This is another guest post by Karel Simpson, Corporate Risk Manager at GardaWorld. You can read Karel’s previous posts On risk management and ISO 31000, browse the “Risk & Assurance” category in the left hand margin of this page
Risk velocity as a part of risk management
I have discussed the various elements involved with evaluating risk before but I have just recently come across the term ‘risk velocity’. It attracted my attention enough to make me do a little research and talk to other professionals about it.
My initial research identified “risk velocity” as an element within risk management. It is most often applied in the realms of financial risk but not from what I can gather in any other risk management disciplines, whether that is enterprise risk, safety or whatever.
What is risk velocity?
If we google “velocity” the search results suggest the following is the most widely applied definition;
‘the speed of something in a given direction’
If we extrapolate this definition, and apply it to the velocity of the risk, we are therefore trying to assess how fast it can be felt or soon it can cause the impact we have identified.
I have found a few examples – it must be noted that I am just scratching the surface with my initial research that I have so far conducted into this matter – of this terminology being used outside of financial risk circles but they seemed to be more like individual businesses coming up with something that suits their own purposes rather than an actual standard approach.
Stripping down to the basics of risk, it is most commonly expressed as the combination of Likelihood x Severity. In other words we are trying to work out ‘How likely is it to happen?’ and ‘If it did happen what is the end of result?’. Risk velocity introduces into this equation ‘how fast will this risk develop and/or how fast will the impact be felt?’. There are certainly situations where this additional focus is quite important.
Imagine that you are presenting to your board or senior management team on your corporate risks, you have a total of 10 risks identified (to keep it simple), 3 risks are deemed low, 4 identified as a medium risk and 3 stand out as being of a high risk to the business. Considering risk velocity could offer additional benefits. Imagine, for example, you have identified risk to the reputation of the business and your current mitigation would be to engage an external company PR company to deal with it. Does this reaction account for how fast the impact can be felt these days with the effect of social media? Taking into consideration “risk velocity” may lead you to re-evaluate a “low risk” because your existing control (the use of a PR agent) is not sufficiently rapid to stop things getting out of control. Thinking about risk in this way could also, for example, lead you to re-consider your selection criteria for some suppliers. Can they respond quickly enough? What sort of contact hours do they offer? etc.
Also, financial budgets are commonly restrained in all businesses and you need to focus on what you spend money on, AND IN WHAT SEQUENCE, based on risk and priorities. Consideration of risk velocity as an additional part of your risk calculations could allow you to have a practical means of differentiating between 3 high risks. One risk may take weeks or months to develop, another one days to weeks and the third hours to days.
As you’d expect, risk velocity is easier to think about in conceptual terms than it is to actually incorporate into your risk assessment process. One example I have encountered that simplifies the process was to score Likelihood x Severity then + Velocity so if you use a 5 x 5 matrix and the likelihood and severity was a 4, your initial score would be 16. Rating velocity as Hours to Days = 3, Days to weeks = 2, and Weeks to months = 1, we now then add in “velocity” to the calculation giving respective scores of 17, 18 and 19. This differentiates the risks and allows us to evaluate our course of action, priority and sequence of our response measures.
I would personally recommend looking at risk velocity as I really think that this will push through into the main stream of risk management in the coming years and more importantly will provide a key tool in focusing and managing the subject of risk.