The Benefits of Effectively Describing Risks
To introduce myself, I am an Internal Auditor with over 12 years’ audit experience, the last two years within the NHS. I also have around 10 years' financial experience, gained in a number of managerial roles including Finance Business Partner, Sales Ledger Manager and Financial Analyst. I am a Certified Risk Professional, having successfully undertaken the Institute of Risk Management’s (IRM’s) International Diploma in Risk Management; the IRM being the world’s leading professional body for risk management.
Risk Descriptions – Using the Bow Tie Method
We may think that describing a risk is easy… we all, of course, encounter risks in our everyday lives as well as whilst we are undertaking our work duties, and each of us could probably come up with a valid definition of what we mean by a risk. However, for the purpose of this article we will start with the short definition used within the International Standard for Risk Management (ISO 31000:2009), which is that risk is the “effect of uncertainty on objectives”. The use of uncertainty here allows risk to refer to the positive consequences of uncertainty as well as the negative ones.
So, taking into account the above definition, which of the following is a good risk description?
- A failed joint in a water pipe.
- Flooding at our place of work with loss of access.
- Failure to maintain our plumbing system.
Of course, we could argue that they are all descriptions of a possible risk, but in reality, when taken individually, they are incomplete. A better risk description might therefore be:
A joint in a water pipe fails, due to inadequate system maintenance, resulting in flooding at our place of work with loss of access.
So, why is this a better description, and perhaps more importantly what benefits could result from describing the risk in this way?
Taking the risk description above we can see it has three parts to it:
| Part of the description | What it represents |
|---|---|
| A joint in a water pipe fails | This is the risk ‘event’ |
| due to inadequate system maintenance | This is the ‘source’ of the risk |
| resulting in flooding at our place of work with loss of access | This is the ‘consequence’ of the risk and relates to our work objectives; should the workplace be under water, we are clearly unlikely to be able to deliver on our responsibilities and duties. |

Together these three elements give us a much better understanding of the risk, so that we can identify the risk mitigations that would be most appropriate.
We clearly don’t want the risk event (i.e. the failure of the joint) to occur, so we firstly consider the most appropriate mitigation(s) to address the source of the risk. In this example inadequate system maintenance is the identified likely root cause, so we might wish to put an improved maintenance regime in place. This is a ‘prevention’ type control, given it will reduce the likelihood of the risk event transpiring.
However, it may take us some time to put the improved maintenance regime in place and, in the short term at least, there may still be a risk of a joint failing. By also considering the consequence, therefore, we can identify the mitigations we would deploy should the risk event happen. This may be, for example, by having arrangements in place for remote / home working in the event the workplace is not usable. This is a ‘contingency’ type mitigation: we may not have to use it, but we have planned our arrangements just in case, so that we reduce the probable impact.
The scenario described is of course relatively simplistic. In real life, for any one identified risk event there may be numerous risk sources and numerous potential consequences. The risk description methodology described should help us to identify each one of these sources as well as each of the potential consequences. For key risks these can then be illustrated in a simple diagram as follows. This is often called the Bow Tie method – for obvious reasons.
So, when considering and describing the risks for your department, directorate or organisation, aim to describe your risks using the following simple guide.
There is a risk that (the risk event) … resulting from (the risk sources) … and leading to (the risk consequences).