Accendo Reliability


by Greg Hutchins

Now You Understand Your Risks: What’s Next?

Guest Post by Andrew Sheves (first posted on CERM® RISK INSIGHTS – reposted here with permission)

Naturally, a lot of time and effort in risk management goes into understanding the risks that you face. After all, if you don’t understand what you’re up against, there’s not a lot of risk management to be done. However, even when you complete a comprehensive risk assessment, this is just the beginning of the process. Now the real work starts and you have to answer the big question.

What do we do next?

At this point, things become very subjective. Not only does the risk depend on your particular situation, but so does the most appropriate response. That’s one of the reasons it’s so hard to develop a one-size-fits-all set of mitigation measures: the ‘right’ answer will differ, company by company. So instead of a simple ‘if you have A, then do B’ approach, you have to customize the response to meet your specific needs.

This isn’t dissimilar to what you will see in a gym. Imagine a group of people who all want to lose weight and get fit. They will all be given different workout and diet plans to meet their specific needs. They will all have very different paths to get them to a similar goal: there’s no one-size-fits-all plan.

However, despite the customization, there will be some common elements in each plan: healthy eating, regular aerobic exercise, cut back on PopTarts (my weakness).

It’s going to be the same when you start thinking about what to do about a risk. There will be common approaches that you can use to address a risk even though the exact mix – the specific strategy – will be unique to your organization.

Before I jump into the details, one point on terminology. I call this ‘addressing’ the risk rather than ‘managing’ the risk just to differentiate this particular step from the overall practice of ‘risk management’. So you first understand the risk by assessing it, then you address the risks. (Read more on this basic approach here.)

When it’s time to ask ‘what do we do about this risk?’, your options broadly fall into one of five categories:

  • Avoid
  • Treat
  • Tolerate
  • Transfer
  • Terminate

These options (A4T) give you five top-level strategies for addressing a risk which you can then develop into specific measures as part of a detailed risk management plan. Here’s a little more detail on each but also keep in mind that you may well combine several of these to tackle a single risk.

Avoid

This means that you don’t engage with the risk in the first place. If you were considering a new project in a location where there was civil unrest, you might decide not to go ahead at all. Likewise, you decide to not add a new feature to a piece of software because the associated privacy issues outweigh the benefits of the upgrade. The key thing here is that you haven’t engaged with the risk yet so you can avoid it altogether.

Terminate

However, if you are already exposed to the risk, then you have the option to terminate that specific activity and remove the risk altogether. So if you discovered that an existing software feature was now an issue because of new privacy legislation (hello GDPR!) you might terminate that. Or if civil war broke out in a previously stable location where you were operating, closing everything down removes that risk. You terminate the activity that exposes you to the risk.

Tolerate

If a risk falls within acceptable parameters then you can tolerate the risk and there’s no additional action to take at this stage. There are two key ideas to keep in mind here:

  • Your risk appetite is the amount of risk you are comfortable with for the long-term.
  • Your risk tolerance is the amount of risk that you are willing to bear in the short term. This is usually greater than your risk appetite unless you have an extremely cautious organization where it might be the same.

So to tolerate a risk, it has to be below your risk appetite threshold. It either already falls into this bracket or you use one of the other A4T options to reduce it to an acceptable level. Keep in mind that it might take a while to reduce a risk but it’s usually OK to tolerate a higher risk as long as you are actively working to reduce it.

Treat

Treating the risk is when you use specific mitigations to bring the risk into line with your levels of comfort (your risk appetite). Treating the risk should make it tolerable (see above) as you are aiming to bring it into line with your risk appetite. Ideally, you are striving to get to the point where it is as low as possible (here the term ALARP is often used – as low as reasonably possible). We often jump right to treatment when we start to plan our risk strategy but make sure you don’t overlook the other options available and remember that a mix of techniques might be appropriate.

Transfer

Finally, you can transfer the risk elsewhere. Buying insurance or contracting someone else to conduct higher risk activities are forms of risk transfer. Just be careful that you don’t end up with a false-transfer where it looks like you transferred a risk but you remain exposed. For example, if you retain responsibility for the actions of sub-contractors, you haven’t transferred your risk. (In fact, you’ve increased it, but that’s a discussion for another day.)

Now you have five general strategies that you can use to start to consider how to address each risk: avoid, terminate, treat, tolerate and transfer. But remember, this isn’t a one or another choice: mix and match the A4T strategies to get your risks to an acceptable level. For example, it’s very common to have insurance – risk transfer – in addition to other A4T options as part of the strategy for a single risk.

So keep these in mind when you next look at your risks and are deciding what the next steps should be. These five options will help you develop some top-level strategies for what to do before you start working on detailed treatment plans.

This is an excerpt from Beyond The Spreadsheet: A Practical Guide to Understanding Your Risks. You can learn more about the book here and CERM-RI subscribers get a special 25% discount if they use this link.

Andrew Sheves Bio

Andrew Sheves is a risk, crisis, and security manager with over 25 years of experience managing risk in the commercial sector and in government. He has provided risk, security, and crisis management support worldwide to clients ranging from Fortune Five oil and gas firms, pharmaceutical majors and banks to NGOs, schools and high net worth individuals. This has allowed him to work at every stage of the risk management cycle from the field to the boardroom. During this time, Andrew has been involved in the response to a range of major incidents including offshore blowout, terrorism, civil unrest, pipeline spill, cyber attack, coup d’etat, and kidnapping.

Andrew has distilled these experiences down to first principles to develop the KISS Risk Management framework, a straightforward, effective and robust approach to risk management. This aims to make high-quality risk management tools, resources, and training accessible to as many people as possible, particularly those starting out in the field of risk. He has also developed the dcdr.io risk management software platform and several online assessment tools to complement the KISS framework.

Andrew has an MSc in Risk, Crisis and Disaster Management from Leicester University and has written articles for several publications including the RUSI Journal, ASIS Security Manager Magazine and the International Association of Emergency Managers Bulletin.

Email – andrew@andrewsheves.com
Website – https://andrewsheves.com
Software – https://dcdr.io
Linkedin – https://www.linkedin.com/in/sheves/

About Greg Hutchins

Greg Hutchins PE CERM is the evangelist of Future of Quality: Risk®. He has been involved in quality since 1985 when he set up the first quality program in North America based on Mil Q 9858 for the natural gas industry. Mil Q became ISO 9001 in 1987.

He is the author of more than 30 books. ISO 31000: ERM is the best-selling and highest-rated ISO risk book on Amazon (4.8 stars). Value Added Auditing (4th edition) is the first ISO risk-based auditing book.
