Key message: Without a good risk event description the analysis step is a waste of time.
When I first started in the risk management area over 40 years ago we used to describe risk events in single words such as “Safety”, “Budget”, “Governance” etc. Over time it was recognised that these single word event descriptions were insufficient, particularly, with the introduction in Australia of the AS4360:1999 for Risk Management. For the first time the risk management process steps were defined as per the diagram below :
The process steps started with the “Establish the Context”. Coverage of this process step led to the development of outputs such as the “Decide the Structure” - Risk Breakdown Structure (RBS) or Risk Universe which I covered in an earlier article. The RBS allowed risk practitioners to identify key risk areas and then categories within those risk areas. This accommodated the single word descriptions to be captured not as risk event descriptions per-se but as areas and categories of risk.
Noting the risk identification step there is guidance as to what could happen and why it would happen. In the early stages of the development of the standard this was seen as sufficient to describe the risk event so that a valid risk analysis could then be undertaken. As a natural evolutionary step it was found that even this type of detail my not be sufficient. It was in early in 2006 that I was introduced to different nomenclature that has stood the test of time until today. The nomenclature covers both threats and opportunities namely:
· There Is A Risk That (TIART)
· There Is An Opportunity To (TIAOT)
This was a great start point in my view but this needed to be enhanced further. It was then decided that these initial risk descriptions would be well served with the addition of key words to prompt further words to better target the real threat or the actual opportunity. So the risk description for threats was expanded as follows:
· TIART………………
· Caused By………… The root cause of the threat should be articulated in order for the analysis of the probability of the event and the controls and treatments can be identified and targeted more effectively.
· Resulting in……….. The impact should be defined in terms of the impact on the objective of the project, decision/activity to which the risk assessment is being applied. The impact areas should be reflected in the consequence/impact criteria tables. In this way the risk analysis step will be valid.
So we have moved on from a simple statement of “Breach of Safety” to one where this could be a Risk Area whilst one of the Risk Categories within this Area could be “Personnel” which could then lead to a well-defined risk description using the nomenclature above as:
· There is a risk that a worker will not use their personal protective equipment (PPE) when undertaking quarrying operations
· Caused by a lack of supervision
· Resulting in death
Similarly, for an opportunity. We could have a Risk Area of “Safety” and a Risk Category of “Personnel” and using the nomenclature above:-
· There is an opportunity to reduce the number of loss time incidents
· By providing training to all personnel on a regular basis
· Resulting in the company obtaining more high value projects
By having a risk statement consisting of these three parts its sets up the risk management process for a valid risk analysis step. This is not an easy process.Often practitioners get confused between the three components.My advice is to simply reflect back to the consequence/impact tables to nail the impact statement. This often helps to then confirm the TIART/TIAOT and the root cause.