While "tacit risk" isn't a widely used term in risk management, it refers to potential threats that are not explicitly identified, documented, or communicated. Several categories of tacit risks can arise from unarticulated knowledge and experience:
1. Intuition and Expertise:
- Unforeseen consequences: Experienced individuals might rely on intuition or heuristics, which, while valuable, can lead to blind spots or overlooked risks.
- Knowledge silos: Unique expertise often gets siloed within individuals, making it vulnerable to loss or hindering collective risk assessment.
- Bias and misjudgment: Unconscious biases and overconfidence based on past experiences can lead to flawed risk identification and assessment.
2. Organizational Culture and Communication:
- Risk-averse cultures: Fear of failure or punishment can suppress the communication and identification of potential risks.
- Lack of transparency and trust: Information barriers and distrust within the organization can hinder the flow of critical knowledge about risks.
- Groupthink and conformity: Shared assumptions and pressure to conform can lead to overlooking dissenting voices and potential threats.
3. External Factors and Uncertainty:
- Emerging trends and threats: Rapidly changing technologies, market dynamics, or regulatory landscapes can create unforeseeable and poorly understood risks.
- Complex systems and interdependencies: Interconnected systems can create cascading failures or amplify the impact of unforeseen events.
- Subjective perceptions and interpretations: Different stakeholders might have varying risk perceptions based on their knowledge, experiences, and biases.
Examples of specific tacit risks:
- A public project experiencing cost overruns due to undocumented technical challenges known only to key, uncommunicative personnel.
- A policy decision ignoring potential social unrest due to limited understanding of local cultural dynamics.
- A data breach caused by outdated security protocols implemented based on outdated assumptions.
Managing tacit risks requires proactive strategies like:
- Fostering a culture of open communication and risk awareness.
- Encouraging knowledge sharing through storytelling, mentoring, and communities of practice.
- Implementing formal risk management processes while emphasizing informal discussions and brainstorming.
- Challenging assumptions and biases regularly.
- Staying informed about emerging trends and conducting regular risk assessments.
- Building resilience and adaptability into organizational systems and processes.
Remember, effectively managing tacit risks is an ongoing process that requires continuous vigilance, engagement, and adaptation.
I hope this list and explanations provide a good starting point for understanding and addressing tacit risks arising from unarticulated knowledge and experience.
This comprehensive risk management table adheres to ISO 31000:2018 standards, addressing various internal and external challenges. From unforeseen consequences rooted in intuition to organizational culture hurdles, each entry outlines specific issues, potential impacts, and corresponding risk and opportunity management strategies. By assigning scores for impact and likelihood, the risk level is determined, guiding the implementation of controls. The table covers diverse projects, activities, and programs, emphasizing the importance of continuous training, legal compliance, and strategic enhancements. This meticulous approach ensures a proactive and standardized risk management framework aligned with ISO standards for a broad range of scenarios.
Sequence | Applicable ISO Standard | Statement of Relevant Issues/Needs & Expectations (Uncertainties) | Specific Issues & Concern | Type of Issue | Interested Parties (List Specific Clients/Customers Involved) | Effect/Impact on Objective & Goal | Risk (Negative Effect + Uncertainties = Risk) | Opportunity (Positive Effect + Uncertainties = Opportunity) | RO Owner (Primary Person Responsible for Assessing and Managing the Ongoing Risk) | Compliance Obligation (Applicable Law in the Philippines) | Control Implemented (Measure) | Risk Impact (Score Rating 1, 2, 3) | Likelihood (Score Rating 1, 2, 3) | Risk Score (Risk Impact x Likelihood) | Risk Level (1-2=Low, 3=Medium, 6 & 9=High) | Project, Activity, Programs (PAPs to Address Risk/Opportunity) |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | ISO 31000:2018 | Unforeseen consequences: Experienced individuals might rely on intuition or heuristics, which, while valuable, can lead to blind spots or overlooked risks. | Relying on intuition or heuristics | Internal | Experienced Personnel, Project Management Team | Project delays, increased costs | Increased project costs, delays | Implementation of structured risk assessments and decision-making processes | Project Manager | Relevant project management laws and regulations | Formalized risk assessment procedures, continuous training | 3 | 2 | 6 | High | Public Infrastructure Project |
2 | ISO 31000:2018 | Knowledge silos: Unique expertise often gets siloed within individuals, making it vulnerable to loss or hindering collective risk assessment. | Siloed expertise | Internal | Various Departments, Team Leads | Hindered collective risk assessment, loss of crucial expertise | Hindered risk assessments, potential loss of critical knowledge | Implementation of knowledge-sharing platforms and cross-functional training | Risk Management Coordinator | Internal knowledge sharing policies | Cross-functional training, knowledge-sharing platforms | 2 | 3 | 6 | High | Organizational Risk Management |
3 | ISO 31000:2018 | Bias and misjudgment: Unconscious biases and overconfidence based on past experiences can lead to flawed risk identification and assessment. | Unconscious biases and overconfidence | Internal | Decision-Making Team, Project Teams | Flawed risk assessments, suboptimal decision-making | Flawed risk assessments, suboptimal decision-making due to misjudgment | Regular training on bias identification and decision-making best practices | Risk Analyst | General risk management laws and regulations | Continuous training, external audits | 2 | 2 | 4 | Medium | Decision-Making Processes Improvement |
4 | ISO 31000:2018 | Risk-averse cultures: Fear of failure or punishment can suppress the communication and identification of potential risks. | Risk-averse culture | Internal | Entire Organization | Suppressed communication, overlooked risks | Overlooked risks due to a risk-averse culture | Promoting a culture of risk awareness and open communication | Risk Management Coordinator | General organizational laws and regulations | Cultural change initiatives, training programs | 2 | 2 | 4 | Medium | Organizational Culture Enhancement |
5 | ISO 31000:2018 | Lack of transparency and trust: Information barriers and distrust within the organization can hinder the flow of critical knowledge about risks. | Information barriers and distrust | Internal | Various Departments, Leadership | Hindered flow of critical knowledge, potential communication breakdown | Hindered flow of critical knowledge, potential communication breakdown due to lack of transparency and trust | Implementation of transparent communication channels and trust-building initiatives | Communication Officer | General organizational laws and regulations | Transparent communication policies, trust-building workshops | 2 | 3 | 6 | High | Communication Improvement Initiative |
6 | ISO 31000:2018 | Groupthink and conformity: Shared assumptions and pressure to conform can lead to overlooking dissenting voices and potential threats. | Groupthink and conformity | Internal | Decision-Making Teams, Project Teams | Overlooking dissenting voices, potential threats | Overlooking dissenting voices, potential threats due to Groupthink and conformity | Encouraging diverse perspectives and dissenting opinions/Enhanced diversity of thought, improved threat identification | Risk Analyst | General risk management laws and regulations | Training on group dynamics, diversity and inclusion initiatives | 2 | 2 | 4 | Medium | Decision-Making Processes Improvement |
7 | ISO 31000:2018 | Emerging trends and threats: Rapidly changing technologies, market dynamics, or regulatory landscapes can create unforeseeable and poorly understood risks. | Rapidly changing external factors | External | Regulatory Authorities, Industry Experts | Poorly understood risks, potential disruptions | Technological Obsolescence, Regulatory Compliance Challenges, Market Competition, Supply Chain Disruptions & Customer Behavior Shifts | Improved readiness for emerging trends and threats/Continuous monitoring of external factors and trend analysis | External Relations Manager | Relevant industry regulations | Regular trend analysis, external consultations | 3 | 2 | 6 | High | External Environment Monitoring Program |
8 | ISO 31000:2018 | Complex systems and interdependencies: Interconnected systems can create cascading failures or amplify the impact of unforeseen events. | Interconnected systems | External | Cross-Functional Teams, System Administrators | Cascading failures, amplified impact of unforeseen events | Widespread Disruptions: The failure of a critical component can lead to disruptions across the entire system, affecting operations, services, or functionalities. Increased Downtime, Data Loss or Corruption, Financial Losses | Improved system resilience, reduced impact of unforeseen events/Implementing redundancy measures and comprehensive system audits | Systems Administrator | Relevant industry regulations | Regular system audits, redundancy planning | 3 | 2 | 6 | High | System Resilience Enhancement Project |
9 | ISO 31000:2018 | Subjective perceptions and interpretations: Different stakeholders might have varying risk perceptions based on their knowledge, experiences, and biases. | Varying stakeholder risk perceptions | External | Stakeholders, Decision-Makers | Misalignment in risk priorities, potential conflicts | Misalignment in Risk Priorities, Communication Breakdown, Project Delays, Stakeholder Disengagement (divergent risk perceptions can lead to disengagement or withdrawal of stakeholders) | Improved alignment, enhanced stakeholder engagement/Regular stakeholder consultations and engagement | Stakeholder Engagement Officer | General stakeholder engagement laws and regulations | Continuous stakeholder engagement programs, perception surveys | 2 | 2 | 4 | Medium | Stakeholder Engagement Enhancement Program |
10 | ISO 31000:2018 | A public project experiencing cost overruns due to undocumented technical challenges known only to key, uncommunicative personnel. | Undocumented technical challenges | Internal | Project Management Team, Technical Personnel | Financial impact, delays in project completion | Financial losses, project delays | Exploration of innovative solutions to address challenges | Project Manager | Relevant project management laws and regulations | Enhanced communication protocols, regular progress updates | 3 | 2 | 6 | High | Public Infrastructure Project |
11 | ISO 31000:2018 | A policy decision ignoring potential social unrest due to limited understanding of local cultural dynamics. | Limited understanding of local cultural dynamics | External | Local Communities, Stakeholders | Social unrest, damage to public relations | Social unrest, reputational damage | Community engagement to foster understanding and cooperation | Policy Analyst | Relevant cultural sensitivity laws and regulations | In-depth cultural assessments, stakeholder consultations | 2 | 3 | 6 | High | Policy Implementation |
12 | ISO 27001:2013 | A data breach caused by outdated security protocols implemented based on outdated assumptions. | Outdated security protocols | Internal | Data Subjects, Regulatory Authorities | Data compromise, legal consequences | Data breaches, legal liabilities | Implementation of advanced cybersecurity measures | IT Security Officer | Data Privacy Act of 2012 | Regular security audits, updates to security protocols | 3 | 2 | 6 | High | Data Security Enhancement Project |
Note: This table provides a comprehensive breakdown of the statements and examples provided, aligning them with the designated ISO standards and associated risk management elements.