Neil Cantle, Principal at Milliman, blogs on the value of risk registers and why we might need to reconsider how we use them in the future.

At the heart of many risk frameworks is the humble “risk register” – a list of potential future events that you think could cause problems for the organisation. These are things that “could” happen but might not. Members of the organisation are periodically prompted to go through a process of updating the list, checking that it is materially complete and that the assessments of likelihood and impact are appropriate. Registers will also normally contain information about the controls that are being applied to try to reduce the likelihood of the event occurring and/or the impact if it does. It all sounds rather sensible, doesn’t it? If a risk is in the register then that means we have thought about it and that we know at least some of the things we would do to reduce the negative effects it has on us. It makes us feel safer and more prepared.

Well, it is therefore very comforting that we have a national risk register. We note from the 2017 version that “The UK has been described as one of the pioneers in coordinated risk management for emergencies, because of the systematic way in which we assess the risks and use these assessments to help planning.” Very good news indeed. In fact, top of the 2017 risk register was “Pandemic influenza”. Great. However, it seems that this didn’t quite turn out to be the advantage one might have hoped for. Now, of course, one could be generous and point out that the pandemic we are currently experiencing is not influenza, but the more detailed description of the risk does include “new and emerging infectious diseases” so it seems reasonable to consider the current situation to be covered by it.

So, what went wrong? We had the risk on the register (at the top), plans were developed that should have acted to reduce the effect of the risk, and yet it seems as though the national response to the pandemic has not gone entirely smoothly, to say the least. To be fair, this is actually rather a common problem with risk registers: a lack of engagement coupled with a false sense of security.

Risk registers are a place to record things. They are not a good place to drive action. Staff fill them out because the risk function tells them to – the organisation generally goes about managing risk without looking at the register and views it as a reporting overhead. Someone in each team usually draws the short straw and has to go through the task periodically to keep the register up to date, ensuring that action plans to improve controls, etc. are being progressed on time and that the ratings remain appropriate. However, they represent quite a linear and simplified view of the risks and are very seldom consulted by anyone actually “doing” anything. When dealing with relatively simple risks, this approach works because they are amenable to being represented as simple events that happen, or don’t, and there is an assessable impact if they do. However, in the real world, risk events are more complicated – complex even. These risks in the real world, like pandemics, do not lend themselves to being nice simple risk register entries. The actual risk will not be exactly like the risk in the register and so people quickly have to adapt their plans and think on their feet. It will involve multiple strands, each interacting with the others. And centralised control does not work well at all stages of a complex risk’s evolution.

So, if risk registers are essentially a library, how do you do something more “active” – something which demands action? The short answer is: story-telling, with a question. Whereas a risk register files away what we do know about the risk, the story-telling asks us what we don’t know. This process has different names – you might call it emerging risk assessment or scenario testing – I call it modern risk management, because the reality of the modern environment is that nearly all risks live more in the complex, inter-connected world than they do in the nice, tidy, taxonomy-ridden library of the risk register.

The purpose of the story-telling is to engage everyone in an ongoing conversation about the risks you care about, i.e. the ones that most significantly impact your goals. For the pandemic, the risk generically represents a situation where significant numbers of lives are at risk and the economy cannot function. Other stimuli could lead to a similar outcome (war, national infrastructure shut-down, etc.), but a pandemic is one of the most likely causes. It is, however, more nuanced – cyber crime has increased, social unrest is rising, etc. – the risk is complex and not the same as the one on the national risk register in important ways.

Repeatedly telling stories about how this situation could arise and asking how previous plans would hold up forces active engagement with the questions: “Would we see this coming?” and “Are our plans good enough if it happens this way?” The emphasis couldn’t be more different compared to the classic risk register where you are simply asked to estimate the residual risk arising from the application of the plans you have thought of. This approach constantly demands that you do better. So, simply having a risk on the register is not sufficient – the people who need to “act” have to engage with it, contextualise it and constantly challenge their understanding of it. Using the register as a data source that can provide information about common themes, systemic issues, etc. to support the telling of engaging narratives will make it more worthwhile. The story-telling creates an ongoing conversation between the front line and the governing body with the question, “Could we do better?” driving it.

It seems likely that we will continue to live in interesting times for a while yet, so engaging the organisation in a more active learning cycle about risk and regularly critically challenging yourself about whether plans are good enough will help to improve resilience.