Worth fighting about: risk identification

23 February 2022 23:53

By Harry Rosenthal

What is the most important step in the risk management process?

Some professionals, including my friend Dr David Hillson, the Risk Doctor, contend the most important step is the Risk Treatment step (Controls/Mitigation). They support this view by pointing out it is only in this step where you “actually do something to manage risk”. I (secretly) strongly agree with Dr Hillson, as it is perhaps the first step where positive actions are taken to address risk; everything before that step is just talk. To strengthen their argument even further, I must point out that the second word in risk management is actually “management”, which implies actually doing something. However, I would personally argue that the most important step would be Risk Identification and buttress this paper-thin position by pointing out that any risk not identified will not be subjected to the rest of the risk management process and, therefore, will not be managed. To a risk professional, off the radar means untreated and worse yet—failed to even be imagined! For example, it is one class of professional error to properly identify a risk, then completely misclassify it, or to get the analysis completely wrong, or to suggest poor or ineffective risk controls. These steps involve judgment, which can be sharp or weak. It is still another class of professional error when you completely miss a significant risk altogether or fail to even imagine it exists. That’s a much higher class of professional blunder.

Note that the outcomes can be remarkably different; the management part of risk management does not always prevail. Unlike in the movies, the good guys don’t always win. I recall working on a risk register for a large, complex initiative with a lot of moving parts. During the planning stage, we developed a pretty good register, and even assigned ownership to the most suitable managers. At many of the regular project reviews, we re-examined the register, noted changes in the nature of the risks identified and asked ourselves whether there were additional risks we should note. Textbook stuff. Regardless of textbook risk management, the project was a spectacular failure, with the perpetual legacy of being an expensive dud for the institution. On one hand, as the risk guy, I was pleased to see that all the reasons for failure were correctly expressed, in colourful spreadsheets, during the initial and subsequent reviews. None of the drivers of failure were missed, and the colourful spreadsheets remained popular right up to the decision to cut our losses. In spite of identifying the likely possible causes of failing to meet objectives, and monitoring them, the project failed. They had been revealed in the risk identification step, but how they were mitigated by the responsible managers was another matter.

In some ways, this example supports Dr Hillson’s view about the most important step. The failure of the project was rooted in how the risks were managed. He would be correct; however, I stubbornly contend that risk identification is the most important part of the process, regardless of how the risks were managed after they were identified. As risk professionals, our authority ends at a certain point in either the project we are examining or in the strategic direction of the organisation. As risk managers, we can advise on risk control steps, but rarely do we have either the budget or authority to actually or correctly implement them. Using a few seafaring metaphors, we are the entity’s navigators. We chart the rocks and shallows which are in the path of the ship, as it travels to its intended destination. After drawing the charts, we can even cry out, on occasion when it appears the ship is heading toward our charted rocks, or if we discover new rocks in the distance. But even the loudest cries can be lost when the winds are howling and the captain’s risk appetite has increased since their last meal, and they are determined to plough through the rocks, ignoring the charts. Even the colourful ones.

While we cannot directly control the actions (read: skills and egos) of management, a key service we offer is at least to provide accurate maps of the surrounding waters. These charts are created through skilful risk identification, a part of the risk management process over which we have direct control. This is why I feel it is the most important part of the process. Perhaps I should have qualified that statement by saying, for the risk professional, it is the most important step in the risk management process, as it is a step 100% owned by the risk professional. After this step, we are increasingly relying on others in the organisation to make management decisions which affect the risk profile and eventual outcome of the risk management process. We rely heavily on others to assist in the risk analysis step, and we rely on management to actually fund, implement and manage the risk control steps. Admittedly, we do have some responsibility for the risk monitoring step, and risk communication is mostly our responsibility. As my project experience taught me, successful risk management is not only the responsibility of the risk professional; it is partially owned by the entire ship’s crew.

If risk identification is such an important step, why isn’t there more written about it? I suspect this is because we often take that step for granted. It seems easy. Often, we just conduct a repeat of previous work, and usually employ tools which are repetitive in nature such as checklists, questionnaires, interview questions and focus group procedures. These tools rarely change over time, and therefore inject a bit of boredom into the risk management process. Secondly, risk identification requires creative thinking which not everyone is comfortable with. Business executives like to solve problems; it is a professional skill they’ve developed over their careers. Their jobs may be seen as a series of problem-solving exercises, where they are recognised for their solutions, not for their skills in problem identification. Risk identification is not problem solving; it is problem forecasting. Skilled managers love to jump to the solutions. If you have ever worked a crisis or disaster scenario, you see this clearly. Management is highly focused on problem solving and tends to do it well. The role of the risk advisor in a crisis or disaster is to present a train of problems to them, in a rational and systematic way so that they can all be addressed and solved, while trying to prevent more problems from occurring as a result of the earlier solutions.

Risk identification is a core skill of our discipline and it is important because it involves insight, creativity and imagination which many operational and executive managers do not utilise to a great extent, until after the risks manifest. We have the luxury of asking “what if” questions, while most in the organisation face day-to-day issues. We have the luxury of delving into the corporate culture to understand possible barriers to success and the luxury of separating significant risks out of the large pool of possible risks and issues for closer examination. That’s our jam.

Doing this well is important. Elements which might prevent us from doing this well, I have listed above. In summary, they are the blunt tools we use, often the same ones over and over (i.e., the same survey documents, the same old risk registers, the same old risk engineering reports, etc). It has become too mechanical, and not designed to allow our creative juices to flow. For some consultants, you can see this clearly, as they tend to use the same interview questions, survey documents and templates for all their clients. It is a characteristic of using outside consultants. Time is money. But it need not be the way of the world. I have identified below some of the skills I suggest risk professionals consider developing to achieve a better result in the risk identification process. So, before you dust off your standard templates, survey tools and generic interview questions, you might want to first consider the following.

Risk ID Skill #1: Are you fluent in the organisation’s losses?

I call this Risk Fluency. The risk professional should ask themselves, “Am I able to speak knowledgeably about the entity’s losses, or other cases where risk has manifested?” This fluency in past loss events is extremely valuable in risk identification discussions. People often have a selective memory about the past, especially in cases where they might have looked bad as a result. Knowing the data, not necessarily all the details, can facilitate the risk communication aspects of the ID process, but also provide insight into their risk culture. Types of losses to develop fluency in can and should include: workplace injuries, product quality failures, transportation accidents/incidents, unplanned shutdowns, litigation, security violations, property damage, audit reports, regulator prosecutions, etc. In many cases, the risk professional may not have access to all classes of loss, but each area which is silent reduces the practitioner’s risk fluency. Collect as much data as possible.

What does this say about risk culture? We can speculate on topics such as whether losses (in any or all classes) are increasing or decreasing. Do any of these losses impact significant goals and objectives? While most of these losses probably won’t impact corporate objectives in themselves, they do provide insight into the culture, just as worksite housekeeping provides insight into attitudes about safety. It is indicative and gives perspective on how risk is regarded over time.

Risk ID Skill #2: Can you start with the end?

While Mary Poppins sang that in any project, it is best to start at the beginning, she was never a risk manager. When starting a risk identification exercise, it is often wise to start with the end. That is, to have a clear image of what the end of the process will produce. For example:

  • What insight do you wish to share as a result of this step (information you want to pass along to others)?
  • What is the physical format of the report or the risk register (acceptable report size, number of risks to be identified, etc)?
  • What information do you need to collect during the ID process for the next step in the process, risk analysis (often the people suggesting a significant risk will not be present for its analysis, therefore, what will those conducting the analysis need to know)?
  • What types of stakeholder communication will be required, and what will be the timing and formats for the communication (what will the timing be like for the surveys, checklists, interviews, feedback, etc)?

Often, we simply drag out the old templates when we consider the final reporting of the risk identification process. Planning the final report at the beginning will focus your thoughts and ensure those who participate in the risk ID process are able to make a significant contribution.

Risk ID Skill #3: Can you do your homework?

I know that in a COVID world, the term “homework” has lost its original meaning. For many of us, all work is now home-work since the pandemic hit. What I mean is, have you learned about the entity’s risks while sitting alone in your office/home/cubicle? From my experience, most risk identification processes rely far too heavily on information which comes from the staff of the organisation itself. As mentioned, memories can be selective and very few people in an organisation have a high enough helicopter view to put all of the data pieces together. For example, Finance staff know about the financial risks, Operations staff know the operational risks, etc, but their focus, properly, is on their own business units, not always on the bigger picture. This is less the case in project risk, as the risk universe is somewhat smaller and limited in time to the duration of the project. In enterprise risk reviews, however, getting staff to look beyond their own areas of responsibility can be a challenge, especially if it reflects poorly on them or another internal business unit.

Sometimes, the risk professional can develop an understanding of the entity sitting alone, with their computer. There is usually a great deal of information in the public domain which can help you to form a view about risk culture and risk appetite. Typical sources include:

  • annual reports (which may contain information about desired direction and future expectations)
  • strategic plans (especially older versions, where you can learn whether the entity regularly achieves its strategic goals and objectives, or whether they fail due to risks manifesting)
  • financial and other regulatory reports (to those who can read them, which should include you, they provide a great deal of insight, especially when viewed over several years)
  • search of newspaper or other media for mention of the organisation (both good and bad)
  • searches in social media which mention the entity, especially comments from former staff and past customers
  • reports from share company analysts (there is insight to be gained in examining the views of analysts who follow particular entities)
  • the websites of relevant regulators or other governmental authorities
  • the websites of the entity’s industry or of their industry competitors. Such websites can highlight issues which are relevant to the sector and may loom significant in the entity’s external environment. You may not have access to the entity’s internal strengths, weaknesses, opportunities, and threats (SWOT) analysis or other internal reports of the strategic environment, so try to create your own SWOT analysis, based on the sources listed above

Harry Rosenthal
Former General Editor
Risk Management Today

Harry Rosenthal is a regular contributor and past General Editor of Risk Management Today. Harry is a retired Insurance and Risk Management General Manager with a demonstrated history of working in the higher education and risk financing industry. He is a course coordinator and facilitator in the MBAX program’s Enterprise Risk Management subject at the Australian Graduate School of Management (AGSM), is active in marine citizen science projects, contributes to projects for the Australian and New Zealand Institute of Insurance and Finance (ANZIIF) and publishes articles on risk management and higher education related topics.
