ALARP (As Low As Reasonably Practicable) is a fundamental concept in risk management, as it should be in life in general. It expresses the idea that we should reduce adverse risks as much as possible without excessive cost. The principle is that the benefits should outweigh the costs. ALARP is not a specific cost-benefit ratio; it is a region where cost and benefit play together in harmony.
Figure 1: ALARP - the point where risk and resources achieve optimal balance
Understanding the concept and measuring it in practice are two different things. There are many challenges, two of the largest being:
You need a consistent performance scorecard with at least two years of historical data: a quantitative or semi-quantitative benchmark that gives you a standard for comparison.
Much of what we spend on risk management is 'hidden' from view. It's easy to quantify the cost of insurance, hedging, risk management training budgets, etc. but that is the tip of the iceberg. A simple example of this would be an organization that relocates its office for safety reasons. It's easy to account for the cost of relocation as a risk management expense. But the intangible costs such as extra taxi fares, higher rent, etc. are rarely considered. Few organizations track this difference, much less apportion it to risk management.
The first questions to ask yourself before building a scorecard to benchmark your performance are 'SIMPLE':
Scope - What is the scope of our scorecard? The whole organization? Or do you want to separate out each division, each geographic location or each separate facility? Maybe the environmental program? What about the safety and health program? Does your organization link Health, Safety, Environment, and Security as one reportable entity?
Indicators - What are the specific indicators that we care about? Are we more interested in lag or lead indicators? Do we have enough information already and if not, what would we need to track?
Measures - How do we measure success? At what point do we reach the optimal resource/risk balance? Is there a specific number? If not, can we use client (internal or external) surveys to provide a semi-quantitative measure as a proxy for risk?
Performance - What long-term performance are we seeking? How will our ALARP strategies and measures contribute to organizational performance?
Longitudinal data - What period do we want to consider? Will we measure monthly, quarterly, or annually? What is the lifespan of our performance benchmarking tool? If we align it to our risk management framework, it will need updating when the framework changes. Will we need to make adjustments to historical data to keep our long-term information meaningful?
Excellence - How will we achieve excellence? How will we know when our benchmarking is excellent? Is it when the CEO or Board sign it off? What do we need to do to achieve true excellence? Will you describe it as excellent when it's working to plan? Or when independent auditors sign it off? How will we track hidden risk management costs? For example, will you create cost codes to track the hidden risk treatment costs such as the extra cost of rent as in the case above?
If we're serious, we also need to think about how to measure the AHARP concept (As High As Reasonably Practicable) for positive risks (a.k.a. opportunity realization). More on AHARP and AHLARP at this link, but that's an idea for another day.