Risk Management

by Peter Parkes

Step 4: Taking action

Many perished from what they feared, but what good was fearing it when they took no steps to prevent it... It is not prudent to rush into troubles, but it is to meet them halfway, in order to conquer them.

Baltasar Gracián

Having taken measures to identify your risks, come to a view as to which ones are important, and communicated a map of risks to your team, you have moved a long way forward in understanding what you need to do.

Usually, if you have gone through an exercise to collect risks, you will have a big list in your risk register. But how do you start to address them all?

Our assessment of risks gives us a pecking order to work from. This is indicated by the likelihood of risk and the potential impact. For example, if we know that trains are running late today then it becomes more important to take some countermeasures. Similarly, if we have an important meeting at the end of the train journey then we are more likely to take action. If we have the combination of increased likelihood plus increased impact, then we are more likely to take more decisive action, such as to go the night before or use an alternative means of transport. It is the same in formal risk management. Hence, our basic tools for communicating risk, such as the Risk register and Probability impact grid, indicate which risks to deal with first, especially when – as is usually the case – we have limited resources.

We can take several forms of action in dealing with risk:

  1. Accept risk
  2. Transfer the risk
  3. Reduce the probability of the risk
  4. Reduce the impact of the risk

Usually, a combination of these approaches is used.

1. Accept risk

We usually accept risk. The management science, or common sense, is in knowing which risks to accept and which to do something about.

It is a fact of life that sometimes trains are late and sometimes it rains. Yet we don’t always get to the train station an hour early or walk around with a raincoat and an umbrella. Will it matter if we arrive 20 minutes late or get wet? If we can live with the consequences, then we do not need to use resources in case they happen. If, on the other hand, it may rain when we have just come out of the hairdresser’s on our wedding day, then we will probably feel that we cannot accept the consequences and we will do something about it, such as bring the hairdresser to us.

If a risk is thought of as very high – usually assigned as having a probability of over 90 per cent or nearly certain – then it is safer to take this as our basic scenario and give ourselves a low probability that we will see the favourable side.

In practical terms, a very low risk is one which we will capture and park; in other words, we will do nothing more about it unless circumstances change to increase its likelihood or impact.

2. Transfer of risk

We often try to transfer risk. In our home life, we are talked into insuring against every conceivable event. Most of us take out house insurance, car insurance, holiday insurance and so on. Similarly, in business we can insure against many events that threaten our operations. If we take it to the extreme, we can end up paying out all of our revenue on insurance against events which may never happen. Sensible money pays for those things which would destroy our business or lives – in other words, where we cannot reasonably accept the consequences and continue as we were before.

When we take contracts out with third parties, we are tempted to transfer the risk, so that if things go wrong, they will have to fix them. As many of us have found, however, something in the small print often means that this part of the engine isn’t covered, or we invalidated the warranty by taking the back cover off, or the double glazing firm has gone out of business, or the supplier just ignores us and we have to give up or go to court. Be aware of the true value that the piece of paper in your hand will have if the issues materialise. If you are the one who will suffer, then stay involved in the process.

Today, industry is becoming more specialised around core competences, and a high proportion of undertakings are carried out by consortia, joint ventures, partnerships, sub-contractors or through outsourced contracts. A large proportion of contract negotiations revolve around the allocation of risk. Contract forms of the old style seek to push the risk down the contract chain so that the small guy at the end gets landed with little of the reward but most of the risk. If the risk event happens, the small guy is the most likely to go out of business and leave the consortium faced with the consequences. Modern contract forms use the notion of partnership and have three basic principles:

  1. The overall risk is owned by the client and they have to own the overall risk management process
  2. Individual risk should be allocated and managed by the party most able to do something about it
  3. Risk should be in proportion to the reward of individual parties.

3. Reduce the probability of the risk

If our assessment of risk indicates that we need to expend resources on reducing risk, then the easiest option is usually to take any opportunity to reduce the likelihood of a root cause precipitating a consequence.

For example, for modern data centres (and many other important operations), a loss of power supply would result in an unacceptable level of service. Operators reduce the likelihood of loss of power by installing a dual supply, back-up generators or electrical storage until the likelihood reduces to acceptable levels for the consequences.

4. Reduce the impact of risk

We can’t reduce the likelihood of a train being late for our interview, but we can reduce the impact of a late train by taking an earlier train. Similarly, we can reduce the impact of a supplier delivering late by bringing forward the order date, so that a slippage would not affect our time for completion. Note that it was a traditional form of risk management to hold huge stocks of everything, but this has a financial impact on the business, so only critical components are now held in stock. The risk management process helps us to determine which components are critical.