October 18, 2015
How much is too much?
Ian McGregor, Ph.D.
In Part I of this two-part series on Risk Profile the concepts of ‘Risk Matrix’ and ‘Risk Profile’ were introduced.
Using the Risk Matrix approach provides a ‘gut level’ assessment of the amount of risk attached to an activity (the qualitative approach), while the Risk Profile process provides a measurable numerical value of the actual risk level (the quantitative approach).
In many situations, the Risk Matrix’s red/amber/grey/green approach is sufficient, and can be particularly useful in assessing a new and immediate potential danger or crisis. For example, if an incident occurs during an Intramural game, it can be useful to have staff ask themselves ‘is this a potential red zone situation?’ If the answer is yes, then it is a call to immediate action.
However, from a risk management planning perspective, the Risk Profile approach has some distinct advantages in that it provides staff with a really good handle on just how ‘big’ the risk of an activity or facility is. While assigning P (probability) and S (severity) values to activities can be somewhat subjective, it is an observed fact that consensus among staff is surprisingly easy to achieve when developing risk profiles for different activities.
This article will take the risk rating approach one step further – by exploring three issues:
1. How breaking activities into their components impacts risk rating
2. How the use of ‘controls’ impacts risk rating
3. The concept of ‘residual risk’ and what this means to risk management planning.
Try the following exercise using the chart below (to download this chart and definitions, go to: http://goo.gl/Lpyxwl
1. Break activities into their components
Pick an activity e.g. Rugby Club, and split the Club into various ‘risky’ components e.g. (a) physical contact nature of activity (b) travel (c) Club administration (d) coaching etc. (Splitting into components is designed to target areas where there may be some vulnerability e.g. if a Club Executive is difficult to deal with and often ignores policy, then you may have a big problem!)
• For each component, assign a P and S value
• Multiply PxS to get the risk level for each component
• Determine the ‘Risk Rating’ for each component
2. Implement Controls
The next step is to revisit each component and apply risk management controls i.e. what you intend to do to decrease the risk. Note that the examples used in the chart below are only a few examples of the types of controls that can be implemented.
• Re-calculate the risk level and Risk Rating
Normally when you go through this type of exercise, the risk level and hence the risk rating will decrease – and often significantly.
3. Residual Risk
The Risk Rating you end up with after implementing controls is often referred to the Residual Risk – the risk that is ‘left over’. The reality is that you will never eliminate risk – and your objective should be to reduce it as much as possible – within reasonable limits. (In other words, while there may be additional controls that can be implemented, they are just too expensive or simply not reasonable).
At this stage, you are now faced with the question – is this ‘residual risk’ too high? This is where you need to seek input and advice:
• Discuss with the Risk Management Committee (and/or Director)
• Seek input from the institutional Risk Manager (after all, it is the institution that will likely have to settle any claim for damages – hence it may be wise to determine if they think the risk is just too high).
Given the fact that you cannot eliminate all risks, and also that some people participate in some activities because of the risks involved, an institution will generally have to ‘eat’ some of the risks – otherwise programs and activities will not be offered. (Note that this is one of the reasons there are insurance plans in place to deal with damages which may be unforeseeable.)
But there is a fine line between ‘safe’ and the point where the residual risk is just too much to be reasonably managed by an individual or department – and this is why there needs to be a broader discussion with others in the department (and across campus) to ensure that you are not taking on too much risk.
The Risk Profile exercise is a useful tool – not only when looking at potential new programs and activities, but also in re-evaluating current offerings. Often circumstances change in a department e.g. new personnel, new facilities etc. and something that was deemed manageable yesterday may not be manageable today.
In addition, splitting programs and activities into their components can become an eye-opening exercise, in that it can expose vulnerable areas which could be the cause for alarm.
For example, the Badminton Club would likely fly under the radar when viewed through the ‘Risk Matrix’ lens and also during a preliminary ‘Risk Profile’ review – unless you split Badminton into components. Hence, while the physical contact nature of the sport is no real cause for concern, the fact that the club travels each weekend to compete elevates this club to a totally different risk level.
For some programs, segmenting into components may help pinpoint the specific area of concern e.g. a program which you believe to be high risk may in fact be safer that you think, since it is only one or two components of the program that are high risk. Hence focusing on these high risk components will result in lowering the overall risk.
It is important to acknowledge the subjectivity and limitations of the Risk Rating approach. However, it can act as a powerful tool to help quantify risk – and thereby initiate discussion around your ability to manage it.