January is almost over and we are starting to look at all those New Year’s resolutions we made for ourselves, all the things that we were going to stick to that would make our lives better than previous years.
How are we all going with them? No judgement; hey, sometimes we do put a little too much pressure on ourselves.
Now please don’t take offence, but the resolution I get a little chuckle out of is the “I am quitting sugar” one.
Looking at it logically, when people tell me they no longer eat sugar, the questions that run through my mind are – Do you still eat fruit? Vegetables? Meat? Any type of grain, nut or seed? Dairy products?
Answering yes to any of those food groups means that you do still in fact eat sugar in some form, including things that your body converts to sugar, such as carbohydrates. Unless your diet consists of nothing but purified water, a better statement for you is “I don’t eat any added sugar.”
People can also have this same misconception when it comes to risk management.
I have a similar chuckle when I get told the goal for the year is to eliminate all risk. Just like getting rid of all sugar, getting rid of all risk isn’t as easy or practical as you might think.
There are three common types of risk:
• Inherent risk – This is the risk before risk management strategies and controls are put in place. You can look at this as known risk.
• Residual risk – This is the risk that remains after risk management strategies and controls are put in place. This, in contrast, could be considered unknown risk.
• Key risk – Any extreme or high inherent risk. This would be anything that instantly sets off alarm bells in your mind.
Without going into a full risk management training session, I just want to show an example of what can happen if you get fixated on removing all risk.
For this example, let’s say our business operator, we’ll call her Lisa, has decided to take the food industry by storm with a selection of gourmet cheeses. Lisa has been making cheese in her local area for a while, has become very well-known, and has decided to expand.
As her product is perishable, she has invested in having a new cool room installed. It has all the bells and whistles, including an alarm to let her know if the temperature is outside the pre-set desired range.
Now Lisa is one of those people who wants to remove every possible risk. With this in mind, she decides that her biggest risk is loss of power to the cool room, so she starts her risk management plan there.
The simplest way to manage the risk of power loss is to have an alternate supply – a back-up generator. Great! Nice and easy! Hmm, but is there a chance that the generator might fail as well? Possibly; this would fall under the residual risk category. And we must remember Lisa wants no risk left!
So Lisa now adds a second generator just in case. But has that actually removed that residual risk? Not really. While the odds might be getting smaller, there is still the possibility that both generators could fail at the same time.
Lisa is so focused on getting rid of ALL risk that she kind of goes overboard and before you know it there are 20 generators lined up beside the cool room.
Has this removed all the risk? No, it has lowered the odds considerably but the chance of all generators failing at once is still there.
Is it practical? I would say no, having to find space for and maintain all that equipment is a strain on Lisa’s resources that really isn’t necessary!
How about we forget about getting rid of all risk and look at a more practical risk management strategy?
So we have a cool room where our identified risk is loss of power; I am going to add breakdowns in there as well.
Starting with the breakdown possibility, creating a regular testing and maintenance schedule, conducted by a qualified professional, will reduce the chance of the equipment failing and help it to operate better.
Now the power loss: yes, a back-up generator is a good idea, but you would probably be OK with just one. Doing a little research, such as how often your area has lost power in the last few years and how long each outage lasted, can help with this decision. If you have only had one outage in the past three years that lasted for about 10 minutes, you can be fairly confident that it can be considered a lower risk.
With your generator, again a testing and maintenance schedule is beneficial to make sure it will work when you need it.
So we have breakdowns covered and are a little more informed about the power supply issues in the area. Does that mean we have removed all risk?
Nope – Murphy’s Law: if it can go wrong, it will! We can never predict everything, and for those things we can’t, there is insurance! Should the worst happen and Lisa were to lose all her stock, or even the equipment, she has thought of that and managed the risk by having everything insured.
There you have it: we covered it all without having to buy 20 back-up generators. The thing to remember when conducting risk assessments and determining how you manage those risks is to understand that you will never remove all residual risk, and to ask yourself the following questions:
Do you feel you have covered all the current inherent risk?
Do you feel comfortable with the techniques you have used to manage the risks?
Do you feel comfortable with the remaining amount of residual risk?
Would your risk management plan stand up to external review? (For example, just because you are comfortable storing flammable chemicals in a cardboard box rather than a fire-resistant cabinet doesn’t mean that an auditor would agree with you!)
If you can answer yes to all of these, then you have the beginnings of a basic risk management policy. However, this policy should never be a write-and-forget exercise: circumstances constantly change, and as a result risk management should be reviewed on a regular basis.
The above article is not intended for use as standalone risk management advice. For an individual review of the audit and compliance requirements for your business please contact KLM Audit & Compliance (firstname.lastname@example.org)