Risk Management as it should be

18 November 2011 • Ype Wijnia
risk management

In the past few years many companies active in infrastructure management have made the transition from classical maintenance and operation to the more contemporary asset management. Virtually all that made this progression publicly advocate the importance of risk management within asset management. However, we note that it often does not go beyond this. Risk management seems to be a topic to talk about, but not a practice to execute. Many risk managers excuse themselves for this lack of results by pointing out that they have a facilitating role and that the operation should provide the content. Excusez les mots, but that is the uttermost nonsense there is. Risk management is precisely a practice in which content and process cannot be separated.

Take for example the risk of burglary. If you order someone to manage that risk, one might opt for insuring the risk, another for an anti-burglary installation, and a third takes a dog. It seems kind of strange that three different solutions are chosen for the same problem. The only valid explanation is that they are solutions for different problems. If the financial damage is the main concern, insurance is a good option; if the mess is the problem, then the alarm is a valid choice; and if the problem is the feeling of being exposed to burglars, then a dog provides more support than the other options. Framed differently, you can only manage risks if you know what the real problem is and what values are at risk. In the case of the burglary risk, the owner of the house (and thus of the risk) has all freedom to select the mitigation he likes best. But in a company it comes in handy if it is determined centrally what is important to the company (e.g. by mission, vision and strategy). Only then can the business determine how the values and goals are threatened. Unfortunately, when companies start with risk management, those values and goals are often not very clear, at least not within the infrastructure companies. They just do what they have been doing for the past hundred years or so and the value system is hardly explicit. If the risk manager acts in those circumstances as the facilitator, many will be lost in translation (except of course the risk manager, as the discussions no doubt have been fabulous). How should it be done then?

As mentioned earlier, the most important element of risk management is the definition of a coherent value system. Without goals no risk. A practical way of formalizing the value system is the definition of a risk matrix. This is a table with a description of potential consequences and their classification on one side, and the likelihood of occurrence on the other side. In the table itself is the risk level that is associated with the combinations of likelihood and consequence. An example is given in the table below.

Please note, the important thing is making a matrix yourself, not having a matrix. Insight into what is important to the company emerges in the discussions that are held on the business values to be considered, the level at which an impact becomes serious or catastrophic, and which combination of impact and likelihood is unacceptable. If the matrix is simply copied from another company the matrix may be a valuable instrument, but if the world changes one lacks the experience to adjust the matrix accordingly.

In constructing a matrix there is plenty of opportunity to do it wrong. Besides the discussion on colours, names and orientation (arbitrary but relevant for a consistent impression) there are a number of pitfalls to avoid. The first is that effects labelled the same are not equally bad for the company. In general, one should be indifferent between equally bad things. If that is not the case, the things apparently are not equally bad. The second pitfall is that of resolution. If impact and likelihood can be assessed on five levels, one would expect 5 risk levels as well. The next pitfall is too easily designating a risk as intolerable. If risks are really intolerable one has to do anything acceptable to mitigate the risk, and that is often not the case. An intolerable risk that is accepted in the end is de facto not intolerable. Finally, the last important pitfall is using risks as effect. The typical example is in the condition of assets, like being rusty. If this is put on the impact side of the matrix (say a pipe being rusty is a catastrophic impact) then circular reasoning arises, as if being rusty itself is the problem. The point is of course that a rusty pipe can leak, tear or rupture, which will result in the outflow of material with all associated consequences like loss of valuable resources, pollution or dangerous situations. The pipe being rusty is a problem because of those potential consequences, not because of the rust.
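The resolution pitfall and the "intolerable but accepted" pitfall described above can be checked mechanically against a matrix and a risk register. The Python code below is an added example, not part of the original column; the level names, the 5x5 matrix and the register entries are constructed, and it assumes the resolution pitfall means the matrix should distinguish at least as many risk levels as each axis has levels.

```python
# Added example: lint a risk matrix and register against two pitfalls
# from the column. All names and sample data are constructed.

LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "frequent"]
IMPACT = ["minor", "moderate", "serious", "severe", "catastrophic"]

# Constructed matrix: rows follow LIKELIHOOD, columns follow IMPACT.
# Both axes have five levels, but only three risk levels are used.
COARSE = [
    ["low",    "low",    "low",    "medium", "medium"],
    ["low",    "low",    "medium", "medium", "high"],
    ["low",    "medium", "medium", "high",   "high"],
    ["medium", "medium", "high",   "high",   "high"],
    ["medium", "high",   "high",   "high",   "high"],
]

# Constructed register. Events are named by what can happen (rupture),
# not by asset condition (rust), so the impact is a real consequence.
REGISTER = [
    {"event": "pipe rupture with outflow", "likelihood": "possible",
     "impact": "severe", "decision": "accept"},
    {"event": "cable fault", "likelihood": "likely",
     "impact": "serious", "decision": "mitigate"},
    {"event": "burglary at depot", "likelihood": "unlikely",
     "impact": "moderate", "decision": "accept"},
]

def risk_level(matrix, likelihood, impact):
    """Look up the risk level for one likelihood/impact combination."""
    return matrix[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]

def resolution_gap(matrix):
    """Axis levels minus distinct risk levels; above 0 means lost resolution."""
    distinct = {cell for row in matrix for cell in row}
    return max(len(matrix), len(matrix[0])) - len(distinct)

def accepted_intolerables(matrix, register, intolerable="high"):
    """Events scored intolerable yet accepted: de facto not intolerable."""
    return [r["event"] for r in register
            if risk_level(matrix, r["likelihood"], r["impact"]) == intolerable
            and r["decision"] == "accept"]

if __name__ == "__main__":
    print("resolution gap:", resolution_gap(COARSE))
    print("accepted intolerables:", accepted_intolerables(COARSE, REGISTER))
```

A non-empty result from `accepted_intolerables` means either the decision or the matrix boundary has to change; which one is the discussion the column argues the company must hold itself.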

This introduces the problem of what a risk then is. Often it is stated that risk equals probability times consequence, but that is only a quantitative approach to the concept of risk, like the expected amount of misery. Risk then is just a metric. In risk identification, on the other hand, the pivot point is naming ways in which the misery can come into existence. Risk in this sense is an entity, an event that can impact the values negatively. To distinguish those very different concepts it can be helpful to use risk if one talks about the events, and exposure if the expected misery is meant. Besides the ambiguity in the definition of what risk is, an equally interesting question is whether risk as an entity does exist. The modern view is that risk is not an objective part of reality that can be counted and measured, but a structure imposed by the observer upon all potential events in reality. Those potential events are real (at least when they occur), but the structure is just handy for dealing with everyday problems and can be changed should the circumstances demand so. Risk therefore is an abstraction, not an object.

This last point is the most important reason why process and content cannot be separated in risk management. The risks do not come from reality, they are not waiting to be found, no, they evolve from the potential to do something about them within the structure and value system of the organization. If the only tool is a hammer, one has to consider all problems as nails. Structuring threats in such a way that the organization can deal with them efficiently is the true mission of the risk manager. This is more leading than facilitating. That structuring all problems is not easy is without doubt, but if a professional risk manager cannot do this, how can you expect the laymen in the organization to do that? Risk managers should not be afraid to get their hands dirty and really help the organization forward. Otherwise risk management is nothing more than producing paper full of empty terms that nobody really understands, and that is not valuable in any system.

 

Ype Wijnia is partner at AssetResolutions BV, a company he co-founded with John de Croon. In turn, they give their vision on an aspect of asset management in a weekly column. The columns are published on the website of AssetResolutions, www.assetresolutions.nl/en/column

 
