Making a safer bet
Helen Woolston explains why it is important that environmentalists understand risk management
Organisations that effectively manage risk can demonstrate they are protecting their strategic objectives from a range of potential threats, including the changing climate. With many organisations now completing adaptation risk assessments, environmentalists increasingly have to demonstrate that they understand the art of risk management.
Demystifying risk
A number of terms are commonly used in the world of risk management. A risk is anything uncertain that may affect an organisation’s current and future performance. This can mean something that prevents objectives being met, or that opens up new business opportunities. Meanwhile, anything that is 100% certain can be viewed as an issue rather than a risk.
In certain environmental risk assessments, such as one focused on contaminated land, a risk is only deemed to be present when there is a source and receptor of risk, and an identifiable pathway between them.
A full description of a risk must include its cause and effect. Probability is how likely it is a risk may happen. Impact or harm is the effect if it should happen: the undesirable consequence or damage that results from the hazard, whether that is a substance or activity.
Risk management is a formal and continual process of anticipating and managing uncertainty, while ensuring that threats are minimised and opportunities are maximised. A full risk management process is one where risks are identified, assessed, recorded, mitigated and communicated.
Risk assessment is carried out when there is concern about a hazard. It involves identifying and prioritising risks based on evidence or data with a view to determining how they are best managed.
Prioritisation includes methods such as assigning levels of likelihood that the risk will happen and the consequences if it does. Organisations will then use the information and apply a set of rules or thresholds, or an approach to the level of tolerance or risk appetite, that determines what they will do to manage such risks.
Risk management is useful to environment professionals in the following ways:
- for planning, preparation and prioritisation;
- as a management tool for organising and analysing environmental information;
- for identifying significant environmental aspects;
- to assess likely impacts – for example, the possible consequences from climate change;
- for managing environmental incidents and helping to deliver legal compliance – for example, environmental permitting; and
- assisting with making the business case for resources to reduce risks with a potentially high impact on the organisation.
Environmental risk assessment is used commonly in pollution control, because bodies such as the Environment Agency are taking a risk-based approach to regulating industry. They carry out risk assessments to help prioritise the sectors and sites they are going to target their resources at, and when.
According to Simon Pollard, professor of environmental risk management at Cranfield University and contributor to the IEMA handbook, “the management of risk, from or to the environment, has developed into a systematic process for making better and more accountable environmental decisions.”
The systems
Some environmentalists get very fixated with the mathematics and methodology of risk assessment and quantification. However, risk assessment is just one stage to a wider risk management process, albeit an important one. Risk management is most effective when it is an integrated programme that covers everything from risk identification, assessment of priority and record keeping, to mapping out and communicating mitigation plans and responsibilities.
The key element is to remember what the risk management system is aiming to achieve. It should be designed with the objective of delivering options for reducing the priority risks. Good-practice organisations will have a strategy for managing risk that determines their overall approach and plans. One example of such a strategy is as follows:
- Terminate the risk or stop it occurring – through re-engineering a project, for example.
- Transfer the risk – for example, through insurance – to change the financial impact.
- Mitigate the risk to an acceptable level and manage the residual risks.
- “Actively” tolerate – via a plan to manage the risk.
Risk management is best when embedded as a main organisational process. It is useful to have a structured approach to risk management, covering, for example, the top-level strategic risks, business-level risks and detailed operational risks. An organisation with a mature risk management process should ensure that this considers environmental as well as financial, operational and strategic risks.
Assessing environmental risks should not be done in isolation or as a bolt-on. Some organisations find it is effective to have a “top down” tier of risks agreed by, and assigned to, senior management. Others adopt a “bottom up” approach, identifying risks by the operational or delivery areas. It is acceptable to have a system that includes both elements.
The risk management system should identify a structured set of roles and responsibilities for owning and reducing the priority risks. It is good practice for there to be senior risk owners at the same time as making it clear that risk management is the responsibility of all staff, and the organisation should support this with communication, training and competency building.
A good total risk management programme should also include a “feedback loop” – a system for tracking whether actions to lower priority risks are being carried out, and reporting the process and results to key stakeholders. A number of organisations do this with a regular and formal presentation to their board.
The assessment process
For the actual risk assessment, risks are best identified and assessed when a cross-functional team of professional specialists is brought together. Processes that are useful include a combination of brainstorming, checklists, document reviews, analysis of historical data and interviews. It is important to start with good problem definition upfront.
There are many risk scoring schemes, each with their own benefits. A common one is the five-by-five matrix, which uses numerical scores assigned to levels of hazard and probability. It is worth remembering that there is no single correct method and the scoring scheme used should reflect the complexity of an organisation’s activities.
A largely office-based enterprise, for example, would have a simpler scheme than one that has a lot of operations and supply chain activity. What is important is organisational consistency, a detailed explanation of how the scoring works, and the responsibilities and resources assigned to reducing high-scoring risks.
Risk assessment should also consider positive benefits and opportunities, and not solely focus on negative issues. Focusing on the potential for lack of legal compliance, for example, will miss opportunities to minimise waste or other potential benefits, unless they actively include financial benefits as well. Many good-practice risk-assessment methodologies consider issues such as media or political interest.
There are still some challenges, such as what is to be done with risks that have very high consequence but very low likelihood. For example, a one-in-1,000-years flood. The low level of likelihood could potentially leave an organisation unprepared, as it has instead focused on risks with a higher priority or probability.
Examples of risk assessment
UK climate projections 2009 (UKCP2009) This series of tools and reports presents scientists’ best understanding of how the climate operates, how it might change in the future, and allows a measure of the uncertainty of future climate projections to be included.
UKCP2009 also includes probabilistic climate-change projections from modelling done by the Met Office’s Hadley Centre. Users who want to incorporate these into their own risk assessments can generate a range of outputs. Organisations can choose the degree of certainty they require from the projections according to their own risk appetite.
UK national climate change risk assessment (CCRA) At the start of 2012, the government published its first national risk assessment examining climate change. It analyses the key risks and opportunities that changes to the climate bring to the UK and provides a baseline that sets out how climate risks may manifest themselves in the absence of current and planned actions.
The CCRA has reviewed the evidence for more than 700 potential impacts of climate change. Analysis was undertaken for more than 100 of these impacts across 11 key sectors, on the basis of their likelihood, the scale of their potential consequences and the urgency with which action may be needed to address them. It forms the basis of the UK’s first national plan on adaptation and the cycle is due to be repeated every five years.