15 Frameworks: Examples


What follows are two examples of how to build a framework from the ground up.


Building a Complete Framework (1)

I promised to show you how all this fits together, but there is no single risk framework, so I’m going to give you two examples, starting with a very, very simple one.

So simple that I jokingly called it TWSRM – the World’s Simplest Risk Model.

First, we need categories and we are just going to use the examples I used earlier as these work for almost every circumstance.

  • Market / Financial
  • Statutory (regulatory) / political
  • Safety / security / health
  • Environment
  • Licence to operate / reputation
  • Infrastructure

Next we need our methodology. Because this is TWSRM, we are going to use a very simple definition for risk where risk is made up of two components: likelihood and impact.

Risk = likelihood x impact

Next, we use the simplest grading system we can, so we just rate each component ‘low’ or ‘high’.

For simplicity, we put all of this into a matrix and get the following

(You can see why I write and am not a graphic artist)

[Figure: 2 x 2 matrix of likelihood (low/high) against impact (low/high)]

This gives us an overall risk rating of ‘low’, ‘moderate’ or ‘high’.

Next, we can jazz it up a little with some color to make the results easier to understand.

So we now have a process for assessing a risk, rating it and differentiating between risks of different severity using the color codes.

Next, we add some simple metrics.

Now we also have a way to combine a number of risks to give us aggregate values or to compare individual risks by value.

Simple though this is, we now have our categories, methodology, and grading system.

So we can assess a series of individual risks, compare these or combine the results to get an overall total. And simple though this is, if you just add one more row and column and grade the components ‘low’, ‘moderate’ or ‘high’, you end up with a nine-box grid that’s used by companies all over the world.

However, although I love how simple this is, there’s a slightly different approach I prefer which we will look at in example two.

Building a Complete Framework (2)

At this point, you might be thinking “I thought you said this was KISS! Why make it more complicated?”

That’s a fair point so let me explain.

The three x three (sometimes five x five) matrix is fine, but it has limitations. The reason I think it persists is that it works really well on a whiteboard or flipchart. If we add anything more to the methodology, it gets harder to represent in 2D, or we have to cram more into each component, which gets messy.

So instead I prefer a methodology that has three components.

Let’s begin with the ISO definition of risk as “the effect of uncertainty on objectives”. We can dismantle this definition to identify three components that form the basis for an individual risk.  Let’s start breaking the definition down with uncertainty.  Uncertainty arises from not knowing what kind of events might affect the organization, when an event could occur, the magnitude of an event or how the event could affect the organization.  To help understand the overall risk, we need to understand the potential event and how vulnerable the organization is to that event.

Firstly, there is a causal event that has the potential to change objectives.

The importance of the event can be considered as a product of its potential magnitude and likelihood. For negative events, we would normally describe this as a threat, although the term hazard is sometimes used. Positive events can be described as opportunities.

The second component is vulnerability or exposure to the event, which can be physical, operational or regulatory proximity. This can be adjusted during the risk treatment phase to reduce vulnerability to negative events or to increase exposure to an opportunity.

Finally, the last element is the impact the event could have. This assumes that whatever other protections were in place have been ineffective in some way and that the full force of the event is experienced. Impacts can include physical, financial or reputational effects.

Combined together, these three elements give us an expression of risk. For example:

‘We have a significant risk from event x (threat) due to our physical proximity to the likely affected area (vulnerability) which could lead to the closure of our operations in the affected area (impact).’

If we sketch this out, we get the following

and we can also express this mathematically as

R = tvi (threat x vulnerability x impact)

We can then use a set of values similar to those from the ‘metrics’ section to describe and ascribe a value to each factor.

[Table: examples of risk ratings and corresponding descriptions]

This is the approach I prefer for assessment calculations. It provides us with a much more detailed understanding of what’s contributing to a risk which, in turn, gives us more options when it comes to designing mitigation and controls. And although it’s slightly more complicated than a two-factor approach, it’s still relatively simple and the additional complexity is well worth it.
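To show how the two frameworks differ in practice, here is a small worked script (an illustration added to this chapter, not the author’s own code) that implements the TWSRM 2 x 2 grading from the first example beside the three-factor R = tvi calculation from the second, with aggregation by category and a treatment step that re-grades vulnerability. The numeric grade values (low = 1, moderate = 2, high = 3), the rating bands and the sample risks are assumptions, since the chapter leaves the metric values open.

```python
from dataclasses import dataclass, replace

CATEGORIES = ("Market / Financial", "Statutory (regulatory) / political",
              "Safety / security / health", "Environment",
              "Licence to operate / reputation", "Infrastructure")  # the chapter's six
GRADE = {"low": 1, "moderate": 2, "high": 3}  # assumed metric values, not from the chapter

def twsrm(likelihood: str, impact: str) -> str:
    """TWSRM 2x2 matrix: no 'high' grade -> low, one -> moderate, two -> high."""
    for grade in (likelihood, impact):
        if grade not in ("low", "high"):
            raise ValueError(f"TWSRM grades are 'low' or 'high', got {grade!r}")
    return ("low", "moderate", "high")[(likelihood == "high") + (impact == "high")]

@dataclass(frozen=True)
class Risk:
    """One risk expressed as threat (t), vulnerability (v) and impact (i)."""
    name: str
    category: str
    threat: str         # magnitude x likelihood of the causal event
    vulnerability: str  # physical, operational or regulatory proximity
    impact: str         # effect if every other protection has failed

    def score(self) -> int:
        """R = t * v * i on the assumed 1..3 values, so the product runs 1..27."""
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category {self.category!r}")
        return GRADE[self.threat] * GRADE[self.vulnerability] * GRADE[self.impact]

    def rating(self) -> str:  # assumed bands over the 1..27 product range
        s = self.score()
        return "low" if s <= 4 else "moderate" if s <= 12 else "high"

def treat(risk: Risk, **changes) -> Risk:
    """Risk treatment: re-grade a factor (usually vulnerability) and rescore."""
    return replace(risk, **changes)

def aggregate(risks) -> dict:
    """Total score per category, so risks can be combined or compared by value."""
    totals = {}
    for r in risks:
        totals[r.category] = totals.get(r.category, 0) + r.score()
    return totals

# Constructed sample risks (illustrative, not from the chapter).
SAMPLE_RISKS = [
    Risk("Flooding of the main site", "Infrastructure", "high", "high", "high"),
    Risk("New export-control rule", "Statutory (regulatory) / political",
         "moderate", "low", "moderate"),
]
```

Because each factor is kept separately, treating the flooding risk by lowering vulnerability alone drops it from ‘high’ to ‘moderate’, which a single likelihood x impact score could not show.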

-----

I appreciate that this methodology and approach isn’t the same as the World’s Simplest Risk Model described above. However, although my intent is to keep things simple, KISS means as simple as possible while still being effective. For me, the R = tvi approach strikes the right balance between simplicity and effectiveness. The ability to understand the threat, vulnerability and impact separately becomes really valuable once you have your results and need to actually address your risks.

That’s not to say that this model is the right one for you. A three x three Boston Square may work well for your organization – the main thing is to have a methodology that works for your needs. After all, the perfect tool is of no use if it sits in your toolkit unused.

License

Beyond The Spreadsheet Copyright © 2020 by Andrew Sheves. All Rights Reserved.
