Professional Documents
Culture Documents
What is Risk?
What is Risk? The exposure to mischance What is the difference between a Risk and an Issue? A Risk is an Issue that hasnt happened yet OR An Issue is a Risk that has happened What is an Assumption? An unknown, therefore, a Risk
Source: HBOS internal training c. 2005
Risk means being exposed to the possibility of a bad outcome Risk Management means taking deliberate action to shift the odds in your favour increasing the odds of good outcomes and reducing the odds of bad outcomes
Borge D (2001) The Book of Risk
What is Uncertainty?
If you dont know for sure what will happen, but you know the odds, thats risk If you dont even know the odds, thats uncertainty
Nature of risk
Speculative (dynamic) a risk that (potentially) has profit and loss associated with it Hazard (static) a risk that only has loss associated with it
Key Definitions
Hazard a situation that could lead to harm Risk a combination of the probability and consequences of the occurrence Risk assessment risk estimation (outcome or consequences) and evaluation (significance for those affected) Risk management implementing decisions about accepting or altering risk
DOE (1995) A guide to risk assessment and risk management for environmental protection
Defining Risk/Uncertainty
Risk - where we know the odds (probability or likelihood); Uncertainty - where we dont know the odds but may know the main parameters; Ignorance - where we dont know what we dont know; and Indeterminacy - where causal chains or networks are open (spans uncertainty and ignorance).
ORiordan, T, and Cox, P. 2001. Science, Risk, Uncertainty and Precaution. Senior Executives Seminar HRH The Prince of Waless Business and the Environment Programme. University of Cambridge.
Uncertainty applies where there is no firm basis for probabilities, but some reasonably clear idea as to outcomes. Ambiguity applies where the outcomes are not clear. Ignorance exists where there is no history of cause and effect that can be used to predict outcomes. Thus science (by its own rules) cannot predict either likelihood or outcome. Examples of ignorance defined in this way occur when there is innovative technology, or a new product or substance. [from ERMA (2002) Approach to Risk: Positional Paper p.8]
Risk evaluation
Risk analysis
Risk treatment
Contingency
These risks have high impact but the probability of them happening are low. They are catastrophic events
High
Primary
These risks have both high impact and high likelihood of happening: these require prime attention
Impact
Negligible
Low
Housekeeping
These risks have a high likelihood of happening, but do not have a high impact; they require routine but directed management
5
4
10
8
15
12
20
16
25
20
Impact
3
2 1
3
1 1 1
6
4 2 2
9
6 3 3
12
8 4 4
15
10 5 5
Probability
Medium
Financial impact on the organisation is likely to be between x and y Moderate impact on the organisations strategy or operational activities Moderate stakeholder concern
Financial impact on the organisation is likely to be less than y Low impact on the organisations strategy or operational activities Low stakeholder concern
Low
Description
Likely to occur each year or more than 25% chance of occurrence Likely to occur in a 10 year time period of less than 25% chance of occurrence Not likely to occur in a 10 year period of less than 2% chance of occurrence
Indicators
Potential of it occurring several times within the time period (eg 10 years). Has occurred recently Could occur more than once within the time period (eg - 10 years). Could be difficult to control due to some external influences. Is there a history of occurrence? Has not occurred. Unlikely to occur.
Low (Remote)
Medium (Possible)
Low (Remote)
Damage Cost
>250K
Process Interruption
> 6 weeks
Environmental
National impact Regional impact Off site impact On site impact Potential impact
<2K
Descriptor
Negligible
Description
Negligible, if any, disruption to any function of the SHA business Very low financial impact (>10k) No threat to stakeholders Clinical impact no impact on patients Public confidence & SHA reputation not affected
Minor
Minor disruption but function of SHA still maintained Low financial impact (>100k) Some minor threat to stakeholders Clinical impact minor reduction in quality of care and temporary affect on health status of patient Minor public confidence & SHA reputation issue
Level/ Score 3
Descriptor Major
Description
(Part B)
Major disruption to organisation and major threat to stakeholders Severe financial loss (>1m) and loss of confidence in the organisation Reputation damaged Clinical impact serious reduction in quality of care with permanent affect on health status of one or more patients Some breach of legislative and/or statutory regulation Exposure to risk of litigation Organisational collapse, fatality, financial disaster, public confidence in the organisation lost Financial impact >10m Reputation loss Clinical impact serious reduction in quality of care leading to avoidable deaths of one or more patients Loss of assets Litigation faced
Disaster
HM Treasury (2004) The Orange Book: Management of risk - principles and concepts
Impact
3 2 1
Probability
Risk appetite
Accept Action? Issue Action now
Risk Adverseness
Unacceptable region
Tolerability region where action is based on risk as low as is reasonably practicable (ALARP)
Tolerable only if risk reduction is impracticable or excessively costly Tolerable if cost of reduction would exceed the improvement gained Necessary to maintain assurance that risk remains at this level
Broadly acceptable region (no need for detailed work to Hester & Harrison (Eds) (1998) show ALARP)
Pandemic influenza
Impact
Likelihood
Scientists are good at putting a number on anything, but so far they have failed to find a simple measure for the risks of normal life. Is living in Cornwall, where radon levels are high, more dangerous than eating British beef? How do both of these compare with the risks of smoking cigarettes or driving a car? We need a number to express these risks. Coming up with a Richter scale for risk isnt easy. It must provide a comparison between the risks of purely voluntary activities (smoking, rock climbing) and those that are voluntary but unavoidable (travel, eating different foods, coalmining) while also incorporating risks imposed by society (living near a nuclear power station), or passive smoking and acts of God such as floods or lightning strikes. The Times 9 December 1996, page 14
1. 2. 3.
Identify risk Apply 4 Ts: tolerate; treat; transfer; terminate Incorporate risk monitoring into assurance reporting.
My travel risks
Impact
Probability