Theoretically this would require us, as part of the RCSA process, to firstly define the range of possible consequences and, secondly, define the likelihood of them occurring. The question is: “How many consequences do we evaluate and how will those consequences be defined?” By default, and due to time and cost constraints, many RCSA processes require just one consequence but do not define whether this consequence is the average, worst case, or something else. This results in confusion for the assessed business and inconsistency across the organisation.
In order to address this issue and improve the quality of your RCSA process, the following questions should be answered:
- How will the RCSA output be used by the business? If the purpose of the RCSA is to better manage “business as usual” risks, then an average consequence makes sense. If on the other hand, the purpose is to protect the business from major disasters, a worst case consequence will be more useful.
- How many consequences will you require to be identified and how will they be defined? Where just one consequence is identified, the key choice is between an “average” and a “worst case”. The two are vastly different. A progression from this is to identify two consequences, usually an average and an extreme/worst case. This worst case is often assessed as an extension of RCSA, in the form of a scenario analysis process. The largest number of consequences we have seen in use is three, covering average, exceptional and extreme/worst case.
- Have the persons responsible for assessing the risks been adequately informed of what level of consequence(s) is being determined?
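The difference between an “average” and a “worst case” basis is easiest to see on a small risk register. The following Python example is added here and is not part of the original post or of any RCSA tool; the three risks, their loss figures and annual likelihoods are constructed values, and the three consequence bands follow the average / exceptional / extreme split described above. It ranks the same register on both bases, and includes the check an RCSA reviewer would want: that every assessed consequence is labelled with a known band and that the likelihoods are coherent.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Consequence bands assumed for this example (the post names average,
# exceptional and extreme/worst case).
BANDS = ("average", "exceptional", "extreme")


@dataclass
class Consequence:
    band: str          # which band this assessment represents
    loss: float        # loss if this band materialises (constructed figures)
    likelihood: float  # probability per year that this band occurs


@dataclass
class Risk:
    name: str
    consequences: List[Consequence]

    def expected_loss(self) -> float:
        """Average basis: likelihood-weighted loss across all assessed bands."""
        return sum(c.loss * c.likelihood for c in self.consequences)

    def worst_case(self) -> float:
        """Worst-case basis: the largest single loss assessed, regardless of likelihood."""
        return max(c.loss for c in self.consequences)


def validate(risk: Risk) -> List[str]:
    """Return the problems a reviewer would flag before trusting the assessment:
    no consequence at all, an unlabelled or unknown band, a duplicate band,
    a likelihood outside [0, 1], or band likelihoods that sum to more than 1."""
    problems = []
    if not risk.consequences:
        problems.append(f"{risk.name}: no consequence assessed")
    seen = set()
    for c in risk.consequences:
        if c.band not in BANDS:
            problems.append(f"{risk.name}: unknown consequence band {c.band!r}")
        if c.band in seen:
            problems.append(f"{risk.name}: band {c.band!r} assessed twice")
        seen.add(c.band)
        if not 0.0 <= c.likelihood <= 1.0:
            problems.append(f"{risk.name}: likelihood {c.likelihood} outside [0, 1]")
    if sum(c.likelihood for c in risk.consequences) > 1.0:
        problems.append(f"{risk.name}: band likelihoods sum to more than 1")
    return problems


# The bases an assessor can be asked to use; each maps a risk to the figure ranked on.
BASES: Dict[str, Callable[[Risk], float]] = {
    "average": Risk.expected_loss,
    "worst_case": Risk.worst_case,
}


def rank(risks: List[Risk], basis: str) -> List[str]:
    """Risk names ordered from highest to lowest on the chosen basis."""
    key = BASES[basis]
    return [r.name for r in sorted(risks, key=key, reverse=True)]


# Constructed register: three operational risks, each assessed at up to three bands.
REGISTER = [
    Risk("Payment file processing error", [
        Consequence("average", 20_000, 0.5),
        Consequence("exceptional", 150_000, 0.05),
        Consequence("extreme", 400_000, 0.005),
    ]),
    Risk("Data centre outage", [
        Consequence("average", 5_000, 0.2),
        Consequence("extreme", 5_000_000, 0.001),
    ]),
    Risk("Phishing-enabled payment fraud", [
        Consequence("average", 50_000, 0.1),
        Consequence("exceptional", 500_000, 0.02),
        Consequence("extreme", 2_000_000, 0.002),
    ]),
]

if __name__ == "__main__":
    for r in REGISTER:
        for p in validate(r):
            print("PROBLEM:", p)
    for basis in BASES:
        print(f"{basis:>10}: {rank(REGISTER, basis)}")
```

Run as written, the “average” basis puts the payment file error first and the data centre outage last, while the “worst case” basis puts the data centre outage first; an assessor who was never told which basis to use could legitimately produce either ordering, which is the inconsistency the post describes.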
The key issue is that most current RCSA processes do not guide the assessor as to what is required and it is left up to their own choice.
What are you doing in your self assessments?
As a minimum, ensure that those assessing the risks are aware of how they are supposed to be assessing. Secondly, consider whether the number of consequences you are assessing for all risks is adequate, weighing the extra understanding created by multiple consequences against the extra time taken to carry out multiple consequence assessments.
Note 1: Risk is defined here as the potential for something happening in the future which could have a positive or negative impact. That is, the same risk has a range of potential consequences. Interestingly, ISO 31000 (Risk Management: Principles and Guidelines) defines risk in terms of the likelihood of a given consequence. This overcomes the multiple consequence issue, but in practical terms it still requires us, as part of the RCSA process, to define the consequence of the risk event that we are discussing.