Three ways to enhancing your risk registers
Jul 26th, 2017
We wrote a paper with 10 rules to enhance risk assessments and today we will focus on three ways to enhancing your risk registers, namely rules #3, 5, 6.
We have selected three rules out of ten of the original paper based on issues various delegates focused on at a recent conference. Of course we invite you to read the full paper and review your risk registers.
Your projects/operation/company will greatly benefit from this action once the dust settles.
Three ways to enhancing your risk registers: rule #3
- Always start by identifying hazards using threats-to and threats-from.
At the conference, but this was not the first time, we heard some delegates stating that “hazards” do not work. We heard some pleading for the “hazard step removal” as hazards are events and some risks arise without an event.
Let’s look at a case where “hazard” allegedly does not work: corruption. The delegates say that corruption is not amenable to a hazard, i.e. an “event” and then, of course it is not amenable in a quantitative risk register because it is “complex”.
Here is the way to overcome this difficulty, based on rule #3. The hazards to your project/operation/company are, for example:
- Organizations (mafia type, organized crime groups)
- Politically exposed people
- Government officials
Reasonable simplification is the key
One does not need to get bogged down naming them one by one: they are either threats-to to or threats-from. It is enough to develop “families of corruption agents”. Each family has a probability (quantifiable in each country, based on experience, with a range) of corrupting the system or being corrupted by the system, and the corruption has a potential consequence (legal, image, business interruption, HR, etc.) that can also be quantified with a range (look at Rule #7 in the original paper. Thus the “complexity” can be deconvoluted and uncertainty transparently stated. Note we use here the term uncertainty in decision making as a situation where:
- the current state of knowledge is such that the order or nature of things is unknown (in terms of deciding exactly who are the corruption agents),
- the consequences, extent, or magnitude of circumstances, conditions, or events is unpredictable (meaning difficult to predict with precision), and
- we cannot assign credible probabilities to possible outcomes with precision, only ranges are known or can be evaluated.
NB: The texts in parenthesis in the list above are comments we made to “link back to the subject at hand”.
Combining the elements
At this point it is possible to combine the various “elements of risk” and get to the aggregated corruption risk for your case.
One could write an entire book on this subject. Think about oil and gas or mining prospection: a dry well/borehole is a costly “failure” that many would claim has no hazardous event.
What are the threats-to the well/borehole? Many stem out of human error, omissions, geology, capitalization of the campaign. It is possible to prepare a list of those threats-to which constitute the hazard families list potentially hitting the well/borehole. You can certainly also build the threat-from list.
Now go back to the prior example (corruption)… define ranges of experience based probabilities, consequences, combine the individual threats and you will have the risks.
It is an enlightening exercise. Contact us for support!
Three ways to enhancing your risk registers: rule #5
- Always consider a range of probabilities in order to include the range of uncertainties.
For reasons unknown to us, as soon as someone talks about probabilities there is the temptation to give one “magic number” or to say that “the number is impossible to find, so better do nothing”.
Thinking about giving one precise value for the probability is a dangerous illusion. For instance, even if you have available large amounts of data from the past, you can never consider the past equal to the future. At best it can be used as a point estimate.
The reality is that uncertainties will always exist. So, consider the limits of our human capability to estimate events. Give one pessimistic probability, possibly Common Cause Failure based (i.e. in the case all redundancies fail because of a common flaw), and one optimistic probability with the foreseen mitigation active. If probabilities are transparently considered uncertain, then it is possible to implement a Bayesian update mechanism when new data become available.
Three ways to enhancing your risk registers: rule #6
- Always consider a range of consequences.
Giving one precise value for the consequences or selecting “the worst” among types of possible consequences (in the corruption case above, selecting the worst among, for example legal, image, business interruption, HR, etc.) are blatant mistakes.
The human brain is generally good at imagining the best and the worst scenario. However we see many times that people censor the range considered. In modern society, he who hides risks dies, sooner or later.
Uncertainties will always exist. Don’t censor!
At Riskope we work very hard to develop innovative and proven methodologies for supporting decision-making surrounded by uncertainties. We also recognize that many risk registers developed over time present some “aging ailments”.
In the last couple years we have performed many Risk registers third party reviews. These have lead to streamlining, focusing, more transparency. At the end they have allowed clients to focus on what really matters to succeed and thus to reach economic benefits.
This blogpost gives you some pointers. The referenced paper more details.
Contact us if you want us to support your business.
Tagged with: decision making, identifying hazards, risk registers, Threats from, Threats to
Category: Risk analysis, Risk management