I have discussed the various elements involved with evaluating risk before but have recently just came across the term ‘risk velocity’ and this caught my attention; enough to make me do a little research and talk to other professionals on their understanding.
My initial research identified this as an element of risk management used in the realms of financial risk but not from what I can gather in any other risk areas, whether these areas are based on enterprise risks or general safety topics etc.
So what is risk velocity and does it have a place in general risk management?
If we look at the term velocity a quick Google search provides the following as the definition of velocity ‘the speed of something in a given direction’. Using this definition therefore when or if we are going to assess the velocity of the risk, we are assessing how fast it can be felt or can cause the impact we have identified.
A few examples exist that I have found (it must be noted that I am just scratching the surface with my initial research that I have so far conducted into this matter) of this terminology being used outside of financial risk circles come across more as individual businesses coining their own phrases, rather than an actual industry standard phrase.
Stripping down to the basics of risk, it is commonly stated as Likelihood x Severity = Risk. So in the general likelihood x severity equation we are asking ‘How likely is it to happen?’ and ‘If it did happen what is the end of result?’; Risk velocity brings the element of ‘how fast will this risk develop or how fast will the impact be felt’. A new addition to an equation of which I personally think adds value and perhaps focus.
Imagine that you are presenting to your board or even senior management team on your corporate risks, you have a total of 10 risks identified (to keep it simple), 3 risks are deemed low, 4 identified as a medium risk and 3 stand out as being of a high risk to the business. Considering risk velocity can bring the following possible benefits.
Firstly, by looking at how fast a risk can develop or cause an impact another analysis can be conducted of the suitability of the control measures in place and the residual risk rating. Imagine you have a reputation risk identified for the business and your current mitigation would be to consult an external company that you use for your public relations management in the event of a risk. Have you accounted for how fast this can happen with social media? Hours, minutes will pass as bad publicity spreads, all while you are (if you are yet aware of the news) ringing an external agent in which to act on and initialise plans. You may realise suddenly that a low risk is actually not so low because your controls are slower to respond than you first considered or evaluated. It could lead you to even ask questions of a supplier or consultant to establish how fast they can respond, especially in out of standard business hours and therefore be better prepared for any future risk.
Secondly, financial budgets are commonly restrained in all businesses and you need to focus on what you spend with any available budgets or what to advise your business on what to spend on certain risks. Evaluating risk velocity as an additional part of your risk equation will allow you to potentially have a differentiator between the 3 high risks. One risk may take weeks or months to develop, another one days to weeks and the third hours to days.
Now, risk velocity is easier to think about and to look at than it is to actually add in to your risk assessment process and of course evaluate a suitable way of rating your risk levels. One example I have observed that simplified this process was to score Likelihood x Severity then + Velocity so if you use a 5 x 5 matrix and the likelihood and severity was a 4, your initial score would be 16.
Rating velocity as Hours to Days = 3, Days to weeks = 2, and Weeks to months = 1, we now can evaluate the three risks, if they all scored 16 but yet each came in separately within the velocity scale we now have the scores of 17, 18 and 19. This separates the risks and allows us to focus on them better and to gain I would argue a key insight and evaluation of risks that you have already identified.
I would personally recommend looking at risk velocity as I really think that this will push through into the main stream of risk management in the coming years and more importantly will provide a key tool in focusing and managing the subject of risk