The Institute of Risk Management (IRM)

2nd floor Sackville House 143 - 149 Fenchurch Street London, EC3M 6BN
+44 (0)20 7709 9808
http://www.theirm.org
  • About IRM

    The Institute of Risk Management (IRM) is the world’s leading enterprise-wide risk education Institute. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals. IRM passionately believes in the importance of risk management and that investment in education and continuing professional development leads to more effective risk management.  

    We provide qualifications, short courses and events at a range of levels from introductory to expert. IRM supports risk professionals by providing the skills and tools needed to put theory into practice in order to deal with the demands of a constantly changing, sophisticated and challenging business environment. We operate internationally, with members and students in over 90 countries, drawn from a variety of risk-related disciplines and a wide range of industries. 

    As a not-for-profit organisation, IRM reinvests any surplus from its activities in the development of international qualifications, membership, short courses and events. 

Understanding risk connectivity following collapse of Carillion

Understanding-risk-connectivity-following-Carillion-collapse

In this interconnected and increasingly digitised world, many (indeed, perhaps most) risks and uncertainties that we contend with cannot be evaluated and managed in isolation.

Common features of interconnected risks and uncertainties include multiple characteristics, causes and consequences. Such interconnected risks can spiral and morph in unpredictable ways and a collection of risks, when combined together, can result in new risks or outcomes.

In one high profile example of such interconnected risk, thousands of suppliers are reportedly owed money following the recent collapse of the UK’s second-largest construction business, Carillion. Some suppliers are even predicted to collapse themselves as a direct result of not being paid for work they have already performed.

Understanding and mapping the interconnectivity of the risks we face doesn’t need to be complicated. It can be done in three simple steps: firstly, understand the risk interconnectivity through systems thinking and network analysis. Second, put good resilience practices in place. Third, maintain awareness of threats and act upon them early.

Understanding risk interconnectivity

Risk managers could use an interconnected risks map to understand the uncertainty that their organisations face and to agree how to respond to it. This can be created by bringing together the appropriate people in a facilitated workshop to identify and review the organisational risks, and then mapping them to each other by discussing the effects of different scenarios that could occur. A technique such as horizon scanning could be useful in this process. Extreme scenarios should be included in the mapping, so that an organisation can test and understand how it would respond if a real worst-case scenario were to occur.

If a risk matrix is used for prioritisation, a weighting factor could be added to risks which relates to their “extent of connectedness”. Interconnected risks network maps will usually include the following patterns, which need to be considered. Those risks that are key nodes or drivers in a network have knock-on effects and influences and should be given a high priority:

  • Key nodes (risks) in the network (regardless of their individual rating/priority) that link many or several other nodes together:
  • Key drivers in the network (represented by the green node – see attached pdf), that directly relate to many others and also link groups of risks:
  • Gaps where risks appear to be standalone and unaffected by other risks (these should be reviewed to check whether they truly are standalone).

Put good resilience practices in place

Organisational resilience allows us to anticipate and respond to sudden changes in our ecosystem.

One way to test and measure resilience is to conduct stress testing against extreme scenarios. The military offers a good example of stress testing, through its varied training exercises, and the banking and finance sector is also often held up as an example of good practice in this regard, particularly since the 2008 global financial crash.

As a recent McKinsey Paper explained, modelling extreme scenarios – for which network analysis of interconnected risks can provide valuable input – can help determine the spiralling effects of interconnected risks that may occur. Looking at outliers outside of the normal range of best, likely and worst-case scenarios can help to prepare for a true worst-case scenario. Looking at extreme scenarios helps organisations to stress test their resilience, and to test how their risk management and control measures can respond in such situations.

Maintain awareness of threats and act upon them early

To best anticipate and adapt to interconnected risks, organisations need open, trusting and transparent relationships with every important stakeholder in their ecosystem. For example, consider one element – the availability of critical components in the supply chain. For complete trust we need to know the status of critical components at all times. In order to have confidence about these supplies, there must be transparent and open relationships with suppliers and customers, including those that are several levels removed (e.g. sub-sub-suppliers and contractors).

What can we learn from the case of Carillion?

Since the liquidation of Carillion was announced (see above), much has been written about the warning signs that were apparent in the lead-up to the collapse, and the many interconnections that this risk has for the UK government, existing private sector clients of Carillion, and the large and extended supply chain.

We cannot know which organisations (public and private sector) that recently worked with Carillion looked at whether there was a risk to doing so through an interconnected risk network (bearing in mind their profit warnings of 2017), but those that did may well be better placed to handle the fallout of this event than those that did not.

Taking the time to understand the interconnections between the risks and uncertainties that an organisation faces and ensuring that the appropriate, stress-tested resilience measures are in place play an important role in protecting not just an individual organisation, but also many others that exist in its ecosystem. This activity is valid no matter how large or small an organisation.

Neil Allan and Gareth Byatt are both risk experts based in Sydney, Australia. The views are their own and do not represent the official position of IRM.