Skip to main content

It is important to choose which risks are worthy of investment to reduce their likelihood and/or minimize their impact – but it is not easy. The risk register is always too long and there are never enough resources to address every high-priority risk.

Even if resources were limitless, some risk management is just not worth the effort.  It’s clear, a more informed approach to risk management is needed.

Choosing which risk mitigation efforts should be resourced to deliver the best results


Florence Nightingale was an English social reformer, statistician, and the founder of modern nursing – and an innovator in data visualization and applied risk management. Nightingale was a self-taught expert in statistics; she represented her analysis in graphical forms to make it easy for others to draw conclusions and take actions that were data-driven.

Her pioneering work in risk management and her data communication skills helped to significantly reduce death rates by improving field hospital hygiene. 

Any competitive landscape where resources are scarce and risks are high, in business or in battle, will benefit from the risk management tactics she utilized. 

Following its introduction in the Crimean War, triage has become a standard response to critical medical resource shortages and continues to be utilized today.  In a war zone triage means sorting patients into four categories of need:

  1. No Need: Those who are likely to die, regardless of what care they receive.
  2. Severe: Those for whom immediate care might make a positive difference in the outcome.
  3. Moderate: Medical care is required, but not immediately.
  4. Minimal: Those who are likely to live, regardless of what care they receive; 

Thanks to Florence, triage replaced the default approach of prioritization by rank. This got more wounded soldiers back into the fight faster.  

Applying triage techniques in Risk Management is a very useful approach to allocating scarce resources for the best outcomes.  In this way scarce resources could be deployed, first to Category I, then continuing in sequence to get the best outcomes. 

How can we apply Triage to Risk Management?  

After risks have been prioritized based on  likelihood, impact, and mitigation, triage can be applied to the top-priority risks: 

  1. No Need: Risks that cannot be mitigated regardless of the effort deployed  
  2. Severe: Where mitigation can prevent a risk from happening, and/or dramatically reduce the impacts. 
  3. Moderate: Where mitigations can reduce the impact of risks to some extent.   
  4. Minimal: Risks where the impacts are not significantly affected by mitigation actions. 

Assign resources first to category I severe risks and, when these mitigation actions are fully resourced, move on to the other categories.  For example, perhaps you identify a risk that malign agents could put poisoned versions of your food products in random supermarkets and there is nothing you can do to mitigate that risk, apart from your existing crisis Public Relations plans. Then nothing is what you should do. Or there is a high likelihood of severe weather which in turn will have a high impact on all your distribution channels, but you can’t identify any mitigation actions that will help. The solution is, to do nothing.  

The decision to commit zero resources to a priority risk in ‘No Need’ is always an interesting discussion. Just as in battlefield situations, it is hard to ignore the most dramatic problems, but it is the right thing to do. And the discussion around putting some risks into that classification can be enlightening for the team involved. 

Finally, it is worth saying that the data is important here

All of these techniques in risk management are reliant on having good information to support risk assessments. Therein lies the problem. Acquiring good, trustworthy data is incredibly challenging, especially for large, complex organizations with huge amounts of data, and heterogeneous systems. 

A part of Florence Nightingale’s success was her ability to capture the relevant data and communicate it clearly. Solving the data challenge is different in a large complex organization with diverse IT systems, but it remains a fundamental requirement for good risk management decisions.

Discussions around prioritization and triage will break down if there are information blind spots that make it difficult to reliably estimate the likelihood and impact of risks. Without a single source of truth, you may find yourself investing resources where there is no hope of a good outcome. Trying to cure a fatally wounded soldier, when there are others you can save.