30th Dec 09
Tom
- Image by eMaringolo via Flickr
Let’s take a step back for a minute. Step one of the risk management process is “Identify your risks”. Three little words so it must be pretty easy, right? Not really.
.
A risk management plan is only as good as the risks you identify. They need to be specific. They need to be the ‘root risks’ or the root causes of those potential hazards (or opportunities, remember) facing your business. As you start drilling down into all of your assumptions you’ll find that it is hard to get deep enough. It’s hard to go far enough down into the details without getting derailed on meaningless tangents.
.
To help out the process, I’ve developed a technique I call the “5 Coulds”. I can’t claim this technique as original work. It’s based on a root cause analysis technique called the “5 Whys” that is used in process improvement and the Toyota Production System.
.
Here’s how the 5 Coulds technique works. Start with an assumption you have made about your business. For our example, let’s use the assumption that we will hit our budgeted sales levels. Obviously there are a lot of different risks that could cause us to miss our budget. Now start asking the question “What could cause..?” and keep going until you get to an answer that is beyond your control. In my experience, five levels will usually suffice – sometimes less, sometimes more.
.
Here’s a simple example for finding a ‘root risk’:
Assumption: We will hit budgeted sales
1) What could cause falling short on budgeted sales – a loss of customers
2) What could cause loss of customers – a lower priced alternative is available
3) What could cause lower priced alternative – a lack of perceived value of our product by customers
4) What could cause lack of perceived value – poor product packaging
5) What could cause poor packaging – lack of good taste
If we took the questioning down one more level – What could cause a lack of good taste? – you find that the answer is beyond your control, right? Taste either exists or it doesn’t. So the lack of taste is the “root risk”. It is very specific and it’s actionable. If you need to address the risk you can hire someone – with good taste – to design your packaging. Very specific risks generally present very obvious options for how to avoid or minimize their consequences.
.
Even better, very specific opportunities generally present very obvious options for how to exploit them. You can use the same technique by just tweaking the questions. For our example, change question 1) to “What could cause exceeding our budgeted sales?”.
.
As you use the technique, you’ll find that each questioning level may have multiple answers leading to other potential risks for a single assumption. That’s ok. You’ll also find that some assumptions will share root risks. That’s ok, too. If you did the technique graphically – like on a whiteboard - you’ll see that the end result looks like a tree structure with multiple branches coming off of each assumption. (The technique can also be done with word processing software – contact me for details.)
.
The 5 Coulds technique is pretty informal, but I find it to be effective and simple…and that’s the goal for an ideal business risk management process, right? I’m sure there are other methods out there, but I haven’t been exposed to them.
.
What techniques do you use for identifying specific risks? Please share.
.
P.S. Take a look at the De-Risk blog post Extreme Risk Management – Mountaineers and Project Management for a story about how keeping risks specific applies to climbing a mountain, too.
.
P.S.S. I’m putting together a step-by-step example of creating a risk management plan – from brainstorming risks all the way through planning for them. I haven’t quite decided how to best present the results, but I’ll get it out to you somehow.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_b.png?x-id=c58352e1-7953-49f9-8149-eb192a2faa86)
RSS
Trevor Levine
December 30th, 2009 at 22:34
Good post.
I’ve been using this root cause approach for a while probably since I am trained in Lean Six Sigma as well. Once one looks at risks using this framework, it becomes clear that risks are either causes or effects; so risks must be looked at as a chain. At the 35000 ft level the root causes of all risks are External causes or Governance (internal) and the ultimate downstream effect is shareholders are harmed.
When you follow the internal chain of events forward starting with poor governance, it leads to bad policies and leadership -> bad processes -> bad decisions -> shareholders are harmed.
The beginning and end are always the same. Most risks on your risk register are probably causes by bad processes by the way.
Keith
December 31st, 2009 at 04:58
Great post Tom. This is indeed very similar to how we approach assumption analysis in ABCD ( http://www.de-risk.com/page.php?7 ). Once the assumption is rated for Sensitivity and Stability, the reasons for the ratings is captured and the drill down sequence is very similar to the 5 Coulds to get to the root-cause concern. By the way, the tree analysis can be very effectively mapped with Mind Mapping software sucha as Mindgenius http://www.mindgenius.com/
Tom
December 31st, 2009 at 08:50
Hi Keith. I like the ABCD approach you have put together, especially its simplicity and intuitiveness (real word?) I have heard that others have successfully used mind mapping software for root cause analysis documentation, but haven’t tried it myself. I think we have a license at my day job – I’ll have to play with the tool sometime. Thanks for the suggestion and comment.
Tom
December 31st, 2009 at 09:05
Good day, Trevor and thanks for the comment! I agree that many risks are related to bad processes, or at least immature processes. The rub for small businesses is that many times it is difficult to create robust process without incurring a lot of overhead (expense, time). Small biz owners tend to resist the overhead vigorously so the trick seems to be accepting the risks associated with poor process and putting more effort into the planning/mitigation of those risks. Definitely not the ideal situation, but reality in some cases. Have you had similar experiences?
Trevor Levine (Riskczar)
December 31st, 2009 at 11:22
Tom,
Here’s another file from my archives. Check out page 22 of this document. It’s pretty much what I based my comments on. It illustrates the causal chain of risks to an insurance company and is in line with your post.
http://riskczar.wordpress.com/files/2009/12/london_working_group_report_fsa_causal.pdf
Tom
December 31st, 2009 at 16:38
I took a look through the document, Trevor. It’s a very impressive achievement for the EU folks. The inclusion of case studies is excellent. It’s going to take me a bit to digest all of the information in there.
One concept that caught my attention was the discussion of trigger events. I like the spark analogy. A spark (trigger event) without fuel is not a hazard, however a spark with fuel is very hazardous. In my mind, the presence or amount of fuel translates into the probability of the risk’s occurrence. A little fuel = low probability while a large amount of fuel = high probability.
I’ll keep reading the. Great link! Thanks for sharing here and on your blog, Trevor!