Risk events and the importance of learning from near misses
Our next few blogs are all about managing Risk Events using operational risk software. Here Tony and John introduce the topic, explaining what is meant by a risk event, what is meant by a near miss, and what can be learned from both.
Taken from: Mastering Risk Management
Events and losses are a fundamental part of risk management. They are a clear and explicit signal that a risk has occurred. This may be due to the failure of a control, the lack of a control or simply a very unusual event that was not foreseen.
Events are one of the three fundamental processes of risk management. They provide a valuable objective challenge to the subjective nature of risk and control self-assessments. They are also often used as indicators of risks and controls.
Enterprise-wide Events and Strategic Events
What is meant by an event?
Typically, the term ‘event’ is used to describe the occurrence of a risk – whether or not an actual loss is suffered by the firm. Events can be categorised as hard or soft and direct or indirect. Examples of these categories in the event of a loss of an IT system are:
- A direct hard event is the overtime money paid to the software and hardware engineers to restore the system – this is the money which actually flows out of the firm
- An indirect hard event is the extra food and hotel bills paid to feed and accommodate the software and hardware engineers while they restore the system – this is also money which has flowed out of the firm
- A direct soft event is the loss of sales that were unable to be concluded – although this is difficult to quantify, it is a direct consequence of the event
- An indirect soft event is less growth achieved by the firm than it had budgeted – this is also difficult to quantify, although it is still a consequence of the event.
Events can also be categorised into actual losses or near misses. An actual loss is easy to describe in that it is a debit to the profit and loss account of the firm or the reduction of the value of an asset held by the firm.
There are at least two different definitions of a near miss:
- An event which would have occurred if the final preventative control had not worked.
- An event has happened, but it did not result in an actual financial or non-financial loss or harm due to either the correct operation of detective and/or corrective controls or simply the random nature of events.
Clearly, in the first definition, there is no actual loss because the risk has not occurred. However, valuable information can be captured by identifying and analysing even this sort of event, since one or more controls have failed in order for a near miss to have occurred.
In the second definition, either a positive value is attached to the event (a gain) or there is no financial impact at all. Some firms which adopt the first definition as a near miss characterise the second definition as an incident, to differentiate it from an event which has a negative financial impact. Again, there is significant risk management information: preventative controls have failed (or they did not exist) and need to be analysed, while the detective and corrective controls may have worked; or the firm may have been very fortunate. As an example, a brick falls from the top of a building on a building site, but nobody is hit or hurt.
Near misses are therefore invaluable for challenging risk and control self-assessment scores. They are particularly helpful in assessing the performance of controls. If there have been a number of near misses relating to a specific preventative control, the current score of that control should be questioned, especially if its performance is assessed as good or even very good.
Using major events
Major events, whether internal or external, are particularly valuable for risk management as the analysis of these can prevent the future loss of the entire firm. Of course, after a major event, many firms will carry out an audit of the specific controls which failed (or are perceived to have failed) and therefore caused the event, and take remedial action. But special audits can be delayed for good business reasons and not all firms will carry out an audit. This nevertheless raises the question: ‘How valuable are the historic data relating to a major event?’ The answer is that major events are of use for conceptual, rather than numeric, analysis in trying to get to the true cause of the event and prevent future similar events.
One of the great problems with risk management is that it depends on the comprehensive reporting of events and losses, near misses and gains in order to build up as accurate a picture as possible of the scale of risk in the firm, or whether controls are effective. However, events and losses are rarely reported fully. Actual losses are the best reported, although even these are frequently incomplete. Near misses are less frequently reported and gains are rarely reported at all. Considerable amounts of information are therefore in danger of being lost.
One way some firms have successfully tackled the problem of lost data is by a monthly reconciliation of the losses reported to risk management to the losses written off by the finance department in the monthly accounts. This is a time-consuming process, although it does mean that the firm knows that it has captured at least all of the losses that have a value. However, this approach still does not capture events that have no financial impact.
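The monthly reconciliation described above, together with the earlier point that repeated near misses should call a preventative control's self-assessment score into question, can be expressed as a small data check. The following is an added illustration, not code from the book or from the blog; the record layout, the field names, the sample register, the finance write-offs and the control scores are all constructed assumptions.

```python
"""Reconcile losses reported to risk management against the write-offs booked
by finance, and flag preventative controls with repeated near misses.

Added illustration; the record layouts, field names and sample entries are
constructed assumptions and do not come from the book or the blog.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    ref: str          # internal reference (constructed)
    control: str      # preventative control the event relates to
    outcome: str      # "loss" or "near_miss"
    amount: float     # 0.0 for a near miss


# Constructed sample: the risk function's event register for one month.
RISK_REGISTER = [
    RiskEvent("RE-001", "payment dual authorisation", "loss", 12_500.0),
    RiskEvent("RE-002", "payment dual authorisation", "near_miss", 0.0),
    RiskEvent("RE-003", "payment dual authorisation", "near_miss", 0.0),
    RiskEvent("RE-004", "backup verification", "loss", 4_000.0),
    RiskEvent("RE-005", "payment dual authorisation", "near_miss", 0.0),
]

# Constructed sample: losses written off by finance in the same month,
# keyed by the risk reference finance was given (None = no reference known).
FINANCE_WRITE_OFFS = [
    ("RE-001", 12_500.0),
    ("RE-004", 3_800.0),   # amount differs from the risk register
    (None, 950.0),         # written off but never reported to risk
]

# Constructed sample: current self-assessment score per preventative control.
CONTROL_SCORES = {
    "payment dual authorisation": "very good",
    "backup verification": "satisfactory",
}


def reconcile(register, write_offs, tolerance=0.0):
    """Return (unreported, mismatched, unmatched_register).

    unreported:         finance write-offs with no corresponding risk event
    mismatched:         matched pairs whose amounts differ by more than tolerance
    unmatched_register: losses reported to risk that finance has not written off
    Only actual losses take part: a near miss has no write-off to match, which
    is why this check alone never captures events with no financial impact.
    """
    losses = {e.ref: e for e in register if e.outcome == "loss"}
    seen = set()
    unreported, mismatched = [], []
    for ref, amount in write_offs:
        event = losses.get(ref) if ref else None
        if event is None:
            unreported.append((ref, amount))
            continue
        seen.add(ref)
        if abs(event.amount - amount) > tolerance:
            mismatched.append((ref, event.amount, amount))
    unmatched_register = sorted(set(losses) - seen)
    return unreported, mismatched, unmatched_register


def controls_to_question(register, scores, threshold=2):
    """Controls scored 'good' or 'very good' despite >= threshold near misses."""
    near_misses = Counter(e.control for e in register if e.outcome == "near_miss")
    return sorted(
        c for c, n in near_misses.items()
        if n >= threshold and scores.get(c) in ("good", "very good")
    )


if __name__ == "__main__":
    unreported, mismatched, unmatched = reconcile(RISK_REGISTER, FINANCE_WRITE_OFFS)
    print("written off but not reported to risk:", unreported)
    print("amount differs between risk and finance:", mismatched)
    print("reported to risk but not written off:", unmatched)
    print("control scores to challenge:", controls_to_question(RISK_REGISTER, CONTROL_SCORES))
```

Run on the constructed sample, the reconciliation surfaces the 950 write-off that never reached the risk function and the RE-004 amount that the two departments disagree on, while the near-miss count singles out the dual-authorisation control whose "very good" score sits uneasily beside three near misses in one month. The near misses only appear at all because they were entered in the risk register, which is exactly the gap the finance reconciliation cannot close on its own.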
Another way to capture lost data is by making the risk function responsible for the insurances of the firm. The head of risk (in conjunction with the chief financial officer, CFO) then assures the business line heads that any potential loss which is reported to risk within 12 hours of first being identified will not be charged to the business line's profit and loss, even if it ultimately results in an actual loss. This approach:
- Encourages more complete reporting of events and losses
- Encourages earlier reporting of events and losses
- Encourages near miss reporting, as events are reported before they become losses
- Does not disadvantage the firm, as losses simply move from one account centre to another (business line to risk management)
- Results in the insurance buyers in the firm being more fully informed.
In our next blog Tony and John discuss the various strategies for collecting risk event information, the potential effects on whistleblowers, and why this is so important to effective risk management.
Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317