I’ve been spending a not inconsiderable amount of time recently thinking about risk. This is partly because it’s an issue I’ve been working on with some of my clients. And it’s partly because I’ve had to prepare various risk assessments for things I do in my free time. (Yes, I know. I lead such an exciting life…) But it’s helped me to refine my ideas about what risk is and how we assess and manage it.
As I see it, risk is about the existence of more than one possible outcome. If there’s only one way things can turn out, then there’s no risk – only certainty. But if things could go any of several ways, then there’s always the risk that things could go one way rather than another. In reality, though, we tend to focus on risk when one or more of those potential outcomes is undesirable for us or for our organisations.
We usually think of risk as a function of the likelihood of something happening and of the impact on us if it does happen. And so we try to manage both of these elements, making it less likely that something bad will happen and less catastrophic if it does. The risk before we do anything is known as the ‘gross’ risk and the risk after we’ve done whatever we can to mitigate it is known as the ‘net’ risk.
Organisations frequently develop complex ways of assessing the likelihood and impact of particular risks. These usually involve scores, matrices and other ways of quantifying what might happen and how bad it might be. I’m not a huge fan of this approach, to be honest, as it tends to detract from actually managing the risks involved. Can we really stop worrying about something because it scores a 25 rather than a 26?
I much prefer to put risks into one of two categories: things we need to worry about and things we don’t. Now sure, I’m already making my own judgement here about how likely something is to happen and how bad things would be if it did. But it’s a judgement. A judgement of when the ‘gross’ risk is unacceptably high. And it’s my judgement. Not what a spreadsheet has told me I need to be concerned with.
If I choose to worry about a particular risk, I want to make sure that I am managing it effectively. I want the ‘net’ risk to come down to a level that I can cope with. To achieve this, I have a number of options (all of which, you’ll notice, handily begin with ‘T’):
- I can treat the risk, in that I do something that either makes it less likely to happen or lessens the impact if it does happen. So if I’m concerned that I might lose my laptop, I can make sure that I back up my data every evening and make sure that I can get new copies of the software that’s on it.
- I can transfer the risk to someone else, so that if something goes wrong it’s their problem, not mine. That’s what insurance is for. And outsourcing. But it doesn’t usually resolve the problem completely. Even if your car is insured, for example, it’s still a complete pain in the backside if someone nicks it.
- I can terminate the activity giving rise to the risk. Imagine I had the opportunity to go base jumping. Sounds great. But the mortality rate among base jumpers is a little higher than I would ideally like. So no base jumping for me. And if there’s no base jumping, there’s no risk.
- I can tolerate the risk. This basically means that I want to do whatever is giving rise to the risk, but there’s nothing I can do to mitigate the impact or likelihood of the risk in any significant way. So I just have to keep my fingers crossed and live with it.
We all manage risk as a matter of course every day of our lives. We look before we cross the road. We insure our cars and our homes. We put on sunscreen. We turn the toaster off at the mains before we use a knife to extricate the piece of toast that’s got wedged in it and is starting to smoke alarmingly. Managing risk at work is no different to this. And it doesn’t have to be any more complicated, either.