What are preventable risks and how to effectively manage them?
According to my past experience, the first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face. Our field research shows that risks fall into one of three categories. Risk events from any category can be fatal to a company’s strategy and even to its survival.
Type I: Preventable risks.
These are what I call "internal risks": risks arising from within the organization that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes.
To be sure, companies should have a zone of tolerance for defects or errors that would not cause severe damage to the enterprise and for which achieving complete avoidance would be too costly. But in general, companies should seek to eliminate these risks since they get no strategic benefits from taking them on. A rogue trader or an employee bribing a local official may produce some short-term profits for the firm, but over time such actions will diminish the company’s value.
This risk type is best managed through active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms. Since considerable literature already exists on the rules-based compliance approach, we refer interested readers to the sidebar “Identifying and Managing Preventable Risks”, which has been popularly discussed and is apparently best practiced in most industries.
Dr. Chao
5-Feb.-2015
by 趙永祥 2015-09-18 22:34:13, replies (0), views (889)
John Grubbs
It's interesting to think that there is this "preventable risk". In my experience, I've found risk to be only manageable as there is risk in everything we do, especially when it comes to human nature.
Edward Chao
Dear John Grubbs,
This risk type is what I call "internal risks": risks arising from within the organization that are controllable and ought to be eliminated or avoided. In addition, it is best managed through active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms.
Thanks for your comments.
Dr. Chao
Mark Powell
Edward,
I think the terminology you have chosen for native English speakers is a bit unfortunate.
I understand what you are saying, but the term "preventable" does not connote to native English speakers the definition you have assigned to it.
Mark Powell
Edward Chao
Dear Mark Powell,
Thanks for your response.
This terminology is perhaps not suitable for native English speakers; it's another definition concerning the "internal risks" which arise from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes.
Perhaps you can give me better suggestions concerning this terminology.
Best regards.
Dr. Chao
Mark Powell
Edward,
To me, your term "internal risks" seems to capture what you have described so far quite well.
All of your examples are what I would naturally think of as a company's internal risks.
Mark Powell
Sherif Dawood, MBCI, MBA, ITILv3, M.Sc.
Second Mark's opinion
We can have preventive controls as part of the control structure for managing certain risks, but we can never guarantee the prevention of the risk. If there is a risk, there will always be a residual risk till the risk becomes irrelevant.
William Thorlay
Dr. Chao,
I think your definition of "internal risks" is well understood. On the other hand, I have to agree with Mr. Grubbs when he says that risk is something inherent to everything we do. As far as human behaviour is concerned, human reliability is becoming more and more applied within organizations worldwide.
Stephen McManus
When discussing risks, whether internal or external, the use of "preventable" would equate to avoiding the risk... this means the risk probability and/or the impact must go to zero.
In practice, it is often almost impossible to prevent risks from occurring or having an impact if they do occur without having a significant trade-off on one of the other constraints or objectives a project is trying to meet. So in practice there should be two questions regarding a significant risk and the desire to "prevent" the risk.
* Is it more important to do the project or not experience the risk?
* If a prevent or avoid response is put in place, is the cost or benefit worth the trade-off of project objectives not being fully met?
Finally, in practice we most often have to determine how much is the project willing to invest in reducing a risk or increasing an opportunity and still leave on the table residual risk... what is the risk appetite of the key stakeholders.
Edward Chao
Dear Stephen McManus,
You have indicated that "in practice we most often have to determine how much is the project willing to invest in reducing a risk or increasing an opportunity and still leave on the table residual risk", and I agree with your viewpoints.
The decision-makers have the responsibility to analyze the key points of whether the cost or benefit is worth the trade-off of project objectives not being fully met.
According to my past experience, the first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face.
Finally, you have to determine how much the project is willing to invest in reducing a risk or increasing an opportunity and still leave on the table residual risk.
Thanks for your comments.
Dr. Chao
10-Feb.-2015
Michael Allocco, PE, CSP
MOST RISKS ARE PREVENTABLE GIVEN….
The understanding of a (system) accident life cycle:
• Implement safety axioms to assure that risks are identified, eliminated or controlled to acceptable levels;
• Apply proactive, predictive, and reactive methods to understand hazards and associated risks;
• Consider how an adverse propagation can start? A poor decision associated with the system (integrated human, machine and environment);
• The decision results in a latent, dormant, hidden (hazards) situation;
• The hidden situation is triggered by a condition or situation (other hazards);
• Adverse sequences can be complex to simple;
• The elements of the system support the adverse progression(s): conditions and/or actions;
• The adverse process may progress unless detected, or progression continues and harm may result;
• If causality or contingency action is unsuccessful additional harm can result;
• Eventually the system needs to be brought back to a stable state.
Edward Chao
Dear Michael Allocco,
The statements you have pointed out make sense, and thanks for your reply with sincerity.
Dr. Chao
Pierre Lommerse
Dear Edward,
I tend to say risk is the only certainty in your life; the difference is how you cope with it. Another thought is that doing business is consciously taking risk.
When we discuss the risk factor we have to keep in mind it is not risk management but overall management; think of the loop identify, assess, accept/not accept, control. So when we discuss the “internal risks” we have to be aware of them. My experience is that one of the biggest risks is motivation, being proud to be part of the organization etc.
Edward Chao
Dear Pierre Lommerse,
I very much appreciate your reply. According to my past experience, the first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face. Finally, you have to determine how much the project is willing to invest in reducing a risk; how to avoid and manage it is an important issue to take into consideration. Thanks for your comments again.
Dr. Chao
John Mallino
Preventable risks are risks that can be engineered out of the design. With that said, if asked which specific risks are preventable, I would say the OSHA top ten most cited violations. No excuse for these risks to be active at your job site.
http://www.safetyandhealthmagazine.com/articles/11136-osha-announces-top-10-most-cited-violations-for-2014
David Brady
John M got it right. The only way to make a risk preventable is to eliminate it altogether, either removing it by re-engineering or changing the process if possible, e.g. if the risk is flying then drive or take the train. Although remember that eliminating a risk may introduce a secondary risk.
John O'Sullivan MIEAust CPEng
Edward,
Glad to see your comments have brought up numerous valid replies. In my experience these 'internal risks', while being largely preventable or able to be mitigated (or at least should be so) can also be very insidious because many of them can arise from the company 'culture'. But when a company's 'culture' is flawed identifying and mitigating those risks can be a daunting task because people may not even realise the risk exists, let alone where it stems from - 'it's how we do business'. In these companies (read 'large organisations') those people in positions of authority have generally reached those positions because they understand how to 'work the system' and that knowledge and understanding becomes their power base. When you start to identify and address those internal risks be prepared for some potentially serious pushbacks because someone's power base is suddenly being threatened.
Interested to see if anyone else shares these views.
John
Edward Chao
Dear John O'Sullivan,
First, I very much appreciate your reply.
Secondly, according to your past experience as described in your comments, 'internal risks', while being largely preventable or able to be mitigated (or at least should be so), can also be very insidious because many of them can arise from the company 'culture'. But when a company's 'culture' is flawed, identifying and mitigating those risks can be a daunting task because people may not even realise the risk exists.
In fact, the culture seems to play an important role in 'internal risks', which can also be very insidious because many of them can arise from the company 'culture'.
Thirdly, when we discuss the risk factor we have to keep in mind it is not risk management but overall management; think of the loop identify, assess, accept/not accept, control. So when we discuss the “internal risks” we have to be aware of them. Finally, you have to determine how much the project is willing to invest in reducing a risk; how to avoid and manage it is an important issue to take into consideration.
Finally, I very much appreciate your professional comments.
Sincerely,
Edward
John O'Sullivan MIEAust CPEng
Thanks Edward,
From a Quality point of view the causes of these types of risks (i.e. variations in output) would usually be termed 'common causes'. Any unexpected, uncontrolled or unauthorised variation in output results in risk. The only way to fix them is by fundamentally changing the 'system' or, in some situations, the system's implementation. Common causes arise when 'everyone is doing it'.
John
Edward Chao
Dear John O'Sullivan,
I very much appreciate your comments.
I agree with your viewpoints; the better way to fix 'internal risks' is by fundamentally changing the 'system' or, in some situations, the system's implementation.
You provide another solution to fix the 'internal risks'.
Sincerely,
Edward
James Andrae
Edward
I agree with your comments in general, and yes the examples you identified are internal and "preventable" through a variety of actions. (There is no sure-fire mitigation for rogue trading.)
In Australia we have taken the risk management of physical injury to a new level. I worked for a company that went into the Guinness book of records when it achieved a million hours without any injuries. Preventable risks that have direct impact on the bottom line and lives.
While nothing is perfect and some solutions do open the door to other risks, it is none the less the most important exercise and question for a risk manager to undertake. This is the heart of the process to determine Board risk appetite declarations, Risk Policies, Corporate structures etc, etc...
I prefer to approach an organisation as a blank sheet, identify risks and put them in 3 columns and then spend some time analysing what is the understanding of each risk by the relevant staff. I'm sure you are doing this process since you started at the same point I did.
The bottom line is the identification of the universe of risks I have to have, I want to have, and I don't want to have. Then devise a strategy to address these.
Of course it is a very involved process and you need to move at least 3 to 6 iterations to ensure no new risks are accidentally introduced and what residual risks remain and so on.
If done right, the rewards are astronomical, and most importantly it sets the culture. Everyone has to get on board and risk management is embedded in the hearts and minds just through the exercise.
Qualitative benefits are numerous, least of all, the insights gained.
I once worked for a company that wanted to address 1 preventable risk.
The cash flow risk. They wanted greater certainty of revenue. In attempting to mitigate this risk, it created new risks, some of which were an even higher order of risk. But once we went through the process and mapped it out down to the most minute issues stressed in 6 different ways, the CEO was so impressed this strategic thinking became the norm for every action undertaken. You cannot ask for a better culture.
Happy to provide further details in private if you want to contact me.
Edward Chao
Dear James Andrae,
I very much appreciate your professional comments about the topic: "What's preventable risks and how to effectively manage?". According to your viewpoints, the bottom line is the identification of the universe of risks I have to have, I want to have, and I don't want to have. Then devise a strategy to address these. I agree with your viewpoints stated. Your past experiences in two companies gave me some hints in solving preventable risk. You are an expert in facing risks, therefore you know how to solve them in a better way. According to my past experience, the first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face.
To be sure, companies should have a zone of tolerance for defects or errors that would not cause severe damage to the enterprise and for which achieving complete avoidance would be too costly. In addition, companies should seek to eliminate these risks since they get no strategic benefits from taking them on in general. A rogue trader or an employee bribing a local official may produce some short-term profits for the firm, but over time such actions will diminish the company’s value. Finally, you have to determine how much the project is willing to invest in reducing a risk; how to avoid and manage it is an important issue to take into consideration.
Happy to receive your comments and if possible, we can discuss more details on risk management in private if you don't mind.
Best regards.
Edward
John O'Sullivan MIEAust CPEng
Edward,
I believe one principle is worth always remembering when dealing with risk, regardless of the type, source or severity of that risk, and that is:
Regardless of what business you THINK you are in, you are in the PEOPLE business.
Cheers,
John
Edward Chao
Dear John,
Thanks for your reply.
You have mentioned that when dealing with risk, "Regardless of what business you THINK you are in, you are in the PEOPLE business." It is useful to me for how to treat risks that occur in the coming future.
In my experience running project management, I usually think that risk management can include the following activities:
* how risk will be managed in the particular project. Plans should include risk management tasks, responsibilities, activities and budget.
* a risk officer – a team member other than a project manager who is responsible for foreseeing potential project problems. Typical characteristic of risk officer is a healthy skepticism.
* live project risk database. Each risk should have the following attributes: opening date, title, short description, probability and importance. Optionally a risk may have an assigned person responsible for its resolution and a date by which the risk must be resolved.
* anonymous risk reporting channel. Each team member should have the possibility to report risks that he/she foresees in the project.
Very thankful for your comments again.
Best regards.
Edward
Edward Chao
There are two questions regarding a significant risk and the desire to "prevent" the risk.
The first question that has to be considered is "Is it more important to do the project or not experience the risk?", and the second is "if a prevent or avoid response is put in place, is the cost or benefit worth the trade-off of project objectives not being fully met." (cited from Stephen McManus). I think that it's necessary for us to think about the process of how to prevent the coming risk and the best solution.
As I suggested in the former comments, 'Maintaining live project risk database.'
In fact, each risk should have the following attributes: opening date, title, short description, probability and importance. Optionally a risk may have an assigned person responsible for its resolution and a date by which the risk must be resolved.
Edward.
Christopher Jeffrey
Several great comments attached here!!! A really good read... So I will add mine.... An essential point to risk management often understated is the risk appetite or tolerance levels for the company. These levels can dramatically change the overall scope and cost of projects! These levels often fluctuate based on the discipline they are within... IE... Safety to personnel, environment, financial or reputation. That is to say some companies will withstand higher risks in let's say a financial discipline as they would not withstand with regards to safety! A true understanding of risk encompasses all disciplines and the tangent way they ALL intersect...
Michael Allocco, PE, CSP
FOOD FOR THOUGHT…SYSTEM THINKING AND SYSTEM RISK…
Getting the big picture is helpful when assessing risk:
Considering system (RISKS) accidents people may not know how to connect the dots within complex systems, nor think inclusively, or holistically, nor comprehend dynamics, induction or deduction, nor understand expensive variables, interfaces and interactions.
A so-called “safe” system equates to the identification, elimination and control of safety-related (system) risks; throughout the life cycle of the system, and system accident. We should go about the effort of system-level hazard analysis and risk assessment, and validating and verifying the system risk controls.
System thinking will not be acquired from a theory, or book, or from formal schooling. System thinking is gained via experience during professional practice.
Unfortunately, many have a limited understanding of complexities within integrated systems comprised of hardware, software, firmware, the human and complex environment. One has to understand interfaces and interactions associated with complex systems. We cannot oversimplify thinking about failures, adverse events and functions. Not everything is stochastic (probabilistic). System analysis requires many forms of additional thinking: abstract, holistic, system, quantitative, objective, subjective, temporal (life cycle), and critical.
System thinking can be applied to an entity. A “system” is a source of abstraction. System axioms all equate to context. Experienced system risk analysts may be aware that it is all connected. There is flexibility, abstraction, and pliability in the concept of a system, system of systems, and families of systems. These entities are comprised of humans, machines, and the environment. In an oversimplification one must understand the interactions and interfaces of the defined system under consideration. Your system thinking abilities can be limited based upon the knowledge of applied system axioms.
Edward Chao
Dear Michael Allocco, Thanks for your comments. Getting the big picture is helpful when assessing risk, and in addition, how risk will be managed in the particular project. System thinking is gained via experience during professional practice. Simultaneously, as you have said, 'system analysis requires many forms of additional thinking: abstract, holistic, system, quantitative, objective, subjective, temporal (life cycle), and critical.' Good plans should include risk management tasks, responsibilities, activities and budget; if not, the plans have to take on the uncertainty and potential risk.
Thanks for your reply.
Edward