Risk management is an accepted part of business vernacular these days, but it’s still helpful to step back and remind ourselves of the key principles of the process from time to time, as otherwise it can be easy to ‘miss the wood for the trees’.

In terms of assessing risk, Australia (& NZ) had a solid foundation to work from in the 2000s with AS/NZS 4360:2004 Risk management in play well before the introduction in 2009 of ISO 31000 Risk management Principles and guidelines and its supporting suite of Standards.

According to AS 4360, the analysis of risk involved the “…consideration of the sources of risk, their positive and negative consequences and the likelihood that those consequences may occur”, followed by “Risk is analysed by combining consequences and their likelihood”.

This approach was then formalised within the 2009 ISO Risk Management Standard where it reinforced that “Risk is analyzed by determining consequences and their likelihood”.

The clarity brought by the ISO Standard was reflected in the 2011 re-write of the QLD WHS Risk Management Code of Practice, with a re-packaged practical discussion under the sub-headings ‘Work out how severe the harm could be’ (i.e. the consequence) and ‘Work out the likelihood of harm occurring’.

The re-issued ISO 31000 in 2018 amended some details and blurred the discussion somewhat, however it still stated (in the Terms & Definitions) that “Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood”.

The commonly used risk matrix approach combines the qualitative or semi-quantitative ratings of consequence and likelihood to generate an overall risk score. However, the resulting risk score can be significantly skewed by confusing the order in which the consequence and likelihood factors are considered. Even the way the method is written in an organisation’s risk management procedures has the potential to inadvertently introduce this error.

To explain we should take 2 steps back to remind ourselves of two areas in particular where it’s important to be sure that we’ve nailed the basics:

  1. Check the risk statement is right – without this we often succumb to psychological biases, tend to think more broadly than we should and lose sight of what the real risk is. The risk statement, embracing the ISO 31000 definition of the “effect of uncertainty on objectives” or, in simple terms, “what” and “so what”, should state the type of event (e.g. physical injury, property damage, environmental damage), to whom or what (e.g. workers, the work depot) and the cause (e.g. from a cyclone).
  2. Consider the current controls – including the strengths and current effectiveness of these (as per the process detailed in the ISO Standard or the WHS Code of Practice).

After these considerations, we can start thinking about consequence and likelihood.

Based on the risk statement, we start by putting a ‘credible’ consequence score to the scenario, using the developed risk statement to refine our thinking about the level of consequence. Then, with this consequence in mind, we consider the likelihood of the event occurring and producing that defined level of consequence. The two factors (the consequence and the likelihood) need to be relative to each other and anchored together to the risk statement, or else the result will be skewed.

By determining the consequence first, we enable the risk assessment to be focused and ‘credible’.

If likelihood were considered as the first factor, we would in effect be asking for the likelihood of an event occurring, which would logically be much higher (e.g. the likelihood of a cyclone occurring is higher than the likelihood of an injury resulting from the cyclone, given all of the precautions and risk controls in place). The fundamental error of considering likelihood before consequence leads the discussion of the consequence off on a tangent, because it is not tied to the consequence outcome that reflects the context of the risk. By considering a ‘credible’ consequence of the risk statement first, with the current controls in place, the tendency to ‘catastrophise’ is deterred from the outset, because the discussion is framed in terms of the risk statement and the ‘credible’ consequence.

We would recommend that any discussion of the risk management methodology is always written as consequence before likelihood, as it is expressed in ISO 31000, as this frames and embeds the correct process every time it is undertaken.

In summary, the risk assessment process comes with flaws and biases that are inherent to any consultative process involving a group of humans. The way to work through this is to set the process and context from the outset, so that the risk assessment is framed to be less affected by these biases – and the best way to do this is to have absolute clarity about the risk assessment methodology and to apply the process as detailed in the ISO Standard.

Everyone involved in the risk assessment needs to be clear that the process is to assess the consequence first, using pre-agreed consequence and likelihood scales, with a focus on the ‘most credible’ consequence (as this corrals the thought processes away from the worst-case scenario and toward the more realistic outcomes). Reinforcing that, the likelihood then has to connect to the risk and the consequence – that is, the likelihood of the risk occurring at that determined consequence level.

Last of all, risk ratings should be reviewed with the “does it seem right” test (with a ‘wrong feel’ prompting a double check of the controls, consequence and likelihood used) to ensure that they are realistic and truly reflective of the situation.

Please contact QRMC for information or assistance.