"Not off to a good start," I thought to myself. Brian was a mid-level manager at a high-security, high-risk, bio-hazard facility where I’d been asked to conduct a safety risk analysis. Brian’s attitude wasn’t typical of the people at this location (we were there to follow up on the findings of a coronial inquest), but it’s an attitude I’ve heard all too often in my career. It wasn’t that Brian was unmoved by the death of his co-worker, and he understood the ‘why’ of risk management, but he was a typical overworked manager who simply hadn’t been shown much in the way of ‘appropriate’ risk management. Spend enough time in risk management and you’ll hear a million variations of “I’m busy enough as it is and this stuff is too time-consuming to use in my day-to-day work anyway”. Even I will admit to having this attitude to risk management many years ago after having ill-conceived and impractical safety training rammed down my throat - until I discovered the risk management continuum.
Brian's comments about risk management being too complicated were less a failure of risk management than a failure of imagination. In the end I managed to bring Brian around to being a fan of risk management (or at least to showing a little interest) which later translated into a few business changes in his department. Paraphrasing our discussion somewhat, these are the key points that we discussed:
- There are any number of risk management processes, formats, standards and guidelines to choose from.
- The trick is to use a tool of a size commensurate with the job.
- You don’t need to do a series of workshops and a 100-page report to manage the risk of hanging a picture on an office wall. Neither do you want to write your organization’s five-year risk treatment plan on the back of an envelope.
It’s all about picking the right size tool for the job. Trying to apply every section of ISO31000 to risk managing a staff training day is like trying to crack a walnut with a 20-tonne hydraulic press. Sure, you could do it, but you’ll spend a lot of time at it and you’re not likely to get an edible result. Over the years that I've been doing this, I’ve collected a grab bag of tools, which, when put into context, give us a hierarchy of tools, or what I call 'the risk management continuum'.
[Figure: The Risk Management Continuum]
These tools range from the very simple to the very complex and take correspondingly different expertise, resources and time to do. At its simplest, you can do a risk assessment on crossing the road in a matter of seconds, while an enterprise risk plan may take a team of people several months to complete.
Before introducing the tools illustrated above, it's worth emphasizing that these are only examples of tools that you might choose to use. Even if you like the concepts, there is no reason why you need to keep the names, but they could be a good place to start:
- Take 2
- Stepback 5x5
- The Team Leader’s 10 Questions
- Job Risk Analysis (JRA)
- Project Risk Assessment and Treatment Plan
- Formal Risk Assessment
- Complex Risk Assessment
Take 2
‘Take 2’ is simply an easy-to-remember name for the process of taking 2 minutes (metaphorically or literally) to consider the risks associated with an activity. It's an ideal tool for a quick risk assessment before moving a filing cabinet or plugging in new equipment, for example. An individual might use it before pressing ‘Send’ on an email to their boss or a client, spending two minutes considering the risks or opportunities (e.g. Could this be a Career Limiting Move? Is this a good email to share with a colleague?). Equally, in a group activity someone might suggest, “Hang on, let’s Take 2” before collectively moving a desk. In the latter example, the process of taking 2 might get the group thinking about moving some boxes out of the way or allocating someone to hold a door.
Stepback 5x5
Step back 5 paces (metaphorically or physically) and spend 5 minutes considering, discussing and documenting risks and risk treatments. A simple example would be two tradesmen drilling a hole to hang a whiteboard. A 5x5 might raise questions like:
- Are there live wires, gas or water pipes behind this wall?
- Will the plaster wall support the weight of this electric whiteboard?
- If we put it on this wall, is it likely to be in the way of people passing through?
- Do we have enough people to hold it up while we fasten it to the wall?
The Team Leader’s 10 Questions
- Is this activity/project necessary to achieve organizational objectives?
- Has an adequate risk analysis been done and have the measures that have been identified to reduce the risk actually been implemented?
- Are adequate contingency plans in place if things go wrong?
- Have briefings and training been done including for when things go wrong?
- Are those involved in leading this activity experienced and qualified?
- Are our people involved qualified and trained to participate in this activity?
- Are our tools and equipment in good working order, well maintained and ready?
- Has there been adequate build-up of skills among the team prior to this activity?
- Do I have checks in place to monitor and review the activity after it has launched and to amend if necessary?
- Am I, as the team leader or manager, satisfied we are prepared to do this activity/operation?
Formal Risk Assessment
A formal risk plan involves, as the name suggests, a comprehensive documented risk assessment leading to an endorsed risk treatment plan. In this respect it is little different from a project risk plan or even a Job Risk Analysis. I’ve separated it out here, between a Project Risk Assessment and a Complex Risk Assessment, because a) it's the type of risk assessment that most managers will do in their working life and b) although relatively sophisticated, it often has a defined scope, e.g. an OHS plan, divisional risk plan, security plan, etc.
Complex Risk Assessment
At this level, we’re starting to get into a whole new level of complexity. This is the domain of enterprise risk management or project risks of the scale of building a space shuttle. The risk management process remains the same, but before even attempting this, you absolutely must have the following elements in place:
- An organizational risk management framework
- An adequate budget to complete the process
- Management support at the highest levels