The FIRM Scorecard

Risk Management

Within the field of Risk Management, there are various ways of identifying risks. Depending on the way in which you wish to realize these risks, there are certain risk classification systems to choose from. One of these is the FIRM scorecard, which in some respects serves the same purpose as the Business Impact Model. Both of these aim at identifying risks, whereas FIRM also takes notice of risks outside of the organization. Additionally, the FIRM scorecard puts more focus on the causality between the organization's planning/business model, its stakeholders and the organization's position in the market.

Let us dive into the core of the model and see how it helps us assess certain risks. For a better understanding of the model, this figure will be a good starting point for illustrating the many factors that come into play:

To better comprehend the figure, let us look at it starting from the top. So first of all, we have the mission objective. The Mission Objective of an organization is its designated mission, a mission that is influenced by a number of factors, such as:

  1. Significant risks: Which risks have meaning for us and are relevant?
  2. Key dependencies: Functions within and outside of the organization that can cause a disruption for our operations. This is where the organization's robustness (capacity) and resilience (restoring activities) come into play.
  3. Core processes: The primary activities which help the organization realize its goals.
  4. Planning: Planning which is conducted on a strategic level, and choice of business model.

To understand what is meant by planning on a ‘strategic’ level, we need to differentiate between the strategic, tactical and operational level.

On the strategic level we have the board of the company, those who decide the company’s policies and decide the long-term strategy for the organization. On this level, planning is usually based on what will happen for the next 12-18 months. This is just a ballpark figure, as some projects may take years before they become operative.

Next, we have the tactical level, which consists of middle-upper management. Management on this level will usually be the mediator between the strategic personnel and the operatives. This is also why they are the ‘first line of defense’, since they are the ones on-site with enough authority and day-to-day presence. Planning on the tactical level will usually be based on a time period between 6-12 months.

The operational level is where all of the practical activities take place. This is where we have our customer care, cleaning personnel, security, and so forth. They are the ones making sure that our operations run as they should, and the planning for this level usually revolves around 1-2 weeks.

Lastly, we have the compliance level, and this one is a little outside the hierarchy. An organization’s compliance revolves around all of the legal criteria for an organization. This includes everything from the organization’s responsibility for the staff’s safety, environmental laws, anti-corruption, etc. It will usually be lawyers who make it clear to the board what activities are or aren’t legal, and later have HR implement relevant activities that ensure that there is compliance across the organization. Complying with the law is an absolute must, for if caught, the organization will lose its ‘license to operate’ and therefore cease operations.

By using the terms above, we can get better insight into how these affect the FIRM scorecard. The acronym covers the following:

Financial: Risks that can impact the way in which money is managed and whether profitability is achieved. In order to reduce risks within this department, a risk manager can take certain actions to reduce fraud, such as: reducing the motive for fraud, minimizing the opportunity to steal, improving detection of fraud and record keeping, and increasing the level of supervision.

Infrastructure: Risks within the infrastructure are elements that can affect and/or cause disruption within our core processes and efficiency. For this department of the organization, a BIA analysis would be an optimal tool. Depending on the nature of the organization, the hazardous risks can vary but will usually include things such as: Electrical & fire safety, dangerous machinery, radiation and so forth.

Reputation: How do the public, stakeholders and competition view us? Depending on which sector the organization finds itself in, the reputation may be more critical than in others. Public organizations are for example reliant on their reputation, since their operations are funded by the taxpayer, and they therefore have a responsibility to uphold a standard of professionalism, integrity and transparency.

Even for private organizations, a bad reputation can lead to boycotts and ultimately a decline in profits. It is therefore important for an organization to protect their brands, and make sure to have appropriate franchisee behavior, whilst avoiding counterfeiting and fake goods.

Market: The market is a force that cannot be tamed. The outside world can influence the organization’s business potential, both quantity and opportunity wise. The constant evolution of digitization changes the terms on which business is conducted, and how products are shaped, delivered and reviewed. Organizations are always challenged by different forces from the external environment, such as the buyers, suppliers, competitors and even the replacement of an identical, yet better product.

Lastly we have the 4P’s. These are factors that can bring potential disruption and harm to our operations. They are defined as:

People: Lack of skills, unexpected absence of key personnel, ill-health, accident or injury to people.

Premises: Theft or loss of physical assets, property damage and contamination on premises.

Processes: IT-failures, inadequate management of information, disruption by hackers/viruses.

Products: Poor product/service quality, delivery of defective goods or components, disruption caused by failure of supplier, failure of outsourced services and facilities.

Relational coordination

When cooperating across sections, a number of potential problems may arise, mainly in regards to the communicative aspect. These problems arise as a result of the clashing of different expertise, authorities and cultural differences. In relation to this, a professor within the field of management by the name of Jody H. Gittell has come up with her theory of relational coordination. This theory is mainly focused on the public sector; it is however still applicable for international private organizations. Used as a tool, this theory can help analyse the interpersonal processes which could potentially be barriers for optimal efficiency. This theory has furthermore been the foundation for multiple Danish consultants, who have come with their own additions to this theory. Consultants such as Carsten Hornstrup claim that the definition of a good relationship is subjective, and a certain relationship can therefore be seen in two completely opposite ways. A relevant factor in this is the individual's authoritative position within the hierarchy of the organization, as leaders will often have a more positive outlook on the relation.

Jody H. Gittell has set out a negative and a positive spiral with the purpose of illustrating what indicates a positive and a negative relationship. The reason it is illustrated as a spiral is that a relation is heavily built upon communication and vice versa. There is therefore no real ‘starting point’, and one should try to improve one of the following aspects in order to break through to the next, until it comes full circle.

The theory of relational coordination is based on two different dimensions: Relations and communication. The quality of these aspects is defined as follows:

Relations:

  1. Mutual goals: Same interpretation of the mission objective within an organization, where a task is solved based on a set of common, clarified goals. This is also synonymous with the organization’s vision, so it is crucial that everyone is on the same page regarding the overall goal.
  2. Mutual knowledge: To which degree are the different groups familiar with each other's professional field and competences? This is not only about performing one another’s list of duties, but also knowing and understanding them.
  3. Mutual respect: Whether the different groups feel acknowledged for their contribution to solving the common task. This is where the higher placed personnel may show a lack of respect for other groups, which ultimately affects the common engagement in a negative way.

Communication:

  1. Frequent and timely: This indicator revolves around whether communication is timed correctly, often and interpreted in a meaningful way. The overall coordination suffers if the communication is too frequent, too rare or timed incorrectly.
  2. Precise and problem-solving: Is the communication constructive, practical and relevant? The task needs to be presented in a comprehensive way for the receiver, and needs to address the actual issue at hand.

Business Impact Analysis


There will often be many active pieces within an organization. Some may be critical for the organization’s infrastructure, and others may be not as essential for the survival of the company. When conducting a Business Impact Analysis (BIA) one needs to consider what it is that brings actual value to the company. A company’s wealth and value is not only decided by its monetary value, but by its cultural and social values as well. First off, we need to establish ‘what value are we creating’ and thereafter ‘who do we create value for’ in order to get an idea of the organization’s output and paint a picture of the overall process.

By reviewing the following steps, we can in a systematic way review relevant elements for our company’s value creation. The steps are as follows:

  1. Value creation: Who are we creating value for? To understand this business model, we need to identify potential hazards that can cause disruption to our operations. In this step, you can use models such as Porter's Value Chain and Business Model Canvas.
  2. Identification of critical activities: In this step we pool together a number of processes, which together constitute an activity. For example, the production line creates value for us, so we need to recognize where potential disruptions within this production line would be critical for our operations.
  3. Mutual dependencies: Which activities rely on each other to function? In this part, it is also relevant to consider how dependent we are on our suppliers. Do we have alternative suppliers, in case our Tier 1 is unable to perform their part?
  4. The robustness of critical activities: How do we test our robustness? In this step we test the minimal operative level. For example, if the power is out, can we still keep an overview of our logistics on paper rather than electronics? The system’s robustness is defined by being able to absorb disruptive activities, whilst keeping our operative integrity. An analysis can be conducted by doing the following:
     1. Identifying vulnerabilities/minimum operational levels.
     2. Identifying where an increase in resources can strengthen our robustness.
     3. Different types of exercises can also help in this phase (e.g. contingency plans).
  5. Internal and external resources: The resources that the company is reliant on, such as:
     1. Infrastructure; roads, stand-alone systems.
     2. Physical resources; storage/inventory, equipment.
     3. Intellectual resources; skills, employees' educational background, capabilities.
  6. Maximum Tolerable Downtime (MTD): MTD describes the point where an organization is unable to keep its operational integrity after a disruptive event (post-crisis). The costs of restoration are so high that it would not be worth it.
  7. Recovery Time Objective (RTO): RTO describes when management wishes for an activity to be back up and running. RTO requires resources and therefore an allocation of economic funds. The RTO can be influenced by mitigating intervention, by having Risk Management as an integral part of the organization.

This figure can help illustrate what the MTD and RTO mean during a disruptive event.

The risk manager

Over the last months we have on a weekly basis posted comprehensive articles covering tools and models which are useful for any risk manager to know of and be familiar with. In this article we will make a summary of these and dig into exactly what it means to be a risk manager.

Introduction: What is a risk manager?

A risk manager is an individual responsible for managing an organization or project’s risk. The person’s goal is to minimize or remove risks that can result in losses to the organization. This is done by identifying the risks, evaluating them, and deciding on which approach is the safest and most efficient. The risk manager can come in many shapes and forms, since risks are involved in almost any type of work done around the world. This means that whether you are within the construction industry, finances, or consulting, you can most likely benefit from having a risk manager to oversee your operations. With this many varieties in risk manager approaches, there are equally many models, theories, and tools ready for risk managers to use.

Summary of tools and theories

Below you will find an overview of the articles previously made on the website. This is to help guide you towards what is relevant to you. You can access each article by simply pressing the title of the article.

Black Swan theory: This theory in short explains how to be prepared for what you cannot predict will happen. It is about bolstering your organization so it can get through a crisis of large proportions.

Sendai Framework: This article digs into how the Sendai Framework needs to be taken into account when building new constructions or rebuilding constructions after catastrophes. Furthermore, its goals are to understand risks and how to efficiently mitigate them.

Fault Tree Analysis (FTA): The FTA is an important model in the risk manager toolshed. This model will help understand where and when disasters happen and how to reduce the likelihood of them.

Risk Management Decision: This article takes a deeper look at how a risk manager can get help in their decision making. It bases the decision making off of three different parameters which a risk manager should take into consideration.

The Perception of Risk: This is a theory made by the American professor Paul Slovic. The theory revolves around how an individual perceives risk and what factors play into it. It is one of the most important theories in regards to understanding your employees'/co-workers' risk perception.

Risk Management: Safety Risk Management: This article takes a closer look at safety risk management, with the goal being to identify the safety hazards and then mitigating these.

Even more articles and posts can be found in the RICO section on the website. Make sure to carefully study these when engaging in a large project or day-to-day work in an organization!

Risk Strategy. Safety Risk Management

This article describes how safety risk management is a key component of any safety management system and involves identifying safety hazards to your operations and assessing the risks of mitigation. To successfully identify hazards you should think laterally and be unencumbered by past ideas and experience.

Introduction

The term “safe”

Those involved in disaster management are often faced with defining what level of safety from hazard exposure is considered sufficient. There is not necessarily a correct answer to the question “how safe is safe enough?” (Derby and Keeney, 1981). Most people assume that referring to something as “safe” implies that all risk has been eliminated. However, because such an absolute level of safety is virtually unattainable in the real world, risk managers must establish thresholds of risk that define a frequency of occurrence below which society need not worry about the hazard. Derby and Keeney (1981) contend that a risk becomes safe or acceptable if it is “associated with the best of the available”

This definition can cause great disagreement between the public and disaster risk management officials. The public may expect a level of safety determined to be zero risk for some hazards, such as terrorism in the United States. Officials may need to recalibrate the public’s perception of these hazards continually to let the public know that although the risks are in fact still possible, they have been mitigated to the best of the country's social, economic, and technological abilities. Although the chances of a terrorist attack will always exist, governments strive to attain levels of security dictating that the risks are so low that people need not worry.

To determine what level of safety is most acceptable, Derby and Keeney (1981) contend that “the best combination of advantages and disadvantages” must be chosen from among several alternatives. For instance, although the risk for car accidents is one of the greatest we face on a daily basis, eliminating the risk by prohibiting the use of cars is impractical. However, we can make cars more resistant to impact, add seat belts and airbags, and enact laws and regulations that limit the ways in which cars are operated. The result is a level of safety that society agrees is acceptable in relation to the benefits (mobility) retained.

Paul Barnes of the Australian Department of Primary Industries explains the importance of establishing an agreement on what constitutes safety in the community. He writes:

Is our goal Community safety or Safer Communities? As a societal outcome, Community Safety can be sought via efficient and effective regulation at an institutional level. Associated with this regulation must be similarly high standards of risk management applied at the community level. The establishment of safer communities, however, is a different matter. Before this can be sought as a goal, determinations must be made about what safety means to the communities themselves. To do this, institutional regulators must ensure that use of their expertise does not promote inflexibility in understanding the world-views of the public.

Feel free to comment, or contact us for more information!

Source: Coppola, D. (2021): “Introduction to International Disaster Management”

The Perception of Risk

Introduction

Paul Slovic is an American professor of psychology at the University of Oregon. Slovic mainly studies human judgement, decision making and risk perception. He has released a large amount of research papers on the before-mentioned subjects and is considered one of the leading theorists within the risk perception field.

One of Paul Slovic’s most famous publications is “The Perception of Risk”, a publication in which he researches and discusses how an individual perceives risk in regards to extreme events and catastrophes.

The theory

What Slovic found out is that the relations between risk and benefit are never the same, but depend on how the individual perceives the risk. This perception is based on the past experiences that the person might have with such events or catastrophes.

Furthermore, his research shows that if you ask people what risks they think should be prioritised, they will rely on subjective preferences to determine which risks they deem large or small. Thus there is a difference in regards to when a risk is perceived as large or small on a subjective level.

In the book “Perception of Risk”, Paul Slovic addresses two different factors which play into how a person perceives risk: dread risk and unknown risk.

Dread risk revolves around the factors which the person is aware of and has knowledge about. The variables within this factor include fear, controllability, the potential of the catastrophe and fatal consequences. Typically the fear within this factor is the lack of control.

Unknown risk is about new risks which the person has little to no knowledge and awareness of. Examples of this are new technology, invisible risks, non-material risks and non-observable risks. These are typically perceived as a bigger threat than the dread risks for the simple reason that people cannot fathom the risk or consequences of it.

Why is this important?

As risk managers it is important to us that we know which tools and theories are relevant to our field of work. The perception of risk is one of the most important publications and theories in regards to understanding the people you work around on a deeper level. Knowledge of this can help predict and control how an individual will react in a potential crisis situation, but it can also help guide you when assigning roles on a complex project.

For example, by having knowledge of the perception of risk you can be more aware that you shouldn’t assign a person an assignment if that person has had bad experiences with similar assignments previously. Furthermore, as a risk manager you can create safer and more comfortable working environments for the people around you.

Risk Management Decision

Risk strategy. Risk management decision-making 

This article describes how decision-making processes in risk management are not always perfect, how there is often bias and unfairness in deciding what is acceptable and which treatment options are best, and the three areas where such problems have been identified.

Introduction

Decision-making processes in risk management are not perfect, and in fact there are often biases and injustices in determining what is acceptable and deciding which treatment options are best. 

The following are three areas where such issues have been identified: 

  1. Individuals with money and interests can influence the process of determining whether risk can be accepted. Because the process of determining (including the costs of mitigation and regulatory practices) is influenced by politics and may be shaped by political ideology, it is possible for companies or interest groups to lobby and influence these decisions. This can be seen with dangers such as handguns and assault rifles, environmental degradation, soil and water pollution and construction in hazardous areas. Increased citizen participation in the process can reduce this type of injustice. By increasing the decision-making power of the general public, a more democratic outcome is possible (although not guaranteed).
  2. Putting a dollar number (in cost-benefit analysis) on a human life is unethical and incomprehensible. This is primarily a factor related to involuntary risks. For those whose lives are at risk, any dollar figure will seem low or inappropriate as a trade-off to accept the risk. Many people would feel that their life is too great a price to pay for the existence of involuntary risk. The cognitive processes that dictate these decisions about putting a value on a human life are often different for voluntary risks. As the example of car safety illustrates, people are willing to accept some increase in risk to their own lives in favor of more affordable products. How much more affordable differs from person to person. Nevertheless, as evidenced by lawsuits against tobacco companies from smokers who became ill, people may be reluctant to accept some voluntary risks despite prior knowledge of these risks. Due to the controversial nature of putting a value on life, it is rare that a risk assessment study would actually indicate a dollar figure for the amount that could be saved per accepted human loss of life. Subsequent studies have calculated the dollar numbers used per life during a crisis, but wondering how much a company or government is willing to spend to save or risk a life would be extremely distasteful to most people.
  3. Risk management is usually an undemocratic process because those who may be harmed are not always identified or asked if the danger is acceptable to them. It is not hard to remember a case where a vulnerable or disadvantaged group of people were exposed to a risk whose benefits were enjoyed by others. Many landfills for toxic waste are located in poor parts of cities, towns and states, although people in these communities did not have much to say in determining the location of such materials. In the context of this injustice, the reality is that the poor are usually less able to avoid such risks because the properties or jobs available to them are often associated with the same risks. It is often the poor who have to live in high-risk floodplain areas, or under high-voltage power lines or along highways. They carry a greater proportion of the population risk, whereas many others enjoy much lower risk levels from these particular dangers, even though they enjoy a disproportionate share of the benefits. Risk communication and public participation are thus important in counteracting these injustices.

Feel free to comment, or contact us for more information!

Source: Coppola, D. (2021): “Introduction to International Disaster Management”

Fault Tree Analysis (FTA)

Introduction

The fault tree analysis, also known as FTA, is a model used to understand how systems or processes fail. Furthermore, it helps with identifying the best way to reduce risk and to determine the probability of an event occurring. The FTA shares many of the same aspects as the BowTie Analysis (BTA). The model was originally made by H.A. Watson working at Bell Laboratories with the goal of evaluating ballistic missiles. Since then, the FTA has spread to a wide range of industries where identifying risks and calculating probability is relevant.

The Model

The model usually consists of 4 elements:

The main event: The event at the top of the model which shows what is being analyzed within the fault tree.

Intermediate events: Events that occur between the basic events and the main event.

Basic events: A failure or error which results in another event happening. These are shown as circles on the bottom of the model.

AND/OR gates: These are the link between the events in the fault tree. AND gates are symbolized with a flat bottom and mean that all of the underlying basic events have to happen in order to trigger the intermediate event above. OR gates are symbolized with a curved bottom and mean that just one of the underlying basic events has to happen to trigger the intermediate event above.

How can we use this in our projects?

A single fault tree is used to analyze and understand a single event, so we need to have conducted a risk analysis of the project before an FTA becomes relevant. Once we have the risk analysis, we use an FTA on each of the hazards we have identified. It basically comes down to the following five steps:

1: Define the undesired event to study

2: Obtain an understanding of the event

3: Construct the fault tree

4: Evaluate the fault tree

5: Control the identified hazards

By following these steps you can reduce the risk within your project and at the same time determine which risks you are already protected against and which risks you need to put more resources into.
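Steps 3 and 4 above (construct and evaluate the fault tree), as an added example that is not part of the original article: the tree below, its event names and its probabilities are constructed for illustration, and basic events are assumed to be statistically independent. It goes slightly beyond the text by also listing minimal cut sets, the smallest combinations of basic events that trigger the main event, which is what step 5 needs in order to decide where controls go.

```python
from dataclasses import dataclass
from itertools import product
from math import prod


@dataclass(frozen=True)
class Basic:
    name: str
    p: float  # assumed probability of the event in the period studied


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str        # "AND" or "OR"
    children: tuple  # Basic events and/or further Gates

    def __post_init__(self):
        if self.kind not in ("AND", "OR"):
            raise ValueError(f"unknown gate kind: {self.kind}")


def basic_events(node):
    """Return {name: probability} for every basic event below node."""
    if isinstance(node, Basic):
        return {node.name: node.p}
    found = {}
    for child in node.children:
        found.update(basic_events(child))
    return found


def occurs(node, state):
    """Does node occur, given which basic events occurred (name -> bool)?"""
    if isinstance(node, Basic):
        return state[node.name]
    results = [occurs(child, state) for child in node.children]
    return all(results) if node.kind == "AND" else any(results)


def top_probability(top):
    """Exact probability of the main event, by enumerating every combination
    of basic events. Stays correct when one basic event feeds several gates,
    where multiplying gate by gate would not. Cost is 2^n, so small trees only."""
    events = basic_events(top)
    names = sorted(events)
    total = 0.0
    for combo in product((False, True), repeat=len(names)):
        state = dict(zip(names, combo))
        if occurs(top, state):
            total += prod(events[n] if state[n] else 1 - events[n] for n in names)
    return total


def minimal_cut_sets(node):
    """Smallest sets of basic events that are enough to cause node."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(child) for child in node.children]
    if node.kind == "OR":    # any one child's cut set is enough
        combined = set().union(*child_sets)
    else:                    # AND: one cut set from every child, merged
        combined = {frozenset().union(*c) for c in product(*child_sets)}
    # Drop any set that strictly contains another one: it is not minimal.
    return {s for s in combined if not any(o < s for o in combined)}


def single_points_of_failure(top):
    """Basic events that trigger the main event on their own."""
    return sorted(next(iter(s)) for s in minimal_cut_sets(top) if len(s) == 1)


# Constructed tree: main event "order processing unavailable".
POWER_LOSS = Gate("server room loses power", "AND", (
    Basic("grid power outage", 0.05),
    Basic("generator fails to start", 0.10),
))
BACKUP_UNUSABLE = Gate("backup unusable", "OR", (
    Basic("backup job misconfigured", 0.05),
    Basic("backup reachable from production network", 0.20),
))
DATA_LOSS = Gate("data unrecoverable", "AND", (
    Basic("ransomware encrypts primary storage", 0.02),
    BACKUP_UNUSABLE,
))
TOP = Gate("order processing unavailable", "OR", (POWER_LOSS, DATA_LOSS))

if __name__ == "__main__":
    print(f"P(main event) = {top_probability(TOP):.6f}")
    for cut in sorted(minimal_cut_sets(TOP), key=sorted):
        print("cut set:", " + ".join(sorted(cut)))
    print("single points of failure:", single_points_of_failure(TOP))
```

Every cut set in this constructed tree has two events, so no single failure causes the main event; a cut set of size one would be the first hazard to control.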

Sendai Framework

This article describes the disasters page, how the Sendai Framework for Disaster Risk Reduction reduces disaster risks in people’s economic, physical, social, cultural and environmental assets, community economics and business.

Sendai Framework monitor

Introduction

A project manager encounters problems without notice. No matter what you plan, those problems will occur. Sendai Framework methods are therefore an important tool for reducing the risks that a project manager encounters in daily work. This raises the question of how more specific approaches in this regard can be made effective in the treatment of historical areas worldwide. For example, risk management is now considered important in the context of historic buildings, as they are strongly related to cultural identity as well as to resilient communities and can have a major impact on local economies. This indicates that cultural heritage can be the central focus area for capacity building in less vulnerable places, and that protecting it is one of the main tasks in reducing vulnerability. This includes the question of what actions could enable better protection of cultural heritage. Can it be done by involving local communities in reconstruction plans, as well as in capacity building and self-directed projects? How can we preserve that cultural heritage? Additionally, how have reconstruction plans been administered recently worldwide?

Moving forward

The purpose of the Sendai Framework, an “ambitious agreement”, is to reduce local vulnerability. This is the biggest and still unattended challenge, one that can make a difference in the immediate aftermath of a disaster, but also in advance by preventing damage. This challenge has grown critically due to increasing climate change, natural disasters and man-made disasters along with rapid urbanization. These factors are also associated with the transformation of peripheral areas around cities around the world, often with very poor build quality. Population of marginal rural areas, where historic centers of high cultural value are often located, is another of the consequences of disasters, leading to the general lack of local recovery policies. Today, situations of prolonged crisis and recurrence of conflict are becoming more frequent. As a result, the opportunities for rapid recovery of the cultural sector are significantly reduced, which in turn leads to further irreversible loss and vulnerability. There is today a growing recognition that the protection of cultural diversity and the promotion of cultural pluralism by protecting society’s tangible and intangible heritage and protecting human rights and fundamental freedoms is more than a cultural emergency. It is a security and humanitarian imperative in conflict and transition situations and an essential element in ensuring sustainable peace and development. It is also crucial for risk management due to lack of maintenance among other factors.

Have you considered black swans in your planning?

What are black swans? 

Every project will run into problems and unexpected risks. No matter how much you plan, these issues will arrive. They come in different sizes, from minor to devastating. Often the minor problems can be solved by carefully laid out contingency plans and great planning. However, greater risks and problems can become of such magnitude that any basic planning won’t be sufficient, and more drastic measures must be taken. These can be categorized as black swans. The term black swan originally came from an ancient saying that black swans didn’t exist; this was later reinterpreted when the first Europeans encountered them.

The theory, in regards to disasters and management, was developed by Nassim Nicholas Taleb, a Lebanese American risk analyst and mathematician. The point of the theory was to explain the hard-to-predict and rare events that are beyond what normal history, science and technology can expect. Examples of such are the financial crisis of 2008 and the dotcom bubble of 2001. Some would argue that the COVID-19 pandemic also is a black swan; however, Taleb thinks otherwise because according to statistical analysis it was predicted that such a pandemic would happen eventually, therefore it can’t fall under the category of a black swan.

How knowledge of black swans can help us in our own projects: 

So how can we use knowledge of this and bring it into our own project management? Well, the entire point of black swans is that they are unpredictable, therefore we should not try to predict them. Instead, we build up resilience within our organization or project. Resilience refers to the ability to recover quickly after something bad has happened. Resilience is built up by investing more money into the risk-safety budget and having more staff ready to help and act when a black swan hits. Often these investments will be hard to fit into the budget and many will deem them unnecessary costs. However, the consequences of these disasters will result in a monetary loss that is far greater than what you would have invested into the risk-safety budget.

Key takeaways from the post: 

  1. A black swan is an extremely rare event with severe consequences that cannot be predicted.
  2. Resilience is the best way to mitigate the consequences of the disaster.
  3. Resilience can be built by careful resource management and rehearsing.