In this day and age, Risk is the biggest buzzword in the compliance industry. We've talked about it, you can't go anywhere without hearing about it, and everyone's got a Risk-Based solution. I think the primary reason why we focus on Risk Assessment and Risk Management is because in business, we need to quantify our actions. We can no longer rely purely on "gut instinct" to act on events, whether in Quality, Financial, Social or similar areas. The world moves too fast, and one misstep can make or break you as a business. Risk provides the objective metric to help the decision-making process. But you need to know how to use risk.
How do you define Risk? It's not as easy as you may think. Companies spend plenty of time and money coming up with a scheme on how to calculate risk for their organization. Risk is defined as the "systematic application of policies, procedures, and practices to the tasks of analyzing, evaluating, and controlling risk". All this really means is that we put tools in place to help us look for risks, assess those risks, and then take action on the risk. The trick here is finding the risk, isn't it? How do we find the risk?
The components of risk usually manifest themselves in two forms: Hazards and Harms. Hazards represent the potential source of a harmful event (the cause). Harms are the resulting damages to products, persons or the environment (the effect). Risk is essentially cause and effect on a defined scale. It's the scale that most struggle with.
Usually, when trying to quantify hazards and harms, most organizations look at two metrics: Severity and Frequency (or likelihood). Often a third metric, Detectability, can be used, but we'll keep it "simple" with two. Taking these metrics into account, we can develop a scale with which to measure hazards and their harms. This can be numeric (a scale of 1-5), verbal (good to bad) or both. Below is a list of verbal and numeric scales.
If you were to graph these scales, you would come up with a numerical matrix, one that highlights the Risk "zones" by the product (or some other mathematical combination) of the numbers on the two axes, much like this one below:
You can see that we have a Low-risk or Generally Acceptable Risk zone, and a high-risk or Generally Unacceptable Risk zone, but what about the middle? There's a gray area of subjectivity here. How do companies determine this gray area?
This is not always an easy answer. Some companies have to weigh the costs versus the benefits on these risks, without creating a disproportionate cost to risk (Example: spending $1M to prevent a blister is disproportionate; spending $1M to prevent a fatality is proportionate). Companies will carefully vet these zones, and typically adopt a concept called ALARP (As Low As Reasonably Practicable). Simply put, this means that the risk is as low as we can reasonably get it, or it is "Tolerable" or "Undesirable", but it isn't critical or catastrophic. So then, with ALARP in place, you have a Risk Matrix:
Now you can go off and start using it, right? Well... you need to "vet the matrix": put it through real-world historical examples and see if the risk matrix comes up with the correct risk for those historical events. You may need to "tweak" the matrix based on the vetting process. Hard mathematics alone will not properly assess the risk without a little real-world honing. Once you've fine-tuned the matrix, you can start utilizing it in your Compliance system.
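The scale-build-vet procedure of the preceding paragraphs, as an added example that is not part of the original post: a 5x5 Severity x Frequency matrix with an ALARP middle band, plus a vetting step that replays historical events and reports where the matrix disagrees with the zone the risk team assigned. The verbal labels, zone thresholds and historical events are constructed assumptions for illustration.

```python
# Added example, not from the original post: Severity x Frequency matrix with
# an ALARP band and the "vet the matrix" step. Labels, thresholds and the
# historical events below are constructed assumptions.

SEVERITY = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Critical", 5: "Catastrophic"}
FREQUENCY = {1: "Improbable", 2: "Remote", 3: "Occasional", 4: "Probable", 5: "Frequent"}

# Score is the product of the two axes. Zone boundaries are assumptions;
# adjusting them is exactly what the vetting step is for.
ACCEPTABLE_MAX = 4   # 1..4  -> Generally Acceptable
ALARP_MAX = 12       # 5..12 -> ALARP (Tolerable / Undesirable); 13..25 -> Unacceptable

def score(severity: int, frequency: int) -> int:
    if severity not in SEVERITY or frequency not in FREQUENCY:
        raise ValueError("severity and frequency must be integers 1-5")
    return severity * frequency

def zone(severity: int, frequency: int,
         acceptable_max: int = ACCEPTABLE_MAX, alarp_max: int = ALARP_MAX) -> str:
    s = score(severity, frequency)
    if s <= acceptable_max:
        return "Generally Acceptable"
    if s <= alarp_max:
        return "ALARP"
    return "Generally Unacceptable"

def matrix(acceptable_max: int = ACCEPTABLE_MAX, alarp_max: int = ALARP_MAX) -> dict:
    """Full grid: matrix()[severity][frequency] -> zone name."""
    return {s: {f: zone(s, f, acceptable_max, alarp_max) for f in FREQUENCY} for s in SEVERITY}

# Constructed history: (event, severity, frequency, zone the risk team assigned).
HISTORY = [
    ("Label misprint caught at QC", 2, 4, "ALARP"),
    ("Lost-time injury on packaging line", 4, 2, "ALARP"),
    ("Customer data exposed by misconfigured share", 5, 3, "Generally Unacceptable"),
    ("Minor typo in internal memo", 1, 5, "Generally Acceptable"),
    ("Near-miss with a potential fatality", 5, 1, "ALARP"),
]

def vet(history=HISTORY, acceptable_max: int = ACCEPTABLE_MAX, alarp_max: int = ALARP_MAX) -> list:
    """Return (event, score, matrix_zone, historical_zone) for every disagreement.
    An empty list means the matrix reproduces the team's past judgements."""
    mismatches = []
    for event, sev, freq, expected in history:
        got = zone(sev, freq, acceptable_max, alarp_max)
        if got != expected:
            mismatches.append((event, score(sev, freq), got, expected))
    return mismatches
```

`vet()` flags the typo event (1 x 5 = 5 lands in ALARP), and raising `acceptable_max` to 5 clears it but drops the catastrophic-but-improbable near-miss (5 x 1 = 5) into Generally Acceptable instead. That symmetry of a pure product score is the kind of thing the vetting pass exists to catch.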
Risk assessments and Risk Matrices are wonderful tools to help guide decision-making in an organization. But they are not meant to be stand-alone tools. They help to provide a guide for risk assessment, using quantitative and repeatable metrics to ensure a consistent method of determining risk. Most best-in-class organizations will assemble a "risk team" to go over adverse events and determine the risk. It is up to the team to decide how an event will be handled, and what the true risk is. Risk Matrices are the keys to unlocking quantitative risk-based processes, but the people are the drivers of the system.