When previously exploring how assumption is the mother of all f*ck ups, a few readers mentioned and asked about risk. What are the different types of risk? How do we avoid risk? If not avoid it, how do we minimize it?
Risk is a part of our everyday lives. Whether in investing, working, running outside, or just going about our day, there is risk to be found. But depending on the activity, there are potential ways to minimize those risks.
This got me thinking about my prior role of owning the execution and coordination of my former department’s Risk Control Self-Assessment (RCSA). In this post, we’ll briefly explore the core aspects of an RCSA, as well as look to perform one in future posts.
Background and Definitions for Context
The following terms might sound fancy; they initially did to me. But they’re not if you think of them in terms of your day-to-day life. I’ve included some definitions as well as using the example of walking across the street.
(1) Inherent Risk
Wikipedia defines inherent risk as “an assessed level of raw or untreated risk; that is, the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, or the amount of risk before the application of the risk reduction effects of controls.”
In other words, there are risks involved in any activity or process that we do. By simply participating in an activity, there are risks. Putting aside what one can do to avoid and/or minimize those risks for a moment, let’s use an example of me walking across the street as the activity.
When crossing the street, I could get hit by traffic, trip on my own feet, step in a puddle and get my shoes wet, slip and fall on ice, etc. These are just some of the risks that inherently come with participating in the activity of walking across the street.
But what can we do to avoid and/or minimize these inherent risks?
(2) Controls
A control is meant to avoid or minimize the chance of a risk occurring, as well as identify or lessen the impact of a risk that has occurred. There are two primary types of controls:
- Preventative Controls – those that attempt to eliminate or reduce the likelihood of an issue before it occurs; and,
- Detective Controls – those that identify an issue that has already occurred and/or aim to lessen the impact of the issue after it has occurred.
Using the same example of walking across the street, a preventative control could be a crosswalk signal telling me NOT to walk until traffic has stopped. In this instance, a preventative control is very important: I want to avoid getting hit by a car.
There might be some detective controls, but I don’t know how meaningful they’d be vs. the preventative control in this specific example. There might be a traffic camera to alert authorities of an accident. I could use my cell phone to call for help after getting hit. But one control might be more meaningful than another (especially if I’m the one who got hit by a car).
Clearly, another part of the control assessment is measuring the strength and effectiveness of a control. We’ll perhaps cover this in further detail at another time.
(3) Residual Risk
After the application of controls to a process or activity, we might have eliminated most, if not all, of the inherent risk associated with the process or activity. But there is usually some type of risk left over. This is residual risk.
With me crossing the street, the walk signal, the crosswalk, and other possible controls (perhaps the speed limit is only 15 MPH) all aim to reduce the likelihood and actual impact of me getting hit by a car. It could still happen, but – depending on the original severity of the inherent risks and the strength or effectiveness of the controls – those risks have likely been reduced somewhat.
(4) Action Plan
This step is sometimes considered the actual “Self-Assessment” part of the RCSA. Different organizations might have different terms, but I view it as an action plan. You’re going to make a decision on whether or not to accept the levels of residual risk. How comfortable are you?
The outcome or action plan might involve not crossing any street at all (one extreme). Or perhaps removing my headphones and not being dumb with my smartphone when crossing will help. It depends on the severity of the residual risk remaining, as well as my appetite for the risk.
Quick Recap
To summarize, and for visual-minded individuals (like me), this is the simple overview of the RCSA framework.
Creating and Executing a Personal RCSA
With a basic foundation and background on the RCSA now provided, let’s outline some potential steps for us to consider doing our own RCSA. Future posts in this series will actually take a few different functions from different aspects of our lives as examples.
For now, here are considerations on what function to identify and how to go about reviewing them.
(1) Pick Your Primary Function For Review
A function can be anything from investing, exercising, your job, a hobby, or any number of areas of our lives. They don’t need to be listed in any particular order – just get them documented somewhere.
It doesn’t matter which one you choose (you could repeat the process for any number of functions), but I’d focus on:
- Time Spent – how much time do you spend on this function? And at what frequency?
- Effort / Input – aside from time, what is the complexity of this function? Is it minimal, or does it require a maximum of your concentration?
- Reward / Satisfaction – how do you feel about what you currently get out of this function?
Give it some thought. Performing an assessment on a function that isn’t meaningful to you might not be worth the time and investment. Although, the process could reveal something to you that you didn’t realize beforehand.
(2) List the Activities or Processes of the Function
After determining your functional area for the assessment, ask yourself: what do you actually do as part of the function? These are the steps or actual tasks involved with the function you’ve selected.
For example, at a high-level, if you’ve selected working out, this could be (1) getting ready & going to the gym, (2) exercising at the gym, and (3) coming home and stretching after the gym.
You can get as detailed or granular as you’d like; I’d try to find an optimal balance between your input and output for performing the assessment.
(3) Initiate the Primary Stages of the RCSA
Related to the first part of this post, this would involve applying the following to each activity or process of the function we’ve selected to review:
- Identifying and defining the inherent risks associated with the activity or process.
- Listing out and assessing the controls performed for the activity or process.
- Evaluating and measuring the residual risks remaining for the activity or process.
- Accepting or rejecting the risks and creating an action plan to improve the activity or process.
Overall, executing an RCSA can take an enormous amount of time and resources. Only consider reviewing something worth your valuable time.
Wrapping It Up
Some organizations or companies are required to conduct an RCSA or similar exercise on an annual basis. Depending on the industry, regulations require it. Others might consider it a best practice, so they might not participate. But many organizations do consider evaluating operational risks an important risk management framework and key part of their business across the functions they perform.
On a personal level, it’s kind of the same thing – you may or may not be required to do it. You might consider it a check-the-box exercise or you might view it as the end-all-be-all to self-improvement. Like most things, it’s probably somewhere in the middle for the majority and at one of two extremes for some others.
Looking Back and – More Importantly – Ahead
I’ve found the RCSA to be an interesting framework in my past roles. There are also different names and frameworks that look to do something similar. Regardless of the model or framework, it’s also interesting to see how different organizations, industries, and individuals view the exercise.
We’ll explore a few examples in future posts. With any model or exercise, it’s about finding the right balance – and it’s never-ending.
Readers, have you come across or utilized the RCSA or a similar framework before? In what areas have you found it helpful? What are your thoughts toward considering such an exercise in different aspects of your life?
Interesting analogy Mike. Way early in my career I was an internal auditor and I am a Certified Internal Auditor. You are basically speaking that profession’s language here. Are you an auditor or risk management professional? The concepts definitely apply to personal life. In fact many business concepts do. Tom
Thanks Tom. You have an interesting background as well. I’ve held roles within the operational risk management space. My current role is somewhat of a hybrid of operational, client service, and project management. And agreed – we can find many concepts that cross between different areas of our lives. – Mike
I think many business concepts apply to general life in one way or another. I’m a risk manager myself and some of the things you talk about definitely play into my career. I try to take some of that and translate it to my life in any possible way as well.
Hi Time – thanks for your comment. Agreed – many areas do overlap in some way. What type of area / industry do you typically see? – Mike