A presentation that attempts to strip away the often-unnecessary complexity of most risk management methodologies to focus on five fundamental elements: goals, plans, uncertainties, responses and management.
This presentation discusses the 1st Principles common to all risk management. For each of the principles, I will review the basics of each element, then touch on a few refinements you may find useful. Throughout the pitch we will develop a practical example, something everyone can relate to.
So, what is risk management? For that matter, what is risk?
What is Risk? Here is a dictionary definition.
In short, risk is a measure of uncertainty. Too often the second definition is the one we use; however, in risk management, the other three definitions are less confusing. As we will see, there are better terms for describing uncertainty. A planned event or desired goal or objective may be AT risk from an uncertain condition or unplanned event, but it is not A risk.
Fundamental Skill: also known as thinking ahead, preparing for the future, seeing around corners
Hypothetical: A.K.A. mistake proofing, planning for problems,
Management: A.K.A. planning for problems; not a separated specialty, must provide
You can count the fundamentals of risk management on one hand. There are five elements common to all risk management activities, from the boardroom to the back room, from the enterprise to the individual.
1. Trip Goals. Objective: Get there!
2. The Plan: preparation, travel route, including essential and non-essential items
3. Threats: Flat tire, accident, breakdown, run out of gas
4. Opportunities: New road,
5. Mitigations: Check tire conditions and spare; stay alert, avoid bad weather; service car before trip; fill tank at start
6. Promotions: Update maps, GPS data
7. Contingencies: Spare tire, insurance, AAA, extra gas can, cell phone to call for help
8. Exploitations:
9. Triggers:
10. Management:
Goals and objectives are desired events or conditions. They may also be called expectations, expected results, desired outcomes or other labels, but they all represent the end point of a journey. Goals or objectives should be well defined, specific and measurable. It is important to know when you are done so you can devote resources to new or other goals and objectives.
SMART stands for Specific, Measurable, Attainable, Relevant, and Time-based.
Trip Goals. Objective: Get there!
How could we define a goal for our trip?
Is it SMART?
"how am I gonna do that?!"
Plans should include both events and conditions.
If a goal or objective represents the end of a journey, a plan represents the journey itself. A plan is a set of presumed-certain necessary and sufficient actions and conditions designed to achieve one or more goals or objectives.
Activities and Artifacts
Actions and Conditions
One man's goal is another man's plan
A goal or objective may be the outcome of a single action or multiple actions and conditions. Most corporate objectives require a complex sequence of actions and conditions to achieve.
An action is any time-variant transformational process whose output depends on its initial inputs or stimulus. If the process obeys the laws of physics and, along with its inputs, is sufficiently well known, the output is predictable and repeatable. The time scale may be very short, or very long, and the process may be mechanical, electrical, chemical, physical or human, but so long as the process obeys the laws of physics and all inputs and stimuli are known, the output is predictable.
A condition is a time-invariant characteristic that exists at the same time as an action, and may influence the event, but is not transformed or affected by the event. Sunlight on a cloudless day is a condition. Removing an ice cream cone from the freezer is an action. That the ice cream cone melts rapidly when exposed to the sun is a consequence of the action. The melting does not alter the condition: the sun still shines. However, the condition does alter the outcome of the action: the ice cream cone melts more rapidly than it would if it were a cloudy day.
Assumptions are the events and conditions that can affect your plan, but which you do not control, and probably can't influence.
Most often the actions and conditions in a plan are designed to occur in a particular sequence. In that case the actions have precedence relationships, i.e. a condition or outcome of one event is required for the successful completion of another event.
Plans are often hierarchical. Each action on the plan may represent a complete set of subordinate actions and conditions.
The Plan:
Actions: preparation, travel route, including essential and non-essential items
Conditions: Good weather, good health, available fuel
Emphasize terminology – “I am on a one-man campaign to clarify the conversations – bear with me while I explain.”
Uncertainties are actions and conditions whose occurrence is not presumed-certain. Also called Speculations or Suppositions, because they happen in the future (if they happen at all) and their impact is unsure.
Can be stated in the form "What if..." or "Suppose that..."
Caution: "If-Then" forms of threat or opportunity statements tend to limit creativity.
A threat is an uncertain action or condition that might have a negative impact on a goal, objective or expectation. Emphasis on the word MIGHT. The purpose of threat management in any risk management system is to identify threats, to reduce their likelihood or their negative impact (or both) through carefully selected mitigation actions, and to plan how to respond (called contingencies) should the threat occur despite our best efforts.
An opportunity is an uncertain action or condition that might have a positive impact on a goal, objective or expectation. Emphasis on the word MIGHT. The purpose of opportunity management in any risk management system is to identify opportunities, to encourage their likelihood or their positive impact (or both) through promotions, and to plan our response (called exploitations) should the opportunity occur, with or without our help.
Likelihood is a qualitative estimate of uncertainty, particularly the uncertainty of a threat's or opportunity's occurrence. It is qualitative because it is necessarily imprecise, often subjective. By comparison, probability is a quantitative estimate of a threat's or opportunity's occurrence, usually as the outcome of a mathematical model validated with physical evidence. Risk management more often uses likelihood rather than probability to describe uncertainty because the uncertainty of a threat or opportunity is seldom amenable to mathematical modeling.
Impact describes the negative effect of a threat or the positive impact of an opportunity on a goal, objective or plan. It may be expressed qualitatively or quantitatively, in the latter case often in financial terms.
Tip: Estimate impact by the cost of the selected mitigations/promotions and contingency/exploitation actions.
Velocity describes the effect of time on a threat or opportunity. It is also called urgency, or time horizon. Understanding when a threat or opportunity might materialize is essential to make rational decisions about how much the organization is willing to spend to mitigate a threat, promote an opportunity or plan a contingent or exploitive action. It is also useful to know when the threat or opportunity has passed.
Triggers are early-warning signs. They are actions or conditions that predict when defined threats and opportunities might occur. They are crucial to proactive risk management because they allow early and possibly graduated mitigation and promotion responses. If triggers are not identified, too often the organization must react to threats and opportunities, rather than prepare for them.
Identifying threats means looking for the actions and conditions that are not incorporated into your plan that could change the outcome of the plan actions, or alter the assumed conditions.
Identifying threats is a creative exercise, because it involves developing hypotheses for future actions and conditions that may not materialize.
Hypothetical problem analysis: you can think of uncertainty identification as an exercise in hypothetical problem analysis – more to come on that subject.
A risk is a probability - a measure of likeliness. People sometimes use the term to mean an existing condition that may not have met expectations, but it is most often used to mean an action or condition that has not happened yet.
The likelihood of an uncertainty occurring is measured as a probability. Getting the probability correct is more important than getting it accurate. A probability calculated at 36.829% is not useful if the probability is actually about 70%.
All actions bear consequences. Unplanned, unexpected, or undesirable actions or conditions bear consequences for our goals and objectives. Objectively quantifying those consequences helps later when we have to make management decisions about mitigations and contingencies.
From “Apollo Root Cause Analysis”, Dean L. Gano, Apollonian Publications, 2008.
3. Threats: Flat tire, accident, breakdown, run out of gas, gas stations closed, cell phone battery dies
4. Opportunities: New road, less traffic
So you think something might happen to derail your plan, put your objective at risk. What are you going to do about it? Carefully selected actions, both proactive and reactive, can reduce the likelihood or impact of a threat, or increase the likelihood or impact of an opportunity.
A mitigation is a new action or condition added to a plan to respond to a defined threat. Mitigations may be designed to reduce the likelihood of the threat, to delay its possible occurrence, or to reduce its potential impact.
Mitigations are proactive responses.
A.K.A. Prevention or Probability Reduction
You need to know what to do to head off the derailers
"what could I do to prevent the derailers?"
"let's head 'em off at the pass!"
"Which of these should I bother with?"
A contingency is a new action or condition added to a plan to respond to a threat if it occurs despite best efforts to mitigate it. Because they happen after the fact, contingencies can only reduce the impact of the threat after it has occurred. Nevertheless, knowing that a threat may not occur, it is sometimes more cost-effective to plan contingencies than expend resources on mitigation activities.
Contingencies are reactive responses.
A promotion is a new action or condition added to a plan to respond to a defined opportunity. Promotions may be designed to increase the likelihood of the opportunity, to move up its possible occurrence, or to increase its potential impact.
An exploitation is a new action or condition added to a plan to respond to an opportunity after it occurs. Because they happen after the fact, exploitations can only increase the impact of the opportunity. Nevertheless, knowing that an opportunity may not occur despite the best efforts, it is sometimes more cost-effective to plan exploitations than expend resources on promotion activities.
Prevention: Process assets, a.k.a. Controls, are mitigation activities. Most are intended to prevent problems or minimize impacts.
Mitigations: Check tire conditions and spare; stay alert, avoid bad weather; service car before trip; fill tank at start
Promotions: Update maps, GPS data
Contingencies: Spare tire, insurance, AAA, extra gas can, cell phone to call for help
Exploitations: New favorite restaurant on the road
* Risk management is for managers
* Risk management is not optional; it is not avoidable
* Risk management cannot be segregated from other management tasks
* Risk management is a planning and execution activity
* Risk management is not an engineering specialty
Good risk management needs good decision making. You will make decisions about which events and conditions to protect, which preventive actions (suppositions and speculations) to mitigate or promote, which reactive actions (contingencies and exploitations) to engage, and when (triggers).
Priorities: You need to know what in the plan needs protection.
"how do I get the biggest bang for the buck?"
"What is most important?"
"Where's the beef?!"
"How much is enough?"
Tolerance: A.K.A. Decision thresholds
Change: You need to maintain the information and the guesses, and revise the plan as events and conditions change.
"what happens if conditions change?"
Plan priorities: "What is most important? Which actions and/or conditions could have the greatest impact? Which are the most likely to miss expectations?"
Mitigation/Promotion priorities: It is usually impractical to mitigate all threats to a zero likelihood or zero impact, nor is it always necessary. Resources spent on mitigation or promotion detract from resources necessary for executing the plan. Sometimes it is a better idea to accept some risk and wait for the threat to occur and if it does, then engage the contingent plans. Mitigations and promotions must be balanced with contingencies and exploitations respectively.
Contingency/Exploitation priorities: "what is the most cost-effective way to reduce the impact?"
Risk Tolerance: "what level of uncertainty am I willing to gamble with for this set of goals/objectives?"
Mitigation/Contingent Action Tolerance: "how much can you afford to spend on mitigation before exceeding the expected value?"
"How much can I tolerate the consequences?"
"How much can I afford to spend on contingencies?"
10. Management:
Which are the most important actions or conditions?
Which uncertainties are most likely or have the greatest impact?
Which contingencies are the best to employ? How will we know when to use them?