‘I have never yet seen a risk register that was fit for purpose’ is a sentiment with which I have a lot of sympathy, but confidentiality forbids me from attributing its source. Many organisations will be re-examining their risk registers in the light of the covid-19 impact. Why did this risk continue to languish for so long in the low probability category given what we knew of virus capability from SARS and MERS? Surely it should have been uprated to at least a medium probability years ago?
The value of a risk register is that it plots event probability (high, medium & low likelihood) against corresponding damage severity (high, medium & low impact). This typically ends up in a nine-box matrix, colour coded for simplicity and boardroom understanding: red for high/high and green for low/low. It is the yellow or orange boxes that receive insufficient attention.
In theory the register or matrix offers an early warning system and contingency plan for a variety of scenarios. Why is it then that every major crisis in the past 20 years didn’t feature on the risk register and wasn’t foreseen or envisaged? Is this a fault of the risk classification process or a failure of imagination? The answer is not straightforward but it is arguable that most registers are not fit for purpose. There are at least seven good reasons for this:
- Subjectivity – Both likelihood and impact are judgemental metrics; despite being presented as immutable facts each is the product of opinion.
- Probability – This is a useful indicator for high-frequency events but an unreliable one for low-frequency events like floods, earthquakes and pandemics.
- Impact – This is a useful indicator for linear cause & effect sequences, but unreliable for complex outcomes with long-term consequences or deferred damage.
- Homogeneity – The process treats risks as single-entity outcomes, yet most are inter-related or compound risks, so the box system over-simplifies the picture.
- Snapshot – The matrix, derived from insurance, is useful for costing risk. It plots urgent against important risks but doesn’t help in managing them.
- Dynamism – It is a static picture that ignores emerging or declining risks. It shows none of the influencing factors of risk dynamics which increase or decrease a threat.
- Attention – The hierarchy means red risks get time for debate, but the yellow and orange ones suffer from limited agenda time at board level.
One solution that works is to replace likelihood and impact with different determinants, offering risk managers a model to demonstrate progress in reducing risk. These are Control and Prediction, where the scale is determined not by high, medium and low, but by hard, moderate and easy estimates. The hard/hard box is red and the easy/easy box is green, but the model changes the way an organisation sees risk. It encourages an organisation to improve its ability to predict and control risk, with satisfying results.