Your 15.5 risk is of no interest at all! I have a 15.6 risk! Hm, I only have a 13.1
You know you’re doing that. But will you admit it, and learn, and move to something better ..?
There’s a lot wrong in risk management today. I mean, not only can one still rant about the ‘three lines of defense’ (quod non) as I do regularly on this blog, but one can also dive into the details of how risks are managed, if not when, and find a lot of systemic error and particularly, non-thinking all around.
Let’s start with one core element: weigh(t)ing and comparison of risks. With my guesses, based on decades of experience and science/literature:
Do you include all risks, or just the tiny fraction that your mind can get a hold of? My guess is: The latter. So you miss the vast majority of the risk universe and will be grossly incomplete.
Do you include upside potentials (actions unthought of, and uncontrolled/unsmashed by measures) too? My guess is: No, again you’re incomplete, but also you’re so biased I can’t trust you anymore.
Do you use High-Medium-Low for impacts? My guess is: Yes. Or you use 1-5 scales or so, maybe (sic) even with sort-of indicator thresholds or brackets to determine what goes where. But you don’t realise that impacts can vary, very much so and in time, too. Averages will not do in subsequent calculations or other analysis! You must have (continuous!) impact functions of time and chance. If they’re hard to establish (I’d say: Impossible, given the scarcity of data!), that’s your bad.
Do you use High-Medium-Low for probability (frequency expectations)? My guess is: Yes. Or you use 1-5 scales or so, maybe (sic) even with sort-of indicator thresholds or brackets to determine what goes where. But you don’t realise that probabilities can vary, very much so and in time, too. Averages will not do in subsequent calculations or other analysis! You must have (continuous!) probability functions of time and impact. If they’re hard to establish (I’d say: Impossible, given the scarcity of data!), that’s your bad.
Do you know the difference between statistics and chance calculus? I guess not. Hah, and then you still abuse both ..? Do you know the difference between discrete and continuous mathematics (functions)? If not, you’ll make errors all around. How would you arrive at a 15.5 score when all choices are discrete 1-5 …?
And if you notices the duality of impact functions of probability, and probability functions of impacts; you’re welcome. And if you noticed that on top of this all, you should also calculate (sic) for the cost (impact) of pre-emptive, detective, corrective etc. measures, and the chances of their partial or full (in)effectiveness, in a mesh of cause and effect.
Do you use Impact X Chance to establish severity of risks? Guessed so. But unless you take the whole continuous (!) two-dimensional landscape of every risk into account, you’re gonna fail with certainty.
Do you compare relative risks by their combined scores? Yeah, that indeed was the whole purpose of your exercise. But you failed already on so many points, the results are both literally and figuratively ridiculous
And you continue by considering a ‘15.5’ risk to be worse or higher than some ‘15.4’ risk….
And you don’t consider the enormous mesh of causes and effects (just one by one, or per single event only) with all sorts of feedback and feedforward loops, and the mesh of ‘preventative’, detective and corrective mitigating measures in between, all with their distinct cost(impact!)s, mutual reliance, reinforcements or and other influences, all with their inefficiencies and ineffectiveness (sic) levels – in percentages? In number of incident elements caught and missed?
We may continue. But it’ll lead to more of the same; you’re fooling yourself, and fooling decision makers. Didn’t know that that was in your job description. What would you think would happen if the decision makers would find out?
And oh yes they will! You lead them astray so much, that they will find (you) out about plain wrong negative impact times frequency totals in Write-Offs, and when (not if) they’ll dig deeper, find quite a lot of unnecessary, inefficient and ineffective Risk Mitigation Measures Overhead Cost.
Is there another way? Yes of course.
But it’s not easy. It takes the European (vis-à-vis the wrongly dubbed Anglo-Saxon) approach where the focus is not on data but on qualitative scenarios. As with data, these can be had externally, or internally from experience and insight. As with data, external inputs can be of doubtful relevance and fit. As with data, internal input may (in case of data: will!) be (much) too limited to work with. And yes, going through the motions to determine some risk on all four areas (external vs. internal, data vs. scenario) and finding some gross common denominator, one can get a balanced view on things. But it’ll be balanced over four erroneous outcomes; way to go!
If the outcomes will be understood at all. Value At Risk being the case in point, that would better be called Amount of Company Value Not Being Lost At Some Random Probability. Or so, depending on your working definition and working understanding of VaR…
The only solution seems to be to stop using a quantitative approach and switch to a radical qualitative approach. This may be awkward, but quantities are just so much too weak to describe reality that they are a fly in the face fraud.
And indeed, we we don’t know how to do organisation-wide qualitative risk analysis and management let alone how to do it for meso- and macro-levels, let alone how to communicate, understand and argue about one risk to the next. But we have nothing else that can work; we must. And, it may fit better with the way humans, the human brains, work, with all their psychological ‘flaws’ (quod non!) in the management of risks. Kahnemann, remember? Well, maybe to align with what our brains have gotten used to handle over the aeons, from the savannah to our latter-day deserts of cubicle offices may be the best way to go. And why not? Do you really want to argue that today’s offices differ from hunter-gatherer tribes batteling the elements, predators and prey, and other tribes?
So, qualitative management of risk it is. Any takers?