Risk Management Insights


21/07/2017 / Enterprise Risk Management, Risk Controls, Risk Culture, Risk Management

Prevention is better than cure - and other risk management cliches

There are many well used, almost clichéd phrases in the English language that contain powerful messages for the risk manager. Some that come to mind include:

Every cloud has a silver lining:  If we suffer a risk incident, we can usually find value, especially if we manage the incident really well and learn from our past mistakes.

What doesn’t kill you makes you stronger: Failure is good, as long as we fail within our risk appetite, fail fast, fail with minimal damage and most importantly, learn from our failures. This will only make us stronger in the long term.

And my favourite…

Prevention is better than cure: It is better to practise proactive, preventive risk management than reactive, firefighting risk management.


19/06/2017 / Risk Controls, Enterprise Risk Management

Risk Event Libraries. Do your own sanity check.

At Protecht, we get to see a lot of risk event libraries. There continues to be some confusion as to what actually constitutes a risk event worthy of a place in a central library of risks. We often see these libraries peppered with failed controls, impacts and causes rather than the true underlying risk event.

In this blog we hope to provide some tips for you to do your own sanity check on the quality of risks in your risk registers or library. 

It helps to first think about the output: what will our reporting to stakeholders at both management and Board level look like, and what will it be used for? If risk events are too broad, aggregation of supporting data such as incidents and internal audit findings connected to those risks becomes less useful, as does any attempt to allocate a meaningful set of controls to the risk. If risk events are too specific, with lots of detail, the summation of top risks in charts becomes unwieldy and it is unclear what the actual risk event is.

Examples would be as follows:

Criminal activity: too broad. In this example, there are too many sub-risks with different controls that need to be assessed. If all internal audit findings and incidents relating to internal fraud were wrapped up into this ‘risk event’, the first thing any Board member would ask is what type of criminal activity we are talking about. Rather than a risk event, this would make a good risk category, alongside other risk categories such as Employment Practices and Safety, and Business Disruption.


06/06/2017 / Enterprise Risk Management, Risk Controls, Operational Risk, Risk Culture

Reducing human error...

What is Human Error?

Risk events often have many contributing causes, a common one being ‘human error’. But what is human error, and can it be adequately mitigated? Human error can be defined as a ‘failure of a planned action to achieve a desired outcome’.

Actions can fail to achieve the desired outcome if the action itself is inadequate for the purpose for which it was designed; or the action can be adequate but its execution deficient, through either unintentional or intentional behaviour of people. (Related article: Expected and Targeted Risks.)

Outcomes? 
There are therefore six possible outcomes in the combination of plan and human action:

  1. An adequate plan that is intentionally followed will likely result in the avoidance of the risk event
  2. An adequate plan that is unintentionally not followed will likely result in failure – a risk event caused by human error
  3. An adequate plan that is intentionally not followed will likely result in failure – a risk event caused by malice
  4. An inadequate plan that is intentionally followed will likely result in failure – a risk event caused by poor planning
  5. & 6. An inadequate plan that is not followed, whether unintentionally or intentionally, may either fail or succeed in meeting the ultimate objective; the outcome cannot be predicted from the plan alone.

An example…
Consider the Piper Alpha disaster. Personnel who followed the muster procedures found that they could not access the lifeboats from the accommodation block. The personnel who survived were those who, unintentionally or intentionally, chose to violate the muster rule and ‘step off’ the platform into the ocean. An inadequate rule (plan) was therefore violated, and the ultimate objective (no fatalities) was achieved for those individuals because they avoided the risk event.


23/02/2017 / Risk Management, Risk Controls, Risk and Control Self Assessment, Risk Maturity

Expected and Targeted Risks

Are they useful?

Residual risk, the risk remaining after existing controls are taken into account, is universally accepted as important to assess in the risk assessment process.

In a previous blog article, we questioned whether inherent risk was useful. We concluded that, on balance, it can be a useful concept to recognise and assess: inherent risk assists in weighing the importance of controls and in understanding stress test scenarios.

This blog takes the next step and explores whether “Expected” and “Targeted” risk are useful. 


26/01/2017 / Enterprise Risk Management, Inherent & Residual Risk, Risk Controls

Inherent Risk – Is it useful?

The ISO 31000:2009 standard does not refer to “inherent” risk. Is this a deliberate omission and, if so, what is the reason? This leads to the question of whether inherent risk is a useful concept in risk management and risk assessment. The main areas of contention are:

What does Inherent Risk mean?

Few definitions in risk management are universally agreed, but “inherent risk” is commonly defined as “the risk without considering internal controls” or, alternatively, “a raw risk that has no mitigation factors or treatments applied to it”. Residual risk, on the other hand, is commonly defined as “the level of risk remaining after controls have been applied”.


14/09/2016 / Risk Controls

Integrated Controls Assurance – Maximum Assurance, Minimum Effort
Controls assurance is a critical component of any robust risk management framework, providing an organisation with:

  1. Objective evidence that controls are designed and operating adequately, as a basis for the executive and Board signing off on the adequacy of controls over material risks.

  2. Knowledge of control weaknesses as a basis for making improvements.

  3. Education of control owners and operators as to the objectives, workings and importance of the controls they are responsible for.

  4. A basis for assessing the adequacy of controls as part of a Risk and Control Self Assessment process.

Controls assurance varies greatly between organisations. At the most basic level, some organisations rely on an annual or semi-annual attestation from business unit heads that all is in order. Usually this comes with little or no evidence and relies instead on trust that the manager has adequate knowledge to make the attestation.


10/08/2016 / Risk Controls, Risk Management Training

Risk Controls! Going through the motions or providing real value?

Controls to help us manage risk have been around for thousands of years. Why? Because risk has been around since the beginning of time. Our human instinct for survival has, by necessity, meant that we have had to try to control our environment and the risk contained in it.

The industrial revolution then took the need for control to a new level, as we placed large groups of workers together and added a good dose of dangerous machinery and processes. As a result, we have grown to accept controls as an everyday part of our business lives. See an example of controls being implemented in our article Risk Management Controls in Tough Mudder.


29/04/2016 / Bow Tie Analysis, Risk Controls

Bow Tie Analysis

Bow ties usually conjure up a vision of a formal event, worn infrequently on special occasions. For risk bow ties, nothing could be further from the truth. Risk bow ties are ideally used by the business as everyday wear. So what are risk bow ties, and what is the value of making them part of your everyday?

The Bow Tie principle for analysing and documenting risk has been attributed to Royal Dutch Shell in the 1970s and 1980s. Since then, oil and gas, mining and pharmaceutical companies, amongst others, have used the Bow Tie principle to explore and communicate risk. More recently, financial institutions have warmed to the idea, seeing the benefit of this simple yet comprehensive method for understanding and communicating risk.

The Bow Tie technique is a logical way to explore and communicate risk. Its principles are simple, but the execution and presentation need care.


09/12/2015 / Risk Culture, Risk Management, Risk Controls

Risk Management Controls in Tough Mudder

Tough Mudder is an endurance event series in which participants attempt 16–19 km military-style obstacle courses that test mental as well as physical strength. The obstacles often play on common human fears, such as fire, water, electricity and heights. 

The main principle of Tough Mudder revolves around teamwork. The Tough Mudder organisation values camaraderie throughout the course, designing obstacles that encourage group participation. The first event was held in 2010 and, to date, more than 2 million people worldwide have participated.


26/11/2015 / Risk Auditing, Operational Risk, Risk Controls

Risk Control - Who owns the Risk Management Controls?

THAT RISK IS NOT MINE!

A common issue that arises when implementing an enterprise risk management (ERM) framework is: who owns, is responsible for, and is accountable for risks and controls? Clear risk and control ownership is critical to ensure that all risks are being managed, that none are falling through the cracks, and that each key risk control has an owner who is accountable for the control’s performance. Equally, it is important that we are not duplicating effort through multiple owners of the same risk or control.
