Headline risks – seeing the big picture
Introduction
Definition
A headline risk is a high-level description of sources of uncertainty and their consequences, usually expressed in general terms.
Like any risk, a headline risk is often described in the form
General rationale
In many circumstances risk assessments are undertaken in considerable detail, or several assessments are conducted on different parts of an organisation, project or program. The detail may be appropriate for low-level tactical decisions and specific risk treatment planning, but there is often too much detail for high-level decisions or planning. It becomes difficult to gain an overview and a big-picture understanding of what is happening and what might be important: it is hard to see the wood for the trees. Some sources of uncertainty cannot be understood without adopting a high level viewpoint.
Risks might be summarised for various reasons and in various ways. A headline risk is one useful way to make sense of a large amount of detail by providing a summary of what might happen and what the consequences might be. In this context a headline risk is distinctive in that it is developed from a set of more detailed risks that have common features.
A headline risk might also appear as a risk that can be identified easily only at a high level in the organisation. If a risk is caused primarily by sources that are only apparent at that level, or by external sources that fall outside the view of the detailed analyses, they can pass unnoticed unless deliberate efforts are made to expose them.
Developing headline risks generates many important outcomes (Figure 1).
- Overview and understanding. The high-level summary helps generate a high-level understanding of the risks that are important for the organisation. This supports strategic planning activities and decisions and it allows risk treatment to be dealt with confidently at a corporate level. Note that a summary of more detailed risks may not necessarily expose all strategic and organisation-wide risks, so a separate high-level assessment may be required as well.
- Simplification. ‘De-cluttering’ a large and sometimes messy set of risks into a set of headline risks generates a list that is more manageable and will often bring to light common themes and concerns that affect several parts of an organisation. This supports understanding, and it allows managers to make clearer decisions.
- New insights. The consolidation process can detect systemic risks that might otherwise remain hidden because their individual manifestations each have moderate or low levels of risk. Identifying these risks, usually by identifying common causes or the possibility that actions taken in one department or project might create or modify risks affecting another department or project, allows them to be addressed more coherently from a high-level perspective.
- Confidence. The high-level view of risks, and the understanding that is generated, provides managers with greater confidence as they approach and make decisions. Knowing the underlying detail is available if it is required for more specific decisions supports this.
This resource note addresses three specific processes by which headline risks might be derived:
- Combining risks from lower-level units or projects
- Simplifying a detailed risk register
- Aggregating risks from questionnaires in the context stage of a risk assessment.
Combining risks from lower-level units or projects
Risk assessments are often undertaken for individual business units in an organisation, or individual projects in a larger programme or portfolio of work. However, an organisation also needs to understand how uncertainty affects it as a whole; individual risk registers are not best suited for providing a high-level corporate, programme or portfolio view.
Figure 2 shows the risks that might be included in a corporate risk register that is based in part on risk assessments conducted in individual business units.
- Major risks that arise in any one unit may be important at corporate level, particularly if they might have large impacts on corporate objectives. For example, failure of a critical business process or a critical item of equipment in an individual unit might have strategic implications for the business and so should appear in the corporate risk register.
- Risks that feature in several units may be important at corporate level, when they are taken as a whole, if they relate to systemic matters, or if their treatment might require intervention from outside the individual business areas, even if the associated levels of risk are low. For example, reduced productivity caused by high staff turnover and an inability to hire skilled personnel quickly might be a mere nuisance for an individual business unit; however, if this risk featured across many different parts of the business it might indicate an endemic problem requiring attention from a corporate perspective. In this case a strategic approach to recruitment and retention from the centre might be better for the organisation than tactical or reactive treatments in the field.
- Some risks may only be visible from the top of the organisation and either invisible or irrelevant in most business units. For example, changes in legislation or political climate might not affect individual units, but they might have profound impacts on the strategic direction of the organisation.
Similar circumstances arise when a program-level perspective is required over risks generated in individual projects (Figure 3). Interactions between projects, such as competition for the time of scarce specialist resources or subcontractors, or schedule inter-dependencies, may be important additional features in this context.
Figure 4 illustrates the process used to derive a manageable set of corporate risks in a large organisation with which we worked. We facilitated a set of 11 workshops with individual business units.
- The 11 workshops generated 552 individual risks
- Removing duplicates reduced the list to 324 distinct risks
- Of these, 81 were low and could be set aside as inconsequential for corporate purposes
- A further 177 were operational risks that should be treated within the confines of the individual business units in which they arose, with appropriate priorities
- There were 66 individual risks, identified at the lower level, that were directly relevant for senior executives
- Risks with common causes were consolidated to form 23 corporate headline risks.
Simplifying a detailed risk assessment
An initial risk assessment sometimes needs to be very detailed, to allow detailed analysis of risks and development of treatment options, and occasionally to meet regulatory requirements. This often occurs in technical areas, where individual risks might be quite specific. However, there may be too much detail for senior managers to gain a clear high-level understanding about what is happening and where the major uncertainties lie.
Developing a set of headline risks follows the approach we used with one of the large organisations with which we worked, which was described earlier.
- Risks that have high levels of risk are flagged for attention
- Risks that have very low or inconsequential levels of risk are set aside
- Duplicates are combined
- Risks are grouped according to common causes, and combined where it makes sense to do so.
Table 1 shows a simplified example of how a headline risk might be presented in a report for senior executives.
- The top section of the table is concerned with the headline risk itself, with a statement of the risk, the impact criterion that is affected most by the risk and an analysis of the consequences, likelihood and level of risk
- The corporate executive who is accountable for the risk is named
- The individual risks that are part of the headline risk are noted next
- Finally the actions for treating the risk are noted, with the task owners and the due dates.
Table 2 shows an example from technical risk assessments at a wastewater treatment plant. It illustrates many of the matters noted in the earlier discussion.
- The individual risks are all related to the potential causes of pump failure and consequential operating problems, either directly or indirectly, even though they were described in different parts of the assessments and under different key elements The individual risks are technical matters and are best managed at a technical level; however, when taken together their combined effect could lead to a significant strategic impact on the organisation
- The risks overlap, and have different levels of detail; for example, ‘electrical-induced pump trips’ is noted as a risk in the ‘main pumps’ key element, but the ‘power supply’ element provides additional and related detail
- Both the headline risk and the detail are necessary for a full picture of the risk, but different parts are important to different stakeholders: the headline for site executives and the detail for technical managers in the mechanical, electrical and controls departments.
With one of our clients in the agribusiness sector, we consolidated detailed risks from corporate and business unit risk registers into strategic headline risks, based on common causes or sources of risk. We then expanded the headline risks, their causes, impacts and controls, using bow ties. The aim in this case was to facilitate the development of treatment options with the senior executive team (Table 3).
For another client, a joint venture consortium in the oil and gas sector, we developed a risk register with a high level of detail. This was a deliberate choice, to facilitate detailed management of specific risks in the development of an important technical and commercial proposal. However, further analysis and consolidation of the risk register was necessary before final documents were prepared for project tollgate approval. The benefits of using headline risks in this case were:
- A distillation of the detailed register produced a set of more general headline risks that senior managers could comprehend and address easily
- Detail that would clutter the decision-making processes for high-level approvals was avoided
- A concise representation of the main issues facing the consortium was presented, with at most one or two pages of background per headline risk Confidence was generated amongst the senior management team that the detail existed and had been addressed within the project team.
Aggregating risks from questionnaires
We sometimes issue questionnaires to a business or project team to collect their initial thoughts about threats and opportunities. Table 4 shows an example in which the focus is on risks to the organisation, but the focus could easily be expanded to include risks in individual parts of the organisation or project.
There are several benefits in this approach:
- The process starts people thinking about uncertainty in their area of the business or project, and from a wider business or project perspective, before they participate in a risk assessment workshop
- It gets them involved, so they feel part of the process from an early stage; they are drawn much more closely into the topic of interest and its associated risks, rather than just participating in a workshop
- The aggregated headline risks form a sound starting point for a risk assessment process; having an initial list of risks allows risk identification to proceed quickly, for a more efficient workshop.
There are several drawbacks to questionnaires too:
- There may be a large number of individual risks identified, with many duplicates
- People use different words to describe similar things, so it is important to read each description clearly to discern the intent
- Substantial effort is needed, as there is no ‘mechanical’ or algorithmic way of combining individual risks – the process requires a lot of thought and insight.
With one of our clients, a scientific research organisation, we used an expanded questionnaire to explore the environment in which the organisation operated as well as the risks it faced. We asked senior managers about:
- The main external factors and changes that might impact on the organisation over the next five years
- The organisation’s strengths and weaknesses
- The most important opportunities and threats confronting the organisation as a whole over the next five years
- The most important opportunities and threats in that part of the organisation in which the respondent worked.
Table 5 indicates the level of detail of the responses. These were aggregated and analysed, to develop an initial headline risk register containing 20 opportunities and 32 threats. This formed an important starting point for strategic workshops for the organisation, as part of its strategic planning process.
Topic |
Individual items |
---|---|
External factors |
108 |
Strengths |
87 |
Weaknesses |
90 |
Opportunities |
190 |
Threats |
208 |
Analysis of headline risks
In the example in Table 1, a partial analysis of the headline risk was shown, with the primary criterion (linked to a corporate production objective in this case), the consequence C for that criterion, the likelihood L of that level of consequence and the associated priority (this particular company’s term for level of risk). It is reasonable to ask how these analysis outcomes were obtained.
Ratings for headline risks represent the judgement of the organisation’s senior management. They cannot be derived mechanistically from the ratings of the individual risks from which they have been derived. In most circumstances each headline risk must be rated independently at the ‘rolled up’ level. This was the case in the example shown in Table 1.
However, the individual lower-level risks and their associated analysis ratings do provide useful information that can contribute to the higher-level risk analysis. Table 6 provides guidance on how the lower-level analysis components might be used.
Component |
Guidance notes |
---|---|
Control effectiveness (CE) |
Control effectiveness is a relative measure of the design and implementation of the all controls for a particular risk, rated against the best that could be achieved by a similar organisation using a world-class approach. Because it is an aggregate rating across all the controls, the high-level CE rating may not be linked directly to the lower-level ratings. For example, two CE ratings that are less than fully effective may lead to a more effective combined CE rating if the combined controls are complementary and cover a broader range. |
Consequences |
Generally, if consequences are rated on absolute scales (as they should be), then the maximum of the lower-level consequences provides a guide for the higher-level consequence rating. However, consequences are rated after considering the controls, so this rating must be adjusted according to the combined CE. |
Likelihood |
In most cases the likelihood of the new high-level consequences must be rated separately, as the sources of risk are often disparate and they may not be independent at the higher level. |
Level of risk |
The level of risk should be derived from the accepted organisational framework guidelines. |
Potential exposure (PE) |
Potential exposure measures the maximum consequence for the organisation if all the controls were to fail. The maximum of the low-level PE ratings is usually a good initial guide. |
It is important to remember that the notes in Table 6 provide guidance only. They are not fixed ‘rules’ that apply in every case, just prompts to stimulate the risk analysis process. There is no substitute for sound judgement supported by detailed thinking.
Lessons
Aggregation is a manual process that requires focus and effort. There are few technical shortcuts, and a great deal of thought is required if sensible headline risks are to be developed, with sensible risk analysis ratings.
The detail of the individual risks is important. The detailed causes, controls and consequences that are recorded in the risk register are invaluable as guides for grouping and generating descriptions of the headline risks that make sense and are consistent with the underlying component risks.
Significant individual risks, whether identified in specific parts of the business or project, or discerned from a higher level in the organisation, may also be important headline risks. Significant individual risks, and those risks developed by consolidating lower-level risks, can together form the basis for a comprehensive but comprehensible risk register at corporate or programme level.
There is rarely a single 'best' set of headline risks. There is often a lot of trial and error involved, and a great deal of judgement is needed to generate a high-level list that is suitable for its intended purpose. The detailed risk information, collected from various parts of a program, portfolio or organisation, is a valuable resource that can be exploited to derive a better overview of risk, and more efficiently than would be possible without it.
References
Some of the case material discussed in this note can be accessed through the links below.