Does ‘Risk Velocity’ have a place in risk management?

I have discussed the various elements involved with evaluating risk before, but I recently came across the term ‘risk velocity’, and it caught my attention enough to make me do a little research and talk to other professionals about their understanding.

My initial research identified this as an element of risk management used in the realms of financial risk but not, from what I can gather, in any other risk areas, whether these areas are based on enterprise risks or general safety topics etc.

So what is risk velocity and does it have a place in general risk management?

If we look at the term velocity, a quick Google search provides the following definition: ‘the speed of something in a given direction’. Using this definition, when we assess the velocity of a risk, we are assessing how fast it can be felt or can cause the impact we have identified.

The few examples I have found of this terminology being used outside of financial risk circles (it must be noted that I am just scratching the surface with the initial research I have conducted so far) come across more as individual businesses coining their own phrases than as an actual industry-standard phrase.

Stripping down to the basics of risk, it is commonly stated as Likelihood x Severity = Risk. So in the general likelihood x severity equation we are asking ‘How likely is it to happen?’ and ‘If it did happen, what is the end result?’ Risk velocity brings in the element of ‘how fast will this risk develop, or how fast will the impact be felt?’ It is a new addition to the equation which I personally think adds value and perhaps focus.

Imagine that you are presenting to your board or even senior management team on your corporate risks. You have a total of 10 risks identified (to keep it simple): 3 risks are deemed low, 4 are identified as medium and 3 stand out as being of high risk to the business. Considering risk velocity can bring the following possible benefits.

Firstly, by looking at how fast a risk can develop or cause an impact, another analysis can be conducted of the suitability of the control measures in place and the residual risk rating. Imagine you have a reputation risk identified for the business, and your current mitigation would be to consult an external company that you use for your public relations management in the event of a risk. Have you accounted for how fast this can happen with social media? Hours or minutes will pass as bad publicity spreads, all while you are (if you are yet aware of the news) ringing an external agent to act on and initiate plans. You may suddenly realise that a low risk is actually not so low because your controls are slower to respond than you first considered or evaluated. It could even lead you to ask questions of a supplier or consultant to establish how fast they can respond, especially outside standard business hours, and therefore be better prepared for any future risk.

Secondly, financial budgets are commonly constrained in all businesses, and you need to focus what you spend from any available budget, or what you advise your business to spend, on certain risks. Evaluating risk velocity as an additional part of your risk equation will potentially give you a differentiator between the 3 high risks. One risk may take weeks or months to develop, another days to weeks and the third hours to days.

Now, risk velocity is easier to think about and look at than it is to actually add into your risk assessment process and, of course, to find a suitable way of rating your risk levels. One example I have observed that simplified this process was to score Likelihood x Severity and then add Velocity, so if you use a 5 x 5 matrix and the likelihood and severity were both a 4, your initial score would be 16.

Rating velocity as Hours to days = 3, Days to weeks = 2 and Weeks to months = 1, we can now evaluate the three risks: if they all scored 16 but each fell at a different point on the velocity scale, we now have scores of 17, 18 and 19. This separates the risks and allows us to focus on them better and to gain, I would argue, a key insight into and evaluation of risks that you have already identified.

I would personally recommend looking at risk velocity, as I really think that this will push through into the mainstream of risk management in the coming years and, more importantly, will provide a key tool in focusing and managing the subject of risk.

Risk Perception and Tolerance – A starting point

In May/June of 2014 I completed my MSc with the University of Sunderland on the topic of Environmental Management and Assessment: Health and Safety. One of the areas covered in this study was risk management, something I have already started discussing on this blog and another blog. The other blog belongs to Shaun Sayers of Capable People; it is an enjoyable blog to read as well and can be found here.

OK, where am I going with this? Well, part of this study was the chance to create a thesis and cover risk management even more, especially in light of this becoming a topic of interest. My brain got whizzing around, my mind thinking about what to do. What could be vital to risk management? What will help me shape the management of risk in my organisation? What will give me a complete and better understanding? Hey presto! Simply put, it was an understanding of how people see risk.

Have you watched the home video clip shows, the likes of You’ve Been Framed? You can no doubt see, clear as day, people doing silly things and taking risks that you and I maybe would not; you, of course, may be sat smiling, thinking that you would or have. This led me to look into the topic of risk perception and tolerance to try and find what makes people tick.

I was fascinated by my findings, and I plan to discuss risk perception and tolerance on this blog as I continue to study this in my own time as a personal quest and thirst for learning, hoping that it is of interest to someone. So I will look to post and discuss my ongoing research as I progress, with a snippet below.

So what are the definitions that I would use for risk perception and tolerance? Rosa (2003) defines risk as a situation of “an event where something of human value (including humans themselves) is at stake and where the outcome is uncertain”. Sjoberg et al. (2004) give the opinion that risk perception is the subjective assessment of the probability of a specified type of accident happening and how concerned we are with the consequences. I think these two fit well together but perhaps would lean more towards Sjoberg.

The definition of risk tolerance is unlike that of perception in that the literature tends not to be too opinionated on the specifics and is much in agreement; although the literature is heavily focused on the financial markets as an industry, the definition is applicable to all scenarios. Fox (2012) reflects on risk tolerance being the amount of uncertainty that one is willing to accept in a particular risk category. This definition, although not exactly word for word in the literature available, is supported by the views of Lehmann et al. (2009).

So the big question is what can affect risk perception and risk tolerance? What do you think? We will look at this throughout the following posts and blogs over the next few weeks and months.

References

Fox, C. (2012) ‘Creating value with risk appetite and risk tolerance statements’, Financial Executive, November 2012, pp. 93-95.

Lehmann, C.C., Haight, J.M. and Michael, J.H. (2009) ‘Effects of Safety Training on Risk Tolerance: An Examination of Male Workers in the Surface Mining Industry’, Journal of SH&E Research, 4(3).

Rosa, E.A. (2003) The logical structure of the social amplification of risk framework (SARF). London: Cambridge University Press.

Sjoberg, L., Moen, B. and Rundmo, T. (2004) Explaining risk perception: An evaluation of the psychometric paradigm in risk perception research. Trondheim, Norway: Rotunde.

Risk Management – ISO 31000 part 2

Although this was discussed on Capable People as a guest post, I thought I would also post it here.

Hopefully part 1 of my view on ISO 31000 has brought you back to look at part 2, albeit a little late in coming. In this part we are going to continue talking about the actual standard itself and then look to add a third part a little bit later down the line on what it all really means and not just a look at the standard.  This ensures these posts are kept hopefully short and sweet.

So if we now take the term risk, this is a term most people understand by the common definition of the likelihood of harm being realised, normally shown as risk = likelihood x severity.

ISO 31000 defines risk as ‘effect of uncertainty on objectives’, where an effect is a deviation from the expected, and objectives can have different aspects, with examples including financial, health and safety, and environmental goals. This can be applied at different levels, for example strategic, projects, products, processes or organisation-wide. Although this is a different definition initially, the notes then talk about risk being categorised by reference to potential events and consequences, or a combination of these, and the associated likelihood.

Now I could try and list certain terms used in ISO 31000 as a blog post, but it may become long and boring and miss the point, so instead I will refer readers to the following website, http://www.praxiom.com/iso-31000-terms.htm, which covers key terms of ISO 31000 in plain English.

The standard is focused on creating a framework for use; remember, risk management is different to managing risks (see the first part on ISO 31000). A framework is the foundations and arrangements of the organisation. It assists in the management of risks and ensures information about risk from the management processes is adequately reported and used as a basis for decision making and accountability.

Ensuring that a strong risk management approach exists, and ensuring its ongoing effectiveness, requires a strong and sustained approach from management, combined with strategic and rigorous planning. Part of this process should see management (4.2 Mandate and Commitment):

  • Define and endorse the risk management policy.
  • Ensure that the organisation’s culture and risk management policy are aligned.
  • Determine risk management performance indicators that align with performance indicators of the organisation.
  • Align risk management objectives with the objectives and strategies of the organisation.
  • Ensure legal and regulatory compliance.
  • Assign accountabilities and responsibilities at appropriate levels within the organisation.
  • Ensure that the necessary resources are allocated to risk management.
  • Communicate the benefits of risk management to all stakeholders.
  • Ensure that the framework for risk continues to remain appropriate.

In establishing this framework it is vital to ensure that an evaluation is made of the organisation and its context, in order to provide an understanding of the environments, both internal and external, within which you are trying to achieve your objectives. Once the context is established, the risk management framework can be established.

Within the risk management process itself, we will revert to the adoption of risk assessment, a term used throughout industry on a large scale, where sometimes the results, formats and information can be of quantity and not quality. The risk assessment is the process and means by which you are going to identify your risks, and this will influence decision making; therefore it is important to get this right.

Within the risk assessment process is a simple approach involving:

Risk Identification – the initial risks being identified

Risk Analysis – Analysing the specific risks, how they are presented, influencing factors etc.

Risk Evaluation – Evaluating the risk and making a decision using the information gained through the analysis of the risk.

Risk Treatment – Decision time is here: are you going to tolerate the risk and accept it, decide to further control the risk with different risk treatment, avoid the activity altogether, or transfer part of the risk by using a third party or obtaining insurance against any potential losses?

Note that when it comes to making a decision on risk we talk about risk appetite. I could of course again ramble on this point, but will once again point you in the direction of a website that I think sums it up quite well. Although I have never used this product and do not know the company, they summarise the risk appetite point very well in my view and, in trying to sell their product, provide some pointers along the way; see http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-appetite-risk-tolerance-residual-risk/.

The above is a summary of the risk treatment options and stages of the assessment without going too in depth and detailed. The risk assessment process and the risk decision making of course need to be recorded to show the decisions being made. As with all risk-based decisions, risk very rarely remains static and therefore reviews need to take place; it may be that a risk increases, resulting in a business deciding to stop a specific activity until it reduces. A perfect example of this is airline movements into certain countries being stopped due to the perceived risk to the passengers, airline, crew, reputation etc.

One point I will make, and one that is often overlooked in the management of risk, is ensuring that the workforce is both consulted in the risk decision or information feeds and that they participate in the risk assessment process; this will tend to bring about a better quality assessment.

Updates to International Standards (ISO9001, ISO14001 and BS OHSAS 18001)

Just a quick post to some videos on the revisions that are upcoming to the international standards. This is not an endorsement of BSI, just a link to some information.

 

http://www.youtube.com/watch?v=a8JLWal2JvY&feature=youtu.be – ISO 9001

http://www.youtube.com/watch?v=1UU-5O8VKAU&feature=youtu.be – ISO 14001

http://www.youtube.com/watch?v=8i0fIhoLDOA&feature=youtu.be – BS OHSAS 18001 to ISO 45001

Planning, management and a little bit of assumption

We always hear that planning and management are key components of any successful business and, as the saying goes, if you assume, then you make an ‘ass’ out of ‘u’ and ‘me’.

This news article shows a disregard for correct planning and management as well as an assumption of the size of train platforms. A very costly decision it appears.

Could a good proactive culture in compliance have helped?

Would the culture have been more astute to planning and managing activities and looking for the potential pitfalls and risk?

Assumption about platforms in France