by Alfonso Esteban
•
17 Jun, 2020
Those who know me know that I wear hearing aids as I suffer from severe to profound hearing loss in the mid to high range frequencies, which is typically the voice range of women and young children. I realised I had hearing loss when I was not able to understand anything my then young son was saying, and I could not hear what people were saying to me in noisy situations. My hearing aids have been a blessing that has enabled me to participate in normal conversations. But what does this have to do with risk management? Hearing aids are my reactive control to the risk event of deafness. There were several causes to the risk event and partial deafness impacted on several of my life objectives. So the hearing aids play a role in the risk story, which is the theme of this blog. Many risk registers that I have reviewed over the years do not contain actual risks. During my time at Protecht, David Tattam taught me the benefit of using a risk story to differentiate risk events from causes, controls and impacts. Educating front line managers in the use of the risk story will assist in ensuring that your risk register actually contains real risks and not failed controls. So what is the risk story? A risk story can be written as: “The risk of (risk event name) is caused by (risk causes) and impacts (objectives); and can be controlled by preventative, detective and reactive actions.” In my case, the risk event is deafness, caused by a number of factors that I was able to control (but didn’t!) at the time, leading to the impact of not being able to participate in normal conversations. The hearing aids used during waking hours are a reactive control to reduce the impact on the objective of participating in normal conversations. I recall reviewing a risk register of a mining and exploration company that had over 6,000 entries in its risk register. Most of the so called risks were in fact failed controls – easily detected as the risk event was called “failure to…“ – as well as impacts – again easily detected as they were called “non-compliance with licence condition / regulatory obligation”. Once cleaned out, this risk register was reduced to around 400 risks, which was still too high as the risk events were too granular (they included risk events such as “inability to source xyz branded truck tyres” where xyz was one of many types of truck tyres). How many risks are in your risk register and can they be stated as a risk story? Stratedge Consulting can assist in reviewing your risk register to make sure that you are accurately capturing risks that are impacting on your objectives.