We are used to identifying a risk, analyzing the potential consequences and their likelihood and then establishing a "risk level."
We evaluate whether the level of risk is acceptable or not, based on risk appetite, risk criteria or the like.
But is that sufficient?
Adding Up All of the Risks
Let’s imagine we are planning a trip from our home in Paris to Lyon, France. The plan is to take a taxi to the train station and then a fast train to Lyon. An uncle will meet the train and bring us to his home, where we will spend a few days.
You and your spouse assess the risks.
There’s a possibility that either of you or the kids will get sick. You assess that risk as low but will monitor it as the date gets closer.
Strikes in Paris are always a possibility — you are vulnerable to either a taxi or train strike. In addition, if the Metro workers go on strike, good luck finding a taxi. Again, you accept the risk but agree to monitor it.
Other risks include the possibility that your uncle or members of his family will be sick, or that either you or your spouse will be called into work to handle an emergency.
Overall, though, the risks are each assessed as low but need to be watched.
The week before the trip, two of your children start to show the symptoms of a bad cold. You have to make a decision. Is there time to treat them so that it’s OK to travel? You decide that more likely than not they will recover in time and the risk is acceptable.
But in the meantime, your spouse is hearing from a manager that there’s a 30 percent chance a potential major deal will close in a couple of days. If that happens, you will need to cancel the vacation. Your spouse decides the risk is acceptable.
That evening, you get together and share your assessments of the individual risks.
While each may be acceptable individually, the combination troubles you. You decide to check the weather and see that there’s a 30 percent chance of rain in Lyon every day you will be there.
You decide to cancel. You don't like the overall situation. You are not going to take the risk.
No Risk Is an Island
The same thing can happen in business.
If your company is considering opening an office in Japan, you might identify a number of risks such as:
- Inability to hire Japanese-speaking employees with the experience and contacts necessary to make the new office a success
- The ‘stickiness’ of Japanese companies when it comes to being open to buying products from you rather than traditional Japanese vendors
- The ability to deliver products to the Japanese market, given the long supply chain from your factories in Europe
- The level of competition, including the possibility of competitors lowering prices to keep you out
- Your unfamiliarity with Japanese customs and regulations, leading to potential compliance risk
- The increase in cyber risk from extending the network into Japan, especially as you expect the staff there to need Japanese-language cloud-based systems
- The additional cost of providing materials in the Japanese language
- The ability to find warehouses with the necessary conditions to support sales in Japan
Each of these might be assessed separately, perhaps by different teams.
While each may seem to be individually acceptable, it is possible that the aggregate effect is such that there’s an unacceptable level of risk of failure.
Why is this important?
A risk register or heat map that focuses on individual risks does not easily support business decisions like this.
Your thoughts? How do you address this?
Are you helping decision-makers understand the aggregate effect of risks on their objectives?