What's preventable risks and how to effectively manage? (26-March-2015)
by 趙永祥 2015-03-28 07:15:06, Reply(0), Views(999)


Edward Chao

Governmental Counseling consultant, Small and Medium Enterprise Administration, Ministry of Economic Affairs, Taiwan. Top Contributor

According to my past experience, the first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face. Our field research shows that risks fall into one of three categories. Risk events from any category can be fatal to a company’s strategy and even to its survival.

Type I: Preventable risks.

These are what I call "internal risks": risks arising from within the organization that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes.

To be sure, companies should have a zone of tolerance for defects or errors that would not cause severe damage to the enterprise and for which achieving complete avoidance would be too costly. But in general, companies should seek to eliminate these risks since they get no strategic benefits from taking them on. A rogue trader or an employee bribing a local official may produce some short-term profits for the firm, but over time such actions will diminish the company’s value.
This risk type is best managed through active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms. Since considerable literature already exists on the rules-based compliance approach, we refer interested readers to the sidebar “Identifying and Managing Preventable Risks,” which has been widely discussed and is apparently best practice in most industries.


Dr. Chao
5-Feb.-2015

Comments

  • John Grubbs

    Student at Bowling Green State University

    It's interesting to think that there is this "preventable risk". In my experience, I've found risk to be only manageable, as there is risk in everything we do, especially when it comes to human nature.

  • Edward Chao

    Governmental Counseling consultant, Small and Medium Enterprise Administration, Ministry of Economic Affairs, Taiwan.

    Top Contributor

    Dear John Grubbs, 
    This risk type is what I call "internal risks": risks arising from within the organization that are controllable and ought to be eliminated or avoided. In addition, it is best managed through active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms.

    Thanks for your comments. 

    Dr. Chao

  • Mark Powell

    Consultant - Rescuer of Doomed Projects; Solver of Impossible Problems; Inspired by Sharing How to Do It All

    Edward, 

    I think the terminology you have chosen for native English speakers is a bit unfortunate. 

    I understand what you are saying, but the term "preventable" does not connote to native English speakers the definition you have assigned to it. 

    Mark Powell

  • Edward Chao

    Governmental Counseling consultant, Small and Medium Enterprise Administration, Ministry of Economic Affairs, Taiwan.

    Top Contributor

    Dear Mark Powell, 
    Thanks for your response. 
    This terminology is perhaps not suitable for native English speakers; it's another definition concerning the "internal risks" which arise from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes.
    Perhaps you can give me better suggestions concerning this terminology.

    Best regards. 

    Dr. Chao

  • Mark Powell

    Consultant - Rescuer of Doomed Projects; Solver of Impossible Problems; Inspired by Sharing How to Do It All

    Edward, 

    To me, your term "internal risks" seems to capture what you have described so far quite well. 

    All of your examples are what I would naturally think of as a company's internal risks. 

    Mark Powell

  • Sherif Dawood, MBCI, MBA, ITILv3, M.Sc.

    Manager - Enterprise Risk Management, Strategy Management and Planning Department, VIVA Bahrain, STC Group

    Second Mark's opinion 
    We can have preventive controls as part of the control structure for managing certain risk, but we can never guarantee the prevention of the risk. If there is a risk, there will always be a residual risk till the risk becomes irrelevant.

  • William Thorlay

    Senior Consultant for Engineering and Reliability

    Dr. Chao, 
    I think your definition of "internal risks" is well understood. On the other hand, I have to agree with Mr. Grubbs when he says that risk is something inherent to everything we do. As far as human behaviour is concerned, human reliability is becoming more and more applied within organizations worldwide.

  • Stephen McManus

    Owner, i Lead Projects, L.L.C.

    When discussing risks, whether internal or external, the use of "preventable" would equate to avoiding the risk... this means the risk probability and/or the impact must go to zero.

    In practice, it is often almost impossible to prevent risks from occurring or having an impact if they do occur without having a significant trade-off on one of the other constraints or objectives a project is trying to meet. So in practice there should be two questions regarding a significant risk and the desire to "prevent" the risk.

    1st - Is it more important to do the project or not experience the risk?
    2nd - If a prevent or avoid response is put in place, is the cost or benefit worth the trade-off of project objectives not being fully met?

    Finally, in practice we most often have to determine how much is the project willing to invest in reducing a risk or increasing an opportunity and still leave on the table residual risk... what is the risk appetite of the key stakeholders.

  • Edward Chao

    Governmental Counseling consultant, Small and Medium Enterprise Administration, Ministry of Economic Affairs, Taiwan.

    Top Contributor

    Dear Stephen McManus, 

    Regarding what you have indicated, that "in practice we most often have to determine how much is the project willing to invest in reducing a risk or increasing an opportunity and still leave on the table residual risk", I agree with your viewpoints.
    The decision-makers have the responsibility to analyze the key points of whether the cost or benefit is worth the trade-off of project objectives not being fully met.

    According to my past experience, the first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face.

    Finally, you have to determine how much the project is willing to invest in reducing a risk or increasing an opportunity and still leave residual risk on the table.

    Thanks for your comments. 

    Dr. Chao 
    10-Feb.-2015

  • Michael Allocco, PE, CSP

    System Safety SME

    MOST RISKS ARE PREVENTABLE GIVEN…. 
    The understanding of a (system) accident life cycle: 
    • Implement safety axioms to assure that risks are identified, eliminated or controlled to acceptable levels; 
    • Apply proactive, predictive, and reactive methods to understand hazards and associated risks; 
    • Consider how an adverse propagation can start? A poor decision associated with the system (integrated human, machine and environment); 
    • The decision results in a latent, dormant, hidden (hazards) situation; 
    • The hidden situation is triggered by a condition or situation (other hazards); 
    • Adverse sequences can be complex to simple; 
    • The elements of the system support the adverse progression(s): conditions and/or actions; 
    • The adverse process may progress unless detected, or progression continues and harm may result; 
    • If causality or contingency action is unsuccessful additional harm can result; 
    • Eventually the system needs to be brought back to a stable state.

  • Edward Chao

    Governmental Counseling consultant, Small and Medium Enterprise Administration, Ministry of Economic Affairs, Taiwan.

    Top Contributor

    Dear Michael Allocco, 
    The statements you have pointed out make sense, and thanks for your sincere reply.

    Dr. Chao

  • Pierre Lommerse

    High-level business analytics professional with a focus on risk management, compliance and governance

    Dear Edward, 

    I tend to say risk is the only certainty in your life; the difference is how you cope with it. Another thought is that doing business is consciously taking risk.
    When we discuss the risk factor we have to keep in mind it is not risk management but overall management; think of the loop: identify, assess, accept/not accept, control. So when we discuss the “internal risks” we have to be aware of them. My experience is that one of the biggest risks is motivation, being proud to be part of the organization, etc.

  • Edward Chao

    Governmental Counseling consultant, Small and Medium Enterprise Administration, Ministry of Economic Affairs, Taiwan.

    Top Contributor

    Dear Pierre Lommerse, 
    I very much appreciate your reply. According to my past experience, the first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face. Finally, you have to determine how much the project is willing to invest in reducing a risk; how to avoid and manage it is an important issue to take into consideration. Thanks for your comments again.

    Dr. Chao

  • John Mallino

    Sr. System Safety Engineer at BAE Systems

    Preventable risks are risks that can be engineered out of the design. With that said, if asked which specific risks are preventable, I would say the OSHA top ten most cited violations. No excuse for these risks to be active at your job site.
    http://www.safetyandhealthmagazine.com/articles/11136-osha-announces-top-10-most-cited-violations-for-2014

  • David Brady

    President, DBrady Risk Associates

    John M got it right. The only way to make a risk preventable is to eliminate it altogether, either removing it by re-engineering or changing the process if possible, e.g. if the risk is flying then drive or take the train. Although remember that eliminating a risk may introduce a secondary risk.

  • John O'Sullivan

    Director, Strategic Asset Engineering Pty Ltd. Available from 2Feb15.

    Edward, 
    Glad to see your comments have brought up numerous valid replies. In my experience these 'internal risks', while being largely preventable or able to be mitigated (or at least should be so) can also be very insidious because many of them can arise from the company 'culture'. But when a company's 'culture' is flawed identifying and mitigating those risks can be a daunting task because people may not even realise the risk exists, let alone where it stems from - 'it's how we do business'. In these companies (read 'large organisations') those people in positions of authority have generally reached those positions because they understand how to 'work the system' and that knowledge and understanding becomes their power base. When you start to identify and address those internal risks be prepared for some potentially serious pushbacks because someone's power base is suddenly being threatened. 
    Interested to see if anyone else shares these views. 
    John

  • Edward Chao

    Governmental Counseling consultant, Small and Medium Enterprise Administration, Ministry of Economic Affairs, Taiwan.

    Top Contributor

    Dear John O'Sullivan, 
    First, I very much appreciate your reply.

    Secondly, according to your past experience, as you said in your comments, 'internal risks', while being largely preventable or able to be mitigated (or at least should be so) can also be very insidious because many of them can arise from the company 'culture'. But when a company's 'culture' is flawed, identifying and mitigating those risks can be a daunting task because people may not even realise the risk exists.
    In fact, the culture seems to be an important factor in 'internal risks', which can also be very insidious because many of them can arise from the company 'culture'.

    Thirdly, when we discuss the risk factor we have to keep in mind it is not risk management but overall management; think of the loop: identify, assess, accept/not accept, control. So when we discuss the “internal risks” we have to be aware of them. Finally, you have to determine how much the project is willing to invest in reducing a risk; how to avoid and manage it is an important issue to take into consideration.

    Finally, I very much appreciate your professional comments.

    Sincerely, 
    Edward

  • John O'Sullivan

    Director, Strategic Asset Engineering Pty Ltd. Available from 2Feb15.

    Thanks Edward, 

    From a Quality point of view the causes of these types of risks (ie variations in output) would usually be termed 'common causes'. Any unexpected, uncontrolled or unauthorised variation in output results in risk. The only way to fix them is by fundamentally changing the 'system' or, in some situations, the system's implementation. Common causes arise when 'everyone is doing it'.

    John

  • Edward Chao

    Governmental Counseling consultant, Small and Medium Enterprise Administration, Ministry of Economic Affairs, Taiwan.

    Top Contributor

    Dear John O'Sullivan, 
    I very much appreciate your comments.
    I agree with your viewpoints: the better way to fix 'internal risks' is by fundamentally changing the 'system' or, in some situations, the system's implementation.
    You provide another solution to fix the 'internal risks'.

    Sincerely, 
    Edward

  • James Andrae

    Risk Management Specialist

    Edward 
    I agree with your comments in general, and yes the examples you identified are internal and "preventable" through a variety of actions. (there is no sure fire mitigation for rogue trading). 
    In Australia we have taken the risk management of physical injury to a new level. I worked for a company that went into the Guinness book of records when it achieved a million hours without any injuries. Preventable risks that have direct impact on the bottom line and lives. 
    While nothing is perfect and some solutions do open the door to other risks, it is none the less the most important exercise and question for a risk manager to undertake. This is the heart of the process to determine Board risk appetite declarations, Risk Policies, Corporate structures etc, etc... 
    I prefer to approach an organisation as a blank sheet, identify risks and put them in 3 columns and then spend some time analysing what is the understanding of each risk by the relevant staff. I'm sure you are doing this process since you started at the same point I did.
    The bottom line is the identification of the universe of risks I have to have, I want to have, and I don't want to have. Then devise a strategy to address these. 
    Of course it is a very involved process and you need to move through at least 3 to 6 iterations to ensure no new risks are accidentally introduced and what residual risks remain and so on.
    If done right, the rewards are astronomical, and most importantly it sets the culture. Everyone has to get on board and risk management is embedded in the hearts and minds just through the exercise. 
    Qualitative benefits are numerous, least of all, the insights gained. 
    I once worked for a company that wanted to address 1 preventable risk. 
    The cash flow risk. They wanted greater certainty of revenue. In attempting to mitigate this risk, it created new risks, some of which were an even higher order of risk. But once we went through the process and mapped it out down to the most minute issues stressed in 6 different ways, the CEO was so impressed this strategic thinking became the norm for every action undertaken. You cannot ask for a better culture.
    Happy to provide further details in private if you want to contact me.

  • Edward Chao

    Governmental Counseling consultant, Small and Medium Enterprise Administration, Ministry of Economic Affairs, Taiwan.

    Top Contributor

    Dear James Andrae, 

    I very much appreciate your professional comments about the topic: "What's preventable risks and how to effectively manage?". According to your viewpoints, the bottom line is the identification of the universe of risks I have to have, I want to have, and I don't want to have. Then devise a strategy to address these. I agree with your viewpoints stated. Your past experiences in two companies gave me some hints in solving preventable risk. You are an expert in facing risks, therefore you know how to solve them in a better way. According to my past experience, the first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face.

    To be sure, companies should have a zone of tolerance for defects or errors that would not cause severe damage to the enterprise and for which achieving complete avoidance would be too costly. In addition, companies should in general seek to eliminate these risks since they get no strategic benefits from taking them on. A rogue trader or an employee bribing a local official may produce some short-term profits for the firm, but over time such actions will diminish the company’s value. Finally, you have to determine how much the project is willing to invest in reducing a risk; how to avoid and manage it is an important issue to take into consideration.

    Happy to receive your comments and, if possible, we can discuss more details on risk management in private if you don't mind.

    Best regards. 

    Edward

  • John O'Sullivan

    Director, Strategic Asset Engineering Pty Ltd. Available from 2Feb15.

    Edward, 
    I believe one principle is worth always remembering when dealing with risk, regardless of the type, source or severity of that risk, and that is:
    Regardless of what business you THINK you are in, you are in the PEOPLE business. 
    Cheers, 
    John

  • Edward Chao

    Governmental Counseling consultant, Small and Medium Enterprise Administration, Ministry of Economic Affairs, Taiwan.

    Top Contributor

    Dear John, 
    Thanks for your reply. 
    You have mentioned that when dealing with risk, "Regardless of what business you THINK you are in, you are in the PEOPLE business." It is useful to me in how to treat risks that happen in the future.

    In my experience running project management, I usually think that risk management can include the following activities:
    1. Planning how risk will be managed in the particular project. Plans should include risk management tasks, responsibilities, activities and budget.
    2. Assigning a risk officer – a team member other than a project manager who is responsible for foreseeing potential project problems. A typical characteristic of a risk officer is a healthy skepticism.
    3. Maintaining a live project risk database. Each risk should have the following attributes: opening date, title, short description, probability and importance. Optionally a risk may have an assigned person responsible for its resolution and a date by which the risk must be resolved.
    4. Creating an anonymous risk reporting channel. Each team member should have the possibility to report risks that he/she foresees in the project.

    Very thankful for your comments again. 

    Best regards. 

    Edward

  • Edward Chao

    Governmental Counseling consultant, Small and Medium Enterprise Administration, Ministry of Economic Affairs, Taiwan.

    Top Contributor

    There are two questions regarding a significant risk and the desire to "prevent" the risk. 
    The first question that has to be considered is "Is it more important to do the project or not experience the risk?"; the second is "if a prevent or avoid response is put in place, is the cost or benefit worth the trade-off of project objectives not being fully met." (Cited from Stephen McManus) I think that it's necessary for us to think about the process of how to prevent the coming risk and the best solution.

    As I suggested in the former comments: 'Maintaining live project risk database.'
    In fact, each risk should have the following attributes: opening date, title, short description, probability and importance. Optionally a risk may have an assigned person responsible for its resolution and a date by which the risk must be resolved. 

    Edward.
