At its simplest, risk treatment involves a process to modify a risk by changing the consequences that could occur or their likelihood. This process requires creative consideration of options and detailed design, both inputs being necessary to find and select the best risk treatment.
Once implemented, risk treatments will either create new controls or amend existing controls.
Risk treatment takes place in two distinctive contexts:
- In the proactive context, where an organisation has successfully integrated risk management into a system of management, risk treatment is integral to and effectively indistinguishable from decision-making. Therefore, at the time a decision is finalised, the risk created by the decision will be within the organisation’s risk criteria.
- In a reactive context, the organisation is looking retrospectively at the risk created by decisions taken and implemented in the past and so any risk treatments that are necessary will be remedial in nature.
In both contexts, those risks that the organisation judges to be unacceptable should be treated.
Risk treatment options
There are several classes of risk treatment options that should be considered. They overlap to an extent, but they are useful categories to prompt or guide the search for feasible actions.
Do something different
This class of treatment options includes risk avoidance and opportunity seeking.
Risk avoidance might involve removing a hazard or a source of risk (What you don't have can't spill), or not engaging in an activity that may lead to unwanted outcomes.
Opportunity seeking may involve new business ventures or initiating operations in new locations or with new partners.
Change the likelihood
Changing the likelihood is directed at enhancing the likelihood of circumstances and events leading to beneficial outcomes and reducing the likelihood of circumstances and events leading to undesired outcomes.
Change the consequences
Changing the consequences of a risk is directed to increasing the extent of beneficial outcomes and decreasing the extent of undesired outcomes.
Some risks, such as those influenced by external factors like economic variations or extreme weather conditions, cannot be avoided, and others may arise despite management action being taken to reduce the likelihood of their occurrence. In these cases, risk treatment must be directed to managing the impacts, to ensure the magnitude of unwanted outcomes is minimised and beneficial outcomes are exploited.
Share the risk
Some risks can be transferred in part to another party, so the other party bears the initial consequences if the risk arises. Sharing a risk with another party usually incurs a cost.
Risk sharing usually occurs through the mechanism of a contract that allocates risk amongst the parties involved. Risk sharing contracts include:
- Supply contracts, where a provider takes the technical delivery risks in exchange for a purchase price for a product or a fee for a service
- Insurance, where an insurer takes the risk of insurable loss in exchange for a premium
- Joint venture and consortium agreements, where organisations with complementary capabilities agree to work together for a common purpose that none could achieve easily alone.
These arrangements are called risk sharing rather than risk transfer because risks are rarely transferred entirely or shed completely. Instead, they are transformed into different risks with different characteristics. For example, a company may outsource the supply of major equipment, thus shedding a technical risk, but in turn it acquires risks that the supplier may not deliver on time or to the required quality. Insuring may appear to transfer the risk of a large loss to the insurer, but the insuring party now has a credit risk associated with claims disputes or a default in payment.
Retain or tolerate the risk
Unless there are statutory, regulatory or policy imperatives, organisations always have an option of doing nothing, of tolerating a risk. However, it is important that this is the result of a positive decision rather than an outcome that arises by default.
Bow tie analysis for identifying control gaps
We often use bow-tie analysis to help our clients identify possible risk treatment options based on control gaps.
Cost benefit analysis
The primary consideration for most risks is whether the risk can be further treated in a way that is reasonable and cost effective. In general this involves considering:
- Whether the risk is being controlled to a level that is reasonably achievable
- Whether it would be cost-effective to treat the risk further
- The organisation’s willingness to tolerate risks of that kind.
Determining the cost effectiveness of further treatment involves the application of cost benefit analysis. This should include the consideration of all costs and ancillary costs (dis-benefits) as well as all the benefits and ancillary benefits (advantages). If most of the costs or the benefits are unlikely to be experienced within the first year or so then it may be necessary to discount them to allow the assessment to be made ‘in today’s money’.
We help our clients identify possible options for risk treatment and then test each of these using cost benefit analysis.
Risk treatment strategy
It is usually not cost-effective or even desirable to implement all possible risk treatments. It is, however, necessary to choose, prioritise and implement the most appropriate combination of risk treatments. Treatment options, or more usually combinations of options, are selected by considering costs and benefits, effectiveness and other criteria of relevance to the organization. Factors such as legal, social, political and economic considerations may also need to be taken into account.
Treatment of individual risks should be part of an overall treatment strategy rather than addressed in isolation. Having a clear understanding of a complete treatment strategy is important to ensure that critical dependencies and linkages are not compromised and to ensure the use of resources and budgets is efficient. For this reason development of an overall treatment strategy should be a top-down process, driven jointly by the need to achieve objectives and satisfy organizational and budgetary constraints while controlling uncertainty to the extent that is desirable.
We advise our clients to be flexible and consult broadly about risk treatment with stakeholders as well as with peers and specialists. Many treatments need be acceptable to stakeholders or those who are involved in implementation if they are to be effective and sustainable.
Risk treatment plans
We help our clients generate and record potential options for risk treatment using simple templates. For each option, the benefits or advantages and the costs or disadvantages are discussed and recorded, and a decision is noted in the final column. The decision is either ‘yes’ because the risk treatment option is value accretive, or ‘no’ because it is not. If the evaluation in inconclusive, a ‘maybe’ is recorded and more detailed benefit-cost analysis may be required.
All those options marked ‘yes’ go ahead as risk treatment measures and plans are developed for their implementation.