Wednesday, April 13, 2011

The Quadruple Constraints of Risk Management

As managers, leaders and risk professionals, we make trade-offs every day to manage our risk exposures and achieve acceptable levels of risk and agreed quality standards. Most of us, for example, willingly accept the risk of being involved in a car accident in exchange for the benefits of living in a modern society. We also accept that fitting locks to our doors reduces the money we have to spend on other items, and that the inconvenience of having to lock the door takes a little of our time. In exchange for those trade-offs, we can reasonably expect to find our possessions waiting for us at home at the end of each day. Equally, the money we put aside for saving is money we can’t spend right now, but we do it because it gives us peace of mind that we’ll be able to support ourselves in our retirement.

Boiled down to its simplest, there are four things that we trade off against each other to achieve a level of risk which we are comfortable with. Collectively these four elements can be considered the ‘quadruple constraints’[1] of risk management:
[Figure: The Quadruple Constraints of Risk Management]
  • Risk – the risk that we want to achieve or that matches our appetite
  • Quality – how effectively we apply resources to manage risk
  • Resources – how much time, money, effort we apply to managing risk
  • Exposure – the amount of risk we would be exposed to if we did nothing
Any change in one will result in a corresponding increase or decrease in one or more of the other elements as illustrated in the following diagram. The ideal target range for risk is ALARP (As Low As Reasonably Practicable) and the previous pyramid diagram, if viewed from above, might look something like this:
[Figure: Risk Equilibrium - in search of the optimal trade-off]

In theory, each of these elements could be adjusted dynamically in response to external influences, but in practice, the world changes faster than we can accommodate. Accordingly, our goal is to optimize both resources and quality in a way that modifies exposure to leave us with an approximate level of acceptable risk. Applying more resources and/or improving quality will usually reduce risk, even if the risk exposure stays the same. Before applying those changes, however, you need to understand:

  • what level of risk (benefit or loss) you are prepared to accept
  • what level of risk exposure is necessary to achieve your desired risk
We can adjust our risk by increasing or decreasing resources (e.g. more security guards at the gate or more analysts monitoring the stock portfolio), but achieving total protection for any given asset might require more resources than the value of that asset. Reducing risk to zero, although theoretically possible, is likely to require either: a) virtually infinite resources or b) a reduction of risk exposure to the point where an activity is effectively abandoned, thereby leaving little opportunity to achieve the project goals. Similarly, realizing opportunities (positive risk) requires increased risk exposure, which may also result in increased downside risk. Equally, if you increase the risk exposure (e.g. by conducting more business travel or taking on larger positions in your derivatives portfolio), then the risk will increase accordingly unless some change is made to quality or resources.

Quality gets a mention here as it is an often overlooked element. If you allocate a sum of money to risk reduction, the quality of implementing that budget will ultimately determine the change in risk. For example, if you spend the budget installing CCTV to reduce theft in your supermarket, the residual risk will depend on the quality of the system. ‘Quality’ issues such as which direction the cameras are pointing, how easy the system is to use, etc. will have a greater impact than how much you spend on the system. Equally, you can often reduce risk (or increase benefits) by simply making administrative changes such as roster changes or introducing logbooks. The relationship between quality and resources is like the story of the two lumberjacks who challenge each other to see who can cut the most trees in a single day. At the end of the day, the older lumberjack won by a huge margin although the younger man had worked much harder. "How could you have cut down more trees than I did?" complained the younger one. "Every hour you sat down while I kept right on cutting. I don't understand!" The older lumberjack replied: "When I sat down, I was sharpening my axe. Why didn't you stop to sharpen yours?" "I didn't have time," the younger man said. "I was too busy cutting!"

Simply throwing more resources at risk management without considering the trade-offs inherent in these quadruple constraints is unlikely to achieve your objectives, nor win you any friends. 

[1] Talbot, Julian & Jakeman, Miles (2009), Security Risk Management Body of Knowledge, John Wiley & Sons, New York, USA


  1. Dear Julian Talbot,

    A very interesting start to a bit of a boring subject. The examples are picked up from daily life routine and do make a lot of sense to readers.
    The acronym ALARP should be explained somewhere in the text, as it is not so much used a term in some regions.

  2. Syed, Apologies re ALARP. I've put a link to another article which talks about ALARP. Thanks for picking that up. Cheers, Julian