Wednesday, 25 November 2009

When things go wrong: Lessons for risk management

The responses to risk will vary from business to business and from risk to risk, but they tend to fall into one of these categories:
  • eliminating risks
  • tolerating risks
  • minmising risks
  • diversifying risks
  • concentrating risks
  • hedging risks
  • transferring risks
  • insuring risks.
Deciding which of these responses is appropriate in any given situation requires careful analysis of the risk in terms of probability, impact and potential outcomes.

If the downside result of a specific, foreseen risk occurs, you will want to look at the way you analysed it and chose your response, and the effectiveness of the chosen response.  Consider questions such as: 

1.  Are there any clear lessons for your estimates of probability?  (For example, has an event that was regarded as extremely rare happened twice in a week?)

2.  How accurate was your assessment of impact?
  • Was it more or less severe than anticipated?
  • Did it affect areas you didn't predict?
  • Did it have consequences of a different nature than those you expected?

3.  Were the plans and processes made to deal with operational risks effective in practice?
  • Should they be improved?
  • What alternatives are there?

4.  Could operational problems occur again?
  • Is the situation different now?
  • If not, how should it be changed?

5.  Did you choose the right response to the risk?
  • How has it worked out in practice?
  • Do you need to choose a different response in future, or just make the chosen response work better?

6.  If you chose to tolerate a risk, was this the right decision?
  • Was it based on enough probability and impact information, or information of sufficient reliability?

7.  If you chose to try and minimise a risk, what effect did this have on its impact?

8.  Can you demonstrate the link between your decisions and the positive results for the business?

9.  If you chose to hedge against a risk, how good was the hedge?  How balanced were the different risks against each other?

10.  If you chose to diversify risks, was the extra effort worthwhile?

11.  If you chose to concentrate risks, was the saving in effort worth the extra exposure incurred?

12.  If a risk was transferred, did the third party accept responsibility when things went wrong?

13.  What knock-on effects are now apparent?
  • Is the outcome fully known (or knowable), or is it still unfolding?
  • What new risks have arisen?
  • What new decisions now need to be taken?

No comments: