Failure of risk management in Australia

Source: Asia Insurance Review | May 2023

Risk management has never previously had the focus it has today, and that should make every risk management professional excited to be part of the industry. In fact, the Governance Institute of Australia’s 2020 risk management survey highlighted that 84% of 393 respondents believed risk management was highly valued in their organisation, up from 70% in 2019, says Paladin Risk Management Services’ Mr Rod Farrar.
Despite an increased focus on risk management, many organisations have experienced incidents that have impacted their reputation, threatened their financial sustainability and led to regulatory fines and legal action. In some cases, they have resulted in fatalities.
In most cases the common thread has been the failure of risk management despite the existence of supposedly robust risk management systems, overseen by a chief risk officer.
So how is it that these avoidable incidents continue to occur at a time when organisations have a greater emphasis on – and more personnel dedicated to – managing risk?
There are two primary reasons. First, there is a complete lack of understanding as to what constitutes a risk, and secondly, very few risk management practitioners are qualified for the role they are filling.
Reason 1 – lack of understanding of what a risk is
It may seem obvious, but fundamental to the effective management of risk is an understanding of what a risk is. This understanding does not exist. It starts with an inability to present a common definition of risk, or one that appropriately defines a risk, across regulatory bodies, legislative frameworks and international standards.
The ISO 31000 definition, which is the most commonly cited definition of a risk (the effect of uncertainty on objectives), is at the heart of the issues organisations have in not understanding risk and risk management.
Effect is defined in the standard as “a change which is a result or consequence of an action or other cause”. An effect is an outcome or consequence. So, if we substitute that into the ISO 31000 definition it becomes: The consequence of uncertainty on objectives.
In this definition, the focus is on evaluating the likelihood of the consequences of the uncertainty. This is similar in many ways to the Australian Government’s code of practice for work, health and safety which defines a risk as ‘the possibility that harm (death, injury or illness) might occur when exposed to a hazard’.
We are not assessing the likelihood of the event happening, just what the consequence would be if it did happen. As a person who is actually managing risk, I would much rather focus on reducing the likelihood that a worker falls from height rather than focusing on the likelihood of them being harmed.
Uncertainty implies a lack of control
This is even more fundamental than where the focus of our definition lies. Uncertainty is a state of flux that occurs in the strategic environment. Organisations have little to no control over the changes that occur in the environment (the uncertainty). They can only control how they deal with it. This is, quite simply, the basis for strategy development: we develop strategies to exploit opportunities and/or to protect us from threats.
Using the term uncertainty in any description of a risk implies that organisations have little to no control over whether it occurs or not. What is in our control, however, is how we deal with preventing the incidents that so many organisations continue to experience.
My book, ‘A One in 30 Year Incident - 30 Years in the Making’, explores the causes of the Dreamworld incident in 2016 that tragically led to four fatalities. The book points out: “All the elements that contributed to the Dreamworld incident that day were within the control of Dreamworld, that is, there was not one external factor that contributed to the incident.”
The book goes on to say that “all the issues that existed in the design, maintenance and operation of the ride aligned and resulted in the tragedy that unfolded”. In other words, there was no uncertainty here, just an unmanaged risk.
A change in paradigm is needed
It is for this reason that I use the following definition to define risk: A possible event/incident that, if it occurs, will have an impact on organisational performance, outcomes and/or objectives.
This definition is simpler for organisations to understand as it focuses their attention on the incidents they don’t want to occur. Many of the organisations that I am assisting have adopted this definition and are seeing real benefit in finally understanding their risks. Once they are understood, they can be better managed.
Reason 2 – lack of professionalisation
The second factor contributing to poor risk management practices is the fact that the risk management profession is not professional.
As an illustration, most risk management roles advertised on job sites such as Seek require a ‘risk management qualification – or equivalent’. Other advertisements vaguely require a demonstrated experience in risk management - or equivalent.
When was the last time an advertisement for an accountant, engineer or medical practitioner specified an equivalent qualification was suitable? The stark reality is that risk management is a career that most of us have ‘fallen into’ later in our careers. How many kids at the age of 10 say they want to be a risk manager when they grow up?
I am even more concerned that many organisations rely on consultants to provide risk management advice, but very few of them are qualified either. Anyone can hang up their shingle and say they are a risk management consultant, but how much do they really know about managing risk?
I also believe that a significant proportion of industry knowledge has been driven by ‘folklore’, with dubious knowledge passed down the line by bosses. It’s time we recognised that the implications of an ineffective risk management programme in an organisation can be dire.
We need to professionalise through qualifications
A registered training organisation, Paladin’s Professional Security and Risk Institute, seeks to fill the education gap with certificate-level programmes as well as short courses.
Since 2013 more than 2,500 participants from 27 countries have attended the qualification courses, which have universal application.
I try to simplify and demystify risk management so that participants have all of the necessary skills to implement an effective risk management programme from the outset. The fundamental issue is that organisations are ‘doing risk management’ rather than managing risk – and there’s more than a semantic difference.
In my observation, most organisations believe that because they have a range of risk management documents and a series of risk registers, they are managing risk. Nothing could be further from reality.
There is also a belief that an absence of incidents means that we are managing our risks effectively. The day [BP’s] Deepwater Horizon rig exploded with the loss of 11 lives in 2010, the rig’s managers were presented with a safety award.
In the case of Dreamworld’s Thunder Rapids Ride tragedy in 2016, an expert at the coronial inquest stated that because the ride had been fatality-free for 30 years, the design of the ride posed little risk to the health and safety of patrons. On the day of the tragedy, however, it certainly posed a significant risk to the health and safety of patrons.
The simple fact is that we need to understand our risks better so they can be managed effectively. To do this we need to professionalise the industry and that starts with qualifications.
When will organisations stop putting their faith in risk management ‘professionals’ that do not have the baseline qualifications that most other occupations take for granted? How many more avoidable incidents have to occur before we start insisting our risk management personnel have risk management qualifications and not just equivalents?
Mr Rod Farrar is a director with Paladin Risk Management Services.
Nick Quigley

Hello, I can appreciate this article as I too find that risk management as a profession is still like hiring ninjas. Organizations have no clue what they want and they generally ask for the wrong things when trying to hire a risk manager. I hope that one day we will see positions that do not require a risk manager to be a CPA or CISO. I do, however, disagree with your use of the ISO 31000 definition in substituting effect. Risk is neutral and therefore an effect can be either positive or negative. The substitution of the word for consequences implies that risk is only negative. The antonym to “consequence” is benefit, and so your substituted definition no longer meets the ISO 31000 standard. It is vital to ensure we look at both sides of the coin in making decisions, where risk needs to be quantified and weighed to ensure the C-suite can make educated choices.

30 May 2023