7.1 Event Tracking

<< Click to Display Table of Contents >>

Navigation:  7EVENTS >

7.1 Event Tracking

 

Event tracking is a critical part of Risk Management; it differentiates Risk Management from mere Risk Recording. Risk Management needs to be a dynamic activity, the Risk Profiles used in an organisation need to mature and develop over time. They cannot simply be built and then left static with merely their controls being periodically tested. Event Management is one of the ways in which this dynamism can be introduced.

When the Risk Profiles are first built elements such as the likely size of the impact, the probability of its occurrence, the strength of any mitigating controls, even to some extent the attributes likely to be impacted are all estimates; estimates based on years of experience perhaps but estimates nevertheless. A good, robust system should continuously refine these estimates, replacing them wherever possible with known data; replacing “I think” with “I know”.

 

Event tracking should be an integral part of any Risk Management system but it should not be the heart of the system. In many cases Risk Management systems are built around a “core” module designed to track events; the problem with this is that it is always backward looking, trying to learn from events, trying to install new controls to ward off further adverse events. It is important to be able to do this but it is also necessary to be prospective as well as retrospective, to try and foresee likely events before they happen and design mitigating controls accordingly. The system, then, should have, at its core, risk capture and evaluation mechanisms, supported by event tracking and reporting systems.

 

It is easy to get carried away with the idea that Event Tracking is going to considerably enhance our Risk Management system without giving any thought as to how Event Tracking is to be administered. There are many things to consider and resolve before a robust Event Tracking system can be installed:

 

Actual events vs “near misses”

What is an event?

What happens if an event is to be recorded but the risk isn’t currently in the system?