Does ‘Risk Velocity’ have a place in risk management?

I have discussed the various elements involved with evaluating risk before, but I have just recently come across the term ‘risk velocity’, and this caught my attention enough to make me do a little research and talk to other professionals about their understanding.

My initial research identified this as an element of risk management used in the realms of financial risk but not from what I can gather in any other risk areas, whether these areas are based on enterprise risks or general safety topics etc.

So what is risk velocity and does it have a place in general risk management?

If we look at the term velocity, a quick Google search provides the following definition: ‘the speed of something in a given direction’. Using this definition, when we assess the velocity of a risk we are assessing how fast it can be felt or can cause the impact we have identified.

A few examples that I have found of this terminology being used outside of financial risk circles (it must be noted that I am just scratching the surface with the initial research I have conducted so far) come across more as individual businesses coining their own phrases than as an actual industry-standard phrase.

Stripping down to the basics of risk, it is commonly stated as Likelihood x Severity = Risk.  So in the general likelihood x severity equation we are asking ‘How likely is it to happen?’ and ‘If it did happen, what is the end result?’ Risk velocity brings in the element of ‘how fast will this risk develop, or how fast will the impact be felt?’ It is a new addition to the equation, which I personally think adds value and perhaps focus.

Imagine that you are presenting to your board or even senior management team on your corporate risks, you have a total of 10 risks identified (to keep it simple), 3 risks are deemed low, 4 identified as a medium risk and 3 stand out as being of a high risk to the business. Considering risk velocity can bring the following possible benefits.

Firstly, by looking at how fast a risk can develop or cause an impact, another analysis can be conducted of the suitability of the control measures in place and the residual risk rating.  Imagine you have a reputation risk identified for the business and your current mitigation would be to consult an external company that you use for your public relations management in the event of a risk.  Have you accounted for how fast this can happen with social media? Hours, minutes will pass as bad publicity spreads, all while you are (if you are yet aware of the news) ringing an external agent to act and initiate plans.  You may suddenly realise that a low risk is actually not so low because your controls are slower to respond than you first considered or evaluated. It could even lead you to ask questions of a supplier or consultant to establish how fast they can respond, especially outside standard business hours, and therefore be better prepared for any future risk.

Secondly, financial budgets are commonly constrained in all businesses, and you need to focus what you spend from any available budget, or what you advise your business to spend, on certain risks. Evaluating risk velocity as an additional part of your risk equation will potentially give you a differentiator between the 3 high risks.  One risk may take weeks or months to develop, another one days to weeks and the third hours to days.

Now, risk velocity is easier to think about and to look at than it is to actually add in to your risk assessment process and of course evaluate a suitable way of rating your risk levels.  One example I have observed that simplified this process was to score Likelihood x Severity then + Velocity so if you use a 5 x 5 matrix and the likelihood and severity was a 4, your initial score would be 16.

Rating velocity as Hours to days = 3, Days to weeks = 2, and Weeks to months = 1, we can now evaluate the three risks: if they all scored 16 but each came in at a different point on the velocity scale, we now have scores of 17, 18 and 19.  This separates the risks and allows us to focus on them better and to gain, I would argue, a key insight into and evaluation of risks that you have already identified.
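The Likelihood x Severity + Velocity scoring above, combined with the earlier point about controls that respond more slowly than the risk develops, as an added Python example that is not from the original post. The register entries, the onset hours per velocity band and the tie-break on base score are constructed assumptions; the last entry also shows that adding velocity can lift a 15-point risk above a 16-point one, not only separate ties.

```python
from dataclasses import dataclass

# Velocity ratings exactly as given in the post.
VELOCITY_SCORE = {"hours to days": 3, "days to weeks": 2, "weeks to months": 1}

# Assumption (not from the post): the shortest time, in hours, in which a risk
# in each band could cause its impact. Used to judge whether a control is fast enough.
FASTEST_ONSET_HOURS = {"hours to days": 1, "days to weeks": 24, "weeks to months": 168}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int                 # 1-5 on the 5 x 5 matrix
    severity: int                   # 1-5 on the 5 x 5 matrix
    velocity: str                   # a key of VELOCITY_SCORE
    control_response_hours: float   # time before the main control takes effect

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.severity <= 5):
            raise ValueError(f"{self.name}: likelihood and severity must be 1-5")
        if self.velocity not in VELOCITY_SCORE:
            raise ValueError(f"{self.name}: unknown velocity band {self.velocity!r}")

    @property
    def base_score(self) -> int:
        return self.likelihood * self.severity

    @property
    def score(self) -> int:
        # Likelihood x Severity, then + Velocity, as described in the post.
        return self.base_score + VELOCITY_SCORE[self.velocity]

    @property
    def control_too_slow(self) -> bool:
        # The control starts working only after the impact could already be felt.
        return self.control_response_hours > FASTEST_ONSET_HOURS[self.velocity]


def rank(risks):
    """Highest score first; equal scores are ordered by base score (an assumption)."""
    return sorted(risks, key=lambda r: (-r.score, -r.base_score, r.name))


# Constructed sample register: three risks at 4 x 4 = 16, one at 3 x 5 = 15.
REGISTER = [
    Risk("Supplier insolvency", 4, 4, "weeks to months", 72),
    Risk("Key system outage", 4, 4, "days to weeks", 8),
    Risk("Site flood", 4, 4, "hours to days", 0.5),
    Risk("Bad publicity on social media", 3, 5, "hours to days", 12),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        flag = "control too slow" if r.control_too_slow else "control in time"
        print(f"{r.score:>2} (base {r.base_score:>2})  {r.name:<32} {r.velocity:<16} {flag}")
```
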

I would personally recommend looking at risk velocity, as I really think that this will push through into the mainstream of risk management in the coming years and, more importantly, will provide a key tool in focusing and managing the subject of risk.

Risk Perception and Tolerance – A starting point

In May/June of 2014 I completed my MSc with the University of Sunderland on the topic of Environmental Management and Assessment: Health and Safety.  One of the areas covered in this study was risk management, something I have already started discussing on this blog and another blog.  The other blog belongs to Shaun Sayers of Capable People; it is an enjoyable blog to read as well, and can be found here.

OK, where am I going with this? Well, part of this study was the chance to create a thesis and cover risk management even more, especially in light of this becoming a topic of interest.  My brain got whizzing around, my mind thinking about what to do.  What could be vital to Risk Management? What will help me shape the management of risk in my organisation? What will give me a complete and better understanding? Hey Presto! Simply put, it was an understanding of how people see risk.

Have you watched the home video clip shows? The likes of You’ve Been Framed? You can no doubt see, clear as day, people doing silly things and taking risks that you and I maybe would not; you of course may be sat smiling, thinking that you would or have.  This led me to look into the topic of risk perception and tolerance to try and find what makes people tick.

I was fascinated by my findings, and I plan to discuss risk perception and tolerance on this blog as I continue to study this in my own time as a personal quest and thirst for learning, hoping that it is of interest to someone. So I will look to post and discuss my ongoing research as I progress, with a snippet below.

So what are the definitions that I would use for Risk Perception and Tolerance? Rosa (2003) defines risk as a situation of “an event where something of human value (including humans themselves) is at stake and where the outcome is uncertain”. Sjoberg et al. (2004) give the opinion that risk perception is the subjective assessment of the probability of a specified type of accident happening and how concerned we are with the consequences. I think these two fit well together but perhaps would lean more with Sjoberg.

The specific definition of risk tolerance is unlike perception in that the literature tends to not be too opinionated on the specifics and is much in agreement; although the literature is heavily focused on the financial markets as an industry the definition is applicable to all scenarios.  Fox (2012) reflects on risk tolerance being the amount of uncertainty that is willing to be accepted in a particular risk category. This definition although not exactly word for word in the literature available is supported by the views of Lehmann et al. (2009).

So the big question is what can affect risk perception and risk tolerance? What do you think? We will look at this throughout the following posts and blogs over the next few weeks and months.

References

Fox, C. (2012) ‘Creating value with risk appetite and risk tolerance statements’, Financial Executive, November 2012, pp. 93-95.

Lehmann, C.C., Haight, J.M. and Michael, J.H. (2009) ‘Effects of Safety Training on Risk Tolerance: An Examination of Male Workers in the Surface Mining Industry’, Journal of SH&E Research, 4(3).

Rosa, E.A. (2003) The logical structure of the social amplification of risk framework (SARF). London: Cambridge University Press.

Sjoberg, L., Moen, B. and Rundmo, T. (2004) Explaining risk perception: An evaluation of the psychometric paradigm in risk perception research. Trondheim, Norway: Rotunde.

Risk Management – ISO 31000 part 2

Although discussed on capable people as a guest post, I thought I would also post here.

Hopefully part 1 of my view on ISO 31000 has brought you back to look at part 2, albeit a little late in coming. In this part we are going to continue talking about the actual standard itself and then look to add a third part a little bit later down the line on what it all really means and not just a look at the standard.  This ensures these posts are kept hopefully short and sweet.

So if we now take the term risk, this is a term most people understand by the common definition of the likelihood of harm being realised, normally shown as risk = likelihood x severity.

ISO 31000 defines risk as ‘effect of uncertainty on objectives’; where an effect is a deviation from the expected and objectives having different aspects with examples stating financial, health and safety, and environmental goals.  This can be applied to different levels for example strategic, projects, products, processes or organisation wide. Although a different definition initially, the notes then talk about risk being categorised by reference to potential events and consequences or a combination of these and the associated likelihood.

Now I could try and list certain terms used in ISO 31000 as a blog post; it may however become long and boring and miss the point, so instead I will refer readers to the following website, http://www.praxiom.com/iso-31000-terms.htm, which covers key terms of ISO 31000 in plain English.

The standard is focused on creating a framework for use, remember risk management is different to managing risks; see the first part on ISO 31000. A framework is the foundations and arrangements of the organisation.  It assists in the management of risks and ensures information about risk from the management processes is adequately reported and used as a basis for decision making and accountability.

To ensure a strong risk management approach exists and ensuring its on-going effectiveness requires a strong and sustained approach from management, combined with strategic and rigorous planning.  Part of this process should see management (4.2 Mandate and Commitment):

  • Define and endorse the risk management policy.
  • Ensure that the organisation’s culture and risk management policy are aligned.
  • Determine risk management performance indicators that align with performance indicators of the organisation.
  • Align risk management objectives with the objectives and strategies of the organisation.
  • Ensure legal and regulatory compliance.
  • Assign accountabilities and responsibilities at appropriate levels within the organisation.
  • Ensure that the necessary resources are allocated to risk management.
  • Communicate the benefits of risk management to all stakeholders.
  • Ensure that the framework for risk continues to remain appropriate.

In establishing this framework it is vital to ensure that an evaluation is made of the organisation and its context in which to provide an understanding of the environments both internally and externally that you are trying to achieve your objectives within.  Once the context is established then the risk management framework can be established.

Within the risk management process itself, we will revert to the adoption of risk assessment, a term used throughout industry to a large scale and sometimes the results, formats and information can be of quantity and not quality.  The risk assessment is the process and means by which you are going to identify your risks and this will influence decision making, therefore it is important to get this right.

Within the risk assessment process is a simple approach involving:

Risk Identification – the initial risks being identified

Risk Analysis – Analysing the specific risks, how they are presented, influencing factors etc

Risk Evaluation – Evaluating the risk and making a decision using the information gained through the analysis of the risk.

Risk Treatment – Decision time is here, are you going to tolerate the risk and accept it, decide to further control the risk with different risk treatment, avoiding the activity altogether or transfer part of the risk through using a third party or obtaining insurance against any potential losses.

Note that when it comes to making a decision on risk we talk about risk appetite. I could of course again ramble on this point but will once again point you in the direction of a website that I think sums it up quite well. Although I have never used this product and do not know the company, they summarise the risk appetite point very well in my viewpoint and in trying to sell their product provide some pointers along the way, see http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-appetite-risk-tolerance-residual-risk/.

The above is a summary of the risk treatment options and stages of the assessment without going too in depth and detailed. The risk assessment process and the risk decision making of course needs to be recorded to show the decisions being made. As with all risk based decisions, risk very rarely remains static and therefore reviews need to take place, it may be that a risk increases resulting in a business deciding to stop a specific activity until it reduces.  A perfect example of this is airline movements into certain countries being stopped due to the perceived risk to the passengers, airline, crew, reputation etc.

One point I will make, and one that is often overlooked in the management of risk, is ensuring that the workforce is both consulted in the risk decision or information feeds and that they participate in the risk assessment process; this will tend to bring about a better quality assessment.

Updates to International Standards (ISO9001, ISO14001 and BS OHSAS 18001)

Just a quick post to some videos on the revisions that are upcoming to the international standards. This is not an endorsement of BSI, just a link to some information.

 

http://www.youtube.com/watch?v=a8JLWal2JvY&feature=youtu.be – ISO 9001

http://www.youtube.com/watch?v=1UU-5O8VKAU&feature=youtu.be – ISO 14001

http://www.youtube.com/watch?v=8i0fIhoLDOA&feature=youtu.be – BS OHSAS 18001 to ISO 45001

Planning, management and a little bit of assumption

We always hear that planning and management are key components of any successful business and as the saying goes if you assume, then you make an ‘ass’ out of ‘u’ and ‘me’.

This news article shows a disregard for correct planning and management as well as an assumption of the size of train platforms. A very costly decision it appears.

Could a good proactive culture in compliance have helped?

Would the culture have been more astute to planning and managing activities and looking for the potential pitfalls and risk?

Assumption about platforms in France


News Report: Arrogance shown towards the need for sleep

An article by the BBC on society ignoring the need to sleep. Scientists believe this has a knock on effect to your health later on.

Interesting points made, well that I thought were of interest anyway are:

  • The body works on a rhythm and sleep is part of this, which does make sense really.
  • Information on blue light adjusting the body’s need for sleep, such as from computers, energy light bulbs and tablets etc.
  • The use of blue light before bed can adjust your sleep timer and you can wake up feeling tired due to rhythm changes.

Apart from the above, other elements including shift working do not help, and this will bring about risks not just to the health of an individual but in tasks that they perhaps perform. If you have a driver behind the wheel of a vehicle with lack of sleep or poor sleep patterns then the likelihood of incident can be increased.

Communicating in the right language

What am I going to talk about when discussing ‘communicating in the right language’? For starters what I am not talking about is the need to go and learn a second or third language in order to speak other languages as most people would perhaps suggest.

Language is of course the way we communicate, but it is that part that I am concerned with, the communication element. I have watched TV programmes and spoken to people on subjects, who spoke in English (my mother tongue), and yet I was still confused by the end of the conversation, discussion or programme. My ears listened to what was being said and my brain heard this information, but it could not logically decipher the information into something that, to me, made sense.

How can this be? I am listening to someone who is knowledgeable and who can speak English. They are trying to give me the information I need, so what is wrong with me? Why can I not work out what they are really trying to say?

The problem is of course that they may have communicated to me what they understand and how they see it, but they may not have taken into account the fact that I needed it in simpler terms, as I did not have enough understanding of the technical terms being used. In fact this is a problem that I have seen in HSE and risk management time and again, and I will hold my hands up to the fact that ‘Yes!’ I have been guilty of this approach before.

I believe, and this is my opinion only as I am entitled to one as is everyone, that some practitioners or professionals can overcomplicate information that they are trying to communicate. Why? My belief is that this can on occasion be driven by ego or by wanting to seem a vault of knowledge in their subject field, perhaps driven by insecurity. So big words and technical words are thrown in; do not get me wrong, they are applicable and worthy in the right kind of setting.

Information and knowledge are valuable assets but if they cannot be shared and communicated then they become worthless, the key is to ensure that your target audience understands this.  Yes, this is something that is common sense but not the easiest to do. The key point is to remember that the person you are talking to may not know the subject like you do and therefore ensure that you speak their language but more importantly when communicating you ensure that YOU listen. It is only through listening and confirmation with the individual on the points you are discussing that you can truly understand if you are speaking the language.

What about if you are delivering a training session? You cannot exactly listen to everyone on every topic and confirm it. You need to use your judgement and listen to the participants, filtering out non topic related questions and perhaps leaving them to the end. One technique is to have a sheet to write them down on termed ‘Car Park’, that is to park the question and return to it.

Use different media to portray the message and help get it through: maybe an introduction to a topic with a focus on key points, some slides with bullets to reiterate the points directly after, and then again, prior to a break, the key points covered so far.

So how do you know what you said made sense? Simple: Q & A sessions and a course evaluation at the end. I would also recommend revisiting the evaluation a month later, if possible, to see how much knowledge is retained. This information will also help you perhaps shape future methods of communication.

Other ways to break it down is visually as well, posters, images etc. The list could potentially go on.  The point I am making and potentially going a long way around the point is that, do not presume just because you know and understand what you are talking about, that everyone else does; even if they smile and nod their head in agreement.

Advice for persons wanting a career in safety

Well, I have finally completed my recent studies and realised that I still have a blog that has very few followers and also has not had any updates recently; possibly the two could be linked. So now that I have some extra time I was thinking about what I could cover, and then it dawned on me: the one topic I am always being asked about. How do I get into safety?

So here are some common questions I have been asked and my answers / personal opinion.

How do I get a career in safety?

I get asked this because I believe in my career so far I have done well and people think, I would like a bit of that. My answer is always the same or thereabouts in that the first step is to get a qualification (see next question for more detail on this statement), then to get some work experience whilst applying for a position and expect to start at the bottom and work your way up the ladder.

I always think you succeed and grow your career through hard work, ability, attitude, a little bit of luck and sometimes who you know. It certainly worked for me!

What qualifications do I need?

This of course will change specifically for certain jobs and industries but I am talking about a general safety/compliance role overall. I like to keep it simple. The starting point is the NEBOSH general certificate or construction certificate (if construction is the industry you want), I think that helps people get into the swing of things in terms of understanding health and safety as a topic; of course the international version is available and depends on where you plan to work.

Is the certificate enough? A tough one to answer, as qualifications are not everything: I have met highly qualified safety people who struggled to grasp the basics, and I have met safety people with no official safety qualification who have really impressed me with their knowledge. To give you an answer, then: if you have the knowledge and experience, with a little luck this may get you on the career ladder; otherwise I think you have to move on to further training.

The next step would be to move onto a Diploma course or a degree course, for example a post-graduate diploma, if you are a little shy on the specific knowledge front. If you are in a role and think the role teaches you about the industry then maybe the NVQ route is best for you.

Onwards from here on in will depend on your identified industry, although I think an auditing course is of value, it helps get used to standards terminology and what a management system requires.

How can I help to progress my career?

Firstly I do not proclaim to be a specialist career advisor or that I know all the answers. The first step is that first job, the market is getting harder due to the influx of people wanting to become a safety professional. The first step I honestly believe is the hardest.

Once you have that first position it goes back to attitude and working hard in progressing your career, do the best you can and I always refer to a saying given to me by a former manager.

A safety professional who claims to know everything is dangerous, a good safety manager however knows where to look and how to interpret the requirements and lastly can communicate these clearly in a language people understand.

When starting your career, you do not want to be jumping job to job. I was again fortunate enough to work in a department with other professionals that I could learn from, question and observe to improve my own ability.

For a successful career in safety I believe you have to accept you will not be popular and it can be a thankless task at times, so do not expect to have your ego massaged and to receive praise. If you work hard and are good at your work, your career will develop.

My last bit of advice is never burn your bridges, even when moving to a new company you need to ensure that your performance does not drop as you are a professional, you also never know if you need to return one day in the future.

Should I have a professional membership?

I personally have a professional membership; this helps to show competence and ensures I maintain CPD. It is however a cost, and something asked for in interviews. I would say weigh up the benefits for you and make a choice accordingly.

I will always maintain my professional membership but personally need to work harder to make the most out of it, employers ask for it and you could be penalised without it.

So those are my views and opinions on this topic, I hope you enjoyed reading my thoughts and I will try to ensure that I update my blog at least every fortnight.