Evaluating risk is important but handling risk is better.
To meet obligations requires contending with threats as well as opportunities. Deciding how best to handle these may well make the difference between staying between the lines or crashing through a guard rail.
Unfortunately, many organizations jump from obligation to risk controls and skip the step of deciding which risk handling strategy to use.
In this post we explore the application of the US Department of Energy (DOE)’s risk handling strategies as defined in the DOE G 413.3-7A – Risk Management Guide to help meet obligations. While this guideline is directed towards projects the same principles can be applied to meeting an obligation – a project in it’s own right – particularly when obligations include targets to achieve net-zero emissions by 2050.
Risk Handling
Risk handling covers various strategies to contend with uncertainty. After obligations have been identified, risks have been evaluated, uncertainty estimated, and consequences determined, a decision needs to be made on how best to handle the risk.
The first step is to chose a strategy which the DOE Risk Management Guide suggests include: acceptance, avoidance, exploit, mitigative, enhance, transfer and share.
Let’s unpack each one.
Acceptance
Acceptance of risk means that it is acknowledged without measures to address the risk. The organization accepts both the positive and negative effects of the uncertainty left untreated using ISO 31000 terminology.
This strategy is often chosen when the risk is irreducible or no other means are feasible to buy down risk. In this case, the risk is assumed will occur and the loss included in the overall contingency fund or management reserve.
Acceptance is not the same as ignoring the risk. Risk is ignored when it is not identified and/or costs are not accounted for in management reserve. Ignoring risk amounts to hoping for the best but NOT preparing for the worst which is the same as gambling.
For opportunities, instead of accounting for the cost in a management reserve the benefit is identified (in an outcomes register) and monitored. If the opportunity happens then further action may be taken to leverage the opportunity further.
Avoidance / Exploit
Avoidance is a risk handling strategy when organizations are risk adverse or if the risk cannot be tolerated. This strategy is accomplished by introducing measures to eliminate / prevent the potential threat from occurring.
For opportunities risk handling introduces exploitive measures to increase the probability of the event happening.
In both cases, the focus is on ensuring that the uncertainty is removed and the opportunity definitely happens and the threat definitely doesn’t. In other words, eliminate the uncertainty / hazard; eliminate the risk.
Mitigation / Enhance
Mitigation is a risk handling strategy to reduce the likelihood of occurrence of an identified negative impact (i.e. consequence) for a threat.
The goal of mitigation is to reduce the risk to an acceptable level (e.g. ALARP, etc.) The rule for mitigation is not spend more on the mitigation than what the risk even would cost if it occurred.
Enhancement is used for opportunities to increase the positive impact or benefit or reinforce the conditions that trigger it. The rule for enhancement is not to spend more on the enhancement costs than the benefits realized from the opportunity.
Transfer / Share
Transferring risk in most cases involves the purchase of insurance as the transference of the risk. This transfers the cost of the effects and distributes it across a larger group. This strategy does not help you meet the obligation. It only helps address the cost of non-conformance provided that you can coverage.
Risk that is shared refers to positive consequences (i.e. benefits). Those that share the risks share in the benefits. For example, achieving safety compliance creates benefits that are shared across an organization.
Applying Risk Handling to Obligations
The best strategy to contend with risk may well be not to accept the obligation in the first place. However, if an organization accepts an obligation it must contend with the associated risk.
If the obligation must be met either by regulation or internally imposed then an organization should do what it can to improve the probability that it meets the obligation.
When deciding on which risk handling approach to take the following should be considered:
1. Is the obligation mandatory or voluntary?
Mandatory obligations are often considered as necessary to avoid fines, and other effects of non-conformance. These may require a higher degree of rigour as the effects may be more immediate and may lead to loss of a license to operate.
However, voluntary obligations tend to be seen as investments and measured against a ROI. One might be more inclined to accept an opportunity risk without introducing any enhancement or exploitive measures.
The risk tolerance for voluntary obligations is usually higher than mandatory ones.
2. Is meeting the obligation necessary for meeting another obligation?
To avoid a cascading or propagation of risk similar strategies should be used to avoid weaknesses in the compliance chain.
Obligations should consider risk handling strategies used by dependant obligations to so that they do not become the weakest link.
3. Do the benefits outweigh the costs?
The cost of the handling should be commensurate with the cost of the risk. This evaluation may position some strategies as too expensive compared with the loss or benefit anticipated.
4. Is the risk handling strategy feasible?
Deciding on a risk handling strategy is necessary, but so is having feasible measures available to implement. It is best not to rely on the invention of new technologies to handle critical uncertainties.
The lack of available risk measures may demand choosing a different risk handling strategy.
5. How effective is the risk handling strategy?
Risk measures may be available, feasible, but not effective enough to buy down risk below the risk tolerance level. This may require additional strategies to contend with the residual risk. In DOE terms this means promoting the residual risk to the primary risk category along with the inherent risk.
Evaluating the effectiveness of a selected risk strategy is necessary to knowing how much residual risk is left which in turn needs to be handled.
6. How long does the obligation last?
Obligations typically have a long life-cycle which means the effectiveness of risk measures should be monitored continuously and adjusted when necessary. To help with this the decision of risk handling strategy should be captured in the obligations-risk register along with other obligation and risk information to provide context for the risk controls.
If over the course of the obligation's life-cycle the chosen strategy does not perform as specified improvements may be required. In some cases, a different risk handling strategy may be needed.
If the obligation is retired then the corresponding controls may be decommissioned if not needed by another obligation.
Conclusion
As regulations continue to expand to include outcome and performance-based designs choosing the best risk handling strategies will become increasingly important. This reflects the growing shift of risk transferring or shared by regulators with industry and individual companies.
The DOE guidelines provide a robust framework for managing project risk that can be applied to compliance to improve the probability of meeting obligations. At a minimum it will help organizations know why risk controls have been chosen so they can better evaluate their effectiveness and make adjustments when and if necessary.
