Principles of Risk

What is Risk?
What is Risk? The exposure to mischance What is the difference between a Risk and an Issue? A Risk is an Issue that hasnt happened yet OR An Issue is a Risk that has happened What is an Assumption? An unknown, therefore, a Risk
Source: HBOS internal training c. 2005

Risk means being exposed to the possibility of a bad outcome Risk Management means taking deliberate action to shift the odds in your favour increasing the odds of good outcomes and reducing the odds of bad outcomes
Borge D (2001) The Book of Risk

What is Uncertainty?

If you dont know for sure what will happen, but you know the odds, thats risk If you dont even know the odds, thats uncertainty

Knight (1921) quoted in Adams (1995)

Nature of risk

Speculative (dynamic) a risk that (potentially) has profit and loss associated with it Hazard (static) a risk that only has loss associated with it

Alberts & Dorofee (2006)

Key Definitions

Hazard a situation that could lead to harm Risk a combination of the probability and consequences of the occurrence Risk assessment risk estimation (outcome or consequences) and evaluation (significance for those affected) Risk management implementing decisions about accepting or altering risk

DOE (1995) A guide to risk assessment and risk management for environmental protection

Defining Risk/Uncertainty
Risk - where we know the odds (probability or likelihood); Uncertainty - where we dont know the odds but may know the main parameters; Ignorance - where we dont know what we dont know; and Indeterminacy - where causal chains or networks are open (spans uncertainty and ignorance).

From various papers Brian Wynne c. 1990s

Risk Spectrum Incertitude

ORiordan, T, and Cox, P. 2001. Science, Risk, Uncertainty and Precaution. Senior Executives Seminar HRH The Prince of Waless Business and the Environment Programme. University of Cambridge.

Risk Spectrum Incertitude

Uncertainty applies where there is no firm basis for probabilities, but some reasonably clear idea as to outcomes. Ambiguity applies where the outcomes are not clear. Ignorance exists where there is no history of cause and effect that can be used to predict outcomes. Thus science (by its own rules) cannot predict either likelihood or outcome. Examples of ignorance defined in this way occur when there is innovative technology, or a new product or substance. [from ERMA (2002) Approach to Risk: Positional Paper p.8]

Risk: Some Further Definitions

RISK - uncertainty of outcome, whether positive opportunity or negative threat, of action and events. It is the combination of likelihood and impact. INHERENT RISK (or Gross Risk) - the exposure arising from a specific risk before any action has been taken to manage it RESIDUAL RISK (or Net Risk) - the exposure arising from a specific risk after action has been taken to manage it and making the assumption that the action is effective

Housing Corporation (2004) Risk Management Strategy

Example Risk Categories

External arising from the external environment, not wholly within the organisations control, but where action can be taken to mitigate the risk. Operational relating to the successful execution of existing operations both current delivery and building and maintaining capacity and capability. Change - risk created by decisions to pursue new endeavours beyond current capability
HC (2004) Risk management strategy

The Risk Cycle

(HM Treasury, Management of Risk A Strategic Overview)

Emergency Preparedness: 6 Stage Cycle

Contextualisation
Hazard review and allocation for assessment

Risk evaluation

Risk analysis

Risk treatment

Monitoring & review

Simple risk assessment matrix

Probability
Low High

Contingency
These risks have high impact but the probability of them happening are low. They are catastrophic events
High

Primary
These risks have both high impact and high likelihood of happening: these require prime attention

Impact

Negligible
Low

Housekeeping
These risks have a high likelihood of happening, but do not have a high impact; they require routine but directed management

Simple Ranking Risk Matrix

5
4

5
4

10
8

15
12

20
16

25
20

Impact

3
2 1

3
1 1 1

6
4 2 2

9
6 3 3

12
8 4 4

15
10 5 5

Probability

Risk & Opportunity

Generalised Impact or Consequences Descriptors

High
Financial impact on the organisation is likely to exceed x Significant impact on the organisations strategy or operational activities Significant stakeholder concern

Medium

Financial impact on the organisation is likely to be between x and y Moderate impact on the organisations strategy or operational activities Moderate stakeholder concern
Financial impact on the organisation is likely to be less than y Low impact on the organisations strategy or operational activities Low stakeholder concern

Low

from Risk Management Standard

Generalised Threat Occurrence Descriptors

Estimation
High (Probable) Medium (Possible)

Description
Likely to occur each year or more than 25% chance of occurrence Likely to occur in a 10 year time period of less than 25% chance of occurrence Not likely to occur in a 10 year period of less than 2% chance of occurrence

Indicators
Potential of it occurring several times within the time period (eg 10 years). Has occurred recently Could occur more than once within the time period (eg - 10 years). Could be difficult to control due to some external influences. Is there a history of occurrence? Has not occurred. Unlikely to occur.

Low (Remote)

Generalised Opportunity Probability Descriptors

Estimation High (Probable) Description Favourable outcome which can be relied on with reasonable certainty, to be achieved in the short term based on current management practices Reasonable prospects of favourable results in one year of 25% to 75% chance of occurrence. Some chance of favourable outcome in the medium term or less than 25% chance of occurrence Indicators Clear opportunity which can be relied on with reasonable certainty, to be achieved in the short term based on current management practices Opportunities which may be achievable but which require careful management. Opportunities which may arise over and above the plan. Possible opportunity which has yet to be fully investigated by management. Opportunity for which the likelihood of success is low on the basis of management resouces being currently applied.

Medium (Possible)

Low (Remote)

Example Impact Scalar Warwick University [Health & Safety]

Consequence Personal Damage
Extensive injury or death Hospitalisation Medical treatment First aid treatment No treatment

Damage Cost
>250K

Process Interruption
> 6 weeks

Environmental
National impact Regional impact Off site impact On site impact Potential impact

Major Severe Minor Low V. Low

100K 250K 25K 100K 2K 25K

1 week 6 weeks 1 day- 1 week 1 hour 1 day <1 hour

<2K

Example Impact Scalar South Central NHS [UK] (Part A)

Level/ Score
1

Descriptor
Negligible

Description
Negligible, if any, disruption to any function of the SHA business Very low financial impact (>10k) No threat to stakeholders Clinical impact no impact on patients Public confidence & SHA reputation not affected

Minor

Minor disruption but function of SHA still maintained Low financial impact (>100k) Some minor threat to stakeholders Clinical impact minor reduction in quality of care and temporary affect on health status of patient Minor public confidence & SHA reputation issue

Level/ Score 3

Descriptor Major

Description

(Part B)

Major disruption to organisation and major threat to stakeholders Severe financial loss (>1m) and loss of confidence in the organisation Reputation damaged Clinical impact serious reduction in quality of care with permanent affect on health status of one or more patients Some breach of legislative and/or statutory regulation Exposure to risk of litigation Organisational collapse, fatality, financial disaster, public confidence in the organisation lost Financial impact >10m Reputation loss Clinical impact serious reduction in quality of care leading to avoidable deaths of one or more patients Loss of assets Litigation faced

Disaster

Documenting Risk Assessment

HM Treasury (2004) The Orange Book: Management of risk - principles and concepts

Risk Management and Risk Appetite

5 4 5 4 3 1 1 1 10 8 6 4 2 2 15 12 9 6 3 3 20 16 12 8 4 4

Treat or transfer risk

25 20 15 10 5 5

Impact

3 2 1

Probability
Risk appetite
Accept Action? Issue Action now

Risk Adverseness

ERMA (2002) Approach to Risk: Positional Paper

Principles of UK Risk: Statute & Policy

ALARA ALARP
BATNEEC BPEO BPM

as low as reasonably achievable as low as reasonably practicable

best available technique not entailing excessive cost best practicable environmental option best practicable means

Unacceptable region

Risk justified only in exceptional circumstances

Tolerability region where action is based on risk as low as is reasonably practicable (ALARP)

Tolerable only if risk reduction is impracticable or excessively costly Tolerable if cost of reduction would exceed the improvement gained Necessary to maintain assurance that risk remains at this level

Broadly acceptable region (no need for detailed work to Hester & Harrison (Eds) (1998) show ALARP)

Recent highconsequence UK risks

Major industrial accidents Coastal flooding

Pandemic influenza

Major transport accidents

Attacks on critical infrastructure

Attacks on crowded places

Inland flooding Attacks on transport

Impact

Non-conventional attacks Severe weather

Animal diseases Electronic attacks

Likelihood

A Richter scale for risk?

Scientists are good at putting a number on anything, but so far they have failed to find a simple measure for the risks of normal life. Is living in Cornwall, where radon levels are high, more dangerous than eating British beef? How do both of these compare with the risks of smoking cigarettes or driving a car? We need a number to express these risks. Coming up with a Richter scale for risk isnt easy. It must provide a comparison between the risks of purely voluntary activities (smoking, rock climbing) and those that are voluntary but unavoidable (travel, eating different foods, coalmining) while also incorporating risks imposed by society (living near a nuclear power station), or passive smoking and acts of God such as floods or lightning strikes. The Times 9 December 1996, page 14

Examples for working on

A simple issue: my purchasing risks

Im buying a new microwave and wondering about whether to take an extended warranty. How do I view the options available ?

Cost 29.99 3 yr warranty = 9.99 Cost 84.95 3 yr warranty = 39.99

Managing Risk: the 4 Ts

1. 2. 3.

Identify risk Apply 4 Ts: tolerate; treat; transfer; terminate Incorporate risk monitoring into assurance reporting.

My travel risks

Im travelling to a training event some 200 km away:

what are my risks? how do I manage these risks?

Gross vs Residual Risk

Gross risk

Impact

Gross risk = inherent risk

Net risk = residual risk Net risk

Probability