Risk management is a topic that keeps many of us awake at night. We are plagued by the question: how to do it? What will be the result of this work? How to manage risk for the auditor to accept it?
In spite of appearances, the answers to these questions are relatively simple and do not require much intellectual effort from us. Before I answer them, I will tell you how not to do it.
How not to manage risk!
As an auditor and advisor, I have visited many public offices where, among other things, I examined the risk management element. In many of them (fortunately not all) I was presented with bloated binders containing a risk analysis. Page after page listed every threat that might arise in the office or its vicinity, most of them trivial and caused by working with documents. The same pages also described the effects of these threats. Based on these descriptions the risks were assessed along with their consequences, and it always turned out that there were no threats.
Example 1:
Office in southern Poland, located in a large tourist center.
The office building is located in the center of the town and is made of wood.
The building is old and very, very dry.
The system of corridors, staircases and rooms creates an intricate labyrinth.
There were no trial evacuations in the building.
There is a shortage of firefighting equipment.
The risk analysis states:
hazard: possible fire
cause (susceptibility): non-compliance with fire regulations by employees
effects: fire put out in its infancy (confined to one room)
risk value estimated using the 3S method = 1 (minimal)
risk reduction measures: no need to take
Example 2:
An office in central Poland located in a large city.
The office is responsible for water management in the region.
The office building is located on the local medium-sized river that runs through the city center.
On this river, in its upper reaches, there is a dam that has already passed its glory years, and its technical condition leaves much to be desired (a breach is possible).
The counterpart of the Office from the neighboring region is responsible for the dam.
A breach of the dam will cause a violent flood wave on the river, 3-4 meters high, which will pass through the city center (several thousand people are in the immediate danger zone).
The height of the embankments on the river is 1 to 2 meters.
The risk analysis states:
hazard: the dam may breach and create a flood wave (without specifying the height).
cause (vulnerability): terrorist attack
consequences: evacuation of office staff to the designated assembly point, drainage of the building after the flood (not a word about the threat to the city’s residents)
risk value estimated using the 3S method = 9 (maximum)
risk reduction measures: a drill evacuating personnel to the assembly point once a year
The risk analysis made no mention of the inhabitants at risk of flooding in the region for which the Office is responsible!
In a private conversation, officials admitted to writing a letter (one letter) to the city’s steward saying that there was a possibility of flooding as a result of the dam breaking, and that was it.
Step 1: Recognition
What do we know about ourselves?
- annual revenue = PLN 10 million
- annual premium to insure the company against property damage = PLN 10,000
- no policy against financial and market losses
- we employ 100 people
- we work in two shifts
- we manufacture structures for special (civil) vehicles
- we have a warehouse of sections and sheet metal
- we have acetylene cylinders for welding
- trucks with deliveries enter our area
- we make projects according to our own ideas
What do we know about our surroundings?
- our company is located on the edge of the town (15 thousand inhabitants)
- there is a gas station nearby
- we are surrounded by a forest
- a small river and a busy expressway run near us
- there is a plant nearby with a large chlorine tank
Second, in risk management we accept every possibility!
When we estimate the value and probability of threats, the unlikely ones will drop out on their own (yes, we may assume that a meteorite will hit us).
“Is it worth worrying about an asteroid being the cause of our death? According to the American National Safety Council, a non-profit organization dealing with the protection of life and health, the chance for it is 1 to almost 75 million” – source:
Step 2: What can go wrong?
Technical name: identification of threats to the organization’s assets.
In practice, we must define what may threaten our work, our company or ourselves. We need to answer a simple question: what can go wrong? It is good to describe the effects immediately.
Example: threats from the environment (in one drastic example)
There is a gas station next to our company. A small fire may break out at the station (the building and fuel spilled from the dispensers catch fire), or a large one, in which the gasoline tanks burn and explode, then the diesel tanks burn, and finally the gas tank explodes (low chance, but possible). Threats:
- a small fire at the gas station (the building and the fuel spilled from the dispensers catch fire) – the consequence is a burnt fence of our company
- a large fire at the gas station (gasoline tanks burn and explode, then diesel tanks burn and the gas tank explodes) – the result is the need to evacuate all personnel and vehicles, and the entire company will burn down. If the people cannot be evacuated in time, they will die in the fire.
Step 3: What can we lose?
Technical name: identification of the effects of the hazard.
We assess what we will lose when a threat occurs and determine the losses. There may always be several scenarios, but it is most sensible to choose the pessimistic (extremely pessimistic) one. Then we will be prepared for all the rest.
We already have the effects described above, so I will restate them; we only have to add the value of the losses:
- a small fire at the gas station – the consequence is a burnt fence of our company – losses:
  - 1 shift of downtime = annual revenue / (365 * 2), i.e.:
    - PLN 10 million / (365 * 2) = PLN 13,698.63
  - repair of the fence, with compensation covering 100% of the loss, i.e.:
    - PLN 0
  - increase of the insurance premium due to the claim, by 10%, i.e.:
    - PLN 1,000
  - total loss = PLN 14,698.63
- a large fire at the gas station – the result is the need to evacuate all personnel and vehicles, the entire company will burn down, and if people fail to evacuate in time they will die in the fire (5% of the crew) – losses:
  - destroyed plant – company downtime for a period of 1 year = annual revenue + penalties resulting from contracts with customers + loss of the market (annual revenue), i.e.:
    - PLN 10 million + PLN 2.5 million + PLN 10 million = PLN 22.5 million
  - death of 5 employees = cost of recruiting new employees (5% of revenue) + loss of reputation as a safe workplace (increase in labor costs by 5% due to employee pressure) + loss of knowledge (know-how) if they were e.g. chief engineers (30% of annual revenue), i.e.:
    - PLN 0.5 million + PLN 0.5 million + PLN 0.5 million + PLN 3 million = PLN 4.5 million
  - total loss = PLN 27 million
I did not include the actual reconstruction of the plant in the losses, as this is covered by the insurance.
This is starting to look bad!
Step 4: Is it possible?
Technical name: risk value estimation
Using a methodology that guarantees reproducible results, we calculate the risk value. If the value exceeds the adopted limit, we assume that we need to prepare for this event. We can use the IKMJ methodology, which uses three parameters:
Effects and their severity (S), where:
- many fatalities or losses exceeding PLN 10 million: S = 100 points
- several fatalities or losses in the range of PLN 1-10 million: S = 40 points
- …
- no casualties or losses up to PLN 1,000: S = 0.1 points
Hazard exposure (E), where:
- permanent exposure = 10 points
- exposure up to 8 hours a day = 6 points
- etc.
Probability of the event occurring in time (P), where:
- will occur within a week = 10 points
- will occur within a month = 6 points
- …
- will occur within 10 years = 0.2 points
- will occur within 100 years = 0.1 points
We calculate the probability of an event on the basis of historical events in our neighborhood (cities, commune, district, voivodship, country).
- a small fire occurs in the country several times a year
- a large fire occurs in the country every 10 years
These parameters are used to calculate the risk value [R] from the formula: R = P · E · S
We calculate:
small fire at the gas station: 0.1 (S) * 10 (E) * 0.2 (P) = 0.2 (R)
large fire: 100 (S) * 10 (E) * 0.2 (P) = 200 (R)
Now we look at the methodology and see if we need to deal with the topic:
- Negligible risk, below 1.5 points – no action needs to be taken; the risk does not even need to be monitored.
- Acceptable risk, 1.5-20 points – preventive measures are not necessary; it is advisable to observe the indicator.
- Low risk, 20-70 points – the indicator must be monitored so that action can be taken when it grows.
- Average risk, 70-200 points – corrective actions must be taken.
- Serious risk, 200-400 points – immediate corrective action is required.
- Unacceptable risk, above 400 points – work cannot be resumed or continued until effective corrective action has been taken.
It follows that:
- a small fire at the gas station, R = 0.2, is a negligible risk – we do not have to do anything
- a large fire at the gas station, R = 200, is a serious risk – immediate corrective action is necessary (we must prepare ourselves).
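As an added worked example (not code from the original article), the two gas-station scenarios run through the Step 3 loss model and the Step 4 formula R = P · E · S with the band thresholds given above; the S, E and P points and the PLN 4.5 million personnel figure are taken exactly as the article states them, and the band lower bounds are assumed inclusive so that R = 200 lands in "serious" as the article concludes.

```python
"""Added worked example, not code from the original article: the Step 3 loss
model and the Step 4 score R = P * E * S with the band thresholds quoted in
the methodology section, run on the article's two gas-station scenarios."""

ANNUAL_REVENUE_PLN = 10_000_000   # from "What do we know about ourselves?"
ANNUAL_PREMIUM_PLN = 10_000       # property-damage insurance premium
SHIFTS_PER_YEAR = 365 * 2         # the plant works two shifts a day

# Assumption: the lower bound of each band is inclusive, so R = 200 is "serious".
RISK_BANDS = [(1.5, "negligible"), (20, "acceptable"), (70, "low"),
              (200, "average"), (400, "serious")]

def risk_value(s: float, e: float, p: float) -> float:
    """R = P * E * S, rounded to keep float noise out of band comparisons."""
    return round(p * e * s, 4)

def risk_band(r: float) -> str:
    for upper, label in RISK_BANDS:
        if r < upper:
            return label
    return "unacceptable"

def shift_downtime_loss(shifts: int = 1) -> float:
    """Lost production: annual revenue / (365 * 2) per shift."""
    return round(ANNUAL_REVENUE_PLN / SHIFTS_PER_YEAR * shifts, 2)

def small_fire_loss() -> float:
    """Burnt fence: 1 shift downtime + repair (fully insured, PLN 0)
    + 10% increase of the premium after the claim."""
    return round(shift_downtime_loss(1) + 0.0 + 0.10 * ANNUAL_PREMIUM_PLN, 2)

def large_fire_loss() -> float:
    """Plant destroyed: a year of revenue + contract penalties + loss of
    market, plus the article's PLN 4.5 million for 5 lost employees.
    Rebuilding the plant is left out because insurance covers it."""
    downtime, penalties, lost_market = ANNUAL_REVENUE_PLN, 2_500_000, ANNUAL_REVENUE_PLN
    lost_employees = 4_500_000
    return float(downtime + penalties + lost_market + lost_employees)

def assess(name: str, loss_fn, s: float, e: float, p: float) -> dict:
    r = risk_value(s, e, p)
    return {"scenario": name, "loss_pln": loss_fn(), "R": r, "band": risk_band(r)}

if __name__ == "__main__":
    # S, E and P points are the values the article assigns to each scenario.
    for row in (assess("small fire at gas station", small_fire_loss, 0.1, 10, 0.2),
                assess("large fire at gas station", large_fire_loss, 100, 10, 0.2)):
        print(f"{row['scenario']:<26} loss PLN {row['loss_pln']:>14,.2f} "
              f"R = {row['R']:<6} -> {row['band']}")
```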