Risk Criteria Tables

Key messages: The do’s and don’ts with Risk Criteria Tables

I have decided to tackle this article as a series of do’s and don’ts. In my experience there are some critical do’s and don’ts, and if the don’ts continue to be practised then our relevance as risk managers diminishes greatly. The risk criteria tables are at the heart of the risk assessment process, which starts with risk identification, goes through risk analysis and ends with risk evaluation.

It is too late to start developing, reviewing or confirming the tables once you have started the initial risk assessment. Do make sure this is all done in the “Establish the Context” step. This step is essentially the risk planning process, and a vital part of it is determining how many tables are needed and of what types, and recognising that a one-size-fits-all approach to risk tables is not good enough. Take the time to understand, from the context, whether the risk assessment that follows needs both threat and opportunity tables.

Will these tables include qualitative descriptions, quantitative values embedded in specific ranges, or something in between? If quantitative tables are used then there is probably little value in establishing an overall risk rating table; rather, it would be more prudent to focus on the risk rating results and assign ranges that are applicable to each level of risk appetite. Do use an “even” number of levels of granularity (4, 6 or 8 rather than 3, 5 or 7). My argument is simply one about human nature.

If you are given a problem and are seeking a solution, the general consensus is to take the middle ground. Given the choice of judging an impact as high, medium or low, the majority would pick medium if there was any degree of uncertainty. However, given the choice between extreme, high, medium or low, we are forced to go to one side or the other depending on how we view the impact at that specific point. Forcing individuals to decide which side of the fence they are willing to sit on is far more valuable than having everyone sitting on the fence itself.

Having decided on the number of levels, when constructing the actual tables try to use empirical evidence wherever possible. It should be noted that historical or empirical data, whilst good in itself, may bring in a number of biases when we are talking about future events, their probability of occurring and, if they do occur, their impact on the objectives. Using historical data to predict the future is fraught with danger. One clear example of this is the one-in-one-hundred-year flood. As Queensland, Australia found out recently, this event can occur two years in a row. So much for historical data and mathematical modelling. Be sure you have a clear understanding of the assumptions that underpin the numbers. Risk management has become sophisticated and uses tools such as Monte Carlo simulation to help bring in a level of confidence when using quantitative data. Again, a warning: be careful what the numbers tell you and on what assumptions the input numbers are based.
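As an added example, not from the article: the one-in-one-hundred-year flood as a small calculation whose answer depends entirely on one assumption. With independent years and a 1% annual probability, the exact chance of the event occurring in two consecutive years at least once within a century is about 1%; the dynamic programme below computes it, and a Monte Carlo run reproduces it. Change one assumption, that a flood year makes the following year wetter (an assumed 20% probability, a constructed figure), and the same “one in a hundred” label gives a result many times larger. The model and all its parameters are illustrative assumptions, not data from Queensland.

```python
import random


def exact_prob_consecutive(n_years, p):
    """Exact probability of at least one back-to-back pair of event years in
    n_years, assuming every year is independent with annual probability p.
    A two-state dynamic programme: probability that no pair has occurred yet,
    split by whether the most recent year was dry or wet."""
    dry, wet = 1.0 - p, p
    for _ in range(n_years - 1):
        # next year dry: reachable from either state; next year wet: only from dry
        dry, wet = (dry + wet) * (1.0 - p), dry * p
    return 1.0 - (dry + wet)


def simulate_prob_consecutive(n_years, p, p_after_event=None, trials=50_000, seed=1):
    """Monte Carlo estimate of the same quantity.

    p_after_event is the probability used in the year following an event year;
    None means years are independent (the textbook '1 in 100' assumption), while
    a value above p encodes a constructed 'clustering' assumption."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    if p_after_event is None:
        p_after_event = p
    hits = 0
    for _ in range(trials):
        prev = False
        for _ in range(n_years):
            event = rng.random() < (p_after_event if prev else p)
            if event and prev:
                hits += 1
                break
            prev = event
    return hits / trials


if __name__ == "__main__":
    exact = exact_prob_consecutive(100, 0.01)
    independent = simulate_prob_consecutive(100, 0.01)
    clustered = simulate_prob_consecutive(100, 0.01, p_after_event=0.2)
    print(f"independent years, exact:       {exact:.4f}")
    print(f"independent years, Monte Carlo: {independent:.4f}")
    print(f"clustered years,   Monte Carlo: {clustered:.4f}")
```

The point of running both is that the Monte Carlo output looks equally authoritative in both cases; only the independence assumption fed into it decides whether “two years in a row” is a 1-in-100 surprise or an expected outcome, so that assumption is what the table’s users need to see.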

Do consider using qualitative tables as a first pass to assist the prioritisation of the risks and thus enable you to draw a line in the sand when it comes to risk appetite. Use a quantitative approach for subsequent risk analyses, where you are focussing on those events that are well beyond our risk appetite to absorb and for which we need to take significant proactive action and/or develop comprehensive fallback plans.

Do use the same Probability Table for threats and opportunities. My argument here is that, whether the result is positive or negative for your objectives, the same probability ranges and levels can and should be used for both. For example, if we are going to analyse the probability of a risk event as rare, unlikely, likely or almost certain, then when we focus on the likelihood it has no effect on the subsequent impact, which could be either positive or negative.

Don’t make complicated impact tables, but do separate the Impact Tables for threats and opportunities. This is where “one size does not fit all” is exemplified. For example, consider an organisation trying to determine the top 10 risks that the BOD should focus on. It is a multibillion dollar company, and a project within one of its subsidiaries has identified a risk with a million dollar negative impact. The project in which this risk event was identified has analysed the event and determined that it would be catastrophic to the project if it actually occurred. Yet when it is placed in the overall organisational context, a loss of a million dollars would not disrupt the business as a whole, or would have only minimal impact on it. The risk appetites of the project and of the organisation are therefore necessarily different, which may require either separate tables or tables that enable the translation of a catastrophic risk at the project level into what equates to a minor risk at the organisational level.

Do discuss the risk appetite and potential tolerances when developing the risk rating table. Many organisations use a colour coding approach to assist in the identification of risk appetite; colours such as Red, Yellow, Green and Blue have been used. Regardless of the colours selected, do make sure that their meaning is well articulated in a legend that supports the table. Generally the legend refers to the action to be taken, the time in which the action must be taken and to whom the event should be reported. Colour coding of the risk appetite also aids in identifying those risks that need urgent attention.

Don’t just rely on the mathematics for this table. If you use a semi-quantitative approach, be careful using simple mathematics to populate the boxes. Consider a low probability, catastrophic impact risk event. On a semi-quantitative scale the score may be 1 x 5 = 5. If you had created the tables indicating that the highest-scoring risks are the ones to be concerned with, then there is some danger. The maths tell one story, but when you look at the words you think: well, there is a low probability of the risk occurring, which is positive, but if it does occur then it will be catastrophic.

Do you assess it as acceptable, and therefore within your risk appetite, and trust the maths? Or do you actually say, wait a minute, I should also be worried about this risk event because if it does occur it will be catastrophic for the project/activity/organisation?
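The three points above (separate impact tables per context and per threat/opportunity, a legend that carries action, timeframe and reporting line, and not trusting the arithmetic alone), as a worked example that is not part of the original article: a small Python model of a semi-quantitative risk criteria set. It uses four probability levels shared by threats and opportunities, separate threat and opportunity impact tables with distinct project-level and organisation-level thresholds, a colour legend, and a rating rule in which a catastrophic impact is never rated below “high” however rare it is. Every monetary threshold, band boundary and legend entry is a constructed assumption, not a figure from the article, and the impact tables use four levels (the “even” advice) rather than the five in the 1 x 5 illustration.

```python
from dataclasses import dataclass

# One probability table, shared by threats and opportunities (four levels, no middle).
PROBABILITY = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}


@dataclass(frozen=True)
class ImpactLevel:
    name: str
    score: int
    upper_bound: float  # largest absolute financial impact (dollars) still in this level


# Impact tables: separate per context and per threat/opportunity.
# All thresholds below are constructed for the example, not figures from the article.
PROJECT_THREAT_IMPACT = [
    ImpactLevel("minor", 1, 25_000),
    ImpactLevel("moderate", 2, 100_000),
    ImpactLevel("major", 3, 500_000),
    ImpactLevel("catastrophic", 4, float("inf")),
]
ORG_THREAT_IMPACT = [
    ImpactLevel("minor", 1, 5_000_000),
    ImpactLevel("moderate", 2, 50_000_000),
    ImpactLevel("major", 3, 250_000_000),
    ImpactLevel("catastrophic", 4, float("inf")),
]
PROJECT_OPPORTUNITY_IMPACT = [
    ImpactLevel("marginal", 1, 25_000),
    ImpactLevel("useful", 2, 100_000),
    ImpactLevel("significant", 3, 500_000),
    ImpactLevel("transformational", 4, float("inf")),
]

# Legend for the rating bands: colour, action, timeframe, who is told. Constructed.
LEGEND = {
    "extreme": ("red", "treat now or stand up a fallback plan", "within 1 week", "board"),
    "high": ("yellow", "treatment plan required", "within 1 month", "executive"),
    "medium": ("green", "monitor; treat if cost-effective", "next quarterly review", "risk owner"),
    "low": ("blue", "accept and record in the register", "annual review", "risk owner"),
}


def impact_level(amount, table):
    """Map an absolute financial impact to a level of the given impact table."""
    amount = abs(amount)
    for level in table:
        if amount <= level.upper_bound:
            return level
    raise ValueError("impact table must end with an open-ended top level")


def band_for_score(score):
    """Pure arithmetic banding of a probability x impact score (range 1..16)."""
    if score >= 12:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rate(probability, impact, override_catastrophic=True):
    """Return (score, band) for a probability level name and an ImpactLevel.

    With override_catastrophic=True the top impact level is never rated below
    'high', however rare it is: the words override the arithmetic, which is the
    'don't just rely on the mathematics' rule applied mechanically."""
    score = PROBABILITY[probability] * impact.score
    band = band_for_score(score)
    if override_catastrophic and impact.score == 4 and band in ("low", "medium"):
        band = "high"
    return score, band


if __name__ == "__main__":
    million_loss = -1_000_000  # the article's million dollar negative impact
    project = impact_level(million_loss, PROJECT_THREAT_IMPACT)
    org = impact_level(million_loss, ORG_THREAT_IMPACT)
    print(f"$1M loss: project={project.name}, organisation={org.name}")
    print("project threat rating matrix (rows: probability, columns: impact):")
    for prob in PROBABILITY:
        print(f"  {prob:>14}: {[rate(prob, lvl)[1] for lvl in PROJECT_THREAT_IMPACT]}")
    score, band = rate("rare", project)
    print(f"rare + catastrophic: score={score}, band={band}, legend={LEGEND[band]}")
```

Running it shows the same million dollar loss classified as catastrophic on the project table and minor on the organisation table, and a rare catastrophic event scoring 4 (which the arithmetic alone would put in the same band as a likely moderate event scoring 6) being lifted to “high” so that the legend’s action and reporting line apply to it.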

Whilst there are several other do’s and don’ts I think that if we can get these sorted then Risk Managers will be well on their way to undertaking valid risk assessments.

Note: there is an assumption that those reading this article are aware that risk criteria tables are used in the risk analysis process.

