Risk register study 1: Impact Spread
by Matthew Leitch, 16 January 2008
| Home / more articles - The author - Contact on your terms - Feedback - Ask a question - Links - Services |
|
| Risk register study 1: Impact Spread by Matthew Leitch, 16 January 2008 |
This is the first of a series of simple studies of real risk registers that aims to provide improved understanding of what people do when asked to work on a risk register.
The objective of this study was to examine the incidence of a phenomenon referred to here as 'Impact Spread'. If we want to characterise risks appropriately we must understand Impact Spread.
The results show that risks that could have a range of impacts are very common for a number of reasons. In fact, they are the overwhelming majority of risks. Consequently, methods of characterising risks that ask people to give views on potential impact must make it clear how Impact Spread is to be handled. Just asking for 'the impact', without explanation, and expecting a single number or rating is inappropriate.
What is Impact Spread? Take a risk like "Building Collapse" (verbatim from a risk register in the research collection). What is the impact of "Building Collapse"? Clearly it depends on the building, the forewarning, whether anyone is in the building at the time, and probably other important factors too.
It could be as trivial as a garden shed falling down during a storm and chipping a garden gnome, or as horrific as a high rise building in a busy city centre toppling sideways, killing thousands.
This is what I call Impact Spread. It is a common feature of risk register items.
The risk register from which this was taken has another box for 'impact' and the answer must be one of the categories 'insignificant', 'minor', 'moderate', 'significant', or 'catastrophic.' Is the impact of "Building Collapse" 'minor'? It could be. What about 'catastrophic'? Again, it could be. This is the problem most people experience as a result of Impact Spread and there are a number of responses to it.
There are several reasons for Impact Spread and this study looks at how prevalent each is across a range of typical published risk registers. Here are the reasons studied, starting with the easiest to spot.
Explicit multiple outcomes: For example, "The organization fails to achieve its corporate plan objectives or is perceived to be ineffective" lists two things that might happen, connected by 'or': (1) failing to achieve objectives or (2) being perceived as ineffective.
Multiple objects potentially involved: For example, "There may be unforeseen problems with site safety during construction" refers to problems, of which there may be none, one, or more. In "The business fails to maintain its IT systems" there are multiple IT systems involved.
Multiple occasions: For example, "Our shop closes due to an emergency" could happen multiple times during a period.
Obvious variable extent: For example, "Increase in the number of people qualifying for subsidy" refers to any degree of increase from just one extra person upwards. Another example is "Inadequate resources at weekends." Here the degree of inadequacy is important. Having too few to provide the usual performance is one thing, while having no resources at all might be much worse.
Other variables extent: For example, "Building Collapse" sounds at first like an all or nothing event. Either a building collapses or it does not, but of course the impact could vary with many variables other than the extent of building collapse, as mentioned in the introduction above, such as the size and location of the building, and how much warning there is.
Uncertainty about impact: For example, "Losing £1m on this next bet" seems at first to provide a very narrowly defined outcome, and yet who can say what impact such a loss would really have on them or their organization? No pure examples of this type have been found in the risk register collection as all items have had Impact Spread for other reasons too. However, in principle, even if one very specific outcome was pinned down by a risk description it could still be uncertain what impact it would have.
Combinations: The above reasons can occur in combinations.
A total of 14 risk registers from the collection were analysed, providing 384 examples of risk register items. Each item was assessed and decisions made about what reasons for Impact Spread were present. Judgement was often needed to decide what the intention of the writer had been. However, only a very small number of risk register items were so unclear that no decision could be made at all. Only 0.83% of judgements were prevented by lack of clarity.
| Reason | % of items affected* |
| Explicit multiple outcomes | 23% |
| Multiple objects | 71% |
| Multiple occasions | 86% |
| Obvious variable extent | 87% |
| Other variables extent | 100% |
* To be precise, this is the percentage of risk register items where a decision could be reached that exhibited Impact Spread for the given reason.
Each reason for Impact Spread, taken individually, is sufficient to require risk characterisation methods to cater properly for Impact Spread.
There were some variations between risk registers.
| Risk Register | Type** | Number of items | Explicit multiple outcomes* | Multiple objects* | Multiple occasions* | Obvious variable extent* | Other variables extent* |
| rr001 | civil | 50 | 36% | 94% | 100% | 100% | 100% |
| rr006 | corp | 15 | 20% | 73% | 100% | 93% | 100% |
| rr007 | proj | 4 | 0% | 50% | 50% | 50% | 50% |
| rr008 | corp | 11 | 18% | 64% | 91% | 55% | 100% |
| rr009 | corp | 16 | 19% | 63% | 94% | 100% | 100% |
| rr011 | corp | 9 | 0% | 33% | 89% | 78% | 89% |
| rr012 | corp | 12 | 25% | 83% | 83% | 75% | 100% |
| rr013 | corp | 6 | 83% | 67% | 83% | 83% | 100% |
| rr014 | corp | 17 | 12% | 59% | 71% | 88% | 100% |
| rr015 | corp | 35 | 40% | 69% | 86% | 91% | 100% |
| rr016 | corp | 7 | 29% | 71% | 71% | 100% | 100% |
| rr018 | proj | 52 | 15% | 63% | 71% | 96% | 100% |
| rr019 | corp | 43 | 28% | 79% | 91% | 84% | 100% |
| rr020 | corp | 107 | 15% | 65% | 86% | 75% | 100% |
* This is a percentage of the total items in the register, not just those that could be classified.
** These mean:
civil = a risk register of civil contingencies
corp = a corporate risk register
proj = a project risk register
For an introduction to this series of studies and more information about the collection of risk registers used, read "An introduction to the Risk Register Studies".
For research on how people like to characterise risks, try "Favourite ways to characterise risks."
About the author: Matthew Leitch is an independent consultant, researcher, and author specialising in internal control and risk management. He is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients.
Words © 2008 Matthew Leitch| Home / more articles - The author - Contact on your terms - Feedback - Ask a question - Links - Services |