Populating the rows of the register with meaningful entries
There is a post under Chapter 4 titled “Describing Risks”. This explains an approach to the task of identifying and describing an entry in a Risk Register that is based on the theory expounded in the text, namely that adverse Consequences are experienced by Assets of value to us and as a result of a process capable of being objectively described. Scientifically, processes are of two types, one derived from energy (and resulting in damage, injury/ill health, from which consequential monetary losses arise) and one not being derived from energy (and resulting in physical or monetary loss directly). Examples are respectively an explosion and failure of a major supplier.
This scientific (as in being based on physical reality and capable of being defined objectively) understanding of Risk is, however, very uncommon. It will not be found in the common literature (for example: the journal Safety Science, the web site of the Society for Risk Analysis, the International Standards Organisation or legislation). Very commonly the term risk is used as a synonym of probability or chance.
An example I saw in one Risk Register stays in my mind: “the design manual might be wrong“, it read. I am sure that is so, but it is not a Risk. It was no accident then that this register contained about 1500 entries, which number was increasing over time as people assiduously searched for such chances. The register was so large that a person was employed to manage it. In another organisation (also burdened with of the order of 1000 entries), the Risk Management Department had set a standard for the review of all Risk Register entries of once every two years. This standard was impossible to achieve in that organisation also because of the huge number of register entries.
It is easy to understand that, as there are typically of the order of ten significant forms of energy in everyday industrial life, there are also of the order of ten underlying Risk processes, added to typically by nuances arising from the conditions and circumstances within which the energy forms exist in the industry. These nuances arise for two main reasons, there may be others:
- The energy inventory (how much of it) and the technologies associated with managing it. (eg. electricity at 240V compared with that at distribution Voltages)
- The environment surrounding the energy (eg. in densely populated areas compared with unpopulated desert)
A workshop was held in one of the organisations mentioned above to describe all energy-based risks using these ideas. The result was a register that had about 40 entries. It was immediately clear to all that it was more meaningful and more manageable. Had any essential detail been lost in coming down from, say, 1000+ risks to 40? Not at all. The detail in the 1000s that was of any meaning had been given a place in which to understand its relevance to the 40 real Risks that arose.
Populating the columns of the register
There is a commonly held and very simple, but erroneous, idea that the size of a risk can be indicated by the combination of probability and severity/significance/impact. The resulting expression of this in the or a Risk Matrix has become extremely popular. The idea has “gone viral”. However, extracting from the Risk Matrix a probability number (or letter) and a severity number (or letter) and entering them into columns in the Risk Register is not meaningful for two reasons.
One is that the Risk Matrix is not capable of being used repeatably or objectively. Those who use it and academics who have analysed it are both aware of these deficiencies. The second is that it is not helpful as in no case in which a moral obligation exists (it is hard to find a Risk for which this is not the case) is a court interested in how big you thought the Risk was. It is, however, interested in whether the Risk was being controlled to an adequate standard. This standard is judged on a moral basis.
The larger the Likely Worst Consequence (LWC) arising from the Risk the greater the moral obligation and hence effort required to control it. A Risk Register column headed LWC does have much value for this reason. The bigger the LWC the more the register entry demands your attention. Deciding on the LWC for a Risk is a very good way of focussing the attention of the responsible managers. Furthermore, the larger the LWC the more managers at higher levels in the organisation need to be involved. It is not just a problem for the manager where the Risk actually exists. Just think, who goes to jail, or resigns when very serious things happen? Rarely the lower level manager.
The only time it is helpful to understand the size of the Risk is when a serious effort is needed to decide if the costs of proposed changes to reduce a Risk are actually a sensible use of funds. In this case it really is necessary to involve a capable specialist. This could be an appropriately educated employee (there is much benefit in this) or an external specialist. In this case, the ‘size of the Risk’ does not mean a point chosen on a Risk Matrix. It means estimating a Risk Diagram – a graph of estimated Frequency of occurrence (not probability) against Consequence Value using real number scales. It is possible to then determine payback periods for capital required for the proposed changes. Due to moral considerations, however, this does not mean simply complying with normal, non-Risk, investment decision rules.