Open Sourcing Risk Management

Risk management is about managing uncertainty arising from a lack of knowledge about what will happen, or will not happen, in the future. Risk management is going through a paradigm shift with the broad application of the Australian/New Zealand Risk Management Standard (AS/NZ) 4360:2004. This tool moves risk management away from a central command and control approach in the hands of a few technical experts to allow personnel working at the coal face to establish their own operating context and self manage their own risk. A useful tool then for business, international agencies, and NGOs who move increasingly in a complex world where events can change swiftly and timely response can be hampered by institutional decision-making and communications.
Once risk management was the exclusive domain of actuarial science boffins housed in the great reinsurance centers of Munich, Zurich, New York, and London. Their perception of risk was quantified through tables of historical data that could tell you the probability of dying at 51 years was 1 percent, at 73 years it was10 percent, and 50 percent by age 97.
The effective use of data to underwrite life insurance, and predict the future, saw risk management spread to the Occupational Health and Safety sector, where its used to predict the likelihood of accidents and equipment failure. From there risk was picked up by government agencies to combat crime and drug smuggling. In mid 1990s, the Barings bank fiasco and Shell’s management of Brent Spar kicked-started risk compliance. Now, post-September 11th, risk management has become the mainstay of preventive security.
So risk management is everywhere, a natural response to a riskier world, or at least because communications and media have made the world more aware of the risk events out there like epidemics, terrorism and climate change. In determining the significance of such risks there is, as Paul Slovic Professor of Psychology at the University of Oregon points out, « a fine line between assessing risk analytically and assessing such risks emotionally. »
In the global village one of the impediments to assessing and managing the consequences of risk events is no international standard or ISO exists to appraise risk. Different cultures, whether national or workplace, have traditionally had differing perspectives to managing risk. Some cultures view risk incidents in fatalistic terms as « an act of God, » other cultures try to hide risks, because acknowledging risks may suggest a venture is unsafe or too risky. Others have created hierarchical systems which have a much higher « power distance ». Employees, in these circumstances, are reluctant to speak up for fear of being disrespectful, losing face and responsibilities to broader social networks.
One of the tools likely to be cornerstone for future risk management standardisation is the ASNZ 4360:2004 designed by Australian Standards. This framework allows risk management skills to be transferred to the operational level and permitting practitioners to adapt their risk treatment to local surrounds. Such a tailored approached ensures more cost-effective use of resources than an organisational « one size fits all » approach to risk management. More importantly from a work place culture perspective, local « ownership » of the risk management process means there is greater likelihood of compliance to procedures implemented.
Within the process practitioners can work systematically through the risk management process to identify and analyse risks; make cost effective decisions whether to treat risks (See Diagram 1.) and, as the framework is iterative, risk managers can continuously drill down till a specific risk concern is addressed.
One of the complementary benefits of a risk management tool is the creation of a knowledge management system, one that gives stakeholders through the collection of data over time, a greater understanding of their operating environment. This historical data is crucial to determine cost effective solutions to treat risks and mitigate consequences should a risk event occur. Significantly important in a burgeoning information economy data collected for risk management purposes can distil essential risks needing treatment that otherwise might have gone unheeded due to distractions arising from surrounding noise.
The knowledge management system facilitates the robustness of a risk management regime by facilitating the exchange of information via technical networks. Better communication within an organisation is likely to strengthen the monitoring and evaluation process and build capacity.
In short, implementing a risk management regime around AS/NZ 4360 is creating a cultural shift in risk management, allowing practitioners greater control to manage risks within their operating environment, with the added benefit of enhanced communication and knowledge of an organisation’s operations.
Robert Sadleir & C?dric Jolidon
Robert Sadleir is Director of Sadleir + Sadleir, a firm linking risk advisory services with knowledge management best practice to create sustainable risk management processes. C?dric Jolidon runs Sadleir + Sadleir’s operations in Geneva.