Principles of Risk

Principles of Risk - Introduction


DESCRIPTION

What is Risk, What is Uncertainty, nature of risk, Risk Spectrum, Risk Categories, Risk Cycle, Risk Assessment Matrix, Risk Ranking, Risk and opportunity, Risk Adverseness, Principles of UK Risk, 4 Ts of Risk, Gross and Residual risks


Page 1: Principles of Risk - Introduction

Principles of Risk

Page 2: Principles of Risk - Introduction

Risk means being exposed to the possibility of a bad outcome

Risk Management means taking deliberate action to shift the odds in your favour – increasing the odds of good outcomes and reducing the odds of bad outcomes

Borge D (2001) The Book of Risk

What is Risk?

What is ‘Risk’?

• The exposure to mischance

What is the difference between a Risk and an Issue?

• A Risk is an Issue that hasn’t happened yet OR

• An Issue is a Risk that has happened

What is an Assumption?

• An unknown, therefore, a Risk

Source: HBOS internal training c. 2005

Page 3: Principles of Risk - Introduction

What is Uncertainty?

If you don’t know for sure what will happen, but you know the odds, that’s risk

If you don’t even know the odds, that’s uncertainty

Knight (1921) quoted in Adams (1995)

Page 4: Principles of Risk - Introduction

Nature of risk

• Speculative (dynamic) – a risk that (potentially) has profit and loss associated with it

• Hazard (static) – a risk that only has loss associated with it

Alberts & Dorofee (2006)

Page 5: Principles of Risk - Introduction

Key Definitions

• Hazard – a situation that could lead to harm

• Risk – a combination of the probability and consequences of the occurrence

• Risk assessment – risk estimation (outcome or consequences) and evaluation (significance for those affected)

• Risk management – implementing decisions about accepting or altering risk

DOE (1995) A guide to risk assessment and risk management for environmental protection

Page 6: Principles of Risk - Introduction

Defining Risk/Uncertainty

Risk - where we know the odds (probability or likelihood); Uncertainty - where we don’t know the odds but may know the main parameters; Ignorance - where we ‘don’t know what we don’t know’; and Indeterminacy - where causal chains or networks are open (spans uncertainty and ignorance).

From various papers – Brian Wynne c. 1990’s

Page 7: Principles of Risk - Introduction

Risk Spectrum – ‘Incertitude’

O’Riordan, T, and Cox, P. 2001. Science, Risk, Uncertainty and Precaution. Senior Executive’s Seminar – HRH The Prince of Wales’s Business and the Environment Programme. University of Cambridge.

Page 8: Principles of Risk - Introduction

Risk Spectrum – ‘Incertitude’

‘Uncertainty’ applies where there is no firm basis for probabilities, but some reasonably clear idea as to outcomes. ‘Ambiguity’ applies where the outcomes are not clear. ‘Ignorance’ exists where there is no history of cause and effect that can be used to predict outcomes.

‘Thus science (by its own rules) cannot predict either likelihood or outcome. Examples of ignorance defined in this way occur when there is innovative technology, or a new product or substance.’ [from ERMA (2002) Approach to Risk: Positional Paper p.8]

Page 9: Principles of Risk - Introduction

Risk: Some Further Definitions

RISK - uncertainty of outcome, whether positive opportunity or negative threat, of action and events. It is the combination of likelihood and impact.

INHERENT RISK (or Gross Risk) - the exposure arising from a specific risk before any action has been taken to manage it

RESIDUAL RISK (or Net Risk) - the exposure arising from a specific risk after action has been taken to manage it and making the assumption that the action is effective

Housing Corporation (2004) Risk Management Strategy

Page 10: Principles of Risk - Introduction

Example Risk Categories

External – arising from the external environment, not wholly within the organisation’s control, but where action can be taken to mitigate the risk.

Operational – relating to the successful execution of existing operations – both current delivery and building and maintaining capacity and capability.

Change - risk created by decisions to pursue new endeavours beyond current capability

HC (2004) Risk management strategy

Page 11: Principles of Risk - Introduction

The Risk Cycle

(HM Treasury, Management of Risk – A Strategic Overview)

Page 12: Principles of Risk - Introduction

Emergency Preparedness: 6 Stage Cycle

• Contextualisation

• Hazard review and allocation for assessment

• Risk analysis

• Risk evaluation

• Risk treatment

• Monitoring & review

Page 13: Principles of Risk - Introduction

Simple risk assessment matrix

Axes: Probability (Low, High) across; Impact (High, Low) down.

• High impact, low probability – Contingency: These risks have high impact but the probability of them happening is low. They are catastrophic events.

• High impact, high probability – Primary: These risks have both high impact and high likelihood of happening: these require prime attention.

• Low impact, low probability – Negligible

• Low impact, high probability – Housekeeping: These risks have a high likelihood of happening, but do not have a high impact; they require routine but directed management.

Page 14: Principles of Risk - Introduction

Simple Ranking Risk Matrix

Rows: Impact (5 to 1). Columns: Probability (1 to 5).

Impact 5 | 5 10 15 20 25

Impact 4 | 4 8 12 16 20

Impact 3 | 3 6 9 12 15

Impact 2 | 1 4 6 8 10

Impact 1 | 1 2 3 4 5

Probability | 1 2 3 4 5

Page 15: Principles of Risk - Introduction

Risk & Opportunity

Page 16: Principles of Risk - Introduction

Generalised Impact or Consequences Descriptors

High

• Financial impact on the organisation is likely to exceed £x

• Significant impact on the organisation’s strategy or operational activities

• Significant stakeholder concern

Medium

• Financial impact on the organisation is likely to be between £x and £y

• Moderate impact on the organisation’s strategy or operational activities

• Moderate stakeholder concern

Low

• Financial impact on the organisation is likely to be less than £y

• Low impact on the organisation’s strategy or operational activities

• Low stakeholder concern

from Risk Management Standard

Page 17: Principles of Risk - Introduction

Generalised Threat Occurrence Descriptors

Columns: Estimation, Description, Indicators

High (Probable)

• Description: Likely to occur each year or more than 25% chance of occurrence

• Indicators: Potential of it occurring several times within the time period (e.g. 10 years). Has occurred recently.

Medium (Possible)

• Description: Likely to occur in a 10 year time period or less than 25% chance of occurrence

• Indicators: Could occur more than once within the time period (e.g. 10 years). Could be difficult to control due to some external influences. Is there a history of occurrence?

Low (Remote)

• Description: Not likely to occur in a 10 year period or less than 2% chance of occurrence

• Indicators: Has not occurred. Unlikely to occur.

Page 18: Principles of Risk - Introduction

Generalised Opportunity Probability Descriptors

Columns: Estimation, Description, Indicators

High (Probable)

• Description: Favourable outcome which can be relied on with reasonable certainty, to be achieved in the short term based on current management practices

• Indicators: Clear opportunity which can be relied on with reasonable certainty, to be achieved in the short term based on current management practices

Medium (Possible)

• Description: Reasonable prospects of favourable results in one year of 25% to 75% chance of occurrence.

• Indicators: Opportunities which may be achievable but which require careful management. Opportunities which may arise over and above the plan.

Low (Remote)

• Description: Some chance of favourable outcome in the medium term or less than 25% chance of occurrence

• Indicators: Possible opportunity which has yet to be fully investigated by management. Opportunity for which the likelihood of success is low on the basis of management resources being currently applied.

Page 19: Principles of Risk - Introduction

Example Impact Scalar – Warwick University [Health & Safety]

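Columns: Consequence, Personal Damage, Damage Cost, Process Interruption, Environmental

• Major – Personal damage: Extensive injury or death; Damage cost: >£250K; Process interruption: > 6 weeks; Environmental: National impact

• Severe – Personal damage: Hospitalisation; Damage cost: £100K – 250K; Process interruption: 1 week – 6 weeks; Environmental: Regional impact

• Minor – Personal damage: Medical treatment; Damage cost: £25K – 100K; Process interruption: 1 day – 1 week; Environmental: Off site impact

• Low – Personal damage: First aid treatment; Damage cost: £2K – 25K; Process interruption: 1 hour – 1 day; Environmental: On site impact

• V. Low – Personal damage: No treatment; Damage cost: <£2K; Process interruption: <1 hour; Environmental: Potential impact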

Page 20: Principles of Risk - Introduction

Example Impact Scalar – South Central NHS [UK] (Part A)

Columns: Level/Score, Descriptor, Description

1 – Negligible

• Negligible, if any, disruption to any function of the SHA business

• Very low financial impact (>£10k)

• No threat to stakeholders

• Clinical impact – no impact on patients

• Public confidence & SHA reputation not affected

2 – Minor

• Minor disruption but function of SHA still maintained

• Low financial impact (>£100k)

• Some minor threat to stakeholders

• Clinical impact – minor reduction in quality of care and temporary effect on health status of patient

• Minor public confidence & SHA reputation issue

Page 21: Principles of Risk - Introduction

Example Impact Scalar – South Central NHS [UK] (Part B)

Columns: Level/Score, Descriptor, Description

3 – Major

• Major disruption to organisation and major threat to stakeholders

• Severe financial loss (>£1m) and loss of confidence in the organisation

• Reputation damaged

• Clinical impact – serious reduction in quality of care with permanent effect on health status of one or more patients

• Some breach of legislative and/or statutory regulation

• Exposure to risk of litigation

4 – Disaster

• Organisational collapse, fatality, financial disaster, public confidence in the organisation lost

• Financial impact >£10m

• Reputation loss

• Clinical impact – serious reduction in quality of care leading to avoidable deaths of one or more patients

• Loss of assets

• Litigation faced

Page 22: Principles of Risk - Introduction

Documenting Risk Assessment

HM Treasury (2004) The Orange Book: Management of risk - principles and concepts

Page 23: Principles of Risk - Introduction

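Risk Management and Risk Appetite

Rows: Impact (5 to 1). Columns: Probability (1 to 5).

Impact 5 | 5 10 15 20 25

Impact 4 | 4 8 12 16 20

Impact 3 | 3 6 9 12 15

Impact 2 | 1 4 6 8 10

Impact 1 | 1 2 3 4 5

Probability | 1 2 3 4 5

Labels on the matrix: Risk appetite; Accept; Action?; Issue; Action now; Treat or transfer risk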

Page 24: Principles of Risk - Introduction

Risk Adverseness

ERMA (2002) Approach to Risk: Positional Paper

Page 25: Principles of Risk - Introduction

Principles of UK Risk: Statute & Policy

• ALARA – as low as reasonably achievable

• ALARP – as low as reasonably practicable

• BATNEEC – best available technique not entailing excessive cost

• BPEO – best practicable environmental option

• BPM – best practicable means

Page 26: Principles of Risk - Introduction

Unacceptable region

• Risk justified only in exceptional circumstances

Tolerability region – where action is based on risk ‘as low as is reasonably practicable’ (ALARP)

• Tolerable only if risk reduction is impracticable or excessively costly

• Tolerable if cost of reduction would exceed the improvement gained

Broadly acceptable region (no need for detailed work to show ALARP)

• Necessary to maintain assurance that risk remains at this level

Hester & Harrison (Eds) (1998)

Page 27: Principles of Risk - Introduction

Recent high-consequence UK risks

Chart plotting Impact against Likelihood for the following risks:

• Major transport accidents

• Major industrial accidents

• Attacks on critical infrastructure

• Coastal flooding

• Inland flooding

• Pandemic influenza

• Non-conventional attacks

• Attacks on crowded places

• Attacks on transport

• Electronic attacks

• Severe weather

• Animal diseases

Page 28: Principles of Risk - Introduction

A Richter scale for risk?

Scientists are good at putting a number on anything, but so far they have failed to find a simple measure for the risks of normal life. Is living in Cornwall, where radon levels are high, more dangerous than eating British beef? How do both of these compare with the risks of smoking cigarettes or driving a car?

We need a number to express these risks. Coming up with a Richter scale for risk isn’t easy. It must provide a comparison between the risks of purely voluntary activities (smoking, rock climbing) and those that are voluntary but unavoidable (travel, eating different foods, coalmining) while also incorporating risks imposed by society (living near a nuclear power station), or passive smoking and acts of God such as floods or lightning strikes.

The Times 9 December 1996, page 14

Page 29: Principles of Risk - Introduction

Examples for working on

Page 30: Principles of Risk - Introduction

A simple issue: my purchasing risks

Cost £29.99 – 3 yr warranty = £9.99

Cost £84.95 – 3 yr warranty = £39.99

I’m buying a new microwave and wondering about whether to take an extended warranty. How do I view the options available ……?

Page 31: Principles of Risk - Introduction

Managing Risk: the 4 T’s

1. Identify risk

2. Apply 4 T’s: tolerate; treat; transfer; terminate

3. Incorporate risk monitoring into assurance reporting.

Page 32: Principles of Risk - Introduction

My travel risks

I’m travelling to a training event some 200 km away:

what are my risks? how do I manage these risks?

Page 33: Principles of Risk - Introduction

Gross vs Residual Risk

Gross risk = inherent risk

Net risk = residual risk

Chart plotting Impact against Probability, with points labelled Gross risk and Net risk.