The following contribution was penned by John Schembri, CEO and co-founder of SHIELD Security Consultants Ltd
A question which underpins both risk assessment and risk management is “What causes risk, and how?” Its understanding is fundamental in accurately forecasting risk and selecting, adopting, and implementing relevant and effective mitigation and control strategies.
What is the actual nature of the causes of risk? Is it inevitable that a risk should occur once identified? Should risk practitioners rely solely on expert opinion in estimating probabilities? To understand the implications behind such questions, valid as they are, we need to examine more closely the nature of what causes risk.
Understanding Causes of Risk
Given the binary nature of risk, whereby a risk either happens or it does not, the material causes of risk come into sharper focus within the risk assessment process. Without a cause there can be no effect, hence no risk can exist without a (causal) event. This principle is fundamental to effective risk assessment, mitigation, and control. ISO 31010:2010 on risk management and risk assessment techniques clearly states that: “Risk identification is the process of finding, recognizing and recording risks.”
Readers are encouraged to examine this part of the standard very carefully, insofar as it goes on to state the following: “The purpose of risk identification is to identify what might happen or what situations might exist that might affect the achievement of the objectives of the system or organisation. Once a risk is identified, the organisation should identify any existing controls such as design features, people, processes, and systems.”
The above definition offers an opportunity for further analysis, summarised in a very concise form below.
Process
First, process the situation, which is a primary requirement of sound and effective risk management. Evaluate it and view it from different angles and perspectives. This leads to:
Finding
Which implies that the causes of risk exist as an objective reality and require identification. It is clear that looking for the most likely causes of risk is an important step in:
Recognising
The potential causes of risk and their respective criteria are subjected to tests of plausibility to weed out the ones which are least likely or do not fit the context, until you can:
Record
By carefully articulating the risk (event) and the criteria (likelihood and impact) in as accurate and comprehensive a manner as possible.
Analysing the likelihood (probabilistic) element of a risk occurring enables practitioners to reason about timeframes, while evaluating the impact (consequential) component enables stakeholders to recognise consequences, with their concomitant costs. Both aspects are constructs of the risk assessment process, albeit reasonably formulated by expert practitioners interacting with well-informed stakeholders. Clearly risk causation, by its very nature, is essentially dual. However, an actual risk could not possibly manifest without both elements converging in time and space.
This naturally leads to the conclusion that (a) risk can only manifest as an event, indeed a specific event. As self-evident as it is, this reality is frequently overlooked by both professional risk practitioners and interested parties, both of whom frequently resort to fantastical risks drawn solely from imagination, or “a gut feeling”, paying scant heed to the plausibility of the causal event or the concomitant risk factors. From a technical perspective, there is definite value in propounding the idea that the material causes of risk are essentially only two agents: (i) Nature, and/or (ii) Humans. This idea is amply supported by several risk assessment techniques described under ISO 31010:2010, although it is particularly evident within the Structured “What-if” Technique [SWIFT] process.
Process is intrinsic to risk management, and the accurate, technically sound use of words is indispensable in articulating the case throughout the lifecycle. An understanding of what causes risk and how it happens resides at the very core of risk assessment, insofar as it imparts agency upon the material risk. When both practitioners and stakeholders understand risk causation, realistic scenarios can be identified and reasonably accurate forecasts of the likelihood and impact criteria articulated, in turn enabling the effective design, construction, and implementation of cogent mitigation strategies and controls.
Risk is frequently complex, particularly when the probability of occurrence is low or very difficult to determine and the consequences are unavoidably high, severe, or catastrophic. In such instances, risk management assumes critical importance. Professional practitioners and risk owners (the stakeholders) need to agree upon what causes risk, how, and what can be done about it in realistic, practical terms. The value proposition of categorising sources of risk under “Natural” or “Human” causes simplifies the process, directing risk assessment onto a cause-to-effect pathway. It shall be interesting to observe whether this simple idea catches on, or whether risk practitioners would prefer Byzantine taxonomies. Time, and risk events, shall tell us.
John Schembri, CEO and co-founder of SHIELD Security Consultants Ltd, is an ex-Serviceman with eighteen years’ experience in operations and command. He specialises in conducting in-depth security risk assessments and designing security risk management systems. Since 2001 John has held a Master of Science degree in security risk management from the world-renowned Scarman Centre, University of Leicester, UK, and a PG Cert. in OHS. In addition to this, John is a Specialist Member of the Institute of Risk Management, UK [SIRM] and is also a certified member of the Business Continuity Institute, UK [CBCI]. He also has extensive experience in the risk management of critical infrastructure, specialising in resilience, the digitalisation of risk management and constructing emergency preparedness and response frameworks for challenging environments.