Risk profiling is here and it means business
By David Towlson, RRC International
Do you get confused with all that terminology that’s bandied about? I certainly do. In the modern world with the internet being a dumping ground for everyone’s thoughts (including mine, I admit, writing this) over the expanse of time, over the planet (well, mostly just the western nations because the East is far too sensible), over all the industries and disciplines you can’t blame a chap for being presented with subtle variations of something you thought you understood. Thus it is with risk profiling and risk assessment.
To my simple mind, I had always assumed they were different, because I’ve met profiling in more of a business context. And profiling to me has always meant a higher level description, so you get the essential features. But it turns out in many documents I’ve read (including HSG65) that where they just used to say ‘risk assessment’ they now say ‘risk profiling’. Are these the same or different?
You could be forgiven for thinking risk profiling seems to be used interchangeably with risk assessment – maybe I’ve missed something here. It’s very popular to nick (sorry, borrow) terminology from other disciplines and subvert it for a purpose not intended. Business leaders do this all the time with words like “Sexy”, applying it to an idea (yes, I thought it misplaced too, the first time I heard it many years ago). Risk profiling is just such a term nicked from the business world.
Anyway, here’s my take on risk profiling and risk assessment. I think there is a good deal of overlap conceptually, but in practice risk profiling works at more of a macro, overview level and risk assessment at more of a detail level. Let me explain…
A profile, in ordinary parlance, is an outline. So a risk profile is an outline of the most important risks your business faces, the potential consequences and what you’re doing about it. In other words, it’s a high level macro view. This is different from most risk assessments I see and do, which tend to deal with the micro-level – the detail in a department, area or even specific task, rather than your whole business. So, it’s a question of scale and detail. A profile will almost certainly draw on the findings of the detailed risk assessments, but go beyond this and look at wider business consequences, such as reputation, business disruption/continuity. It might also consider your appetite for risk (for example, what level of business disruption you might be prepared to tolerate before you take action).
Now this is no real surprise. Business leaders, who do much profiling, are not generally interested in the detail – they are interested in the bigger picture and, well, leading the business (and use the word “Strategic” rather a lot, even if they are referring to a toilet break).
Insurance companies and investment banks do what they call ‘risk profiling’ rather a lot too. Insurance companies try to profile you by gathering some basic information and sticking you in a risk category. It is not a complete description of you – just the bits they need to categorise you enough to work out your premium. When it comes to investments, banks try to match your appetite for risk with the products they have.
It turns out too that BS 9999:2008 is also in on the act. It uses Fire Risk Profiling. This takes remarkably little data and puts your business premises into a fire risk category – high, medium, low.
So, for risk profile think coarse overview (quick and dirty, broad and ‘strategic’). For most risk assessment, think fine and detailed (slow and clean?). Or maybe I’m just old and tired….
David Towlson, Director of Training & Quality, RRC International