Assessing risks: an potential expansion (3/4)
In my previous two posts you read how risk assessment works in most organizations. Scoring is almost exclusively based on chance and impact. I have never seen a third factor, but I think there may be one. To understand this properly, I first briefly explain which three types of control measures ("controls") there are.
Preventative controls: control measures that prevent a risk from occurring at all. Such as prohibiting the use of open fire (e.g. sigarettes), or the use of fire-safe power cables, etc.
Detective controls: control measures that can detect a risk. This can be done before, during or after the occurrence of the risk. Consider, for example, a fire alarm.
Repressive controls: control measures that can limit the impact of a risk. Think of a fire extinguisher or sprinkler system.
There may also be overlap between the controls. A detective control often also has a preventive effect: the greater the chance of being caught at e.g. theft, the less likely someone will attempt it. It can also have a repressive effect: the sooner you discover a fire, the faster it can be extinguished, limiting the damage. They can also work together very well: water damage caused by extinguishing can be limited by detecting a fire in time. The fire then remains small, less water is needed to extinguish and so the water damage is also limited.
Preventive controls mainly influence the probability of a risk occuring, repressive controls mainly influence the impact of a risk. Detective controls can have an iThe detectability of a risk could therefore also be increased by introducing good controls, but we do not score this when we analyse a risk. While it can be useful to include this factor: a risk that is difficult to detect can ultimately have more impact than a risk that you have noticed in no time. The sooner you get there, the less damage. Just reconsider the fire alarm.
Another practical example, this time from the mortgage business. Prior to providing a mortgage loan, a number of aspects are usually carefully considered in advance: the income of the applicant(s) is a major factor, especially when it comes to the affordability of the loan and how likely it is that it will be will be reimbursed completely and on time. Questions that are then asked are, for example: is the income sufficient to bear the burden? Is the (future) income stable? These are mainly preventive controls: an attempt is made to prevent a loan being granted that is not fully repaid afterwards. A mortgage loan has one major repressive control: the collateral on which mortgage security is provided.
Even if these checks pull through in advance, someone can still have problems with the affordability of the loan afterwards (so during the term of the loan). For example, due to a loss of income, or even the death of (one of) the applicant(s). In such a case, the arrears can quickly increase, I know this from professional experience. A number of lenders are therefore actively looking at how they can detect payment problems at an early stage. In other words, they work on the detectability of the affordability (credit) risk.
I dare to start the discussion: why are we not assessing detectability? What do you think? Let me know in the comments!
Artwork through Unsplash.
Risk Practice Lead at Senscia
3 年I run courses on designing KRIs and an important point I like to get across is what we measure in relation to the space-time event of a risk materialising. There's stuff we need to know before during and after a risk event that can make a real difference on the acceptability/survivability of the risk. We need time to recognise, to react and to learn stuff and good KRIs help us establish a good basis for this. I often think that risk management as a whole would do well if we were more explicit in terms of talking about Probability Management and Impact Management. I think those ideas place a helpful frame around our design intentions when building out (and managing the lifecycle) of our controls environments.