Operational Risk Management: The Deadly Duck Kicking that Awaits

"One of you is going to die..."
Risk Management in the corporate world (outside of finance...and sometimes even in it) leaves a lot to be desired. Despite what you may read in Annual Reports, many mid-size - and even larger - companies simply do not take it seriously, or if they do, they go about it with sizable gaps in the process...and even bigger ones in the end result.

Risk Management functions are perceived as a luxury, one of the first things that gets downplayed, put aside or completely ignored when resources are stretched. With many organizations, what happens is that they initially put in some effort, create something that on Day 0 is quite respectable...then slowly falls into disuse and disrepair. But worse still, because many of these organizations initially made an effort, they still believe their Risk Management is world class.

Right up until some disaster proves otherwise.

Fact is, risk management is the reality of most management work: you've got the perfect project plan, you've got a perfect operational business...on paper. Your job is to defend it against Mr. Murphy, who can always be relied on to pop around and keep you honest. So, how do you do it? How do you manage risks?

The last thing I want to do is bore the reader with another treatise that outlines exactly what you must do, so I'll get down to the core of what to watch out for: the most common errors/oversights people make in managing risk.

With projects, event probabilities are (relatively) easy to determine: you just align the risk likelihood to the project's timeline. But with ongoing operational risks, it becomes less clear. And the reality is that with an open-ended timeline, probabilities start to approach 100%.

Sooner or later, EVERYTHING is BOUND to happen. The longer the timeline, the greater the likelihood of any event, and on an infinite timeline, well, then there is a near certainty of just about everything happening: wars, fires, flooding...even being kicked to death by a duck.

I kid you not.

After all, in the future, as we progress with genetic research, we will want to breed larger ducks for food. And some of those ducks will become smarter, as per the Law of Natural Selection. And eventually, there will be damn big and damn smart ducks. And you can be assured that somewhere, some guy on some farm will get drunk and fall over next to one of these ducks...and the duck will see its tormentor, and respond with the mother of all duck kickings, sending that hapless soul into that big battery farm in the sky. :-)

Clearly, this is as impractical - and silly - as it is perfectly logical, so it's vital that it be remedied.

When you are doing an operational risk assessment, you must state the period of time you are looking at. Ideally, that should align with the reporting period, say 1 year, but in some cases rolling 3, 5 or even 10 year timescales are advisable.

Many companies rightly believe they can handle individual risks: they have solid mitigation and contingency plans in place for a single event. But...what if a few events happen at the same time? And what if one risk leads to another?

Case in point, a fire at a factory. Key machinery burnt to a crisp. But what if flooding has also occurred at an alternative factory location, disrupting the back-up supply chain? Suddenly, there is no viable contingency plan.

It's like a flu outbreak in an office just when key deadlines fall due. Some people will try to come in and do their work - and infect others, worsening the problem. Telecommuting as the solution? Possibly, but with a severe flu strain and people running high fevers, work quality drops to unacceptable levels: the heart is willing, but the body and brain have been hammered.

Whilst this can be time consuming, it is vital to take at least the most likely key individual events and combine them to see what the impact will be, and prepare for those.

Oh boy, have I seen some beauties here. Different functions and different business units in the same conglomerate may as well be different companies that don't know of each other's existence. Different ways of calculating risk, different emphasis on what is a risk, different understandings etc...you name it.

If you can't have a centralized risk function, then you need a centralized risk standard that everyone can follow. The ISO 31000:2009 Risk Management Principles and Guidelines and the OGC's Management of Risk: Guidance for Practitioners (essentially a practical implementation of the ISO standard) are low-cost ways to at least get everyone on (roughly) the same page.

Saving the best - or worst - for last, I turn my attention to company politics intruding into the risk management sphere. This is where a function or business unit lists some form of non-optimal performance by a rival or disliked function or business unit as a risk in itself.

This is an absolutely sure-fire way to not only create a pretty awful situation at work (or more correctly, make a bad one much worse), but it also has the effect - which I have witnessed - of diminishing the credibility, capability and value of proper risk management in an organization. Games such as this do nothing to resolve issues and serve only to heighten organizational tension, a very real risk in itself.

It's work.

It's not Congress or Parliament.

Certain standards of competence and professionalism are required.

Risk Management is a useful tool which, in many ways, you use daily, albeit in a very subtle and sometimes not too obvious fashion. Just watching out for the above gives you that little extra assurance.

I know the duck is waiting. I'm ready.