Think about the greatest risk you have encountered in the past five years. Maybe it was related to physical injury or serious sickness. It could be related to the mental health of a family member. Natural disasters or career changes are obvious ones. In fact, you can probably think of more than one great risk you have recently experienced.
Now, what is the definition of risk? In technical sessions and my workshops, well-educated business professionals struggle with the terminology. It usually takes two to three minutes for someone to arrive at their definition. The sad news is that there are about as many definitions as there are well-educated people in the room.
The standard definition of risk is the effect of uncertainty on objectives. It takes a while to say it three times fast, but if you are a risk professional you will get the hang of it. The trouble is that most people look at you as if you have three eyes when you tell them.
The good news is that the average person usually responds, "a loss." Occasionally. I get "a surprise." I like surprise because it stands up to the tedious debate that risk professionals have about whether risk can be positive or negative, or just negative (some argue that risks are potential losses and opportunities are potential gains).
Word games
For this demonstration, I snipped some of the text from ISO 31000 from a good article by Marco Nutini titled Practical Guide for ISO 31000:2018 Implementation – A Critique that I recently read. Take a read of the passages below and hold those impressions.
4. Risk management process
4.1 Introduction
A structured risk management process aims to align risk management with objectives and manage risk in an unbiased way. Although the basic steps of the process apply to any risk and any level of the organization, different risk assessment techniques can be used depending on the circumstances.
An important focus of risk management is on the creation of value for the organization and better decision making.
However, in many circumstances the risks are well known, and controls are in place. In such cases, the focus of risk management may be on ensuring the controls are appropriate, work effectively, and provide assurance that this is the case.
4.4 Defining risk criteria
Risk criteria are a set of rules or statements that enable consistent decision making throughout the organization.
An organization may state their goal for health and safety risks to be no incidents. Risk criteria compatible with this statement would clarify that risks are controlled so far as is reasonably practicable
Criteria used for comparing the relative significance of risks to different objectives can be based on the consideration of consequences and their likelihood.
2.5 Assigning roles and responsibilities
2.5.5 Risk owners
A risk owner is a person or an entity with the accountability and authority to manage risk. The organization’s culture and structure play a key part in determining the best model for assigning risk owners.
Risk owners are to have the appropriate level of decision-making authority to manage their assigned risks.
Risk ownership can be delegated through several levels of the organization. This assists in reducing the workload on top management as well as cultivating the thinking, behaviours and actions regarding risk and risk management throughout the organization.
Now this way
Let us demystify with a simple change of one word.
4. Surprise management process
4.1 Introduction
A structured surprise management process aims to align surprise management with objectives and manage surprises in an unbiased way. Although the basic steps of the process apply to any surprise and any level of the organization, different surprise assessment techniques can be used depending on the circumstances.
An important focus of surprise management is on the creation of value for the organization and better decision making.
However, in many circumstances the surprises are well known, and controls are in place. In such cases, the focus of surprise management may be on ensuring the controls are appropriate, work effectively, and provide assurance that this is the case.
4.4 Defining surprise criteria
Surprise criteria are a set of rules or statements that enable consistent decision making throughout the organization.
An organization may state their goal for health and safety surprises to be no incidents. Surprise criteria compatible with this statement would clarify that surprises are controlled so far as is reasonably practicable
Criteria used for comparing the relative significance of surprises to different objectives can be based on the consideration of consequences and their likelihood.
2.5 Assigning roles and responsibilities
2.5.5 Surprise owners
A surprise owner is a person or an entity with the accountability and authority to manage surprise. The organization’s culture and structure play a key part in determining the best model for assigning surprise owners.
Surprise owners are to have the appropriate level of decision-making authority to manage their assigned surprises.
Surprise ownership can be delegated through several levels of the organization. This assists in reducing the workload on top management as well as cultivating the thinking, behaviours and actions regarding surprise and surprise management throughout the organization.
More Operational
Which term, risk or surprise, makes the passage more understandable?
The terminology must be easily understood if risk management is to be more operational. The same holds true for Strategic Plans and other technical disciplines like resilience and reliability. That may be a little unfair to the reliability profession, where academics and analysts have a single long definition but do not fight the simplified term "uptime" to operationalize the concept by simplifying it.
Demystifying risk - making risk more operational - may, or may not, be the goal of the risk (a.k.a., surprise) management profession.
JD Solomon, Inc provides services at the nexus of facilities, infrastructure, and the environment. Contact us for more information on making reliability, risk, resilience, and asset management more operational for your organization.
Comments