I have never been completely satisfied that professional literature has correctly addressed the concept of Risk Assessments. COSO’s Enterprise
Unfortunately, these two concepts – likelihood and impact – tend to be an ineffective way to measure risk in the real world.
The Problem
Although it seems like you should be able to look at a particular risk and make these two evaluations – “what is its potential impact?” and “what is its likelihood?” – you immediately run into problems. Here’s an example. You’ve identified the risk of ‘Inaccurate data stored in our customer files.’ You’re starting to assess its likelihood and impact and the following incongruity pops up. It’s very reasonable for both of these statements to be true:
- It’s very unlikely that we’ll have widespread data errors.
- It’s very likely that we’ll have isolated data errors.
Said another way, there’s a low likelihood of a high impact, but there’s also a high likelihood of a low impact. Your answer to one question depends upon which view you’ve taken of the other. Which is the right answer to capture in the risk assessment process? If both are true then you are almost assured of getting some combination of both responses from different evaluators or even the same evaluator across different risks. My experience has been that this problem pops up almost every time. You can’t avoid it because the underlying assumption that you can make independent unqualified evaluations of likelihood and impact is FALSE.
Fixing the Problem
The problem results from the interdependence of the two concepts. So, let’s work to eliminate this interdependence by coming up with a less ambiguous and more practical approach to evaluate risks.
What are we actually trying to accomplish with this risk assessment process? Which of these two questions is your executive
- Which risks require our vigilance because they will occur on a regular basis?
- Which risks require our vigilance because they could cause us some real hardships?
Both questions are valid, but I think that in most organizations question #2 has more practical value, especially at the executive level. So, let’s move forward by first focusing on ‘impact’.
To avoid the problem we just identified, is there a way to identify the level of potential ‘impact’ while initially ignoring the concept of ‘likelihood’? An easy way to accomplish this is to examine the specific objective(s) that this risk relates to. For instance, if management has indicated that an email
Next, we look at likelihood. Let’s address this at a very practical level. We will ignore the possibility that the risk could occur at some minimal level. The very fact that we have identified the risk in the first place tells us that. Instead, ask the evaluators to consider the likelihood that this risk will actually prevent the success of this goal. This lets us look at the likelihood of the risk using a very clear point of reference. Provide your evaluator(s) with instructions like “Given everything that you know about our
To recap – we typically experience a very real problem when we evaluate each risk as a stand-alone exercise. The problem is that the two typical “independent” risk assessment questions are not, in fact, independent. The key to eliminating this problem is to focus on the goal, not the risk. Impact gets a better definition by focusing on the significance of the associated goal (as determined by management separate from any risk assessment activity). Likelihood gets redefined to focus on the real-world potential that this risk will prevent the organization from achieving the goal.
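A small worked illustration of the two approaches just described, added here and not part of the original post: it scores the customer-data risk the traditional way under the page’s two framings (plus an evaluator who splits the difference), then ranks a pair of constructed risks by the goal-anchored method, where impact is the goal’s management-assigned significance and likelihood is the chance the risk actually prevents that goal. The 1-to-5 scales, the goals and every rating below are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Goal:
    name: str
    significance: int  # 1 (minor) .. 5 (critical); set by management, not by the risk assessment

@dataclass(frozen=True)
class Risk:
    name: str
    goal: Goal
    likelihood_prevents_goal: int  # 1 (remote) .. 5 (near certain) that the risk stops the goal

def traditional_score(likelihood: int, impact: int) -> int:
    """Classic likelihood x impact, with both judged per risk in isolation."""
    return likelihood * impact

def goal_anchored_score(risk: Risk) -> int:
    """Impact is the goal's significance; likelihood is anchored to that goal."""
    return risk.goal.significance * risk.likelihood_prevents_goal

# The page's incongruity: one risk ("inaccurate data in our customer files"),
# scored the traditional way under three equally defensible framings.
# Scale values are constructed for illustration.
FRAMINGS = {
    "widespread errors: unlikely, high impact": (1, 5),
    "isolated errors: likely, low impact": (5, 1),
    "evaluator who split the difference": (3, 3),
}

def traditional_scores_for_framings() -> dict[str, int]:
    """Same risk, same evaluator pool, three different scores (5, 5 and 9)."""
    return {name: traditional_score(lik, imp) for name, (lik, imp) in FRAMINGS.items()}

# Goal-anchored version: goals and ratings below are constructed examples.
CUSTOMER_RECORDS = Goal("Maintain accurate customer records", significance=4)
EMAIL_AVAILABILITY = Goal("Keep email available during business hours", significance=2)
RISKS = [
    Risk("Inaccurate data stored in our customer files", CUSTOMER_RECORDS, likelihood_prevents_goal=3),
    Risk("Mail relay outage", EMAIL_AVAILABILITY, likelihood_prevents_goal=4),
]

def rank_risks(risks: list[Risk]) -> list[tuple[str, int]]:
    """Highest score first; ties go to the risk attached to the more significant goal."""
    ordered = sorted(risks, key=lambda r: (goal_anchored_score(r), r.goal.significance), reverse=True)
    return [(r.name, goal_anchored_score(r)) for r in ordered]
```

Note that the middle-of-the-road evaluator scores the risk highest under the traditional method, which is exactly the inconsistency the post describes; the goal-anchored ranking has only one defensible answer per risk.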
Using this approach, risk assessment activities are less theoretical and far less ambiguous. Because the risk assessment process is now based on the importance of the related goal(s), it operates within the boundaries of what’s important to your organization.