Boiled down to its simplest, there are four things that we trade off against each other to achieve a level of risk which we are comfortable with. Collectively these four elements can be considered the ‘quadruple constraints’ of risk management:
Figure: The Quadruple Constraints of Risk Management
- Risk – the risk that we want to achieve or that matches our appetite
- Quality – how effectively we apply resources to manage risk
- Resources – how much time, money, effort we apply to managing risk
- Exposure – the amount of risk we would be exposed to if we did nothing
Figure: Risk Equilibrium - in search of the optimal trade-off
- what level of risk (benefit or loss) you are prepared to accept
- what level of risk exposure is necessary to achieve your desired risk
Quality gets a mention here as it is an often-overlooked element. If you allocate a sum of money to risk reduction, the quality with which that budget is implemented will ultimately determine the change in risk. For example, if you spend the budget installing CCTV to reduce theft in your supermarket, the residual risk will depend on the quality of the system. ‘Quality’ issues such as which direction the cameras are pointing, how easy the system is to use, etc. will have a greater impact than how much you spend on the system. Equally, you can often reduce risk (or increase benefits) by simply making administrative changes such as roster changes or introducing logbooks.
The relationship between quality and resources is like the story of the two lumberjacks who challenge each other to see who can cut the most trees in a single day. At the end of the day, the older lumberjack won by a huge margin, although the younger man had worked much harder. "How could you have cut down more trees than I did?" complained the younger one. "Every hour you sat down while I kept right on cutting. I don't understand!" The older lumberjack replied: "When I sat down, I was sharpening my axe. Why didn't you stop to sharpen yours?" "I didn't have time," the younger man said. "I was too busy cutting!"
Simply throwing more resources at risk management without considering the trade-offs inherent in these quadruple constraints is unlikely to achieve your objectives, nor win you any friends.
[i] Talbot, Julian & Jakeman, Miles (2009), Security Risk Management Body of Knowledge, John Wiley & Sons, New York, USA