CHAPTER 2

How Do You Do It?

We now come to the heart of the matter. We look at how we go about managing risks.

I have tried to avoid being too prescriptive, as it is important to find an approach that you are comfortable with, and therefore actually use, rather than struggle to do it the allegedly correct way and give up. Risk management is there to serve businesses, not vice versa.

What Is Embedded Risk Management and How Do You Do It?

Internal or External?

You may have heard that risk management should be embedded in an organization. This means that it should become part of the culture, the way everything is done, and not just an add-on. If that is true, you may wonder how there can be any point in using the services of external risk management consultants. I believe they can contribute something valuable to any organization, but that can never be a substitute for the involvement and commitment of the organization’s own management at all levels. Consultants achieve most when they can work with management. They find it very frustrating when managers try to push all their responsibilities onto them. Their reports end up on shelves, scarcely read, let alone implemented.

Ownership

It is essential that, in addition to top management, whoever is responsible for managing any part of the business, or a particular activity, accepts responsibility for managing the risks involved. That is called owning the risk. It is the opposite of passing the buck.

People, Procedures, and Training

People at all levels need to understand their roles in managing risks and be actively involved in the process.

Risk management should be built into all the procedures of the organization, and these need to be communicated if they are to be followed. Risk management should be part of everyone’s training, both at induction and ongoing.

Sometimes, someone, such as a potential client, backer or partner, may require a statement of your risk management policy. These vary considerably. Some are so vague and general as to be meaningless. Others go into so much detail about everyone’s responsibilities and all the company’s procedures as to make reading them a major task. They quickly become out of date. I would advise producing something in the middle, which sets out how risks are managed and by whom. Aim at being informative and readable.

Lines of Defense

Risk management professionals recommend that businesses have three lines of defense against their risks. These are:

  1. The individual manager.
  2. Risk managers, inspectors, health and safety officers, and similar advisors within the business.
  3. Independent persons such as auditors and nonexecutive directors.

What if you cannot achieve this? What if you are the only line of defense in your business? Then it is all the more important that this one line is robust. You need to be sure you are managing your risks actively. Perhaps you cannot afford a full-time risk manager, but what about using the services of an external one, at least once a year, just to give you an independent view? Or, how about getting someone in your business trained in risk management?

What Is a Risk Assessment and How Do You Do It?

A risk assessment is your assessment of the nature and significance of a particular risk and the measures you have chosen to control it. It should show the process by which you came to your decision. Here is how to go about it.

  1. Identify the risk. Do not try to solve all the problems in the world at once.
  2. Describe the activity and the risks involved.
  3. Identify the existing controls. Let us assume there are at least some. Say how they are supposed to work.
  4. Analyze the probability and severity. See the next chapter for more on this.
  5. Identify possible new controls: preferably some to reduce the probability and some to reduce the severity.
  6. Give new values as if the new controls have been introduced.
  7. Get rid of any redundant controls. You may decide you do not need a belt if you now have suspenders. Or, perhaps you do?
  8. Consider the acceptability of the risk and of the actual and potential controls in the light of the costs and benefits of each.
  9. Consider ways of eliminating the risk. This may seem like a nonstarter, but if the risk is unacceptable or if the control measures are too expensive, you might have to abandon the activity. This could mean ceasing to produce a certain product or not going ahead with a proposed project.
  10. Make a decision. Do not go around in circles forever.
  11. Implement it. Make it happen.
  12. Monitor the effects. Make sure it works in practice the way you had intended. Do not be afraid to go back to the start if it is obviously not working.
  13. Set a date to review it. Even if it does work well. In a changing world, what works now might not work next year.

How to Assess Probability and Severity

Probability

This is the likelihood of a thing happening. It can be expressed in various ways:

  • A decimal, where 1 means it is inevitable, and 0 means it is impossible. Purists argue that nothing is conceptually inevitable and nothing is impossible. Not many purists are in business, but you could humor them by giving everything a value between 0.1 and 0.9.
  • A percentage. The maximum should be 100 percent or 99 percent for purists.
  • On an ascending scale of whole numbers. It is usual to choose an odd number of steps so that medium risks can sit in the middle. Whether 1 to 3 or 1 to 9 depends on how exact you want to be. Remember this is never an exact science.

Where relevant statistics are available, probability can be expressed as a frequency, referring to the average number of accidents annually. Where possible, it is worth comparing any statistics you compile in your business with national ones. Where no information is available, taking a guess at likely or unlikely is better than nothing.

Severity

  • This means how much it would affect your business if it happened. As most things have a price tag, severity can usually be expressed in terms of cost.
  • One way to assess it is to relate it to time: the number of days, weeks, or years it takes to earn that much money, in either revenues or profits. If you are making a loss, use revenues.
  • Alternatively, severity can be expressed on a scale of whole numbers, like probability. It is advisable to use the same scale for both, to avoid unduly weighting either.
  • It is important to include indirect costs, such as loss of ­production, additional expenses, or recruitment costs.
  • Some losses are intangible and come without any obvious price tag: loss of reputation, for example, or an adverse political reaction. These can sometimes be estimated in terms of lost sales or a higher cost of borrowing, but you can always take a stab at it using a scale of low, medium, or high. It is unwise to ignore intangibles.

Risk Analysis: How to Estimate the Value of a Risk

  1. Give each risk a value for its probability and another for its potential severity.
  2. Multiply the two figures together to give the total value for the risk.
  3. Put it into a table like this one according to its value, with severity shown vertically and probability shown horizontally.
    • We can see that a risk with a high probability but low severity may have the same total value as one with a low probability but a high severity.
    • Without doing an exercise like this, we tend to overvalue either the more probable ones or the more severe ones.
    • This exercise helps us see whether the cost of controls is justified. You might find you are already spending time or money on controls that are not worth it.
    • You should deal with the risks near the top right first. You should try to reduce their severity or their probability if not both.
    • The ones near the bottom left you may choose to leave alone or look for cheap and easy controls only.

Table 2.1 Risk analysis

                        Low probability    Medium probability    High probability
                        × 1                × 2                   × 3
  High severity × 3     3 × 1 = 3          3 × 2 = 6             3 × 3 = 9
  Medium severity × 2   2 × 1 = 2          2 × 2 = 4             2 × 3 = 6
  Low severity × 1      1 × 1 = 1          1 × 2 = 2             1 × 3 = 3


Link to Insurance

This exercise should help you plan your insurance program, as well as manage the underlying risks.

  • You may find it hard or expensive to get insurance for the risks near the top right until you have done something about them.
  • The ones near the top left are the ones you should expect to insure. Your premiums each year go toward the cost of the big claims when they arise.
  • It is probably not worth insuring those near the bottom: just allow for a few losses in your costing.

Three More Questions About Evaluating Risks

What Is Risk Gearing?

When we try to evaluate a risk in order to prioritize it or to decide how much money to spend on controlling it, it is tempting to look only at the immediate cost of the thing occurring, for example, the amount of money that could be stolen in a break-in or the cost of compensating someone who blamed you for his or her injuries. The point is that there may be secondary costs much bigger than the immediate ones, such as the damage done to your property during the break-in, the damage to your reputation from the accident, and the time and effort you or your staff have to put in to sort out the claim. Gearing is the ratio between the obvious immediate costs and the overall final costs of an incident. It is important to take the bigger picture into account when making decisions about priorities and the amount you are prepared to pay to reduce the risk.

How Can You Measure the Unknown?

This sounds bizarre, but unknown variables can be measured, even if they cannot be identified. How?

  1. You may know that a variable you are measuring, say, number of accidents, is a result of several other variables that you can also measure, at least approximately, such as spending on health and safety, training, overall activity levels … well, you can make your own list.
  2. Then you find the total number of accidents has gone down despite reductions in all the other variables. What is going on? There must be some other variable(s) affecting it that you are not taking into account.
  3. If you measure all the knowns carefully, you can calculate the unknown(s).
  4. Over a period, you can see whether there is any change in the unknown(s).

This may help you predict changes in the number of accidents. It may also direct your attention to trying to identify the unknown factor(s) so as to see how you might be able to influence it or them. Even if you cannot, knowing the size of the unknown can be important. It can stop you putting too much effort into managing the known factors, or getting into the blame game if your efforts in that direction are unsuccessful.
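The procedure above can be made concrete with a small model. This is an added example, not code from the chapter. It assumes that the known variables act roughly additively (a linear model): fit the accident rate to the measured knowns over a baseline period, then treat whatever the fitted relationship fails to explain in later periods as the combined effect of the unknown factor(s). All the figures are constructed for illustration, and the baseline values were built to satisfy one exact linear relationship so that the method's output is easy to check.

```python
"""Estimating an unknown influence on accident figures.

Added example; it is not code from the original text. The chapter's
procedure is expressed as a linear model (an assumption): fit the
accident rate to the measured known variables over a baseline period,
then read the residual in later periods as the size of the unknown
factor(s). All figures below are constructed.
"""
from typing import List, Sequence

# Constructed monthly figures. Each row of knowns is
# (health-and-safety spend in $k, training hours, activity index).
BASELINE_KNOWNS = [
    (10, 40, 20), (12, 30, 21), (8, 50, 18),
    (15, 45, 26), (11, 35, 23), (9, 60, 17),
]
BASELINE_RATE = [15.0, 16.1, 13.1, 19.05, 17.55, 11.7]  # accidents per 10,000 hours

# Later months: the knowns are measured as before, but the observed rate
# is lower than the baseline relationship predicts.
LATER_KNOWNS = [(10, 40, 20), (13, 55, 24), (9, 38, 19)]
LATER_RATE = [12.0, 14.15, 11.4]


def solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a.x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [list(map(float, row)) + [float(b[i])] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("known variables are collinear; drop one of them")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def fit(knowns: Sequence[Sequence[float]], rate: Sequence[float]) -> List[float]:
    """Ordinary least squares via the normal equations:
    rate ~ c0 + c1*spend + c2*training + c3*activity."""
    rows = [[1.0] + [float(v) for v in k] for k in knowns]
    p = len(rows[0])
    ata = [[sum(r[i] * r[j] for r in rows) for j in range(p)] for i in range(p)]
    atb = [sum(r[i] * y for r, y in zip(rows, rate)) for i in range(p)]
    return solve(ata, atb)


def predict(coef: Sequence[float], known_row: Sequence[float]) -> float:
    """Rate the known variables alone would lead us to expect."""
    return coef[0] + sum(c * x for c, x in zip(coef[1:], known_row))


def unknown_effect(coef: Sequence[float], knowns, rate) -> List[float]:
    """Per-period residual: the part of the rate the knowns do not explain.
    A residual that drifts over time is the unknown factor changing."""
    return [y - predict(coef, k) for k, y in zip(knowns, rate)]


if __name__ == "__main__":
    coef = fit(BASELINE_KNOWNS, BASELINE_RATE)
    print("fitted coefficients:", [round(c, 3) for c in coef])
    print("baseline residuals:", [round(r, 3) for r in unknown_effect(coef, BASELINE_KNOWNS, BASELINE_RATE)])
    print("later residuals:   ", [round(r, 3) for r in unknown_effect(coef, LATER_KNOWNS, LATER_RATE)])
```

Run as a script it reports residuals of roughly zero for the baseline months and roughly minus three accidents per 10,000 hours for the later months: the knowns have not changed enough to explain the improvement, so something unmeasured of that size is at work. Real figures will never fit this cleanly; the residuals will scatter, and only a persistent shift in their average should be read as a change in the unknown.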

What Is Risk Appetite?

Risk appetite (or risk tolerance) is the extent to which you are prepared to live with risk. How near the top right of the risk analysis table are you willing to go? Can you put a number on it and say you will take risks up to a certain level only? Even people who are ready to take big risks should go through an exercise like this first. There is a huge difference between making a decision in the light of all the facts and just going ahead blindly.

What Is a Risk Register and Do You Need One?

A risk register is a summary of all your risk assessments and should be cross-referenced to each of them. It should show:

  1. The name of each activity.
  2. The risks in each category.
  3. The value of each risk: probability and severity.
  4. The person responsible for managing each risk.
  5. When each was last assessed.
  6. When it is due to be assessed next.

The level of detail can vary considerably. Different managers find they have different needs. Unless someone else has specified it, you should opt for whatever you find helpful.

It is often kept in order to meet someone’s requirements: a potential client, funder, or partner. It may be a condition in a tender ­specification. For me, its most important use is that it helps prioritize risk control ­measures and target expenditure where it is most likely to be effective. It is also useful for new managers to see what has been done and what needs doing, in order to hit the ground running.
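The scoring rule of Table 2.1, the advice on which cells to control, insure or absorb, the projected values after new controls (step 6 of the risk assessment) and the register fields listed above fit together in a short script. This is an added example, not code from the chapter. The risk names, owners, dates and scores are constructed; the treatment of the medium-severity row and the tie-break on severity when two risks share a value are assumptions, since the text does not spell them out.

```python
"""A risk register scored with the chapter's probability x severity rule.

Added example; it is not code from the original text. The scoring
(value = probability x severity, both on the same 1-3 scale) and the
treatment of the corners of Table 2.1 come from the chapter. The entries,
the rule for the medium-severity row and the tie-break on severity are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

LOW, MEDIUM, HIGH = 1, 2, 3  # one whole-number scale for both axes


@dataclass
class Risk:
    activity: str
    category: str                 # column of the register summary page
    description: str
    owner: str                    # the person who owns the risk
    probability: int              # 1-3
    severity: int                 # 1-3
    last_assessed: date
    review_interval_days: int = 365
    # Projected scores if the proposed new controls were introduced.
    # None means no new control has been proposed yet.
    proposed_probability: Optional[int] = None
    proposed_severity: Optional[int] = None

    def __post_init__(self) -> None:
        for v in (self.probability, self.severity):
            if v not in (LOW, MEDIUM, HIGH):
                raise ValueError("scores must be 1, 2 or 3")

    def value(self) -> int:
        """Current value: the cell of Table 2.1 the risk sits in."""
        return self.probability * self.severity

    def residual_value(self) -> int:
        """Value after the proposed controls, or the current value if none."""
        p = self.probability if self.proposed_probability is None else self.proposed_probability
        s = self.severity if self.proposed_severity is None else self.proposed_severity
        return p * s

    def next_review(self) -> date:
        return self.last_assessed + timedelta(days=self.review_interval_days)

    def review_overdue(self, today: date) -> bool:
        return today >= self.next_review()


def treatment(risk: Risk) -> str:
    """Translate the position in Table 2.1 into the chapter's advice."""
    if risk.severity == HIGH and risk.probability >= MEDIUM:
        return "control first"   # top right: act before expecting cover
    if risk.severity == HIGH:
        return "insure"          # top left: what the premiums are for
    if risk.severity == LOW:
        return "accept"          # bottom row: budget for a few losses
    return "cheap controls"      # middle row: an assumption, not from the text


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest value first; ties broken by severity (an assumption)."""
    return sorted(register, key=lambda r: (r.value(), r.severity), reverse=True)


def beyond_appetite(register: List[Risk], appetite: int) -> List[Risk]:
    """Risks whose value, even after proposed controls, exceeds the appetite."""
    return [r for r in register if r.residual_value() > appetite]


def overdue_reviews(register: List[Risk], today: date) -> List[Risk]:
    return [r for r in register if r.review_overdue(today)]


def sample_register() -> List[Risk]:
    """Constructed entries; names, dates and scores are made up."""
    return [
        Risk("Production", "Property", "Fire in the workshop", "A. Patel",
             LOW, HIGH, date(2023, 3, 1)),
        Risk("Admin", "Cyber", "Ransomware on the office network", "B. Okafor",
             HIGH, HIGH, date(2023, 9, 15),
             proposed_probability=MEDIUM, proposed_severity=MEDIUM),
        Risk("Sales", "Financial", "Minor stock pilferage", "C. Evans",
             HIGH, LOW, date(2024, 1, 10)),
        Risk("Supplies", "Motor", "Delivery van collision", "D. Lee",
             MEDIUM, MEDIUM, date(2023, 6, 30), review_interval_days=180),
    ]


if __name__ == "__main__":
    today = date(2024, 4, 1)
    reg = sample_register()
    for r in prioritise(reg):
        print(f"{r.value()}  {r.description:<34} {treatment(r):<15} owner={r.owner}")
    print("beyond appetite of 3:", [r.description for r in beyond_appetite(reg, 3)])
    print("reviews overdue:", [r.description for r in overdue_reviews(reg, today)])
```

The ransomware entry shows the point of step 6: it starts in the top right (9) and the proposed controls bring it down to the middle (4), which still exceeds an appetite of 3, so either further controls or a deliberate decision to live with it is needed. The overdue list is what the review dates in the register are for.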

How to Avoid Missing Any Risks

Set them out in a table something like this. Mark N/A against any cell that does not apply, but only after you have made sure that is the case. Add other categories of risk and other departments as your business requires. The numbers cross-reference to the individual risk assessment files.


Table 2.2 Risk register, summary page

               Property     People       Financial    Cyber        Motor
  Production   1.1–1.5      2.1–2.7      3.1–3.2      4.1–4.3      5.1–5.4
  Supplies     6.1–6.2      7.1–7.3      8.1          9.1–9.2      10.1–10.2
  Sales        11.1         12.1–12.5    13.1         14.1–14.3    15.1
  Admin        16.1–16.2    17.1–17.3    18.1–18.2    19.1–19.7    20.1
  Directors    N/A          21.1         22.1–22.2    23.1         24.1


What Do Your Controls Control?

I keep coming across controls that do not control anything. Or, at least, not the things they are meant to control.

  • Checks that consume time and energy but do little to reduce the risk, because they can easily be circumvented.
  • Checks that duplicate other checks, usually where the data all comes from a common source: if that is wrong it is all wrong.

I recently visited an establishment where the good, old-fashioned signing-in book had been replaced by a computerized system. Even a slow writer like me could sign in before in a tenth of the time taken to do it on the touchscreen. Even my half-legible scrawl was nearer to my name than the on-screen version, where a character could easily be omitted or duplicated. I was told that the main reason for the change was that the new system was to be used in the event of a fire to check who was in the building. I would have thought the best thing to rely on was the knowledge of individual managers as to who was in or out and what visitors were there. My faith in the accuracy of computerized systems is low.

  • How easily could an entry be duplicated, so that they will be looking for two John Murrays, especially if one reads Jon Murry?
  • How easily could someone leave without logging out, especially if a group went out together and in a hurry?
  • Do they have to print out all the names in the event of a fire so as to be able to check them?

To err is human: to make a real mess, you need a computer! Review your risk control measures to see which ones are actually worth keeping. Risk management is not only about adding to your controls. Often, it is the opposite.

Six Reasons Why We Usually Underestimate Our Business Risks and Our Insurance Needs

If we do not have a realistic view of our risks, we will not be able to make the right decisions about what insurance we need, nor about the measures to take to control the risks. Most of us underestimate both the likelihood and the possible severity of the risks we face in life, and especially in business. Failing to have a reasonable understanding of our risks usually has two results:

  • We do not take out the right insurances, or if we do we tend to set the limits of cover too low.
  • We do not take the necessary steps to control the risk because we consider the time and money required would be unjustified.

It is probably not difficult to see what further consequences such wrong thinking might have.

What are the reasons for this?

  1. We tend to assume that large losses only happen to big businesses or in connection with large projects. Sadly, this is not always true. I remember a claim involving a plumber who had gone into a school to install a disabled toilet. He went into the roof-space to get to a water supply and tried to cut into a pipe using a hot torch. The flames from this set the roof insulation alight. The fire soon spread and burned down half the school. I also remember a falconry display at a county fair in Scotland when a vulture was caught in high winds and blown off course, into the airspace at Glasgow Airport, causing several flights to be re-routed. It is the context that matters, not the size or value of the job itself.
  2. We tend not to think about certain intangible risks. We usually insure our laptops and mobile phones, but what about the data in them? Apart from the legal issue, how important is the data to us? We know about health and safety, but what about our potential liabilities arising from stress, harassment, discrimination, or unfair dismissal? We protect our property, but do we protect our reputations? One unfortunate tweet can go a long way. A genuine but minor complaint can do a lot of damage if it is handled badly, or not at all.
  3. We tend to think of remote risks as being considerably more remote than they really are. If something is a million-to-one chance, it means it will affect roughly 300 people in the United States this year. Will you be among them?
  4. We often do not think about consequential losses. We usually insure our buildings for the cost of rebuilding in the event of fire, but how is the business going to carry on while we are waiting for the rebuilding to take place? Do we have a plan? Does that involve extra cost? Is that insured?
  5. We usually expect third-party claims to come one at a time. All too often, however, several people claim to have been injured in the same incident, and the limit on most liability policies is per incident not per claim. We need to think how many people could possibly be hurt by anything which might go wrong. This is especially important if we are involved in public events or activities at crowded venues.
  6. Finally, we may be reluctant to admit to the seriousness of some risks out of fear of having to spend a lot of money on measures to control them. It is easy to forget that prevention is better than cure. It is also important to look for cost-effectiveness when considering ­various options for controlling the risks. Sometimes, there are ­simple, low-cost measures we can take. I once found a skip full of paper, wood, and other combustible material placed against a wall where it was under the eaves of a large building. If anyone set fire to the skip’s contents, it was highly likely that it could have spread to the building. Moving the skip to the opposite side of the yard was not expensive.

It is always worth remembering that premiums do not go up pro-rata to sums insured. The first million dollars of cover costs more than the second and so on. In addition, being able to demonstrate that you have identified your risks and taken reasonable steps to control them can only help you in negotiating premiums. Do not be underinsured and do give serious risks serious attention. In the next section, we look at an example of risks being different from our perceptions.

What Have Horse Riding Accidents in the United Kingdom Got to Do With Your Business?

I have read a report on accidents involving horses in the United Kingdom, produced by the British Horse Society. It deals with accidents involving other parties, which includes road accidents. Much of it is aimed at the riding fraternity, as you might expect, but I think two of the findings have implications we all need to consider, even if you never go near a horse. They are especially worth considering, precisely because they are not what most people, including myself, would expect.

First, let us also note one of the findings that came as no surprise to me.

Most accidents occur on minor roads in the countryside.

  • Of course, this is partly because that is where you find most horses.
  • It may also be because some horses react to traffic better when there is a steady flow than when a car appears suddenly.
  • On country roads, there are often no sidewalks or grass verges to get onto out of the way of danger.
  • There are a lot of bends on British minor country roads so motorists cannot see horses, or other hazards, until they are close to them.

Now let us consider the two surprising facts the report threw up:

  1. Most road accidents happen between 11 a.m. and 3 p.m., well away from the rush hour.
  2. The worst month for such accidents is June, when you would think bad weather would be less likely than in most of the year.

So why is this? The short answer is that nobody knows. But, we can try to speculate intelligently. Let us ask ourselves a few questions:

  • Are there more horses on the roads at the times their riders consider safest, despite the fact that so many people have to ride before or after work or school most days?
  • Do more people ride in June because it is more pleasant?
  • Are riders less vigilant because they do not expect so much traffic at those times?
  • Do a lot of riders ride without high-visibility clothing when visibility is good? I have sometimes been driving my car and seen horses being ridden on the road only when I was quite close. High visibility would have helped me to notice them and so slow down sooner.
  • Do motorists drive faster and pay less attention when there is less traffic?

Are you still wondering what this has to do with your business?

Ask yourself these three questions:

  1. Do you take less care when you think the risks are lowest, in any situation?
  2. Do you not bother with risk controls, for example, high-visibility clothing, when you think it will not matter?
  3. Do you have statistics on accidents or other risks in your business? Do you study them?

When you have thought how this applies to your business, please remember to drive wide and slowly past horses whether at noon in June or late on Christmas Eve.

If you want to see more about horse riding accidents in the United Kingdom, go to: www.bhs.org.uk/safety-and-accidents

Are You Taking Enough Risks? Or Is Undue Caution Holding Back Your Business?

An interpretation of risk management as an attempt at eliminating or minimizing every risk sometimes leads businesses or other organizations to miss out on opportunities to maximize profits or achieve other desirable goals. This view fails to see the need to balance one risk with another or to fully evaluate the costs and benefits of different courses of action. I am concerned that overzealous or one-sided risk management can be harmful to business and other activities. Please do not misunderstand me. I do not advocate a cavalier attitude that would treat lightly anything which could lead to someone’s death or serious injury, to extensive damage to property, to the loss of large sums of money, or to serious damage to the environment; neither do I underestimate the harm an ill-judged word or deed can do to a hard-won good reputation. However, it is easy to over-react and take excessive defensive measures. I suspect that the man who said, “I’m not afraid of flying … just of crashing” probably thought the only way to be safe was not to fly, not knowing that in fact modern airlines have such good safety arrangements that the most dangerous part of your flight is likely to be the drive to the airport.

What Are the Causes of This Over-Cautious Attitude?

  1. The natural and justifiable concern to prevent undesirable consequences of our actions, sometimes taken to an extreme.
  2. Lack of communication between managers, insurers, and health and safety, leading to knee-jerk reactions, rather than properly considered solutions.
  3. The requirements of funding agencies and regulatory bodies, often lacking in detailed knowledge and understanding.
  4. The culture in some organizations where failure is punished more than success is rewarded.
  5. Fear of being sued as a result of the claims culture, especially in the light of a few well-publicized high-cost cases, sometimes with unexpected outcomes.
  6. Fear of adverse publicity if the press should take a one-sided view of an incident, regardless of the real blame.

Is a Strong Dislike of Taking Risks Wrong?

The actual risk may be very different from our impression, and so our response may be inappropriate: many New Yorkers would rather drive in frustratingly slow traffic than take the often faster subway, out of fear of mugging, even though more people are killed in road accidents than in violent robberies.

  1. Control measures may be more costly than is really justified, in terms of their effects on productivity: in fact, there may be so much pressure to do something that controls are introduced which are totally ineffective or unnecessary, like the cowboy who wore two guns in case he missed six times and was still alive.
  2. Above all, this attitude of excessive caution fails to recognize that all management (not only risk management) involves making choices that require balancing one risk against another, such as that of making a loss by spending too much on control measures.

General McClellan commanded the main U.S. Army in the early part of the Civil War. As he was concerned for the welfare of his men and wanted to avoid throwing lives away needlessly, he always waited for the ideal opportunity before going on the offensive. Sadly, he lost more men to disease in his large static encampments than were killed by the enemy. He was too focused on one risk to the exclusion of another. More recently, there was some controversy in the United Kingdom over the failure of some schools and other organizations to carry on during the big freeze of 2010–2011. There was a need to balance the risks to people in trying to work, or even get in to work, in those conditions, against the risks to the organization, as well as to those using its services, in failing to maintain some of its activities.

What Can You Do About It?

  • Fully assess each risk, looking at both the probability and the severity.
  • Consider all the implications of each potential control ­measure.
  • Take into account financial and nonfinancial costs and ­benefits.
  • Recognize that accidents do happen, however hard you try to prevent them, and be prepared to accept some of the ­consequences.
  • Have damage-limitation measures ready.
  • Manage the reputational aspect of your risks by being prepared to respond to the press and public in the event of (even remotely) foreseeable incidents. Try to prevent unhelpful or ill-thought-out remarks from colleagues or employees getting into the social media.
  • Consult. Although the manager of the activity does need to be the one who manages the associated risks, it is also important for someone not quite so involved to have a look as well, to bring some objectivity and to challenge well-established assumptions. It could be someone within your business or an outside consultant.

Do not let undue fear of risk stop you making a success of your business or organization. Wherever possible, think in terms of positively managing rather than avoiding risks. In Britain, in the early days of motor transport, the law required a man carrying a red flag to walk in front of every motor vehicle. It might have prevented a lot of accidents in its day, but most of us would agree that removing that restriction has benefitted society a great deal, and other measures have since been brought in to improve road safety while allowing cars to travel faster than pedestrians.

Three Questions to Help You Decide Which Kind of Risk Management Consultant Your Business Needs

Most businesses could benefit from being studied by a risk management consultant from time to time. If you think yours has such a need now, there are three main choices you will need to make to get the right one, and so avoid the sort of disappointment that arises when a consultant fails to deliver what the client was expecting and leaves the profession with an undeservedly poor image. There are many risk management consultants around, and it is not easy to choose the right one for your business. It is easy to spend a lot of money without getting the result you need, but this is not always the consultant’s fault. Although stereotyping any professionals can be misleading, you may find that thinking in terms of the following categories will help you in your search.

  1. Do you need a specialist or a generalist? As it is obvious that a generalist does not know everything about everything, it is tempting to assume that you are better off with someone with specialist knowledge about your industry. That could be the case if the risks you are mainly concerned about are very technical, and you need someone with knowledge of engineering, the environment, or aviation for example. On the other hand, you may have the technical knowledge within your business, but need advice in managing the risks. There is also the danger that the specialist will become too absorbed in the technical issues to think about the bigger picture or the way different risks affect one another, so that reducing one can increase another. What you probably need is someone who understands the business at least as much as understanding the technology or science, and who can communicate with you in normal English.
  2. Do you need an external or internal consultant? There may be people in your own organization who could act as consultants to another department, or even to the business as a whole. The advantages are that they probably cost less than external consultants and can hit the ground running because of their existing knowledge of your business. The drawbacks are that they may command less respect, rightly or wrongly, and that any criticisms they may appear to make of other managers could lead to ongoing relationship problems in your business. They may also be too close to the problems and lack the objectivity of external consultants.
  3. Do you need answers or questions? You may think you want someone to come along and give you the answers you are looking for, whereas, in fact, some consultants are experts at asking questions, rather than answering them. You may find that you knew the answers all the time, but had been asking yourself the wrong questions. After all, it is likely that nobody understands your business as well as you do. When a consultant leads you via a series of questions to the solution you were looking for, possibly setting out a number of options on the way, you often find it is particularly effective, because you know how and why you arrived there, and you will make the solution work because you own it, instead of feeling it is what someone else has told you.

You can probably see that there is no all-purpose ideal consultant. What matters is finding the one who best meets your needs and those of your business at this time. Think carefully about the aforementioned three questions and try to decide first what you want and need before trying to decide who can best advise you on managing the risks you are trying to deal with. Do not be afraid to tell your risk management ­consultants that you think they are not the right ones for a particular exercise: most would rather lose a client than have a dissatisfied one. Here is hoping you find the right one.

What Has Seeing the Elephant Got to Do With Managing Risks?

I once heard someone saying that children these days do not seem to show as much awe and wonder at the marvelous creatures that they see in the zoo as we did. I am not sure who we included, but never mind.

I can think of two reasons why this remark may hold some truth.

  • Children these days do not want to show too much awe and wonder at anything, as it is not cool, so they say.
  • Children have seen lots of wildlife documentaries and are better prepared than some previous generations for the sight of amazing animals. At one time, most adults, let alone children, would not have seen foreign animals in the flesh. At best, they might have seen a picture in a book or a painting in a gallery.

During the American Civil War, there was an expression, to see the elephant, meaning to experience a battle. The point of the metaphor was that anyone who had not been in a battle could not know what it was like. No description did it justice. [Sorry if you are a War Poet or even a War Correspondent: I did not mean to offend.] In the same way, if you had never seen an elephant, no description quite conveyed what one was like, but once you had seen one, you knew. Sometimes, the problem for a risk management consultant is to enable the client to see what the risk is. It may sound unrealistic or it may sound trivial. If it has never happened to you, it may be hard to imagine how it would affect you or your business. That is why you may need a consultant.
