Risk Management 101 – what is risk and why do we need to manage it


Whenever we develop a plan, we are attempting to predict the future. We are claiming that by executing a series of steps, we will achieve a desired outcome at some point in the future. Unfortunately, predicting the future is an uncertain business at the best of times. It involves making assumptions about how things will be in the future: how people will behave and perform, what potholes and unexpected roadblocks might be found on the way, how markets will evolve, what materials will cost, how reliable the supply chain will be, and so on. These assumptions can be wrong: a little bit, or a lot.

If the assumptions aren’t right, then the outcomes will probably be different. For some assumptions, a minor change can have dramatic effects on the end result; for others, even quite a big change might have only a minor effect. The questions that arise are:

  • What assumptions have we made when developing the plan?
  • How uncertain are we about the values of those assumptions, and over what range might they vary?
  • What effect could that uncertainty have on our desired outcome?
  • What can we do to reduce the level of uncertainty?

This is where the practice of risk management comes in.

Risk Management

We (actually ISO) define Risk as being “the effect of uncertainty on an objective”. The “effect” is usually seen as a deviation from the expected objective (e.g. lower, or higher, sales), and often occurs as a result of a change to one of the assumptions that was embedded in the planning (e.g. increased competition, reduced availability of product, changes to the regulatory environment, loss of experienced staff, natural disaster).

All this sounds a bit esoteric, but the fact is that we do this ALL the time; mostly without thinking about it. Here’s an example from everyday life that should help to illustrate the risk management process.

Meet Stacy Elliot

Stacy wants to travel from her home in Watford (on the outskirts of London, UK) to Manchester for a lunchtime meeting on a Wednesday in January. As Stacy lives close to the M1, she decides to drive there in her own car. The previous evening, she uses Google Maps to choose a suitable route (M1, M6, M60) and sees that the target driving time is about 3h30. She needs to be in Manchester for 1PM, so decides to leave at 9AM, allowing 30mins for any delays.

Sounds simple, and it is. It’s a process most of us go through many times a week: whether it’s going to a meeting or just driving to work. But there are assumptions built into the plan that could be wrong, and if they are wrong, the expected arrival time could change. In other words, there is risk.

Let’s look at some of the assumptions Stacy has made:

  • Her car won’t break down.
  • The car has sufficient fuel to drive to Manchester.
  • 30 mins is sufficient buffer against potential delays.
  • She knows how to navigate her car to Manchester.
  • She is a safe driver who can drive for 3h30, maybe 4h without requiring a break.

Risk Identification

Any one of these assumptions could be wrong to some extent, so let’s identify some risks associated with those assumptions.

  • The car fails to start due to cold weather, resulting in a 2h delay whilst the AA attends and fixes the problem.
  • The car breaks down on the motorway because of poor maintenance, resulting in a 4h delay whilst the car is recovered.
  • The car runs out of fuel, resulting in a 2h delay whilst the AA attends and fixes the problem.
  • A major accident en-route shuts part of the motorway and results in a 4h delay.
  • Bad weather slows traffic speeds and adds an extra 30m to the journey time.
  • Stacy needs to take a break en-route, adding 15m to the journey time.
  • Due to a change in the road layout, Stacy misses the turn for the M6 and has to continue up the M1 to the next junction, adding 20m to the journey.

Etc. etc.

(Incidentally, these are also examples of well-described risks: <cause><event><impact>)

Risk Analysis

None of these risks is highly improbable. There are no Black Swans in there.

Each risk has a greater or lesser likelihood of occurring, and the impact also varies. Some are unlikely to occur, but could have a major impact if they did (e.g. car breaking down); others are very likely to occur, but with only a minor impact (e.g. slow traffic).

However, we can adopt some form of ranking system to identify the most important risks (probably the accident on the M6, which is medium likelihood and high impact).

Risk Evaluation

Next, we can examine what steps Stacy has already taken to manage the level of some of these risks. These are known as Controls.

  1. Stacy knows that cars can break down, but the car is fairly new and is serviced regularly by a qualified mechanic. She checks her fluid levels and tyre pressures regularly and has a spare wheel just in case. Stacy is pretty confident she could change a wheel in an emergency, so she’s pretty sure she won’t be stranded by the side of the road.
  2. She topped up with fuel yesterday and she knows the range of her car on a full tank is 600 miles. Manchester is only 200 miles.
  3. The car has a built in Sat Nav, though the maps are out of date and it doesn’t get live traffic updates.
  4. Stacy has already built in a buffer of 30m for traffic delays.
  5. Stacy has a mobile phone and is a member of the AA.

Has she done enough? Is the residual risk (the level of risk remaining after considering the effectiveness of the existing controls) acceptable?

To answer this question, we need to know the Risk Tolerance: how much can arrival time deviate from target before Stacy has a major problem on her hands? In this case, how late is too late?

To answer this we need to know why Stacy is going to Manchester and how important it is that she gets there for 1PM. i.e. what is the higher level objective? Let’s consider two scenarios:

  1. Stacy is on holiday and she’s driving up to Manchester to meet her sister.
  2. Stacy is the CEO of a FTSE 100 company and she’s driving up to Manchester to sign a multi-million pound deal.

In the first scenario, it isn’t the end of the world if Stacy doesn’t get there for 1PM. Provided she lets her sister know and gets there some time, no problem.

Not so in the second. Stacy must be there no later than 1:30PM or her company will be embarrassed and the previously announced press conference will have to be delayed.

Risk Treatment

If it’s the second scenario, we can probably say that the residual risk is still too high. What other controls can we introduce to Treat or change the level of risk and improve the certainty of being in Manchester for 1PM?

Treatment Controls can be divided into a number of broad categories:

  • Those that avoid the risk altogether.
  • Those that transfer the risk or share it with somebody else (e.g. outsourcing and insurance).
  • Those that reduce the likelihood of the risk event occurring.
  • Those that reduce the impact if the event does occur.

The most important risk in this case is that of a major accident that closes a motorway and causes a 4h delay.

  • Stacy could leave earlier and reduce the impact;
  • she could choose to go by train or fly and thus avoid the risk altogether (though this does introduce other risks); or,
  • she could travel up the previous night and avoid the risk altogether (at an increase in cost).

There are other potential controls, but you get the idea.

Which control she finally chooses to implement would be based on a balance between the cost of implementing the “control”, and the benefit that accrues after taking into account the importance of the objective. However, the end result should be a more robust, and resilient, travel plan that reduces the uncertainty of not being in Manchester for 1PM to an acceptable level.
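The ranking, tolerance check and "leave earlier" treatment described above can be written as a small risk register. This is an added example, not part of the original article: the delays are the article's figures, while the 1 to 3 likelihood ratings, the impact bands and the 3h earlier departure are assumptions.

```python
from dataclasses import dataclass

# Delays are the article's figures; likelihood ratings (1=unlikely, 2=medium,
# 3=very likely) and the impact bands are assumptions made for this example.
@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # assumed residual likelihood after Stacy's existing controls
    delay_min: int    # delay if the event occurs, taken from the article

REGISTER = [
    Risk("car fails to start (cold weather)", 1, 120),
    Risk("breakdown on motorway", 1, 240),
    Risk("runs out of fuel", 1, 120),
    Risk("major accident closes motorway", 2, 240),
    Risk("bad weather slows traffic", 3, 30),
    Risk("driver needs a break", 2, 15),
    Risk("missed turn for the M6", 1, 20),
]

def impact_band(delay_min: int) -> int:
    """Assumed bands: under 60 min = 1 (low), under 180 min = 2 (medium), else 3 (high)."""
    return 1 if delay_min < 60 else 2 if delay_min < 180 else 3

def ranked(register):
    """Rank by likelihood x impact, highest first; ties broken by longer delay."""
    return sorted(register,
                  key=lambda r: (r.likelihood * impact_band(r.delay_min), r.delay_min),
                  reverse=True)

def breaches(register, slack_min: int):
    """Names of risks whose delay alone exceeds the slack before the deadline."""
    return [r.name for r in register if r.delay_min > slack_min]

# Planned arrival is 12:30 (9AM departure + 3h30 drive). In the CEO scenario the
# hard deadline is 1:30PM, so the risk tolerance is 60 minutes of delay.
CEO_SLACK = 60

if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(r.likelihood * impact_band(r.delay_min), r.name, f"{r.delay_min} min")
    print("Breach 1:30PM deadline:", breaches(REGISTER, CEO_SLACK))
    # Treatment "leave earlier": a constructed 3h earlier start widens the slack.
    print("After leaving 3h earlier:", breaches(REGISTER, CEO_SLACK + 180))
```

The check treats each risk on its own; two minor delays occurring together (for example bad weather plus a break) are not combined here.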

Agdon Associates and Business Continuity UK are no longer in business. This website is not being updated: it has been left online solely as a source of useful information on Business Continuity.
