Can risk be controlled? The stakes were high in 1986 when NASA launched its Challenger Shuttle—only to watch it explode 73 seconds into flight. An investigation uncovered serious shortcomings in NASA’s decision-making processes, which lead to warning signs being overlooked and the shuttle’s demise. Chipotle watched its stock drop 20% from the year prior in 2017. It struggled to overcome serious E-coli and Salmonella outbreaks that drove away customers from 2015 through 2017.
What NASA and Chipotle share are failures in the understanding and managing of risk. However, if we can forecast the who, what, when, where, and why of risk, then we can establish a plan to lessen the chances of risk getting out of control.
Although often related to an unwanted consequence, risk should not always be perceived as negative. Being able to effectively manage risks leads to increased profit, establishes good relationships with clients, and allows companies to expand. It appears to have worked for Chipotle. In 2018 they ranked thirteenth out of the top 250 chain restaurants with 4.9 billion in revenue—up 8.7% from the year prior.
The takeaway from these stories is that wise organizations prepare for the worst. In the construction and utilities industries the safety of employees takes center focus. Risk management frameworks embody many forms. At the end of the day, any plan should support regulatory compliance, achieve business objectives, and keep constituents safe. One approach is a five-step virtuous cycle designed to merge the science of risk management (quantitative measures) with the art of it (employee situational knowledge).
5 Steps of Risk Management
Carrying out risk management by way of a stepped process allows us the flexibility to understand changing conditions and manage new uncertainties as they emerge. Managers need a risk road map. There are many actions to accomplish in order to get from A to B to C. If you have 20+ items you need to analyze and account for, the stepped approach focuses attention so that all items are complete at each stage before moving on. The five steps are: Identify, Assess, Evaluate, Manage, and Monitor.
1. Identify Potential Risks
Knowing where and how to look for exposure is the first step in risk management. Mapping risks means navigating the whole business system to understand the liabilities. This includes accounting for the competing goals of departments, individuals, and external factors, like market conditions, agreements with contractors, and reputation among the public, etc. It can feel overwhelming. To avoid this, we recommend using categories to narrow the scope.
Human risk: safety hazards leading to worker accidents and injuries, labor shortages, availability of building materials, poor project management
Financial risk: occurs when there is loss in any asset or an increase in material costs
Legal risk: poorly written contracts, issues with subcontractors and suppliers
Environmental risk: natural disasters, unknown job site conditions
Just recognizing the company’s internal and external hazards is not sufficient. Next, the organization needs a reliable risk rating mechanism.
2. Assess Risk Exposure
Assigning value to risks in the form of severity and frequency is the second step of risk management. Consider the electric utilities. While the chance of a lineman being severely injured on the job is low, the severity of that occurrence is high. On the contrary, a line technician can expect to encounter unknown job site conditions, such as downed tree limbs. A more frequent, but low severity impact.
Within the construction industry, Construction Risk Logs or the Risk Assessment Code (RAC) matrix, are commonly used to assess risk. The RAC Chart (below) ranks hazards from “low” to “extremely high.” Complete the matrix with the hazard labels to quantify risks. From there, managers will be better equipped to prioritize risk preventative maintenance.
3. Evaluate Risk Tolerance
Tolerance for risk is influenced by multiple factors—market conditions, competitors, brand reputation, financial health, and confidence in employees, to name a few. If a mistake is made, what is the degree of loss an organization faces? The ratio of performance to loss in terms of what is acceptable to a company defines their risk tolerance. Some companies transfer risk. For example, a manufacturer could subcontract certain jobs to mitigate their risk or transfer it to someone else willing to take it on. Ideally, risk tolerance should be based in evidence and analytics, and not just a “this is how we’ve always done it” mindset.
4. Manage Risk
Anyone working in high-risk industries needs to account for hazards with resources and planning. A risk management plan identifies the controls used to mitigate dangers and the what to do when there’s a mishap. The plan should include training employees, especially front-line workers, to engage in specific actions designed to avoid hazards and must protect employees during routine activities and emergencies alike. Managerial attention to the front-line workers and contractors responsible for conducting tasks should be consistent and measurable. Allocating resources to achieve risk goals while maintaining regulatory compliance is consequential to the success of
the plan.
However, leadership must also develop a strong organizational culture. A shared set of beliefs creates an employee base that knows how to execute the risk management plan correctly. Furthermore, employees know they will be rewarded when upholding company values. Managers endorse culture by holding open discussions surrounding near-misses and serious incidents, after they’ve occurred. Supportive and corrective feedback encourages learning and reduces the likelihood of repeat offenses.
5. Monitor & Review
Audit the effectiveness of a risk management plan in times of crisis and during sustained periods of normalcy. A process to monitor the five-steps helps determine if collective efficacy is well rooted within the company’s hierarchy. This is because process itself influences whether decision-making is considered successful. As employees become interdependent in completing the job safely and understand their stake, the more likely favorable outcomes will be achieved.
Set up formal reviews at intervals that make sense for your organization. Some can meet bi-annually with the same benefit as those who require daily safety meetings. During these events, exchanges about past mistakes may help reduce over-confident decision-making. Don’t insulate employees from failures. Furthermore, talking stimulates knowledge-management across the organization and reinforces positive behavior-changes.
Whether implementing the five-step virtual cycle of risk management or an alternative format, a framework must be firmly in place before a risk-event occurs. To be effective, it must be activated at every level of the organization, responding to continuous feedback loops, driven by managerial attention, and monitored by formal review. Risk management is a dynamic process. Thoughtful approach to ever-evolving hazards will pay dividends when it comes time for action.