Risk Management Insights

I want to join the BLOG

06/06/2017 / Enterprise Risk Management, Risk Culture, Operational Risk, Risk Controls

Reducing human error...

What is Human Error?

Risk events often have many contributing causes, a common one being ‘human error’. But what is human error can be adequately mitigated? Human error can be defined as being a ‘failure of a planned action to achieve a desired outcome’.

Actions can fail to achieve the desired outcome if the action itself is inadequate for the purpose for which it was designed; or the action can be adequate but the execution of the action can be deficient – either through unintentional or intentional behaviours of people. Related article Expected and Targeted Risks.

Outcomes? 
There are therefore six possible outcomes in the combination of plan and human action:

  1. An adequate plan that is intentionally followed will likely result in the avoidance of the risk event
  2. An adequate plan that is unintentionally not followed will likely result in failure – a risk event caused by human error
  3. An adequate plan that is intentionally not followed will likely result in failure – a risk event caused by malice
  4. An inadequate plan that is intentionally followed will likely result in failure – a risk event caused by poor planning
  5. & 6. An inadequate plan that is unintentionally or intentionally not followed has a higher likelihood of failure or success of meeting the ultimate objective.

An example…
Is the case of the Piper Alpha disaster, where personnel who followed the muster procedures found that they could not access the lifeboats from the accommodation block, personnel who survived the disaster were those who (unintentionally or intentionally) chose to violate the muster rule and ‘step off’ the platform into the ocean. Therefore, an inadequate rule (plan) was violated and the ultimate objective (no fatalities) was individually achieved as these people avoided the risk event.

Read More

06/01/2017 / Enterprise Risk Management, Risk Culture, ERM, Operational Risk, Risk Manager

Changing the Risk Conversation

Three Key Questions

Have you ever tried having a conversation with a risk practitioner about risk management concepts without using the word ‘risk’? Similarly, as a risk practitioner, have you had a conversation with a quality management practitioner without them mentioning the word ‘quality’?

One of the biggest issues we face as risk practitioners is having conversations with non-risk practitioners, especially front line people, about what we do and what we need them to do to ensure that risks, (there is that word again), are adequately identified, mitigated and monitored. Wouldn’t it be a more useful conversation to talk in terms that the front line is used to and understands? Read article 'Are you a Risk Manager?'

Front line staff know what they need to do to achieve their objectives – be it sales targets, transaction processing targets, customer satisfaction targets, quality targets, or whatever it is that they do that collectively allows the organisation to achieve its objectives. They understand their business processes and where shortcuts can be taken to ‘get things done’. They know when other staff are not following procedures – with malicious intent or not.

Read More

03/06/2016 / Operational Risk, Key Risk Indicators, Risk Manager, KRIs

How do Key Risk Indicators work?


In February this year, I ran a blog highlighting the power of the human brain and its senses in acting as a personal key risk indicator (KRI) system for personal early warning risk awareness as we journey through this inherently risky world.

This blog looks at the potentially awesome power that a well-designed and well applied
KRI system can have in the business world.

KRIs have multiple purposes. The main one is to act as an early warning system to prompt initial investigation and response so as to deal with a risk early in its life. It helps a firefighting risk manager to become a proactive risk preventer. At a wider level, KRIs allow us to “measure” risk and incorporate risk into risk-based performance measurement, risk-based decision making and risk-based incentive schemes.

So how do KRIs work?

KRIs operate on the fact that as risk develops through its life, from root cause(s), through event(s) to final impact(s), red flags, symptoms and other evidence may be given off.  KRIs tap into this information and turn it into intelligence to then be investigated and acted upon to deal with the risk most appropriately.

Read More

23/03/2016 / Compliance Management, Risk and Control Self Assessment, Operational Risk

Operational Risk Management 4 –Compliance Management and Compliance Risk Management

Operational_Risk_Management_4.jpg

This is the fourth article in the series of “Learning from yourself as an expert already”. The first blog addressed Key Risk Indicators (KRI) and the second two addressed the Risk and Control Self Assessment (RCSA) process. This blog addresses Compliance Management and Compliance Risk Management.

The extent of personal compliance management depends heavily on the country in which you reside.  Some countries have few rules and nature seems to take care of itself. Other countries have many laws and regulations over personal behavior from strictly enforced speed limits to drinking laws. As an Australian, I am more used to the latter, Australia, and New South Wales in particular, is often now referred to as the “Nanny State”!  Regulatory compliance requirements are everywhere!

The starting point for compliance in your personal life is, therefore, to understand the laws and regulations that are applicable to you. These are often written in a way that is not easily understood and we have to interpret into plain English as to what it really means to us. Ignorance of the law, as we know, is no defence.

Read More

03/03/2016 / Enterprise Risk Management, Risk and Control Self Assessment, Operational Risk

Operational Risk Management 3 – Risk and Controls Self Assessment applied in a Business Context

Operational Risk Management

This is the third blog in this Operational Risk Management series. In the first article, I explained the incredible KRI system we all have via our five senses. In the second blog, I discussed the application of the Risk and Control Self Assessment (RCSA) in our personal lives using the example of the annual medical check-up. The seven key steps of the RCSA process were set out as part of this example. 

In this blog, we will see how the RCSA works in a business context by applying it to a business process. I will use the process of managing employee expense claims, their payment, processing and recording, a process we can all appreciate from one perspective or another. This example is deliberately at a granular level to illustrate the principles. The same concepts should be used at any level of the organisation using the appropriate level of granularity. This means that the volume of information should be similar for any risk assessment carried out.

Read More

24/02/2016 / Enterprise Risk Management, Risk and Control Self Assessment, Operational Risk

Operational Risk Management 2 – Learning from yourself as an expert already!

Risk-_Controls_Self_Assesment.jpg

My last blog highlighted the extensive use of KRIs (Key Risk Indicators) in our personal lives and the incredible KRI system we all have via our five senses. This blog focusses on the Risk and Control Self Assessment process. Again, the expertise we have in our personal lives provides excellent guidance as to how a good RCSA should be carried out in our businesses and the value add of the RCSA process when done well.

In our personal lives, risk assessments are sometimes performed formally, such as for your motor vehicle’s annual service. Other times, however, they are performed informally, from checking the risks and controls relating to your swimming pool to assessing the risks of your house when your first child is born.

Read More

04/02/2016 / Enterprise Risk Management, Operational Risk

Operational Risk Management 1 – Learning from yourself as an expert already!

Operational Risk Management and the wider defined Enterprise Risk Management are often touted as a new concept. While the methodologies and processes employed may have been enhanced in the recent past, risk management is hardly new.

Humans, arising from the instinct for survival, have been using and developing risk management techniques from the beginning of time. The risk management skills, knowledge and capabilities passed onto you have meant that your personal life risk management is extremely well developed. I would argue, so well developed to the point that you are often not aware that you are practicing them.

This series of articles will consider some of those personal risk management techniques and principles how we can use them to enhance the risk management in our organisations.

Read More

26/11/2015 / Risk Auditing, Operational Risk, Risk Controls

Risk Control - Who owns the Risk Management Controls?

THAT RISK IS NOT MINE!

A common issue that arises when implementing an enterprise risk management (ERM) framework is “who owns, is responsible for, is accountable for risks and controls?” Clear risk and control ownership is critical to ensure that all risks are being managed and none are falling through the cracks and the main risk control has an owner who is accountable for the control’s performance.  Equally, it is important that we are not duplicating effort through multiple owners.

Read More

30/09/2015 / Enterprise Risk Management, Risk Management, Operational Risk

Need Help Defining Operational Risk?

Defining Operational Risk is not as easy as it looks 

One of the most basic steps in any risk management process is to define your operational risks.  Risks are typically recorded in a risk register together with their related controls (a topic to be covered in a later blog). This sounds easy but for any of you that have reviewed a range of risk registers or attempted it yourselves, you might have found that it is, in fact, a complex task.

The two main issues to consider are:

  1. What exactly are you describing? Your risk description needs to be consistent between all risks.
  2. What level of granularity and detail should the risk description contain?
Read More