Risk assessment [Part 1]: Setting up the risk measurement framework

In our second instalment of our risk management process series, we are going to look more closely to the process of assessing risks. Fundamental step for risk assessment is the setup of the risk measurement framework. In effect this means that before we start the actual assessment, we must decide a set of criteria that make one risk worse from another.

While this may seem trivial it is the step where most organizations are led astray by the material floating all around the internet, which advocates the use of likelyhood and impact risk matrix. At this time, we will not go into why such a framework is utterly insufficient for any organization.

Attributes of good risk measures

For a starting point I listed below some attributes that make a good risk measure. And by combining numerous such measures we can successfully capture different aspects of specific risk.

Objective The first and arguably the most important aspect of a good risk measure is that it has an objective definition, that is shared among the people in the organization. Far too often one finds organizations basing their risk assessment on categorical risk impact estimate (from high to low), but what is the meaning of what each of the categories mean is changes from organizational unit to organizational unit. As simple definition for risk impact measure, as “financial loss” is often understood in different ways. It can mean a loss of revenues, loss in value of the company, decrease in profit, decrease in cashflow… This means that people are using the same language, but the words mean different things, an optimal setup for a lot of confusion.

Falsifiable A famous anecdote attributed to Wolfgan Pauli (noble price winner in physics), tells a story of when a friend showed him a paper of a young physicist, and asked if Wolfgan thought the papers conclusion was right. His response was “That is not only not right; it is not even wrong”. The moral of the story is that if a claim (such as risk assessment), is so vague, that it can’t be falsified, it is even worse than wrong. For one to ensure that a risk assent is falsifiable, it should relate to some observable phenomenon that the risk measure can them be benchmarked against. It is common occurrence that, risk measures are so detached from reality that one can practically make any estimate, and it would not be wrong.

Relevant and actionable Optimally a good risk measure has direct implications for the management of the organization. In this way the risk assessments results are actionable. For instance, the information that a realization of a given risk would lead to a loss that would put the repayment of a loan in jeopardy, clearly indicates that likelihood of realization has to be minimized even if that would lead to substantial costs. Similarly risk assessment indicating a large change for human injury clearly points the course of action.

Ease of use In the end risk measures have to be used by people. This means that if the risk measure is utterly impossible to estimate or that its meaning is too difficult to understand, it is no good. This is the reason why sophisticated risk measures like “expected shortfall” rarely find their way out of financial institutions. This is also where us risk consultants, often fail the test. Striking the balance risk measure being precise enough to be ‘at least wrong ‘, while being understandable is no mean feature.

Time assessment Risk measure should be most of the time linked to time or time horizon. For instance, common risk measure that is used is “probability of realization”. Most of the time the risk documentation of an organization fails to mention what is the time horizon for a probability. Not defining the probability in terms of time horizon, means that events like “bankruptcy of supplier” would need to be given very high probability ( +50%). This clearly is very uninformative. Much better measure for bankruptcy would be “2% likelihood next year”. Similarly, if we assess the financial implications of “new market entrant”, it is much more sensible in discussing the losses during next year or during the next 5 years rather than losses without any mention of time horizon.

Risk measurement system cannot capture everything

While the guidelines from above can help one design a good risk measurement system, the fact remains that no system can fully capture all aspects that makes a risk ‘serious’. The reason is that the level of risk is a very multidimensional issue, and if one wants to take all dimensions into account, the result is usually more chaos than added value.

Examples of possible dimensions that could affect how serious risk is include: the loss of profit, the decrease of value of the company, The decrease in cashflow or liquidity, how quickly the risks effects materialize, how persistent the effect of the risk is, how likely it is that multiple risks happen at the same time, level of employee health and safety endangered, level of possible environmental damage, level of social impact to external stakeholders, … You get the picture.

Thus, in addition to using a systematic way to assess risk, leave space for judgement calls and common sense!

Key takeaways

– Risk assessment starts with setting up a coherent risk measurement framework;
– Impact x Likelyhood is not acceptable as only risk measurement system;
– Good risk measure is: Objective, Falsifiable, Relevant, Easy to use, and tied to time horizon;
– Risk measurement framework can never be complete, so supplement it with common sense;
– Good risk measurement framework captures multiple dimensions of risk;

Next time I will be putting the risk measurement system in practical use by discussing how to perform a risk assessment.

P.S.: To refresh your knowledege about systematic risk management check a few previous articles:

How to manage risks systematically?

How to identify risks?

How to define “a risk”?


Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.