Risk management is not just about preventing surprises or bad things from happening. It has a lot to do with innovation. If your risk management department does not provide you with insights to improve your business, it is high time you changed the staff.
According to ISO 31000:2018, risk management is the impact of uncertainty on corporate objectives. This means, if you do not have any set objectives, you cannot experience risk. The starting point in the risk management process is to define the organisation objectives: what are your objectives at risk?
Let us take a simple example of a traveller from Kampala to Jinja. Before you assess any risks, you face, you must first start by defining your objectives.
The objective at risk is: Arrive in Jinja by 9:00 am from Kampala by road.
Anything or event that may fail the achievement of your objective is a risk, and its severity depends on the likelihood of the occurrence and impact of the events on the objective if it occurred.
For your trip from Kampala to Jinja, the various events that could affect you are traffic jam, being stopped by traffic police, sleeping on the wheel by the driver, a flat tyre, running out of fuel, or possible mechanical problem with the car. All of these are possibilities.
You must assess the chances or probability of traffic jam along the way depending on the day and time of travel. If you know you will find jam when you set off at 7am, then adjust your travel time and leave Kampala before 6 am so that you find the road still free. By considering each event, you may be able to identify the top risks that threaten your objective. We know the probability of an event is usually between 0 and 1 or 100%. The probability of something that is certain is 1. The probability of any living thing will die is 1 or 100%. And the probability of something that will never happen is 0% or 0. The probability that an elephant will turn into a house is 0.
In risk management, we map the probability against a score from 1 to 5. With 5, being scored almost certain – meaning something will likely happen, as it has more than 75% chances of occurring.
Table 1: event likelihood score
Table 2: Event impact score
The above table shows the event impact score, against the 1- 5 scale.
To determine the risk, we use informed analysis and experience to estimate probabilities of events, and their impact when assessing risk. For example, I could estimate risk as the likelihood of an event times impact, risk = likelihood x impact. The likelihood of traffic jam on Jinja road on Friday evening is 80% ( a score of 5 on Table 1, since 80% is higher than 75% so it falls under 5), the impact is a failure to achieve the objective (5, on Table 2, which is under column five in the table).
So, if these are mapped on the risk scale, risk = likelihood x impact = 5 x 5, one has a risk level of about 25, which is a high risk. That means something must be done to manage the risk.
Table 3: Impact and risk score
There are four ways to manage risk – transfer, treat, tolerate, or terminate. When you buy insurance, you have transferred the risk. When you implement internal controls, like vehicle repair and servicing before a long trip, you are treating the risk. When you do nothing, you have tolerated the risk. And when you stop doing the activity that brings the risk, you have terminated it. For example, when you cancel your trip to Jinja, you have effectively terminated the risk. Remember, you must decide on the best treatment strategy that brings the most benefits.
To see the relationship between risk management and innovation, see part 1.
Copyright Mustapha B Mugisa, 2020. All rights reserved.