Managing Risk Strategically

With a nod to David Cameron, former Prime Minister of the United Kingdom, who succinctly said what he thought of the election of Jean-Claude Juncker to the position of President of the European Commission: the risk matrix is the wrong answer to the wrong question.

What are my reasons for saying this?

  1. It is a misdirection of effort, as the primary question that should be on any manager’s mind is not how big the risk is but what standard of risk control is needed in the situation under consideration.  There is no expectation or assumption in either common or statute law that the degree of risk should be estimated.  The required standard of risk control depends on the Likely Worst Consequence (LWC).  The emphasis placed on the “Hierarchy of Controls” in statute law underlines this point.
  2. The risk matrix is, in any case, not a suitable means of estimating the extent of risk, for these reasons: probability/likelihood is virtually impossible to estimate without the use of far more complex methods than the simple word scale; the matrix hides the matter of Exposure, which is a significant variable in Risk Estimation; Risk is actually a relationship between Frequency and Consequence Value, not a spot point; the Cardinal or Ordinal scales of measurement used to measure likelihood and consequence on either a 3×3 or 5×5 matrix are not able to reflect the typical logarithmic nature of the relationship between these variables.
  3. Users are largely incapable of using the matrix in a consistent or repeatable manner.  Also, the action expectations (e.g. stop work until something is done) associated with the cells of the matrix distort the user’s view of which cells to choose.
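As an added illustration of the measurement objections in point 2 (this is not code from the original article), the following Python models a 5×5 matrix with constructed decade-wide bands and a handful of constructed hazards; the band edges, hazard names and every figure are assumptions made for the demonstration. It shows three things the point states but does not show: the same per-hour event rate lands in different cells depending only on hours of exposure (the Exposure term the matrix never asks for), two hazards with identical expected annual loss land in different cells (risk is a frequency/consequence relationship, not a spot point), and the ordinal score can rank a lower quantitative risk above a higher one while a single cell spans nearly two orders of magnitude of real risk.

```python
"""Constructed model of a 5x5 risk matrix versus the quantitative risk it is meant
to summarise. Band edges, hazard names and all figures are assumptions made for
this illustration; they are not data from the article."""
import math
from dataclasses import dataclass

# Assumed band upper edges. Each band spans one decade, which is the most
# favourable reading of a word scale (Rare / Unlikely / ... or Minor / Major / ...).
FREQ_BANDS = [1e-4, 1e-3, 1e-2, 1e-1, 1.0]   # events per year
CONS_BANDS = [1e3, 1e4, 1e5, 1e6, 1e7]       # cost units per event


def rank(value: float, upper_edges: list[float]) -> int:
    """Ordinal rank 1..5: the first band whose upper edge exceeds the value."""
    for i, edge in enumerate(upper_edges, start=1):
        if value < edge:
            return i
    return len(upper_edges)  # values beyond the top edge stay in the top band


@dataclass(frozen=True)
class Hazard:
    name: str
    rate_per_hour: float     # chance of the event per hour of exposure (assumed)
    hours_per_year: float    # Exposure: the variable the matrix hides
    consequence: float       # cost units per event (assumed)

    @property
    def frequency(self) -> float:
        """Events per year = per-hour rate x hours exposed; Exposure is explicit here."""
        return self.rate_per_hour * self.hours_per_year

    @property
    def expected_annual_loss(self) -> float:
        """Quantitative risk: frequency x consequence, which the matrix only approximates."""
        return self.frequency * self.consequence

    @property
    def cell(self) -> tuple[int, int]:
        return rank(self.frequency, FREQ_BANDS), rank(self.consequence, CONS_BANDS)

    @property
    def matrix_score(self) -> int:
        """The usual likelihood-rank x consequence-rank number written in each cell."""
        f, c = self.cell
        return f * c


# Constructed hazards (names and figures are illustrative only).
HAZARDS = [
    Hazard("hoist_full_shift", 1e-5, 2000, 5e5),   # same per-hour rate as the next one
    Hazard("hoist_occasional", 1e-5, 20, 5e5),     # ...but 100x less exposure
    Hazard("pressure_vessel", 1e-5, 200, 5e6),     # same expected loss as hoist_full_shift
    Hazard("frequent_minor", 5.5e-5, 2000, 1.1e3),
    Hazard("rare_serious", 4.95e-6, 2000, 9.9e4),
    Hazard("same_cell_low", 5.5e-6, 2000, 1.1e5),  # bottom corner of cell (4, 4)
    Hazard("same_cell_high", 4.5e-5, 2000, 9e5),   # top corner of cell (4, 4)
]
HAZARD_BY_NAME = {h.name: h for h in HAZARDS}


def rank_reversals(hazards):
    """Ordered pairs (a, b) where the matrix scores a above b although a's
    quantitative risk is lower. Ties in expected loss are not counted."""
    return [
        (a.name, b.name)
        for a in hazards
        for b in hazards
        if a.matrix_score > b.matrix_score
        and a.expected_annual_loss < b.expected_annual_loss
        and not math.isclose(a.expected_annual_loss, b.expected_annual_loss)
    ]


def same_risk_different_cells(hazards):
    """Pairs with numerically identical expected annual loss that the matrix
    places in different cells: equal risk is a curve f x c = const, not a point."""
    out = []
    for i, a in enumerate(hazards):
        for b in hazards[i + 1:]:
            if math.isclose(a.expected_annual_loss, b.expected_annual_loss) and a.cell != b.cell:
                out.append((a.name, b.name))
    return out


def same_cell_spread(hazards):
    """For each occupied cell, the ratio of the largest to the smallest expected
    annual loss among the hazards in it: how much real risk one cell conceals."""
    by_cell = {}
    for h in hazards:
        by_cell.setdefault(h.cell, []).append(h.expected_annual_loss)
    return {cell: max(v) / min(v) for cell, v in by_cell.items()}


if __name__ == "__main__":
    for h in HAZARDS:
        print(f"{h.name:18} cell={h.cell} score={h.matrix_score:2d} "
              f"frequency={h.frequency:.4g}/yr EAL={h.expected_annual_loss:,.0f}")
    print("rank reversals:", rank_reversals(HAZARDS))
    print("same risk, different cells:", same_risk_different_cells(HAZARDS))
    print("spread within cell (4, 4): %.0fx" % same_cell_spread(HAZARDS)[(4, 4)])
```

Run as a script it prints each hazard's cell, score and expected annual loss, then the two rank reversals, the pair of hazards with equal risk in different cells, and the spread inside cell (4, 4). The bands here are already logarithmic, so the distortion shown is the floor for any ordinal scheme; a word scale without numeric anchors does worse.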

I made these points in a recent conversation and another party to the conversation pointed out that the matrix was relied on as a cornerstone of health and safety programmes by tens of thousands of CEOs, who gained comfort from its presence and use in their organisations.  The (unexpressed) question arising from this observation was: if the inadequacy of the matrix were widely known and understood, what would fill the vacuum left by its removal?  This is indeed a valid question, and I reflected on how it draws attention to the (to me) widespread and arguably excessively simple (and misdirected) understanding of risk and its management that exists.

Having said that, I hasten to add that I do not believe that risk and its management need to be a very complex matter.  It is true that there is a necessary complexity due to the number of energy forms that need managing, but the process of risk management itself is in essence a simple one and we would do well to value that simplicity.  As a result I am less attracted to theories around ‘complex adaptive organisations’ and ‘high reliability organisations’ and more attracted to understanding the processes that give rise to risk and attending to the necessary risk control measures.  It is better to focus on practical reality than on some abstract idea of complexity.

I think it may reasonably be said that the safety programmes of typical organisations express themselves in these ways:

At senior manager level

  • Receiving and discussing reports of incidents and injuries
  • Setting ‘lag’ targets for lost time injury frequency rate, or of similar measures such as medical treatment rates etc. and monitoring performance to those targets
  • (Possibly) setting ‘lead’ targets for the numbers of safety committee meetings and toolbox meetings held, site inspections done and so on, as so-called ‘lead indicators’
  • Exhorting safe behaviour, showing leadership in safety attitude etc.

At the operating level

  • Risk assessments of tasks (this is mostly where the Risk Matrix is used) and use of stop-and-think tools (such as “Take 5”) before tasks are started
  • Writing safe work method statements
  • Conducting inspections of workplaces
  • Investigating accidents
  • Promoting safe behaviour
  • Induction training
  • Holding safety committee meetings

My interest for this article is the senior manager level actions, even though much could also be said about operating level activities.  What is relevant to the role of senior managers can be gleaned from various Chapters in the book, so it is useful to draw it all together here.

The Risk Management System

The best that can be hoped for in the confines of a single organisation is the implementation of a Risk Management System (RMS), the six essential features of which are described in Chapter 11:

  1. Explicit overall purpose to manage risk
  2. An inventory (register) of risks
  3. Periodic review of the adequacy of control measures identified in the inventory
  4. Conscious efforts to maintain risk control measures
  5. Review of inventory entries when things go wrong – learning from experience
  6. Ensuring the continuity of this approach over a time scale measured in decades (rather than the interval between CEO appointments).

The strategic view

There is much in favour of the senior manager group holding a strategic view of what is to be done, as without strategy tactics can be misdirected. The strategic view ensures that subsequent tactics are relevant to the needs of the organisation.

The first feature of the RMS in the list above expresses the need for an overall strategy: the ‘explicit overall purpose’ is a statement of the context of the strategy.  The Risk Management Standard (ISO 31000 series) draws attention to the need to establish the context of the risk management programme.

What types of risks are to be included?

  • Risks arising from damage threats require the energy forms to be listed and divided between operational and non-operational situations (see Chapters 5,11,12).
  • Risks arising from non-damage threats require non-energy threats to be listed and also divided between operational and non-operational situations.

As the text argues in various places, it is worth considering operational risks separately from general risks as the control measure tactics for each are quite different as is the expertise needed to understand them.  I have watched organisations fail to make this distinction at a strategic level and suffer the significant consequences – the ideas, methods and understanding used to manage general safety are quite different from those required to manage operational safety.

Strategic questions are:

a) What is the underlying need?

  • is the current operating expenditure on risk management appropriately directed?
  • what improvements in risk control measures are justifiable and what capital is required to implement them?

b) What is our capacity to improve: how much capital or operating expense increase can we afford to implement justifiable improvements and over what period of time?

Answering these two strategic questions goes a long way to stating the context in an operationally useful way.  Some people think of these strategic questions as describing the ‘risk appetite’ of the organisation – how much risk is the organisation happy to take? I know of no practical way in which this question could be answered meaningfully. For a start, how can risk be described or measured to allow an answer to be formulated?  Even if it could be, what is the relevance of this to the obligations expressed by common law?


Is the current operating expenditure on risk management appropriately directed?

One way of looking at this is through the Total Cost of Risk (TCOR), for an explanation of which see Chapter 11 and Figure 11.3.  In brief, the same TCOR could be experienced either as a small ‘cost’ for prevention and a large component of reactive expenditure or as a large cost for prevention and a small one for reactive expenditure.

A stitch in time saves nine.

There is no doubt which of these indicates an organisation behaving responsibly.  If TCOR is not estimated it is not possible for the organisation to have a strategic view of its risk management efforts.  I suspect, and have had a few chances to confirm, that many organisations’ TCOR is made up of about 80% reactive costs.

What improvements in risk control measures are justifiable and what capital is required to implement them?

Given that all risks are always under some form of control, the primary question is simply: is the standard of control good enough?  This can only be answered systematically if the organisation has a sensible risk register, by which I mean one that truly contains only risks and does not contain either lists of ‘causes’ or of failed control measures.  It is generally easy to see if the register is sensibly constituted by glancing at the total number of entries.  If these amount to hundreds (I have even seen thousands) you can be fairly sure the register is not sensibly constituted.  As a general rule, there should be one entry for each type of energy or non-energy threat, multiplied by the number of different situations in which each energy or non-energy threat is to be found or the number of different levels of threat that exist.  For example, in a hydroelectric power station pressure energy exists in vehicle tyres, in bottled workshop gases and in control hydraulics, with each being both a totally different situation (technology) and a different level of pressure.  Hence three entries are justified.

How do you know if the standard of control is good enough?  By asking who is going to judge you if it fails.  Any responsible organisation aspires to satisfy all Regulations.  You could call this a “Must Do”.  Then there are Codes of Practice, Standards and common industry practice, which you could call “Should Do”.  Then there are the things that can be done beyond this, which I call “Could Do”.  It is a mistake to assume that Regulations (and Codes and Standards) contain all that needs to be done.  I recently looked at the Regulations (and Codes etc.) around dust explosions in a jurisdiction.  When I compared them with a structured analysis of possibilities I would say the Regulations etc. covered some 30% of them.  The other 70% were not pie in the sky or blue sky thinking either – any engineer would have accepted them as sensible approaches to the control of all aspects of this risk.  It is hard to imagine a successful defence of your control measures if you have failed to implement Must and Should Do items.  It is only in the Could Do area that it is feasible to evaluate them on the basis of cost and benefit. In other words, only here is there a point in actually considering the size of risk and the effectiveness of the risk control improvements being considered.  Are you wasting money?

When there is a reasonably comprehensive understanding of how much operating expense or capital is needed to reach the Must Do level (maybe call this Level 1) and then the Should Do level (Level 2) and then the various possibilities in Could Do (Level 3), then the organisation can respond with a strategic decision about where improvements will be made and at what rate.

The tactical view

  2. An inventory (register) of risks
  3. Periodic review of the adequacy of control measures identified in the inventory
  4. Conscious efforts to maintain risk control measures
  5. Review of inventory entries when things go wrong – learning from experience
  6. Ensuring the continuity of this approach over a time scale measured in decades (rather than the interval between CEO appointments).

Features 2 to 6 in the list above are the risk management tactics for the organisation and they are directed at knowing what the risks are and ensuring that suitable control measures are implemented over each one of them and continuously over time.


Senior managers are wise not to rely on ensuring that low level risk assessments are carried out, for example using the risk matrix, Take 5 etc.  Doing so does little to satisfy their obligations.  The real strategic role of managers is not hard to identify or implement, as this simple summary makes clear.