In the second instalment of our risk management process series, we look more closely at the process of assessing risks. A fundamental step in risk assessment is setting up the risk measurement framework. In effect this means that before we start the actual assessment, we must decide on a set of criteria that make one risk worse than another.

While this may seem trivial, it is the step where most organizations are led astray by the material floating around the internet, which advocates the use of a likelihood and impact risk matrix. At this time, we will not go into why such a framework is utterly insufficient for any organization.

Attributes of good risk measures

As a starting point, I have listed below some attributes that make a good risk measure. By combining several such measures we can successfully capture different aspects of a specific risk.

Objective The first and arguably the most important aspect of a good risk measure is that it has an objective definition that is shared among the people in the organization. Far too often one finds organizations basing their risk assessment on a categorical risk impact estimate (from high to low), but what each of the categories means changes from organizational unit to organizational unit. Even a simple definition of a risk impact measure, such as “financial loss”, is often understood in different ways. It can mean a loss of revenue, a loss in the value of the company, a decrease in profit, a decrease in cashflow… This means that people are using the same language, but the words mean different things, an optimal setup for a lot of confusion.

Falsifiable A famous anecdote attributed to Wolfgang Pauli (Nobel Prize winner in physics) tells of a friend who showed him a paper by a young physicist and asked whether Pauli thought the paper's conclusion was right. His response was “That is not only not right; it is not even wrong”. The moral of the story is that if a claim (such as a risk assessment) is so vague that it cannot be falsified, it is even worse than wrong. To ensure that a risk assessment is falsifiable, it should relate to some observable phenomenon that the risk measure can then be benchmarked against. It is a common occurrence that risk measures are so detached from reality that one can practically make any estimate, and it would not be wrong.

Relevant and actionable Optimally, a good risk measure has direct implications for the management of the organization. In this way the results of the risk assessment are actionable. For instance, the information that the realization of a given risk would lead to a loss that would put the repayment of a loan in jeopardy clearly indicates that the likelihood of realization has to be minimized, even if that leads to substantial costs. Similarly, a risk assessment indicating a large chance of human injury clearly points to the course of action.

Ease of use In the end, risk measures have to be used by people. This means that if a risk measure is practically impossible to estimate, or its meaning is too difficult to understand, it is no good. This is the reason why sophisticated risk measures like “expected shortfall” rarely find their way out of financial institutions. This is also where we risk consultants often fail the test. Striking the balance between a risk measure being precise enough to be ‘at least wrong’ and being understandable is no mean feat.

Time assessment A risk measure should, most of the time, be linked to time or a time horizon. For instance, a commonly used risk measure is “probability of realization”. Most of the time, the risk documentation of an organization fails to mention the time horizon for that probability. Not defining the probability in terms of a time horizon means that events like “bankruptcy of supplier” would need to be given a very high probability (50%+), since over a long enough horizon almost any supplier will fail. This is clearly very uninformative. A much better measure for bankruptcy would be “2% likelihood next year”. Similarly, if we assess the financial implications of a “new market entrant”, it is much more sensible to discuss the losses during the next year or during the next 5 years rather than losses without any mention of a time horizon.

A risk measurement system cannot capture everything

While the guidelines above can help one design a good risk measurement system, the fact remains that no system can fully capture all the aspects that make a risk ‘serious’. The reason is that the level of risk is a very multidimensional issue, and if one wants to take all dimensions into account, the result is usually more chaos than added value.

Examples of possible dimensions that could affect how serious a risk is include: the loss of profit, the decrease in the value of the company, the decrease in cashflow or liquidity, how quickly the risk's effects materialize, how persistent the effect of the risk is, how likely it is that multiple risks happen at the same time, the level of employee health and safety endangered, the level of possible environmental damage, the level of social impact on external stakeholders, … You get the picture.

Thus, in addition to using a systematic way to assess risk, leave space for judgement calls and common sense!

Key takeaways

– Risk assessment starts with setting up a coherent risk measurement framework;
– Impact x Likelihood is not acceptable as the only risk measurement system;
– A good risk measure is: Objective, Falsifiable, Relevant, Easy to use, and tied to a time horizon;
– A risk measurement framework can never be complete, so supplement it with common sense;
– A good risk measurement framework captures multiple dimensions of risk;

Next time I will put the risk measurement system to practical use by discussing how to perform a risk assessment.

P.S.: To refresh your knowledge about systematic risk management, check a few previous articles:

How to manage risks systematically?

How to identify risks?

How to define “a risk”?

***

Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.

Content on risk management often seems theoretical and far removed from reality. This is why this time I am presenting a practical example of how we identified the main risks, ones that could in a worst-case scenario jeopardize the very existence of our company, and took measures to prevent their realization.

It happened years ago, when I was working at an information technology company. As part of our preparations for obtaining the ISO 27001 certificate, we also needed to assess the risks. Our approach wasn’t just a formality to meet the requirements of the standard; it was a very practical effort to prevent the risks we identified.

We soon agreed that the very heart of our activity was the servers and their supporting equipment. If anything affected our infrastructure, we wouldn’t be able to perform most of our services. This is why we addressed this issue first.

We identified two main risks for the server room, namely unauthorized access and fire.

To protect the space against unauthorized access or burglary, we installed an anti-theft door and significantly restricted entry with an access control system. To protect the room from fire, we started to monitor the room temperature and installed an automatic fire alarm system, which was later extended to other areas too. We also agreed to store backups outside the company premises and coordinated a protocol for quick notification and intervention with the security service in the event of an alarm being triggered.

Among the measures, we also considered installing a fixed automatic fire extinguishing system and the possibility of running servers at another location; however, we decided not to follow these through.

Another crucial factor for our business was the Internet, because we performed the majority of our services remotely. When, for example, the main optical connection was carelessly cut during construction work, we ended up without access to the web for almost a day.

Besides the fact that we were unable to offer support to our customers, this seemingly small error had severe financial implications for us. Each hour without Internet meant a revenue loss of between 500 and 1000 euros.

To increase our network reliability, we arranged Internet access through two operators, making sure that we had physically separate network connections.

These are just a few of the measures we took on the basis of a risk assessment. In a similar way, we analyzed all the processes in the company, from the treatment of employees to sales, procurement, development and the execution of orders, and took measures for each department separately.

P.S.: If you find this article interesting, you can learn more here:

How to identify risks?
How to manage risks systematically?
How to define “a risk”?
