s CV has a large unspoken element. They are called upon to be in turns, therapist, coach, detective, mediator, behavioural scientist, parent, mind reader, futurologist, story-teller, philosopher and diplomat.
These articles do not pretend to constitute advice, but only to provide a frank and hopefully thought-provoking look into the often frustrating world of those people who help organisations manage their risks. The subject matter is experience-based, but fictional.
Any resemblance to actual incidents or persons living or dead is purely coincidental. But let’s face it, there’s not much new under the sun so you’ve probably seen it before.