Once an organization’s risks are understood, it is important that appropriate action is taken to address these risks to ensure that the organization’s objectives are protected or enhanced. Some risks are severe enough to require immediate action. Others can be dealt with in the short term, whereas some risks require longer-term attention over months or even years. This essay explores the key ideas and terms associated with addressing risks and outlines the steps to take to ensure that the appropriate action is taken once a risk is identified, concentrating on five main options: avoid, tolerate, treat, transfer and terminate.
Note this article was updated on Aug 22, 2017 to include additional notes on risk controls.
Addressing your risks
The first phase of the risk management system is designed to ensure that we understand the risks the organization faces. In the second, we address these risks to ensure that appropriate action is taken to minimize downside risks and exploit any upside risks. Addressing your risks can be broken into both short-term and long-term objectives.
(Note that the example timeframes shown are illustrative and can be adjusted to suit the organization.)
Short term (e.g. by the end of the next quarter)
- Deal with any emerging issues or crises
- Ensure that all legal and regulatory requirements are met
- Ensure downside risks do not exceed the organization’s risk tolerance
- Exploit immediate opportunities
Mid to long-term (e.g. 6 to 24 months)
- Ensure downside risks do not exceed the organization’s risk appetite
- Implement steps to make all risks as low as reasonably possible
- Optimize upside risks
A couple of technical terms have crept in already so let’s define these before we go any further.
- Risk appetite is the amount of risk an organization is comfortable with on a day-to-day basis or the amount of upside risk that it wants to pursue.
- Risk tolerance is the amount of risk an organization can bear for a short period of time. For organizations with a lower risk appetite, the gap between appetite and tolerance is likely to be relatively narrow. Organizations with a higher risk appetite may be willing to tolerate very high levels of risk for short periods of time.
- As low as reasonably possible (ALARP) defines a level beyond which it would be too expensive or disruptive to reduce the risk any further. In other words, from a cost/benefit perspective, the cost of any additional risk mitigation measures doesn’t justify the benefits.
The primary activity in the address phase is determining the appropriate action to take for each risk and subsequently developing action plans to address these. Risk action plans will include a series of short-term and longer-term actions with the overall aim of protecting or supporting the organization’s objectives.
You will see two actions in the short-term objectives that might not immediately seem to fit within risk management: addressing any legal requirements and responding to any issues or crises. Although these two activities may not fall within the risk manager’s responsibilities, a thorough risk assessment may identify a slow-moving or emerging issue that could interrupt or affect the organization’s objectives. Similarly, the assessment may also uncover instances where laws or regulations are not being complied with. Both situations would negatively impact the organization’s objectives and require immediate action so it is important to highlight these for action if discovered.
Options for addressing risks
The risk assessment process has helped us identify, assess and prioritize risks which gives us an order in which these should be addressed. However, before we do that, we need to understand what options are available to help us address these risks. There are several different techniques for addressing risk but many of these boil down to a variation of the 4Ts: tolerate, treat, transfer and terminate. We will use a similar approach with the addition of one other option, avoid, and summarize this as A4T. Note that these terms do not define a strict set of actions and sometimes a combination of approaches is necessary.
These terms can be used to describe the general approach to addressing a risk in a clear, understandable way. Having an agreed set of terms makes the development of risk management plans more straightforward and ensures that everyone involved in these discussions understands the general strategy being proposed.
To help explore these topics, one of the risks from the XYZ Co risk assessment is shown below.
This example will be used throughout this article to illustrate how XYZ Co could address this risk.
A4T in detail
A4T gives us a basic set of options we can use to design strategies to address the risks. These options present different approaches to managing a risk and can be used individually or in combination, depending on the circumstances.
Avoiding a situation is sometimes the only strategy available to address a particular risk, particularly where the threat is something pervasive and completely outside the control of the organization. For example, coastal erosion or terrorism are both threats about which a company can do little and, no matter what additional measures are put in place, the resultant risks may remain too high to tolerate. Relocating a site or ending operations in the threatened area avoids the threat and negates the risk altogether. This may not be an option for mature operations and may be more appropriate in the early stages of a project, but avoiding a risk altogether should not be discounted as a potential option.
The civil unrest in Janwick is ongoing and there is no real option to physically relocate the facility in the short-term. Janwick is critical to the organization’s overall business objectives so the XYZ Co senior leadership don’t see a way in which they can AVOID the risk at this stage.
If a risk falls below the organization’s risk appetite it should be something that the organization can tolerate, even if it is not ALARP. In the longer term, reducing all risks to ALARP should be an objective, but a risk that can be tolerated would not be a priority for action. A risk that exceeds the risk appetite but not the risk tolerance could be accepted for a short period of time, but this would still require treatment in the long term. Where an organization is tolerating higher levels of risk, take care to ensure that it is not actually dealing with ‘live’ issues which require immediate attention.
During the assessment, this risk was rated as HIGH and this is above the organization’s risk appetite so the risk cannot be TOLERATED in the long-term. In the short term, the risk will have to be tolerated but it is prioritized for action.
At some point, most risks require treatment. Treatment will focus on priority risks in the short term, but treatment plans to reduce all risks to ALARP should be part of long-term risk planning. Risk treatment is the activity that probably takes up most time, as determining the most effective way to treat a risk can require a significant amount of research and planning. As discussed, an organization can normally only influence its vulnerability to an event or the event’s impact, so treatment plans would normally focus on manipulating one of these elements.
Bob convenes a team to brainstorm ideas for treating the risk from civil unrest in Janwick and they produce the following options.
(Note that this is a partial, illustrative list of options as an example, not a full treatment plan for XYZ Co in Janwick.)
Transferring or sharing risks is another common strategy either through insurance, by outsourcing activities or partnering with another organization. Each of these options offsets an organization’s share of the risk but these benefits come with additional challenges. Outsourcing and partnering require careful consideration to ensure new risks are not being created. For example, what precautions do you have in place to ensure that a subcontractor is not breaking the law when operating in your name? Do you have quality control in place to ensure that they are not using substandard materials? When you partner with another organization, you add the complexity of two management teams, two perspectives and potentially two different sets of objectives. So while you may have reduced the original risk by outsourcing or partnering, you may have created other risks in the process.
An action is identified to review any insurance that applies to operations in Janwick and to look at other options to transfer some of the risk via additional insurance. Although Xavier is opposed to selling off the Janwick facility, outsourcing this part of the operation is an option. There may be additional business efficiencies with this course of action and this is recorded as a longer-term option for consideration.
The final option might be to terminate an activity where risks cannot be reduced to an acceptable level. This is not the same as avoiding the risk where the activity continues under different, more acceptable circumstances. Terminate means that the activity must end completely. Prohibition of the use of DDT as a pesticide in the United States and the end of Arctic drilling by some oil and gas companies are examples where the high degree of risk led to the termination of an activity.
The XYZ Co feels that between the treatment and transfer options they have identified, they should be able to bring the risk in Janwick to an acceptable level so there is no need to consider TERMINATING the activity at this stage.
So we now have this toolkit of five options – avoid, tolerate, treat, transfer or terminate (A4T) – but how do we actually manage the process to address our risks?
A process for addressing risks
The overall process for addressing risks can be broken into six steps. This process ensures that actions are taken in the correct order and, most importantly, that the right stakeholders and decision-makers are included at the right stage of the process. Some of the elements here touch on risk governance which we will look at in more detail separately but it is important to note that oversight, high-level decision-making, audit and review are all important hallmarks of effective risk management.
These six steps are:
1. Review the risk assessment and agree the priorities for action. Take immediate action on any legal / regulatory breaches and respond to any emerging issues or crises. At a minimum, all risks that exceed the organization’s risk tolerance must be addressed immediately.
2. Outline potential courses of action for each risk in priority order. Use the five A4T options to outline potential courses of action to address the risk and highlight the key points of any treatment plan. Multiple options should be suggested where possible along with the associated cost / benefit analysis.
3. Conduct a peer review of the proposed strategies for each risk to assess the feasibility of the proposed courses of action and to identify any unforeseen consequences. The risk owner should incorporate peer-feedback into their courses of action.
4. Have the risk owner or committee for each risk review the options and decide on the appropriate course of action for each risk. Ensure that these decisions are elevated to the appropriate level for consideration.
5. Gather the feedback from each risk owner or risk committee and consolidate feedback into a risk action plan. The plan will summarize the response to each risk using the A4T options and describe the general details of any proposed treatment strategy. Convert the risk action plan into a project plan by allocating responsibility and assigning a delivery date for each action.
6. Execute the plan, reviewing progress regularly to ensure that strategies are mitigating or exploiting risks as intended.
Depending on the organization, this whole process could last weeks or months and, in some circumstances, executing the action plan could take years. The objective is still to address risks as quickly and effectively as possible, but it is important to be aware of the time that may be necessary to shepherd this process through a busy organization. One important point to bear in mind is that the longer the period from risk assessment to executing the strategy, the greater the chance that the situation might develop and risks could change.
Prioritizing risks and identifying courses of action
Prioritize risks for action using the results of the risk assessment. Importance will be determined by the overall value for each risk, which should also broadly align with the following priorities:
1. Ongoing incidents or issues
2. Regulatory or legal breaches
3. Risks exceeding risk tolerance
4. Risks exceeding risk appetite
Once these priority conditions have been dealt with, work through the remaining risks in priority order with the objective of reducing each risk to ALARP.
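As an added example (not part of the article), the priority order above, together with the tolerate-or-treat decision against risk appetite and tolerance described earlier, can be encoded for a small risk register. The numeric appetite and tolerance thresholds, the scores and the register entries are all constructed assumptions; the article gives no numeric scale.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed thresholds. The article gives no numeric scale, so the appetite
# and tolerance levels below are assumptions chosen for illustration only.
RISK_APPETITE = 8     # level the organization is comfortable with day to day
RISK_TOLERANCE = 15   # level it can bear for a short period only


@dataclass
class Risk:
    name: str
    score: int                  # overall value from the risk assessment
    live_issue: bool = False    # an ongoing incident, issue or crisis
    legal_breach: bool = False  # a legal or regulatory non-compliance


def priority_tier(r: Risk) -> int:
    """Map a risk onto the four priority conditions (1 = most urgent).

    Risks within appetite fall into tier 5: they can be tolerated, with
    reduction to ALARP as a longer-term objective rather than a priority.
    """
    if r.live_issue:
        return 1
    if r.legal_breach:
        return 2
    if r.score > RISK_TOLERANCE:
        return 3
    if r.score > RISK_APPETITE:
        return 4
    return 5


def response(r: Risk) -> tuple:
    """Return (short-term response, long-term response) for a risk."""
    tier = priority_tier(r)
    if tier in (1, 2):
        return ("immediate action", "treat to ALARP")
    if tier == 3:
        return ("address immediately: exceeds risk tolerance", "treat to ALARP")
    if tier == 4:
        return ("tolerate short-term, prioritized for treatment", "treat to ALARP")
    return ("tolerate", "reduce to ALARP when cost/benefit justifies it")


def prioritize(register: list) -> list:
    """Order the register by priority tier, then by overall value, highest first."""
    return sorted(register, key=lambda r: (priority_tier(r), -r.score))


# Constructed sample register. Scores are made up; the Janwick entry is placed
# between appetite and tolerance to match the article's HIGH rating.
REGISTER = [
    Risk("Civil unrest in Janwick", score=12),
    Risk("Effluent discharge above permitted limit", score=6, legal_breach=True),
    Risk("Ransomware outbreak in progress", score=16, live_issue=True),
    Risk("Sole supplier financial failure", score=17),
    Risk("Key-person dependency in finance", score=10),
    Risk("Office kitchen fire", score=5),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        short, long = response(r)
        print(f"tier {priority_tier(r)}  {r.name:<42} short: {short:<48} long: {long}")
```

The sort key puts live issues first, then breaches, then anything above tolerance, then anything above appetite, and only then orders by score within each tier, so a low-scoring legal breach still outranks a high-scoring risk that merely exceeds appetite.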
Once an order to address the risks has been determined, the potential courses of action can be considered. The risk owner, along with the process owner if these are not the same, will review the risk and determine which of the A4T options might be applicable. They will then develop courses of action that would address each risk, consulting with other stakeholders about these options.
Similar to the need for consultation during the risk assessment, there is a need for wide consultation when developing strategies. Without consultation and consideration, the actions taken to address a risk may result in additional problems or be impractical to implement so the owners of key risks and processes should be involved. This is not the same as the peer-review of the final set of strategy options but there will be some natural overlap between these two activities. Another benefit of wide consultation is that you might find mitigation measures that address a range of issues.
As an example, on one of my first projects, we were keen to implement an access control system to enhance site security at a gas plant. During discussions with the management team, it became apparent that the system would also assist HR who were struggling to account for people’s time on site which was complicating payroll. Moreover, the health and safety manager also liked the idea of using secondary access control to restrict entry to the more hazardous parts of the site. This meant that the access control system could help address the risks associated with unauthorized site access, avoid conflict with the labor ministry over payroll violations and reduce the impact of potential incidents in the production area. An additional benefit was that cost was now shared across three departments – HR felt that this system could even reduce losses that were occurring due to falsified timecards. This made the overall business case for an access control system much more robust and this was quickly approved.
There are three additional points to consider when developing strategies.
- Be data driven. Present the key facts and figures to help compare and weigh the different options available. Include a comparison of the initial or ‘raw’ risk versus the estimated post-action residual risk. Include an outline of costs, resources and time required to help with cost / benefit analysis.
- Present the key information in a standard format. Specify the main approach using the A4T abbreviations and a short summary of the overall strategy. Remember, you are only trying to identify options at this stage, so you don’t need a complete solution, just enough to guide the decision-maker(s).
- Refine the options but don’t over plan. The management of any organization is normally starved of time so presenting them with all potential options for each risk would be overwhelming. Present the most viable options but be careful not to streamline too much and don’t just present your own preferred option.
This may seem like a lot of effort to only generate options rather than a detailed strategy and part of the process can definitely be time-consuming. However, thorough development of options and wide consultation at this stage makes it much more likely that the eventual strategy will be successful and this effort now will make it easier to implement in the future.
Peer review and strategy agreement
Once strategies have been identified, these can then be formally peer-reviewed by the organization’s key functions. The peer-review is not the forum for final decision-making but this is an opportunity to identify overlaps, dependencies or where a particular strategy may have unintended consequences. Feedback during peer review may require a strategy to be refined or objections may have to be noted for consideration by the final decision makers.
The final decision on the appropriate strategy will be taken by the risk owner or a risk committee. Minor risks are normally addressed by the owner, but organizations should also specify that more serious risks need to be elevated for more senior consideration. The forum for this is a risk committee, and these usually exist at various levels within an organization up to board level for the most severe risks. The risk manager must be aware of where the ultimate decision for a risk lies and any applicable timetable, as some committees may only meet at specific intervals. Operation of the risk committees will be explored in more detail in the risk governance section.
The decision-maker(s) will use the strategy summaries and cost / benefit analyses to determine the most appropriate approach for each risk in the overall context of the business’s objectives. Remember, you are now moving from ‘pure’ risk management into business decision-making which brings additional factors into play. Once a decision is made, this must be recorded in the risk report or register so it is clear what approach is being taken along with details of when the decision was made and by whom.
Risk action plans and addressing the risks
Once the approach for each risk has been agreed, the outline strategy can be developed into a detailed action plan. These action plans will be project plans in their own right and should specify the actions, owners and deadlines for each step required to put the agreed strategy into effect. The risk owner, not the risk manager, owns these individual action plans but the risk manager should have a top-level plan of her own to monitor progress for each risk action plan. This allows the risk manager to keep track of progress to ensure that the overall risk strategy is on track.
While executing the action plan, the risk owner should monitor its effects to ensure that the strategy is effective. Even if the overall risk might not reduce immediately, the effects of the strategy should still indicate whether or not steps will be effective. For example, if a contributing factor to a risk was insufficient incident reporting, observed improvements to the reporting process indicate that the risk should be reduced.
As risk strategies advance or are completed, the revised situation can be incorporated into the next phase of reviews or assessments and the risks recalculated. Assuming that the strategy has been effective, that particular risk action can be considered closed and should be recorded as such in the risk register. Where a strategy has not achieved its set objective, a revised strategy may be necessary.
As you address your risks, you move from the theoretical to the practical, translating the findings of the risk assessment into actionable steps that will help protect or enhance your organization’s objectives. The assessment provides the prioritization for action to ensure that the more severe risks are tackled first using one of the five A4T options: avoid, tolerate, transfer, treat or terminate. Utilizing the six-step process ensures that all actions are undertaken in the correct sequence, that strategies have input from around the business and that decisions are made at the appropriate level ensuring that the organization’s objectives are protected or enhanced.
A short note on controls
This note has been added as a footnote to this article which will be updated in due course.
Completion of the assessment and development of risk mitigation strategies help the organization understand its risks and what it can do to bring these risks within the levels of its risk tolerance and appetite. The elements that ensure that these risks stay within the permissible levels are risk governance and system controls.
Governance is centralized although all managers will have some role to play in the governance system. Controls are exercised across all parts of the organization at all times. Controls are what help keep the system in equilibrium or prompt a reaction where things begin to deviate from ‘normal’. Controls are going to be very specific to the organization, its operations and the risks it faces. So where it is possible to provide some specifics concerning other elements of the risk management process, there are too many variables to offer much more than some broad principles for risk controls.
That said, please don’t think that controls are less important. As a reminder, controls are what help keep the system in equilibrium or prompt a reaction where things begin to deviate from ‘normal’, so it is the risk controls that actually manage risks. The assessment, register and governance activities are processes to help achieve understanding and to manage the risk management system: controls manage the risks themselves.
For simplicity, controls can be broken down into two different categories: control ‘norms’ and risk-specific controls. Controls that are applied on a day-to-day basis in similar situations worldwide can be termed control norms. Fire suppression systems, IT passwords and quality control monitoring are all examples of control norms. These are so deeply embedded that the only time these would arise in a risk assessment context is where these are missing or inadequate.
The second set of controls are risk-specific controls. These are controls that will be identified and designed during risk mitigation planning. For example, in addition to the normal fire detection systems that most industrial facilities have, locations that use highly corrosive or dangerous chemicals may want specific sensors to detect which chemicals are involved in a blaze as this will determine the best fire-fighting strategy. This knowledge would avoid causing additional damage if, for instance, the fire was simply doused with water which subsequently washed the dangerous chemicals into public areas. So we will have a mix of normal controls and risk-specific controls that can be applied to manage our risks.
Unfortunately, controls are highly specific to an industry or function, so this article cannot advise on the appropriate controls to implement in different circumstances. However, we can use some of the existing concepts we have applied elsewhere to help develop a process for designing controls. Firstly, we can consider which element of the risk the control is meant to affect: is it to influence the threat, vulnerability or impact? Secondly, we can introduce some simple objectives for the control. Detect, deter, disrupt, delay and distribute are objectives that are often applied when designing controls. Finally, we can categorize the control by assigning it to one of the 3Ps (people, paperwork or purchases) used to describe the risk management system. So let’s look at each of these in more detail.
First, we should specify where the control is being applied: towards the threat, vulnerability or impact? You can use the risk assessment itself to help determine where you might have the greatest effect, or best bang for your buck, as you can use a version of the risk assessment to model the effects of different controls. (The flexibility provided by having three factors to work with is a major reason that Riskademy uses the three-factor approach to assessing risk.)
Once you know which element you are trying to affect, you can consider the objective of the control. For example, is it meant to detect, deter, disrupt, delay or distribute the event? Threats could be controlled by a mix of detection and deterrence measures such as CCTV systems and guard patrols. Vulnerability can be reduced by disruption or delay tactics. This could be improved physical security to prevent an attack or more robust login processes for IT systems to lessen the chance of brute-force attacks.
Threat and vulnerability are pre-event factors, but sometimes events can still take place, so impact controls can also be introduced. These could focus on delaying the effects, allowing a more comprehensive response to be initiated, or on distributing the effects to lessen the impact.
The final element of the control will be to determine how best to achieve the objective. Would a process control work best or does it need a people-centric solution? Maybe some equipment is required? Usually, there is a mix of elements in a control system, which is where risk management overlaps with day-to-day operations. This brings the risk management system full circle and integrates the risk management process with daily activities. The closer this alignment is, the more effective the system will be.
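As an added example (not part of the article or of Riskademy’s own method), the three-step control design above can be combined with the earlier advice to be data driven and to compare raw versus residual risk. Each candidate control is tagged with the factor it targets, its objective and its 3Ps element, and the script models the residual risk and cost of each. The 1-5 factor scales, the multiplicative score, the reduction estimates and the costs are constructed assumptions; the article names the three factors but gives no formula.

```python
from __future__ import annotations
from dataclasses import dataclass

FACTORS = ("threat", "vulnerability", "impact")
OBJECTIVES = ("detect", "deter", "disrupt", "delay", "distribute")
ELEMENTS = ("people", "paperwork", "purchases")   # the 3Ps


@dataclass(frozen=True)
class RiskFactors:
    """Constructed 1-5 scale per factor. The multiplicative score is an
    assumption for illustration; the article gives no scoring formula."""
    threat: int
    vulnerability: int
    impact: int

    def score(self) -> int:
        return self.threat * self.vulnerability * self.impact


@dataclass(frozen=True)
class ControlOption:
    name: str
    target: str      # which factor the control is applied to
    objective: str   # detect, deter, disrupt, delay or distribute
    element: str     # people, paperwork or purchases
    reduction: int   # points removed from the target factor (assumed estimate)
    cost: float      # annual cost in constructed units


def apply_control(raw: RiskFactors, c: ControlOption) -> RiskFactors:
    """Residual factors after one control. A factor never drops below 1: the
    event remains possible, just less likely or less severe."""
    if c.target not in FACTORS or c.objective not in OBJECTIVES or c.element not in ELEMENTS:
        raise ValueError(f"malformed control option: {c.name}")
    values = {f: getattr(raw, f) for f in FACTORS}
    values[c.target] = max(1, values[c.target] - c.reduction)
    return RiskFactors(**values)


def apply_controls(raw: RiskFactors, options) -> RiskFactors:
    """Residual factors after a combined set of controls (a mix of elements)."""
    for c in options:
        raw = apply_control(raw, c)
    return raw


def compare_options(raw: RiskFactors, options) -> list:
    """Rows of (name, target, residual score, cost, risk points removed per
    unit of cost), best value first, for a data-driven comparison."""
    rows = []
    for c in options:
        residual = apply_control(raw, c).score()
        removed = raw.score() - residual
        rows.append((c.name, c.target, residual, c.cost, round(removed / c.cost, 2)))
    return sorted(rows, key=lambda row: -row[4])


# Constructed example: intrusion into a chemical store. Reductions and costs are
# invented. The deterrence option gets only a small threat reduction because,
# as the article notes, detection and deterrence do not diminish a threat's
# capability or intent; they may displace it or give warning.
RAW = RiskFactors(threat=4, vulnerability=4, impact=3)
OPTIONS = [
    ControlOption("Guard patrols and CCTV", "threat", "deter", "people", 1, 60.0),
    ControlOption("Two-person rule for store access", "vulnerability", "disrupt", "paperwork", 1, 5.0),
    ControlOption("Electronic door locks", "vulnerability", "delay", "purchases", 2, 20.0),
    ControlOption("Chemical-specific fire sensors", "impact", "detect", "purchases", 1, 30.0),
]

if __name__ == "__main__":
    print(f"raw risk: {RAW.score()}")
    for name, target, residual, cost, value in compare_options(RAW, OPTIONS):
        print(f"{name:<36} {target:<14} residual {residual:>3}  cost {cost:>5}  value {value}")
    print(f"all four combined: {apply_controls(RAW, OPTIONS).score()}")
```

The comparison deliberately separates the residual score from the cost-weighted value, since a decision-maker may accept a more expensive option that drives the residual lowest; the combined run shows why a mix of people, paperwork and purchases usually reaches ALARP where any single control cannot.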
Controls are the elements of the risk management system that will be most specific to the organization, its situation and risks. Moreover, controls are the measures that actually manage risks, as these keep the system in equilibrium despite the constant pressures from inside and outside the organization that threaten to push a system out of normal operation. Control norms are deeply embedded in most organizations and these will provide a great deal of the control required to keep a system in equilibrium. Where additional risk-specific controls are required, a simple process considering 1) where the control is being applied, 2) the control’s objective and 3) the elements required to implement the control will help risk managers and owners design appropriate, risk-specific controls.
Previous comments that threats are elements an organization cannot normally reduce still apply. Detection and deterrence measures will not diminish the capability and intent of a threat such as a violent attacker, but they may prompt that threat to go elsewhere or at least give the organization some warning of what might be about to happen.