Whenever we develop a plan, we are attempting to predict the future. We are claiming that by executing a series of steps, we will achieve a desired outcome at some point in the future. Unfortunately, predicting the future is an uncertain business at the best of times. It involves making assumptions about how things will be in the future: how people will behave and perform, what potholes and unexpected roadblocks might be found on the way, how markets will evolve, what materials will cost, how reliable the supply chain will be, etc. etc. Assumptions that can be wrong: a little bit, or a lot.
If the assumptions aren’t right, then the outcomes will probably be different. For some assumptions, a minor change can have dramatic effects on the end result; for others, even quite a big change might have only a minor effect. The questions that arise are:
- What assumptions have we made when developing the plan?
- How uncertain are we about the values of those assumptions, over what range might they vary?
- What effect could that uncertainty have on our desired outcome?
- What can we do to reduce the level of uncertainty?
This is where the practice of risk management comes in.
We (actually ISO) define Risk as being “the effect of uncertainty on an objective“. The “effect” is usually seen as a deviation from the expected objective (e.g. lower, or higher, sales), and often occurs as a result of a change to one of the assumptions that was embedded in the planning (e.g. the increased competition, reduced availability of product, changes to the regulatory environment, loss of experienced staff, natural disaster).
All this sounds a bit esoteric, but the fact is that we do this ALL the time; mostly without thinking about it. Here’s an example from everyday life that should help to illustrate the risk management process.
Meet Stacy Elliot
Stacy wants to travel from her home in Watford (on the outskirts of London, UK) to Manchester for a lunchtime meeting on a Wednesday in January. As Stacy lives close to the M1, she decides to drive there in her own car. The previous evening, she uses Google Maps to choose a suitable route (M1, M6, M60) and sees that the target driving time is about 3h30. She needs to be in Manchester for 1PM, so decides to leave at 9AM, allowing 30mins for any delays.
Sounds simple, and it is. It’s a process most of us go through many times a week: whether it’s going to a meeting or just driving to work. But there are assumptions built into the plan that could be wrong, and the effects of those assumptions being wrong could have an effect on the expected arrival time. i.e. there is risk.
Let’s look at some of the assumptions, Stacy has made:
- Her car won’t break down.
- The car has sufficient fuel to drive to Manchester.
- 30 mins is sufficient buffer against potential delays.
- She knows how to navigate her car to Manchester.
- She is a safe driver who can drive for 3h30, maybe 4h without requiring a break.
Any one of these assumptions could be wrong to some extent, so let’s identify some risks associated with those assumptions.
- The car fails to start due to cold weather, resulting in a 2h delay whilst the AA attends and fixes the problem.
- The car breaks down on the motorway because of poor maintenance, resulting in a 4h delay whilst the car is recovered.
- The car runs out of fuel, resulting in a 2h delay whilst the AA attends and fixes the problem.
- A major accident en-route shuts part of the motorway and results in a 4h delay.
- Bad weather slows traffic speeds and adds an extra 30m to the journey time.
- Stacy needs to take a break en-route, adding 15m to the journey time.
- Due to a change in the road layout, Stacy misses the turn for the M6 and has to continue up the M1 to the next junction, adding 20m to the journey.Etc. etc.
(Incidentally, these are also examples of well-described risks: <cause><event><impact>)
None of these risks is highly improbable. There are no Black Swans in there.
Each risk has a greater or lesser likelihood of occurring, and the impact also varies. Some are unlikely to occur, but could have a major impact if they did (e.g. car breaking down); others are very likely to occur, but with only a minor impact (e.g. slow traffic).
However we can adopt some form of ranking system to identify the most important risks (probably the accident on the M6; which is medium likelihood and high impact).
Next, we can examine what steps Stacy has already taken to manage the level of some of these risks. These are known as Controls.
- Stacy knows that cars can break down, but the car is fairly new and is serviced regularly by a qualified mechanic. She checks her fluid levels and tyre pressures regularly and has a spare wheel just in case. Stacy is pretty confident she could change a wheel in an emergency, so she’s pretty sure she won’t be stranded by the side of the road.
- She topped up with fuel yesterday and she knows the range of her car on a full tank is 600 miles. Manchester is only 200 miles.
- The car has a built in Sat Nav, though the maps are out of date and it doesn’t get live traffic updates.
- Stacy has already built in a buffer of 30m for traffic delays.
- Stacy has a mobile phone and is a member of the AA.
Has she done enough? Is the residual risk (the level of risk remaining after considering the effectiveness of the existing controls) acceptable?To answer this question, we need to know the Risk Tolerance: how much can arrival time deviate from target before Stacy has a major problem on her hands? In this case, how late is too late?
To answer this we need to know why Stacy is going to Manchester and how important it is that she gets there for 1PM. i.e. what is the higher level objective? Let’s consider two scenarios:
- Stacy is on holiday and she’s driving up to Manchester to meet her sister.
- Stacy is the CEO of a FTSE 100 company and she’s driving up to Manchester to sign a multi-million pound deal.
In the first scenario, it isn’t the end of the world if Stacy doesn’t get there for 1PM. Provided she lets her sister know and gets there some time, no problem.
Not so in the second. Stacy must be there no later than 1:30PM or her company will be embarrassed and the previously announced press conference will have to be delayed.
If it’s the second scenario, we can probably say that the residual risk is still too high. What other controls can we introduce to Treat or change the level of risk and improve the certainty of being in Manchester for 1PM?
Treatment Controls can be divided into a number of broad categories:
- Those that avoid the risk altogether.
- Those that transfer the risk or share it with somebody else (e.g. outsourcing and insurance).
- Those that reduce the likelihood of the risk event occurring.
- Those that reduce the impact if the event does occur.
The most important risk in this case is that of a major accident that closes a motorway and causes a 4h delay.
- Stacy could leave earlier and reduce the impact;
- she could choose to go by train or fly and thus avoid the risk altogether (though this does introduce other risks); or,
- she could travel up the previous night and avoid the risk altogether. (at an increase in cost).
There are other potential controls, but you get the idea.
Which control she finally chooses to implement would be based on a balance between the cost of implementing the “control”, and the benefit that accrues after taking into account the importance of the objective. However the end result, should be a more robust, and resilient, travel plan that reduces the uncertainty of not being in Manchester for 1PM to an acceptable level.
Agdon Associates and Business Continuity UK are no longer in business. This website is not being updated: it has been left online solely as a source of useful information on Business Continuity.