Guest Post by Andrew Sheves (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Naturally, a lot of time and effort in risk management goes into understanding the risks that you face. After all, if you don’t understand what you’re up against, there’s not a lot of risk management to be done. However, even when you complete a comprehensive risk assessment, this is just the beginning of the process. Now the real work starts and you have to answer the big question.
What do we do next?
At this point, things become very subjective. Not only does the risk depend on your particular situation, but so does the most appropriate response. That’s one of the reasons it’s so hard to develop a one-size-fits-all set of mitigation measures: the ‘right’ answer will differ, company by company. So instead of a simple ‘if you have A, then do B’ approach, you have to customize the response to meet your specific needs.
This isn’t dissimilar to what you will see in a gym. Imagine a group of people who all want to lose weight and get fit. They will all be given different workout and diet plans to meet their specific needs. They will all have very different paths to get them to a similar goal: there’s no one-size-fits-all plan.
However, despite the customization, there will be some common elements in each plan: healthy eating, regular aerobic exercise, cut back on PopTarts (my weakness).
It’s going to be the same when you start thinking about what to do about a risk. There will be common approaches that you can use to address a risk even though the exact mix – the specific strategy – will be unique to your organization.
Before I jump into the details, one point on terminology. I call this ‘addressing’ the risk rather than ‘managing’ the risk just to differentiate this particular step from the overall practice of ‘risk management’. So you first understand the risk by assessing it, then you address the risks. (Read more on this basic approach here.)
When it’s time to ask ‘what do we do about this risk?’, your options broadly fall into one of five categories: avoid, terminate, tolerate, treat, and transfer.
These options (A4T) give you five top-level strategies for addressing a risk, which you can then develop into specific measures as part of a detailed risk management plan. Here’s a little more detail on each, but also keep in mind that you may well combine several of these to tackle a single risk.
Avoiding the risk means that you don’t engage with it in the first place. If you were considering a new project in a location where there was civil unrest, you might decide not to go ahead at all. Likewise, you might decide not to add a new feature to a piece of software because the associated privacy issues outweigh the benefits of the upgrade. The key thing here is that you haven’t engaged with the risk yet, so you can avoid it altogether.
However, if you are already exposed to the risk, then you have the option to terminate that specific activity and remove the risk altogether. So if you discovered that an existing software feature was now an issue because of new privacy legislation (hello GDPR!), you might terminate that feature. Or if civil war broke out in a previously stable location where you were operating, closing everything down removes that risk. You terminate the activity that exposes you to the risk.
If a risk falls within acceptable parameters, then you can tolerate the risk and there’s no additional action to take at this stage. There are two key ideas to keep in mind here:
- Your risk appetite is the amount of risk you are comfortable with over the long term.
- Your risk tolerance is the amount of risk that you are willing to bear in the short term. This is usually greater than your risk appetite, unless you have an extremely cautious organization where the two might be the same.
So to tolerate a risk, it has to be below your risk appetite threshold. It either already falls into this bracket, or you use one of the other A4T options to reduce it to an acceptable level. Keep in mind that it might take a while to reduce a risk, but it’s usually OK to tolerate a higher risk (up to your risk tolerance) as long as you are actively working to reduce it.
Treating the risk is when you use specific mitigations to bring the risk into line with your levels of comfort (your risk appetite). Treating the risk should make it tolerable (see above), as you are aiming to bring it into line with your risk appetite. Ideally, you are striving to get to the point where it is as low as possible (here the term ALARP is often used: as low as reasonably possible). We often jump right to treatment when we start to plan our risk strategy, but make sure you don’t overlook the other options available, and remember that a mix of techniques might be appropriate.
Finally, you can transfer the risk elsewhere. Buying insurance or contracting someone else to conduct higher-risk activities are forms of risk transfer. Just be careful that you don’t end up with a false transfer, where it looks like you transferred a risk but you remain exposed. For example, if you retain responsibility for the actions of sub-contractors, you haven’t transferred your risk. (In fact, you’ve increased it, but that’s a discussion for another day.)
Now you have five general strategies that you can use to start to consider how to address each risk: avoid, terminate, treat, tolerate and transfer. But remember, this isn’t a one-or-the-other choice: mix and match the A4T strategies to get your risks to an acceptable level. For example, it’s very common to have insurance (risk transfer) in addition to other A4T options as part of the strategy for a single risk.
So keep these in mind when you next look at your risks and are deciding what the next steps should be. These five options will help you develop some top-level strategies for what to do before you start working on detailed treatment plans.
This is an excerpt from Beyond The Spreadsheet: A Practical Guide to Understanding Your Risks. You can learn more about the book here and CERM-RI subscribers get a special 25% discount if they use this link.
Andrew Sheves Bio
Andrew Sheves is a risk, crisis, and security manager with over 25 years of experience managing risk in the commercial sector and in government. He has provided risk, security, and crisis management support worldwide to clients ranging from Fortune Five oil and gas firms, pharmaceutical majors and banks to NGOs, schools and high net worth individuals. This has allowed him to work at every stage of the risk management cycle, from the field to the boardroom. During this time, Andrew has been involved in the response to a range of major incidents including offshore blowout, terrorism, civil unrest, pipeline spill, cyber attack, coup d’état, and kidnapping.
Andrew has distilled these experiences down to first principles to develop the KISS Risk Management framework, a straightforward, effective and robust approach to risk management. This aims to make high-quality risk management tools, resources, and training accessible to as many people as possible, particularly those starting out in the field of risk. He has also developed the dcdr.io risk management software platform and several online assessment tools to complement the KISS framework.
Andrew has an MSc in Risk, Crisis and Disaster Management from Leicester University and has written articles for several publications including the RUSI Journal, ASIS Security Management Magazine and the International Association of Emergency Managers Bulletin.