Have you ever heard of the butterfly effect? Sometimes referred to as the ripple effect, it refers to the idea that a small change can have drastic consequences. Its name comes from the notion that the flapping of a butterfly’s wings could trigger a tsunami on the other side of the planet.
I believe that this idea perfectly applies to the risk management discipline. Indeed, risk rarely— if ever— manifests by itself; rather, a succession of failures leads to the incident.
A fire can start only if there is combustible material and an unprotected source of ignition, right? That means that there are two ways to avoid the risk: remove the combustible or extinguish the flame. Clearly, one is a preventative measure and the other corrective.
But how exactly would you know what to do if you can’t describe the complete chain of events that led to the risk?
Many companies still have a reactive approach to risk management, and they focus on the potential impacts of the risks—the exposure. From there, they decide what measures to take—one of which is likely to be the transfer of risk to a third party such as an insurance company.
But what if you could target the specifical source of the issue?
This would have two advantages:
- Better protection of both tangible and intangible assets of the organization
- All in all, cheaper risk mitigation. An insurance policy will, of course, help you replace damaged assets and infrastructure, but who will help you regain the business lost during the interruption or rebuild your customer’s trust?
Let’s look at the three steps that could help you counter the butterfly effect in your organization:
1. Document the complete risk chain
This step requires that you de-silo your risk management practice. When you document a new risk or review an existing one, select the other events whose likelihood could be increased by your risk manifestation. Are you reviewing the risk of a successful malicious attack on your system? Then ensure that you link it to the risk of loss of customer private information, as this is what it could lead to.
And inversely, you should also describe the risks that could increase the chances of yours occurring. In the previous example of a successful malicious attack on your system, this would likely be increased by the risk of obsolete cybersecurity.
2. An ounce of prevention is worth a pound of cure
Now that you know what events can trigger your risk, don’t focus only on recovery measures. Yes, they will be required, especially for risks that are above your tolerance, but try to design controls that would prevent the underlying risks from occurring. This is not only cost effective; it also means that you are no longer addressing risks on an event-by-event basis, but are instead designing a global mitigation strategy and therefore rationalizing your actions by making them more tailored to your situation.
3. Be like a meerkat guard
Don’t be taken off guard! Having documented the underlying risks and reducing the probability of occurrence with preventative controls could be sufficient indeed, but what happens if something changes in between control reviews?
Key risk indicators are a great way to keep an eye on these underlying risks and their drivers. And if these indicators are automatically updated, it means that they can be regularly compared against thresholds and that you will be notified only if a negative trend is building.
What about you—do you apply a butterfly effect analysis to your risks?
I look forward to reading your thoughts and comments on this blog or on Twitter: @TFrenehard.