Brian Toft explains a risk ranking methodology that can help when looking at the cost effectiveness of risk reduction measures

In order to survive, the people running organisations have to make decisions that determine the most appropriate course of action at any particular time. Resources are usually finite, and many of those decisions concern how they allocate the available resources to the risks confronting them. Unfortunately, there are some people who make a tacit, if not explicit, assumption that they can treat the risks as if they were concrete physical entities which can be precisely defined and unambiguously measured in objective terms. That is to say, risks and their assessment can be considered to be value free and neutral.

This notion is, to say the least, contentious, and experts have taken issue with it. In fact, research shows that for human beings perception is all. This means that when our perception of a situation is incongruent with 'reality', the decisions we make and the actions we subsequently decide upon may be inappropriate. This clearly undermines the whole notion of an unbiased objective approach to quantitative risk assessment and the confidence that society can place in the results. If the assessment of risks is subjective - in other words, if the probability and magnitude of risks exist only in the mind of the beholder - then it is not possible for anyone to measure risk objectively in the same way as they would a physical phenomenon.

A letter written to The Honourable Mike Gravel of the US Senate by the Comptroller General of the United States will serve to illustrate this.

It addresses the Senator's concerns over the confidence that could be placed in quantitative reliability predictions regarding the possibility of a catastrophic nuclear accident. The Comptroller General reported that: 'As far as we could learn during this brief review, DOD (Department of Defence) and NASA officials can offer little guidance as to how very rare failures or catastrophic accidents to systems can be anticipated, avoided or predicted ... NASA goes to extraordinary lengths - reliability cost is hardly an object - to prevent disasters in manned space vehicles ... Still, three astronauts were lost in one vehicle. The Soviets suffered similar losses in other attempts. No one can tell if and when such catastrophic failures will be repeated.'

The deaths referred to by the Comptroller were those of the Apollo space capsule crew who perished in a fire during practice drills in January 1967, and the crew of the Soyuz XI space capsule who died following the capsule's decompression during re-entry in June 1971. Since that letter was written, there have been a considerable number of major incidents involving tragic loss of life, large-scale financial loss or both. These have very clearly illustrated our inability to accurately predict the probability of disaster scenarios occurring.

Despite these difficulties, decisions still have to be made and resources still have to be allocated. Fortunately, it is possible to make useful estimates of the risks associated with a hazard and to make decisions about them, providing you explicitly recognise such problems as limiting factors and exercise due care.

Risk ranking

The methodology outlined below is intended for use when carrying out a risk reduction cost-effectiveness exercise. Since the assessment of the risk of a hazard will to some extent be subjective, the methodology is based upon the notion that knowledge about reality begins with experience.

As Brown and Sime(1) assert: '... people can and do comment on their experiences, and ... these commentaries are acceptable as scientific data.'

Risk calculation

Technically, the term 'risk' is usually considered to consist of two components: first, a numerical probability (that is, a number between 1 and 0) that a particular hazard will occur; and second, a numerical estimate (frequently in financial terms) of the consequences that might result. Multiplying these two terms together provides a 'risk index' that can help you to rank hazards in relation to the degree of risk they offer.

This relationship can be expressed in the following way:

Probability x consequence = present risk

It is important to remember that the risk index thus produced is not the same as the value at risk. For example, if it were estimated that a particular hazard had a one in a million chance of occurring within a particular period, and that, should it occur, the financial consequences to the organisation would be the loss of £5m, mathematically the hazard would have a risk index value of five:

Probability of 1 x 10^-6 x consequence of 5 x 10^6 = 5

Similarly, if it was thought that another hazard had a one in 10 million chance of occurring in the same period, with the potential financial consequences involving a loss of £100m, mathematically the risk would have an index value of ten:

Probability of 1 x 10^-7 x consequence of 1 x 10^8 = 10

Under this scheme, the hazard with the risk index value of ten would be ranked as having the higher priority of the two hazards.

Assigning values to subjective probability assessment

When asked to assess the probability of a hazard occurring, people often use qualitative categories such as high, medium, low, or negligible. But in order to carry out a risk reduction cost-effectiveness exercise on a hazard, numerical values must be substituted for the qualitative categories.

One solution is to assign nominal probability values which are broadly accepted as representing these qualitative categories(2). Thus, when the probability that an event will occur is judged to be high, its numerical equivalent can be taken as less than one chance in a thousand; when medium, one in ten thousand; when low, one in a hundred thousand, and when remote, one in a million:

High = <10^-3
Medium = 10^-4
Low = 10^-5
Remote = 10^-6

It should be remembered, however, that these probabilities do not reflect the actual likelihood that a risk might occur, nor do they show how acceptable or tolerable a particular hazard may be to the employees of an organisation or to the general public, regardless of the opinion of those carrying out the risk assessment exercise.

Calculation of the financial consequences

The monetary value assigned to the financial consequence of a hazard occurring may also contain some subjectivity. In some cases, such as accurately calculating the total damages a court might award to a plaintiff, or the amount of time a revenue-generating activity may be out of action, there will be no way in which an objective figure can be produced. In such circumstances, robust estimates should always be used.

Potential for control

In order to ascertain the ranking order for risk priority, it is also necessary to estimate the amount by which an appropriate intervention strategy could reduce the risk associated with a particular hazard. This can be expressed in percentage terms. Here, there are no publicly agreed numerical values, so the control potential of the risk reduction interventions in the example is arbitrary.

In order to calculate the potential size of risk reduction per pound spent, an estimate must also be made of the cost of a control intervention, creating a risk reduction cost benefit priority index.

Using the numerical equivalents of probability, magnitude of consequence and control potential estimates allows you to calculate the following:

Probability x Consequence = Present Risk
Present Risk x Control Potential = Potential Improvement
Present Risk - Potential Improvement = Improved Risk
Risk Improvement / Cost of Intervention = Risk Reduction Cost Benefit Priority Index

After completing these calculations, you can create a risk reduction cost benefit priority ranking list by ranking each hazard's risk reduction cost benefit priority index from largest to smallest.

This methodology does not seek to provide scientific or optimal results.

It is a heuristic device, which is designed to help management make decisions about the allocation of resources, with respect to the hazards that face their organisation; in other words to gain the maximum reduction in risk for the minimum outlay of resources. To put it yet another way, it seeks to achieve 'the biggest bang for every buck'.

You will also always have to exercise judgement regarding the creation of a risk reduction cost benefit priority list. There may be occasions when a perceived hazard's severity or probability is so high that it requires immediate attention, although its risk reduction cost benefit priority index makes the hazard a low priority in those terms.

The inherently subjective nature of assessing risks and the biases that are present within the human condition lead inexorably to the conclusion that the search for an absolute objective way of calculating all risks is the equivalent of searching for the philosopher's stone. However, there is a way in which risks can be assessed and priorities for action established using subjective assessments and a simple mathematical technique.

(1) Brown, J and J A Sime (1981) 'A methodology for accounts in social method and social life', in Social Method and Social Life, Brenner, M (Ed), Academic Press, London.

(2) Paling, J and S Paling (1994) 'Up to your armpits in alligators?', The Environmental Institute, Florida, USA, p.118.


(Risk 1) Present Risk = (1 x 10^-5) x (1 x 10^6) = 10; 10 x 15% = Risk Improvement 1
Present Risk 10 - Risk Improvement 1 = Improved Risk 9
Risk Improvement 1 / Cost of Intervention £10.00 = 0.1 units per pound

(Risk 2) Present Risk = (1 x 10^-4) x (1 x 10^6) = 100; 100 x 85% = Risk Improvement 85
Present Risk 100 - Risk Improvement 85 = Improved Risk 15
Risk Improvement 85 / Cost of Intervention £100.00 = 0.85 units per pound

(Risk 3) Present Risk = (1 x 10^-3) x (5 x 10^6) = 5000; 5000 x 85% = Risk Improvement 4250
Present Risk 5000 - Risk Improvement 4250 = Improved Risk 750
Risk Improvement 4250 / Cost of Intervention £1000 = 4.25 units per pound

(Risk 4) Present Risk = (1 x 10^-3) x (3 x 10^6) = 3000; 3000 x 85% = Risk Improvement 2550
Present Risk 3000 - Risk Improvement 2550 = Improved Risk 450
Risk Improvement 2550 / Cost of Intervention £200 = 12.75 units per pound

In cost benefit terms the allocation of resources to the risks above in decreasing order of priority is:

Risk 4 = 12.75 (1st)
Risk 3 = 4.25 (2nd)
Risk 2 = 0.85 (3rd)
Risk 1 = 0.1 (4th)
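
The calculation and ranking above, as an added Python example (not part of the original article): it recomputes the four worked risks from their stated inputs and names any hazard whose consequence reaches a severity ceiling but which the index did not rank first, the case the article says calls for judgement. The names Hazard, rank, PAGE_RISKS, ODDS and severity_ceiling are assumptions of this example.

```python
from dataclasses import dataclass

# Nominal "one chance in N" odds for the article's qualitative categories
# (the article gives High as <10^-3; its worked figures use 10^-3).
ODDS = {"high": 1_000, "medium": 10_000, "low": 100_000, "remote": 1_000_000}

@dataclass(frozen=True)
class Hazard:
    name: str
    likelihood: str        # key of ODDS
    consequence: int       # estimated loss, pounds
    control_percent: int   # share of present risk the intervention removes
    cost: int              # cost of intervention, pounds

    @property
    def present_risk(self):
        return self.consequence / ODDS[self.likelihood]

    @property
    def improvement(self):
        return self.present_risk * self.control_percent / 100

    @property
    def improved_risk(self):
        return self.present_risk - self.improvement

    @property
    def priority_index(self):
        if self.cost <= 0:
            raise ValueError(f"{self.name}: cost of intervention must be positive")
        return self.improvement / self.cost

def rank(hazards, severity_ceiling):
    """Order by index, largest first; also name hazards at or above the
    (assumed) severity ceiling that the index did not place first."""
    ordered = sorted(hazards, key=lambda h: h.priority_index, reverse=True)
    review = [h.name for pos, h in enumerate(ordered)
              if pos > 0 and h.consequence >= severity_ceiling]
    return ordered, review

# Inputs as stated in the article's four worked risks. Risk 1 evaluates to an
# improvement of 1.5 and an index of 0.15 from the stated 15%; the order is unaffected.
PAGE_RISKS = [
    Hazard("Risk 1", "low", 1_000_000, 15, 10),
    Hazard("Risk 2", "medium", 1_000_000, 85, 100),
    Hazard("Risk 3", "high", 5_000_000, 85, 1_000),
    Hazard("Risk 4", "high", 3_000_000, 85, 200),
]

if __name__ == "__main__":
    ordered, review = rank(PAGE_RISKS, severity_ceiling=5_000_000)
    for h in ordered:
        print(f"{h.name}: index {h.priority_index:.2f}, improved risk {h.improved_risk:g}")
    print("needs judgement despite rank:", review)
```

With a ceiling of £5m, Risk 3 is listed for review: it carries the largest present risk (5000) yet ranks second because its intervention costs five times as much as Risk 4's.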