Time to ditch risk matrices and take a new approach to assessing risks, writes Tony Thornton, ERM and business continuity expert
One of the (many) significant concerns I have with the traditional approach to risk assessment – likelihood vs. impact – is that, in attempting to be clever, it actually achieves three unwelcome things:
1. It insults our intelligence
2. It needlessly introduces error, and
3. It is contrary to the fact that risk is defined by uncertainty
The common approach to assessing ‘likelihood’ involves using sub-categories. Below is a typical example (the assessed likelihood of the event increasing from left to right):
There are, arguably, enough things wrong with this to warrant a separate article, but to highlight a few:
1. Having ‘possible’ as a discrete category is nonsense. Something is either ‘possible’ (whatever its ‘probability’) or it is not. An event judged not ‘possible’ cannot sit in the two categories below ‘possible’ either, so those categories become redundant.
2. The concept of something being ‘highly possible’ confuses ‘possibility’ with ‘probability’.
3. ‘Probable’ is meaningless without further clarification/quantification.
4. Finally, risk deals with uncertainty. The more uncertainty, the higher the risk.
As risk managers, our job is to reduce the amount of uncertainty. If something is classified as ‘almost certain’, then the level of uncertainty should be minimal. Therefore, the risk is much reduced. However, in the classification above, ‘almost certain’ is associated with the highest level of risk.
There are many other variations on the theme of trying to sub-categorise ‘likelihood’, all laden with error. For example:
- Alpha/numerical ordinal scales, which only really tell us that event ‘C’ is more likely than event ‘B’. This is no use unless we know what event ‘B’ actually means, rather than just that it is ‘less than C but more than A’.
- Semi-quantitative scales that look to the past in order to predict the future, which is rather like predicting engine trouble in a 2019 Ferrari from prior experience with a 1920 Ford Model T.
A Reasonable Approach to Risk Assessment - The Rules
- Accept that we live in an improbable world, and that the future is defined by the occurrence of events.
- Convene a team of risk owners, stakeholders and subject matter experts.
- Brainstorm all future events that may occur within your sphere of interest, no matter how obscure they may seem at first.
- Determine which of the identified events it would be ‘reasonable’, in the combined opinion of the group, to dismiss. Events such as ‘meteorite collisions’ or ‘nuclear war’ would be filtered out at this stage.
- Determine which of the remaining ‘reasonable’ events might possibly occur within the timeframe of interest. Simply answer ‘yes’ or ‘no’. Only those events that receive a unanimous ‘No’ vote should be dismissed.
- Determine which of the remaining events, if they materialised, would affect the objectives against which the risk assessment is being conducted.
- Brainstorm impact scenarios (being careful to distinguish ‘consequences’ and ‘impacts’)
- Debate and decide upon prioritised mitigation plans
The three questions of Risk Assessment:
- IS IT REASONABLE?
- IS IT POSSIBLE?
- WILL IT AFFECT THE OBJECTIVES?
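The rules and the three questions above amount to a filter applied in a fixed order, and the detail that matters in practice is the voting rule at the second question: an event is dismissed as ‘not possible’ only on a unanimous ‘No’, so one dissenting ‘Yes’ keeps it in scope. The following is an added example, not code from the article or from its author, showing the filter written out so that a register of candidate events can be triaged consistently. The event names, the team members and their votes are constructed for illustration.

```python
# Added example (not from the article): the three-question filter as code.
# Event names, participants, votes and flags below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Candidate:
    event: str
    reasonable: bool                # Q1: combined opinion of the group
    possible_votes: Dict[str, str]  # Q2: participant -> "yes"/"no" within the timeframe
    affects_objectives: bool        # Q3: group's answer


def is_dismissed_as_impossible(votes: Dict[str, str]) -> bool:
    """Question 2: dismiss only on a unanimous 'no'.

    A single 'yes' keeps the event in scope. An empty vote is treated as
    'not dismissed' so a missing answer can never silently drop an event.
    """
    normalised = {v.strip().lower() for v in votes.values()}
    unknown = normalised - {"yes", "no"}
    if unknown:
        raise ValueError(f"votes must be yes/no, got {sorted(unknown)}")
    return bool(normalised) and normalised == {"no"}


def triage(candidates: List[Candidate]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Apply the three questions in order; return (kept, dismissed-with-reason).

    Only events that survive all three questions go forward to impact scenarios.
    """
    kept: List[str] = []
    dismissed: List[Tuple[str, str]] = []
    for c in candidates:
        if not c.reasonable:
            dismissed.append((c.event, "Q1: not reasonable to consider"))
        elif is_dismissed_as_impossible(c.possible_votes):
            dismissed.append((c.event, "Q2: unanimous 'no' on possibility"))
        elif not c.affects_objectives:
            dismissed.append((c.event, "Q3: does not affect the objectives"))
        else:
            kept.append(c.event)
    return kept, dismissed


TEAM = ("risk owner", "operations lead", "IT security")

# Constructed sample register: one event per outcome, plus a split vote.
SAMPLE = [
    Candidate("meteorite collision", reasonable=False,
              possible_votes=dict.fromkeys(TEAM, "yes"), affects_objectives=True),
    Candidate("primary data centre flooded", reasonable=True,
              possible_votes={"risk owner": "no", "operations lead": "no",
                              "IT security": "yes"},
              affects_objectives=True),
    Candidate("sole supplier ceases trading", reasonable=True,
              possible_votes=dict.fromkeys(TEAM, "no"), affects_objectives=True),
    Candidate("office coffee machine fails", reasonable=True,
              possible_votes=dict.fromkeys(TEAM, "yes"), affects_objectives=False),
    Candidate("ransomware halts order processing", reasonable=True,
              possible_votes=dict.fromkeys(TEAM, "yes"), affects_objectives=True),
]

if __name__ == "__main__":
    kept, dismissed = triage(SAMPLE)
    print("kept for impact scenarios:", kept)
    for event, reason in dismissed:
        print(f"dismissed {event!r}: {reason}")
```

Note that the flooded data centre survives on a two-to-one ‘No’ vote: the rule at the second question is unanimity for dismissal, not a majority, which is the point of asking ‘is it possible?’ rather than ‘how likely is it?’. No likelihood category or rating appears anywhere in the filter.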
Summarised in the flow chart below:
KEY CHARACTERISTICS / BENEFITS
- NO NEED FOR LIKELIHOOD CATEGORIES
- NO NEED FOR LIKELIHOOD RATING
- NO NEED FOR RISK RATING, and therefore…
- NO NEED FOR A RISK MATRIX!
For more articles from Tony, visit: www.theriskmanager.co.uk