We have now looked at describing risk, and at controls and assurances, so now we can move on to risk evaluation.
Our risk appetite guides risk evaluation, yet organisations rarely give it much thought. Where they consider it at all, they often give risk appetite a bland label: “We’re risk averse” or “we are a risk taking business”. Risk appetite is much more subtle than that, and even within the same business there will be different risk appetites for different types of risk.
Consider a futures trading company, for example. Essentially, it takes relatively high-risk ‘gambles’ against the future price of a commodity, even a commodity that doesn’t exist yet, pork bellies for instance. The company might describe its risk appetite as high, but this would be misleading. The company is unlikely to be comfortable taking enormous risks with its employees’ safety, and it is likely to be equally uncomfortable taking decisions that would put it in breach of legislation. So, its risk appetite might be described as quite low in these areas.
Equally, risk appetite can vary depending on the context of a risk. In our personal lives we might be very risk averse when we consider running into a burning building. We might take that risk if one of our children were in the building though. The same considerations are true for organisations; a hospital might be prepared to undertake a high-risk procedure for a very sick patient with limited alternatives. However, it is unlikely to undertake a high-risk procedure for a minor ailment. A bank may normally refuse to lend for a high-risk project, but might take a different view with a long-standing customer who has a previously good financial history.
Risk appetite, therefore, is difficult to express and capture. Without an adequate understanding of risk appetite though, the evaluation of risk has no context. If your organisation is just beginning the risk journey, a statement of risk appetite that doesn’t adequately cover the position of the organisation is better than nothing. You can amend, adjust and tweak your statement as your real risk appetite is exposed by the organisation’s reaction to the risks that are discussed. Eventually, your statement of risk appetite will be comprehensive and descriptive.
Components of Risk Evaluation
Once we have a risk appetite, we can begin to evaluate our risk. In almost all accepted risk management standards and guidance, the elements that guide evaluation are likelihood and impact. Some systems use different words, so instead of likelihood they may use terms such as frequency, probability, prospect or chance. Instead of impact they may use terms such as consequence or effect; and I’m sure there are others. To save confusion I will stick with likelihood and impact.
The fundamental question is: if the risk under consideration materialises, what is going to happen (impact), and how frequently or how probably will it happen (likelihood)? Guidance should give some consistency to these judgements, so we need a table that describes what we mean by our different levels of evaluation.
We might ask two questions at this stage:
- Should I describe these levels or use numeric scoring?
- How many levels should I have in my evaluation criteria?
Numbers or Description?
Organisations most frequently evaluate risk using numeric scoring, although some organisations describe risk instead. The idea behind using a description is that it is somehow more meaningful than a number. The issue, however, is that you need to undertake the same work either way: defining levels of impact and likelihood, and describing how these are to be combined into a risk description or score. Then you have an outcome. In the descriptive mechanism, however, you will end up with a result such as “moderate”, which will have different meanings for different people: is “moderate” a higher or lower risk than “medium”? Whereas you can’t really argue with “25”, can you?
As for the number of levels, I have seen ranges from two levels for each of likelihood and impact, up to ten levels of each, giving between four and 100 potential risk evaluation outcomes – so the range is huge! The key here is to have enough levels to give appropriate distinctions, but not so many that it causes confusion. The most common that I have seen is five levels of both likelihood and impact (giving 25 potential risk outcomes). I have also seen both four and six of each with the reasoning that there isn’t a “middle option”, which tends to attract those who cannot make up their mind!
Once an evaluation of both likelihood and impact has been completed, these need to be combined into a risk score. In numerical methods this is most frequently achieved by multiplying the individual scores. We need to exercise some caution here because there is a tendency, particularly in new risk assessors, to evaluate the biggest impact and combine it with the most likely.
Let me give you a silly example. Your house is probably on or near a flight path, so every day there will be many aircraft flying overhead. We know that aircraft are involved in accidents. The crash can destroy whole towns and kill hundreds. So, if aircraft are flying over your house every day this is very frequent. Destruction of a whole town is catastrophic. So living in your house means that you are at an unacceptably high risk of being killed by an aircraft! Like I said, a very silly example, but it does show what can happen if we combine the score of the most serious impact with the most frequent occurrence. In reality, this risk does have a catastrophic impact, but the likelihood is so low as to be unworthy of any genuine consideration.
Even if we avoid this pitfall, there are still two problems with risk evaluation.
The first is that evaluation is quite a subjective issue. So, a score for a risk is not going to derive from any absolutes. An individual will make a judgement. So when risk is discussed there is often a focus on the validity of the score rather than dealing with the risk. In fact, the whole process of risk management can be a little like that, where we spend inordinate amounts of time discussing the process rather than the risk. I caution against that, and scoring a risk is the first of those points that can create this fruitless discussion.
Over-interpreting the descriptors
The second problem is the tendency for people to over-interpret risk descriptors, rather than using them as guidance. So let us imagine that we are a manufacturer leasing factory premises in a known flood risk area. The manufacturer has evaluated our fictitious flood risk as a once-every-five-years event with a medium impact (the factory itself doesn’t flood, but access is reduced). When reviewing the event the factory manager says, “but I’ve worked here for seven years and have never seen a flood”.
The issue with this comment is that the evaluation is subjective, and the fact that the site hasn’t flooded for, let us say, twelve years (i.e. the seven years that this particular manager has worked here and the five years before that) does not mean that it will not flood every year for the next three. The risk, whilst guided by past events, should not simply be a reflection of those events. It should be an interpretation, and that interpretation should come not from people who happen to be very senior and so can dictate their view, but from experts within the organisation who have taken a balanced view of the issue. Again, this can cause enormous debate. I caution against allowing the subjective nature of evaluation to get in the way of actually managing risk.
Advantages of Risk Evaluation
So if it creates these problems, why evaluate risk at all? Risk evaluation gives us the ability to:
- compare risks of different types
- observe the effect of our controls
- understand how any particular risk relates to our risk appetite
The difficulty with risk in general is that risks of different types are hard to compare. Risk evaluation, correctly balanced with risk appetite, allows a simple comparison of risk. So an organisation can compare the risk of a breach of legislation with the financial risk of mergers and acquisitions. Directors can then direct strategy and resource deployment towards those things that present the greatest risk to the organisation.
Inherent and Residual Scoring
To understand the second advantage of risk evaluation, there must be one risk evaluation that tells us about the risk when none of our controls are in place, and another evaluation with the existing controls in place (refer to my previous post about controls here). The first score, usually called the inherent risk, is NOT a score with no controls in place at all. It is a score without the controls that we have put in place for this particular risk.
Let us look at the risk of police drivers driving under blue light conditions. They drive very quickly, increasing the risk. They deliberately take risks that other drivers would not, because they are dealing with an emergency. The inherent risk of them having an accident is high, but they have special training that reduces that risk. The control in this case is the special training that police drivers receive to drive under these conditions.
What does the inherent score measure?
The inherent score does not remove all controls, only that special training. The police drivers themselves do not lose all ability to drive a car normally, so they will still all hold normal driving licences. The traffic lights will all still work. Other drivers will not suddenly start driving on the wrong side of the road. No one will suddenly remove all road signs and road markings. The risk is specifically about driving under blue light conditions, and so the controls are those that we specifically put in place to manage the risk of driving under blue light conditions.
The score after controls, often called the residual score, shows the effect of these controls. So the difference between the inherent and residual scores (sometimes, just to be a bit technical, called the risk vector) gives an idea of the level of control that has been introduced. This becomes important later when we consider audit.
Evaluation linked to appetite
The third advantage outlined is that the evaluation will show how the risk relates to our risk appetite. So our risk evaluation, whether a score or a description, will show how the risk relates to the organisational statement of risk appetite. We will have a range of scores or descriptions that are within the acceptable range, another range that are unacceptable and that we will work on, and a small number that are utterly catastrophic and that we need to rectify urgently.
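As an added illustration (not part of the original post), here is a small Python model of the scoring described above: five levels each of likelihood and impact multiplied into a 25-point score, an inherent score evaluated without the controls put in place for that risk, a residual score with them, the risk vector between the two, and a mapping onto appetite bands. The level values, band thresholds and register entries are constructed for the example and are not figures from the post.

```python
from dataclasses import dataclass

LEVELS = range(1, 6)  # five levels each of likelihood and impact: 25 possible outcomes

def score(likelihood: int, impact: int) -> int:
    """Combine the two evaluations by multiplication, the most common numeric method."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError("likelihood and impact must each be a level from 1 to 5")
    return likelihood * impact

# Band thresholds are assumed for illustration; a real statement of risk appetite sets them.
def appetite_band(risk_score: int) -> str:
    if risk_score <= 6:
        return "acceptable"
    if risk_score <= 15:
        return "unacceptable"  # outside appetite: work on it
    return "catastrophic"      # rectify urgently

@dataclass
class Risk:
    name: str
    inherent_likelihood: int  # evaluated without the controls put in place for this risk
    inherent_impact: int
    residual_likelihood: int  # evaluated with those controls operating
    residual_impact: int

    def inherent(self) -> int:
        return score(self.inherent_likelihood, self.inherent_impact)
    def residual(self) -> int:
        return score(self.residual_likelihood, self.residual_impact)

    def risk_vector(self) -> int:
        """Inherent minus residual: how much control has been introduced."""
        vector = self.inherent() - self.residual()
        if vector < 0:  # a control cannot make the risk worse; the evaluation is wrong
            raise ValueError(f"{self.name}: residual score exceeds inherent score")
        return vector

def rank_by_residual(register: list[Risk]) -> list[Risk]:
    """Put risks of different types on one scale, highest residual risk first."""
    return sorted(register, key=lambda r: r.residual(), reverse=True)

# Constructed register: the post's blue-light risk with assumed levels, and a flood risk
# (once every five years taken as likelihood 3, medium impact as 3) to compare against.
REGISTER = [
    Risk("blue-light driving accident", 4, 5, 2, 5),    # training lowers likelihood only
    Risk("site flooding restricts access", 3, 3, 3, 2),  # assumed access plan lowers impact
]

for r in rank_by_residual(REGISTER):
    print(f"{r.name}: inherent {r.inherent()} -> residual {r.residual()} "
          f"(vector {r.risk_vector()}, {appetite_band(r.residual())})")
```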
Evaluation is tricky, but if done properly is rewarding and adds value to both the risk management process and the business overall.