Sunday 6 April 2014

"Publish the Risk Log!"

There seems to be a clarion call these days for public projects to "publish the risk register!".  It's as if the risk register will tell us something fundamental about the project in question.  Of course, it might.  But in the hands of journalists it will mostly just create ill-informed column inches of spin and hyperbole.

I've done a lot of IT projects in my time and rattled off a fair few risk registers.  If an NHS IT project holds patient identifiable data (and most of them do) then there are bound to be entries in its risk register about that data being taken, or being revealed to unauthorised users by mistake.  It's a serious thing, and any project should be ensuring that this risk is constantly reviewed and always kept as low as it can be.

What is Risk?

Let's start with the simple question: what actually is "risk"?  The problem the press and public have is that they use the word lazily in common speech when they really mean "probability".  People say "I'm at risk of losing my job" when they really mean "there is a high probability that I will lose my job in the short term".  OK.  Fair enough.  But a risk is not just how likely something is; it is how likely it is combined with how bad it would be if it happened.  Let's try an example...

Let's look at the overall risk of going shopping at Tesco in the car.  We'll call the risk "being killed or seriously injured whilst going to Tesco in the car".

Risk Name:            I am killed or seriously injured whilst going shopping at Tesco in the car
Probability:          Extremely unlikely (I've never had an accident or even seen one whilst doing this)
Impact:               Very, very high (if this actually happens I may be dead or living my life in a wheelchair, etc.)
Overall risk score:   High enough for me to think about mitigating (i.e. lowering) this perceived risk

As with most risk situations, we decide to try and mitigate the risk.  First off, we lower the impact.  In this case, we wear a seatbelt.  So, at least if we had a crash, we've got a better chance of survival.

Then we maybe also lower the probability.  "I never go to Tesco during the rush hour.  The by-pass is like a bloody racetrack!".  If there are fewer cars about, it seems reasonable that a crash is less likely.  Likewise we all generally decide that it is a good idea not to drive to Tesco after a good night in the pub and six pints of strong ale.  That would actually raise the probability!

Mitigation:    Wear seatbelt at all times
                      Travel at less busy times
                      Do not travel if drunk or tired

Risk after mitigation: Now low enough for me to happily go shopping at Tesco and not worry about getting hurt.

So if you don't understand what you're reading, a risk register can look like a very scary place to live.  It can look like bad things are happening all the time.  But in reality the reverse is true.  It's exactly because we have put an entry on the risk register, and seriously considered how to stop it happening or how to make it less horrible if it does, that the entry should be a reason for solace, not fear.


Ben Goldacre Peddles Risk Fear

My Twitter feed popped up the other day with a post from @bengoldacre, a respected authority on things to do with healthcare data.  He'd downloaded the HSCIC corporate risk register and then unhelpfully clipped out a tiny bit.  Here it is:
[Embedded image: the clipped extract from the HSCIC corporate risk register]
The HSCIC gives each risk a value of 0-5 for probability and 0-5 for impact, and then multiplies the two together to get the overall "risk" score.  It's crude, but that's how they do it.

What's the biggest impact?  Risk 8 has an impact of 5.  So the HSCIC thinks this is the worst thing that could possibly happen in the list.  Risk 7, not sorting out the legal gateway for the data flows and thereby damaging the reputation of the HSCIC, is not viewed as being such a catastrophe.

However, it is more likely to happen, so its probability-times-impact score is higher, and it is therefore the biggest risk that needs to be mitigated.

Back in Twitter world, the next posting appears:

And immediately the first commenter gets the wrong end of the stick.  No Pascale, the HSCIC thinks that identifiable data becoming public IS the worst thing that can happen...

But wait.  Hasn't Mr Goldacre been a bit economical with the truth?  When we look at the risk register itself, rather than this selective cut, we find there is another column telling us all about the mitigations that the HSCIC has put, or is planning to put, in place.  And finally another column where they report a revised probability AFTER the mitigations.  Suddenly things look a whole lot different.  Here are the final scores for these three risks...

So how do you review a risk register?

You have to check that the impact and probability AFTER mitigation are correctly estimated.  You have to check that those mitigations are going to be effective, and that the ones merely "planned" are actually going to happen.  And finally, you have to be able to spot the missing risks.  Trickier than just doing a selective copy/paste and writing a scary headline.
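To make the scoring scheme and the review checks concrete, here is a small model of a risk register as an added example.  It is not code from the original post and has nothing to do with the HSCIC's actual register: every entry, score and mitigation in it is constructed for illustration (the Tesco risk from earlier is included with invented numbers).  It uses the 0-5 probability times impact scheme described above, keeps inherent and residual (post-mitigation) scores separately, and shows why the highest-impact entry need not be the top-scoring one, how the ranking changes once the residual columns are read, and which entry a reviewer should chase up because its mitigations have no residual estimate behind them.

```python
"""Inherent vs residual risk scoring for a register, with reviewer checks.

Added example, not code from the original post or the HSCIC.  It uses the
0-5 probability x impact scheme the post describes; every register entry,
score and mitigation below is constructed for illustration and is not the
HSCIC's real data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

SCALE = range(0, 6)  # 0..5 for both probability and impact


@dataclass
class Risk:
    ref: str
    name: str
    probability: int                              # inherent, before mitigation
    impact: int                                   # inherent, before mitigation
    mitigations: list[str] = field(default_factory=list)
    residual_probability: Optional[int] = None    # estimate after mitigation
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        scores = [self.probability, self.impact,
                  self.residual_probability, self.residual_impact]
        for v in scores:
            if v is not None and v not in SCALE:
                raise ValueError(f"{self.ref}: score {v} is outside the 0-5 scale")

    @property
    def inherent_score(self) -> int:
        return self.probability * self.impact

    @property
    def residual_score(self) -> int:
        # A missing residual estimate means the risk counts as unmitigated.
        p = self.probability if self.residual_probability is None else self.residual_probability
        i = self.impact if self.residual_impact is None else self.residual_impact
        return p * i


def rank(register: list[Risk], residual: bool = False) -> list[str]:
    """Refs ordered by score, highest first (residual score if requested)."""
    score = (lambda r: r.residual_score) if residual else (lambda r: r.inherent_score)
    return [r.ref for r in sorted(register, key=score, reverse=True)]


def highest_impact(register: list[Risk]) -> str:
    """The 'worst thing that could happen', which need not be the top-scoring risk."""
    return max(register, key=lambda r: r.impact).ref


def review(register: list[Risk]) -> list[tuple[str, str]]:
    """Checks a reviewer applies to the post-mitigation columns, not just the raw ones."""
    findings = []
    for r in register:
        if r.mitigations and r.residual_probability is None and r.residual_impact is None:
            findings.append((r.ref, "mitigations listed but no residual estimate recorded"))
        elif r.mitigations and r.residual_score >= r.inherent_score:
            findings.append((r.ref, "mitigations listed but the score did not fall; are they effective?"))
        if not r.mitigations and r.residual_score < r.inherent_score:
            findings.append((r.ref, "score reduced with no mitigation recorded"))
        if r.residual_probability == 0 and r.impact >= 4:
            findings.append((r.ref, "zero residual probability on a high-impact risk is implausible"))
    return findings


# Constructed register entries (not the HSCIC's): the Tesco example from the
# post plus three invented project risks.
REGISTER = [
    Risk("D1", "Patient identifiable data disclosed to an unauthorised party",
         probability=2, impact=5,
         mitigations=["role-based access control", "encryption at rest and in transit",
                      "access audit logging"],
         residual_probability=1, residual_impact=5),
    Risk("G1", "Legal gateway for data flows not agreed; reputational damage",
         probability=4, impact=3,
         mitigations=["agree gateway with the data controllers before go-live"],
         residual_probability=2, residual_impact=3),
    Risk("U1", "Key supplier misses delivery date",
         probability=3, impact=3,
         mitigations=["weekly supplier progress review"]),   # no residual estimate recorded
    Risk("T1", "Killed or seriously injured driving to Tesco",
         probability=1, impact=5,
         mitigations=["wear seatbelt", "travel off-peak", "do not drive drunk or tired"],
         residual_probability=1, residual_impact=3),
]

if __name__ == "__main__":
    print("highest impact:", highest_impact(REGISTER))
    print("ranked before mitigation:", rank(REGISTER))
    print("ranked after mitigation:", rank(REGISTER, residual=True))
    for ref, finding in review(REGISTER):
        print(f"review: {ref}: {finding}")
```

Run as a script it prints D1 as the highest-impact entry while G1 tops the pre-mitigation ranking (the Risk 7 versus Risk 8 situation above), and once the residual columns are read the unmitigated U1 rises to the top, which is exactly the kind of entry a reviewer should be asking about rather than the scary-looking raw impact column.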
