First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

A risk case study

risk

I returned this week from a vacation in Mexico, including a day at the Copper Canyon.

Our tour guide took about 20 of us down the mountain side to see some Tarahumara Indian homes. I decided that I wanted to come back ahead of the group, finding my way back up the path and steps to our hotel at the top.

Let’s walk this through.

My objectives were:

  • Get back to the hotel ahead of the group. Many of the members were slow and I would find it frustrating keeping to their pace instead of mine.
  • Do so safely. While the path was not bad, it also was uneven and unpaved with a lot of rocks and steps to climb. The likelihood of a severe injury was very low indeed and I could accept a slight stumble. But if I moved too quickly, I could fall and bruise myself or worse.

What might happen along the way? In other words, what would a risk manager put on a list or heat map?

  • I might fall. The range of pain and injury went from slight (perhaps 5%) to severe (less than 1%).
  • I might get lost. There were multiple paths and I could easily take the wrong one. If I did that, I was confident (>90%) I could either find my way back and take the right path, continue on the (well-worn) path that would eventually take me back to the hotel, even if the arrival would be delayed, or ask one of the other people that I could see on the paths.

But there was also an opportunity: the chance to enjoy the walk back more than if I were in the middle of a muddling-along group.

I assessed the overall picture and decided that the opportunity outweighed the possibilities for harm.

I started walking, enjoying the faster pace and the fresh air.

But soon I caught up with another member of the party who, unbeknown to me, had also decided to head back early. He was older, with a walking stick, and I was faced with my first decision.

Do I try to pass or do I slow down and follow?

If I tried to pass, the possibility of injury would go up quite a lot. I didn’t try to calculate it, just decided quickly that it was not a ‘risk’ I wanted to take. At the same time, the possibility of getting to the hotel before the crowd was receding. I had to accept that, while looking for an opportunity to pass safely.

The opportunity came a few minutes later when the gentleman stopped to take a rest. I stepped past him with care, but was then presented with a dilemma.

There’s a saying that when you come to a fork in the road, you should take it. That’s what I saw: a fork.

To my right, the path went steeply up the hill. It looked a bit rough, while the path on the left continued straight and level and was clearly well used. There was no sign indicating which way led to the hotel, and the older guy remarked that he had no idea which was the right path to take.

I flipped a mental coin and decided to go left. I was swayed by the fact that the path up the hill presented a greater possibility of falling. It seemed steeper and more uneven than my memory of how we came down. I doubted that was the right way.

The path continued straight and level for a while. Soon, I was wondering whether it was the right path because I couldn’t see where it would start going up the mountainside.

An Indian lady approached. My Spanish is not very good, but I pointed ahead and asked whether it went to the hotel. She said it did. Si!

But after a few more minutes I was starting to believe it was the wrong way. I didn’t think I was lost, because all I had to do was retrace my steps back to the fork.

The foliage cleared and I was able to look up the mountain and see the hotel – which was behind and above me. Now I knew I had gone wrong.

I had to make another decision. Do I continue to where this path might find its way up the mountain (I hoped), or should I turn around? I considered the likelihoods of harm and opportunity and decided that, on balance, it was better to go back.

A few minutes later, I saw a second path leading up. Decision time! This was definitely not the way we came down, but it looked like it should work. Do I take the new option or continue to retrace my steps back to the fork? I weighed the possibilities of getting lost or delayed and the opportunity to get back faster than going all the way back. In addition, the path looked less steep that the way we had come down, so it should be somewhat safer (if my guess was right, since I couldn’t see all the way up the path to the top).

I decided to take the path up. Soon, I saw a path joining mine – with the rest of the group climbing it.

I got to the top, where my wife was waiting for me and asking where I had gone.

What can we learn from this?

  1. The levels of ‘risk and opportunity’, or the effects of uncertainty on my objectives, changed often and without warning. Relying on a list of risks at the start of the journey back would not have been useful.
  2. My ‘risk management’ was iterative and continuous. A periodic assessment, even every few 10 minutes, would not have been of great value.
  3. To make my (hopefully informed and intelligent) decisions, I needed to consider all the things that might happen and see which way the scales were tipped.
  4. Trying to assess likelihood and impact with any level or precision was unnecessary. Common sense was sufficient. Many practitioners may have a problem with that, but in real life it’s very often quite clear when the possibility of severe harm is unacceptable.
  5. We do this all the time. ‘Risk management’ is neither new nor a separate process from running our business, making as intelligent and informed decisions as reasonably possible.

I welcome your comments.

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

, , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.