As a risk professional, you have a good idea of the tasks that are part of your job. But are you making mistakes or ignoring important elements?
We identified five sins committed by risk managers, that you should avoid:
1) You confuse hazards and risks
Most risk professionals know very well the difference between a hazard and a risk. But there are still too many instances where both are used interchangeability, which can lead to miscommunication around risk in your company.
A hazard is a source of potential harm to people, equipment, physical assets, or the environment. A hazard can lead to illness, injury, fatality, loss, or damage. A risk is the likelihood of an adverse event because of exposure to a hazard. Check out this video to learn more.
To reduce any confusion, both for yourself and your organization, use visual bowties. For each risk, you’ll be able to clearly view the hazard, top event, threats, consequences, barriers, and escalation factors.
2) You rely too much on a risk register
You probably use either an Excel-based risk register or one from risk management software. A risk register can be useful (e.g., creating a report that shows the breakdown of risks by category), but it’s a mistake to rely too much on it.
First, a risk register is not good at showing connections between risks, causes, controls, and consequences. The same risk can have multiple causes associated to it. Similarly, the same risk can have many different preventive and reactive controls. By contrast, the bowtie method is great because it allows you to visualize a risk in just one, easy-to-understand picture.
Second, a risk register is not visually appealing. But the Bowtie Suite gives you a dynamic overview of different scenarios in a single picture and can differentiate between proactive and reactive risk management. In summary, a bowtie provides a simple, visual explanation of a risk that would be much harder to explain through a static risk register.
3) You rely too much on a risk matrix
A risk matrix is a common tool in risk assessment to determine the priority in which risks must be addressed.
But a risk matrix has flaws. First, it’s mostly a qualitative tool. The likelihood and severity of risks are mainly determined arbitrarily on a scale (e.g., low/medium/high, numeric value from 1 to 5) and not based on mathematical calculations.
Second, a risk matrix does not offer enough granularity, whereas, for example, a bowtie diagram provides the underlying analysis that informs your decision-making.
Finally, a risk matrix may not give enough attention to risks with high severity but low likelihood (those at the top-left corner). But high-severity risks, regardless of likelihood, should always be taken seriously.
4) You ignore gray rhinos
Many were quick to label Covid-19 as a ‘black swan’ event. A black swan is an unpredictable and unexpected event that has severe consequences. But Covid was not a black swan. There had been infectious diseases before (e.g., SARS, Swine flu, MERS).
Covid was more of a ‘gray rhino’. The term was devised by Michele Wucker and it describes a big, obvious danger that is ignored or not taken seriously by decision-makers. The effects of climate change and disruptive technologies are also two examples.
As a risk manager, be sure not to ignore or minimize red flags that can turn into gray rhinos that overwhelm your organization.
5) You don’t evaluate the effectiveness of controls and barriers
Risk management is not a one-time exercise. Identifying risks and implementing controls and barriers is just the start. Controls and barriers can weaken due to changing circumstances.
It’s good to check the effectiveness of your controls and barriers if an incident happens. But it’s even better to be pro-active and conduct regularly scheduled inspections to verify their effectiveness.
In addition, consider having a visual representation of the health of your barriers through barrier management software. Also, bowties allow you to identify and visualize escalation factors. An escalation factor is something that can make a barrier fail. This gives you a good overview of potential weaknesses in your control framework.
Want to learn more about how bowties help you succeed in your role as a risk manager? Visit our webpages on the bowtie method and the BowTieXP Enterprise solution, and reach out to us at [email protected] for any questions.