- It is continuous
- It is objective
- It is managed
Process Risk is Continuous. Risk isn’t really thought of in a binary fashion despite the outcome being binary (i.e. the risk was realized or not realized). Rather, Process Risk is on a spectrum because the probability of an event is on a continuum. The chance of an event occurring exists between 0.0 and 1.0. (For example, a coin flip resulting in “heads” has a probability of 0.5, or 50%. Until recently the probability of the Philadelphia Eagles ever winning a Super Bowl was widely considered to be 0.0 or 0%. Most of us supported this doctrine, until they went up against the Patriots.)
Not only does outcome live on this continuum, but the detectability of this outcome also exists between 0.0 and 1.0. Detectability is the probability of the process owner even realizing the outcome happened. Best example of this? You are not enjoying your meal at a restaurant, yet you LIE like a dog to the server who dutifully asks “how is your Beef Stroganoff?” You know you do. Admit it. And I don’t even know you.
Note that the severity of the outcome is also continuous. As proof I’ll leave it to your imagination just how bad that Beef Stroganoff was (“was that beef?”). We incorporate these three continua into a wonderful tool called a Failure Mode and Effects Analysis, but that, dear readers, is another story.
Process Risk is Objective. Fear is not. Risk is analysis of fear. Analysis requires objectivity. Bring your fears into the light and they become assessed risks. When working on replacing the process that governed the home page at a Large Bank You’ve Heard Of (LBYHO) from an IT-run, hand-coded approach to a business-run, content-managed approach, we discovered the fear that making this page easier to change would make it possible for a bad actor to vandalize the page. (Let your imagination run wild here. I’ll wait.) Given that at the time LBYHO’s page was getting about half a billion page views per month, one could understand the concern and exposure. But this was simply a fear. Once we analyzed it in the terms above and considered the in-place controls, we logged it as a process risk, and it ended up ranking very low, somewhere between Antarctic forest fire and losing a gerbil farm to a molasses plant explosion.
Process Risks are managed. Just as in life, in our process we should not expect to eliminate risk but to minimize it. Meteors Happen. Elimination may become far too costly for the benefit, and this is where risk appetite comes in. I suspect that to bankers this attitude is easier to accept, in that banks don’t make money unless they lend, thus taking on risk. Banks take on risk every time they even open an account for a business or individual customer, given account takeover and anti-terror concerns, thus accepting reputational and regulatory risk. Insurance companies actually make money explicitly managing risk, hopefully taking in enough premium money to cover losses, with a little profit for the shareholders and some Herman Miller chairs. In the military and aviation realms, risk management culture spans from top to bottom, and everyone learns how to assess it with tools such as acronyms and laminated risk management cards.
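As an added illustration (not from the original article), here is a small Python model of the three continua above as a process-risk register: each risk carries a probability, a severity and a detectability in [0.0, 1.0], in-place controls are credited to produce a residual (minimized, never eliminated) risk, and the register is ranked. The LBYHO vandalism fear is scored before and after controls; every rating, risk name and control name is constructed for the example and is not the bank's.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class ProcessRisk:
    name: str
    probability: float    # chance the failure occurs, 0.0 .. 1.0
    severity: float       # how bad the outcome is, 0.0 .. 1.0
    detectability: float  # chance the process owner realizes it happened, 0.0 .. 1.0

    def __post_init__(self):
        for v in (self.probability, self.severity, self.detectability):
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{self.name}: every dimension must lie in [0.0, 1.0]")

    def score(self) -> float:
        # Expected undetected harm: how likely, how bad, and how likely it slips past us.
        return self.probability * self.severity * (1.0 - self.detectability)

@dataclass(frozen=True)
class Control:
    name: str
    probability_factor: float = 1.0   # multiplies probability (0.05 = 95% less likely)
    detectability_floor: float = 0.0  # raises detectability to at least this value

def apply_controls(risk: ProcessRisk, controls) -> ProcessRisk:
    """Residual risk once in-place controls are credited (minimized, never eliminated)."""
    p, d = risk.probability, risk.detectability
    for c in controls:
        p *= c.probability_factor
        d = max(d, c.detectability_floor)
    return replace(risk, probability=p, detectability=d)

def rank(risks) -> list:
    """Highest residual score first; the tail is where the Antarctic forest fires live."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)

# Constructed sample values for the LBYHO home-page story; illustrative, not the bank's.
VANDALISM_FEAR = ProcessRisk("home page vandalized", probability=0.3, severity=1.0, detectability=0.5)
HOME_PAGE_CONTROLS = [
    Control("four-eyes approval before publish", probability_factor=0.05),
    Control("automated page-change monitoring", detectability_floor=0.95),
]
STALE_RATE_TABLE = ProcessRisk("stale rate table published", probability=0.2, severity=0.4, detectability=0.3)

def rank_lbyho_example() -> list:
    """Rank the constructed register with the vandalism fear scored as a managed risk."""
    return rank([apply_controls(VANDALISM_FEAR, HOME_PAGE_CONTROLS), STALE_RATE_TABLE])
```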
Managing a process inherently means managing Process Risk. Hopefully this short article has spurred some new thinking about how you approach that risk. Once you’re comfortable with these basic principles, I’d recommend learning more about the Failure Mode and Effects Analysis. This is psychotherapy for your process: it’s time-consuming and you often don’t see the point while you’re doing it. Although your parents don’t come up quite as often in the conversation, you often wish you were lying down. But in the end, you’re so much better for it. Gather the team for a couple of multi-hour sessions, cater in some Beef Stroganoff, and get to work.