GRC Tuesdays: Mitigating the Human Bias in Risk Analysis
In any risk management framework, risk analysis is a very delicate part of the process. Indeed, risk analysis is often the work of one single person: the risk owner, whose views sometimes carry all the way up to the reporting layer.
Just to make sure that we’re all aligned here: by risk analysis, I am referring to the process of providing an assessment on a potential threat (the risks) or benefit (the opportunity) in terms of probability and outcome to get a view on the exposure. It can of course sometimes include more criteria (velocity, sensitivity, etc.) but you get the idea: the intent is to answer the question “what’s the risk level?” so that there can be a decision on what to do about it.
To get this information, the risk owner (who is often the business process owner or area expert) is asked to provide an assessment. Unfortunately, as during trials when expert witnesses are called, the pendulum can swing one way or the other depending on the evaluation made by the expert, here the risk owner. A risk can be escalated as critical, or many mitigation efforts can be thrown at it, if deemed too high; at the very other end of the spectrum, a risk can fly under the radar if deemed very low. Often, this is based on the subjective assessment of an individual. A risk-averse person might be inclined to paint a dark picture whereas a risk-seeker might be more optimistic. In both cases, there is a personal bias that might play against the organization and divert attention.
And, since the risk assessment is going to roll up into the risk reporting, or require resource investment from the organization, it's quite critical to get it right.
So the question then becomes: how do we continue to seek expert views, which are of utmost importance in the process, but mitigate the human bias? And this doesn't necessarily mean fully eliminating this bias!
Collaborative Risk Assessment
The very first option that I would suggest is to carry out a collaborative risk assessment.
In this approach, two or more stakeholders are asked to assess the risk independently. The results are then consolidated and reviewed, and can then be used to update the risk assessment.
One thing that I like about this approach is that you can have people from different functions (Legal, HR, Manufacturing, etc.) assessing the same risk. This creates a complete view of all potential impacts, which makes the assessment all the more thorough.
Usually, the risk owner can then decide to exclude some extreme views so that these don't skew the assessment. Once again, the idea is to mitigate the human bias!
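As an added illustration of the consolidation step described above (this is example code written for this post, not part of any GRC product), the snippet below takes independent likelihood/impact ratings from several functions, ranks them by exposure, sets aside the most extreme view at each end when enough views exist, and reports the consolidated score together with the spread between assessors. The assessor names, the 1-to-5 scales and the rating bands are constructed assumptions; real frameworks define their own.

```python
from dataclasses import dataclass
from statistics import mean, median


@dataclass(frozen=True)
class Assessment:
    """One stakeholder's independent view of a single risk (1-5 scales assumed)."""
    assessor: str    # function providing the view, e.g. "Legal" (constructed)
    likelihood: int  # 1 = rare ... 5 = almost certain
    impact: int      # 1 = negligible ... 5 = severe

    @property
    def exposure(self) -> int:
        # Simple likelihood x impact exposure, as on a 5x5 risk matrix.
        return self.likelihood * self.impact


def rating_band(exposure: float) -> str:
    """Map an exposure score onto a reporting band (thresholds are assumptions)."""
    if exposure >= 15:
        return "High"
    if exposure >= 8:
        return "Medium"
    return "Low"


def consolidate(assessments: list[Assessment], trim: int = 1) -> dict:
    """Consolidate independent views into one score.

    The `trim` highest and lowest exposures are excluded so that a single
    optimistic or pessimistic assessor cannot skew the result; trimming only
    happens when at least three views would remain, otherwise every view is kept.
    The full spread is always reported so the risk owner can see disagreement.
    """
    if not assessments:
        raise ValueError("at least one assessment is required")
    ranked = sorted(assessments, key=lambda a: a.exposure)
    if trim > 0 and len(ranked) >= 2 * trim + 3:
        kept = ranked[trim:len(ranked) - trim]
        excluded = ranked[:trim] + ranked[len(ranked) - trim:]
    else:
        kept, excluded = ranked, []
    scores = [a.exposure for a in kept]
    consolidated = round(mean(scores), 1)
    return {
        "consolidated_exposure": consolidated,
        "band": rating_band(consolidated),
        "median_exposure": median(scores),
        "spread": ranked[-1].exposure - ranked[0].exposure,
        "excluded": [a.assessor for a in excluded],
        "kept": [a.assessor for a in kept],
    }


# Constructed sample: five functions assess the same risk independently.
SAMPLE_VIEWS = [
    Assessment("Legal", likelihood=3, impact=4),          # exposure 12
    Assessment("HR", likelihood=2, impact=3),             # exposure 6
    Assessment("Manufacturing", likelihood=4, impact=5),  # exposure 20
    Assessment("Finance", likelihood=3, impact=3),        # exposure 9
    Assessment("IT Security", likelihood=2, impact=5),    # exposure 10
]

if __name__ == "__main__":
    result = consolidate(SAMPLE_VIEWS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the sample views, the lowest (HR) and highest (Manufacturing) exposures are set aside and the consolidated score lands in the Medium band, while the reported spread of 14 still tells the risk owner that the functions disagree strongly and a review discussion is warranted.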
Simulations and Modelling
I've already mentioned simulations and modelling in a few of these GRC Tuesdays blogs. Risk simulation and modelling is the mathematical representation of the consequences of an event. Personally, I don't believe that the calculated result should systematically be used to populate a risk assessment directly without human review first, but I do firmly believe that it is very useful for decision making, for instance to get an idea of what the best case, worst case and average case scenario could be in terms of impact. The risk owner can then compare a risk assessment against these value points to understand how the current risk valuation would "fit" within these outputs.
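To show what "fitting" a risk owner's valuation against simulated best, worst and average cases can look like in practice, here is an added example (written for this post, not taken from any GRC tool): a small Monte Carlo simulation of annual loss for one risk. It assumes the risk owner supplies an annual probability of occurrence and a minimum, most likely and maximum loss; the loss is drawn from a triangular distribution, which is a constructed modelling choice, and the seed, run count and sample figures are assumptions as well.

```python
import random
from statistics import mean


def simulate_annual_loss(probability: float, loss_min: float, loss_mode: float,
                         loss_max: float, runs: int = 10_000, seed: int = 42) -> list[float]:
    """Monte Carlo: each run is one year; the event occurs with `probability`
    and, when it does, the loss is drawn from a triangular(min, mode, max)
    distribution (a modelling assumption). A fixed seed keeps runs reproducible
    so the figures in a report can be regenerated later."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if not loss_min <= loss_mode <= loss_max:
        raise ValueError("expected loss_min <= loss_mode <= loss_max")
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        if rng.random() < probability:
            # random.triangular takes (low, high, mode)
            losses.append(rng.triangular(loss_min, loss_max, loss_mode))
        else:
            losses.append(0.0)  # the event did not occur this year
    return losses


def summarize(losses: list[float]) -> dict:
    """Best, average and worst case, plus a 95th percentile so that a single
    extreme draw does not dominate the 'worst case' conversation."""
    ordered = sorted(losses)
    p95_index = min(len(ordered) - 1, int(0.95 * len(ordered)))
    return {
        "best_case": ordered[0],
        "average_case": mean(ordered),
        "p95": ordered[p95_index],
        "worst_case": ordered[-1],
    }


def position_of_estimate(estimate: float, losses: list[float]) -> float:
    """Percentile of the risk owner's point estimate within the simulated
    outcomes: the share of simulated years whose loss is at or below it."""
    return 100.0 * sum(1 for loss in losses if loss <= estimate) / len(losses)


# Constructed sample inputs for one risk (currency units are arbitrary).
SAMPLE_PROBABILITY = 0.3
SAMPLE_LOSS = (10_000, 50_000, 400_000)  # min, most likely, max
OWNER_ESTIMATE = 120_000                 # the risk owner's current valuation

if __name__ == "__main__":
    losses = simulate_annual_loss(SAMPLE_PROBABILITY, *SAMPLE_LOSS)
    for key, value in summarize(losses).items():
        print(f"{key}: {value:,.0f}")
    pct = position_of_estimate(OWNER_ESTIMATE, losses)
    print(f"owner estimate {OWNER_ESTIMATE:,} sits at the {pct:.1f}th percentile of simulated years")
```

The percentile is the number the risk owner actually needs: an estimate sitting near the 99th percentile of simulated years suggests a pessimistic bias, one sitting below the average suggests an optimistic one, and in either case the simulation informs the human review rather than replacing it.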
Internal and External Benchmarks
Another option that I would suggest exploring is comparing risk assessments with internal and external data points. For instance, comparing with similar risks but in different business units or locations. These could be risks assigned to the same risk category or having the same drivers.
For external benchmarks, why not apply something that the banking and insurance industry (but also aerospace and defence, and others) has been using for a long time: external incident and loss databases? By comparing a risk assessment against past occurrences at similar organizations, the risk owner will be able to understand whether the currently documented exposure is aligned with what other companies from the same sector have experienced and reported.
Getting Additional Views
Sometimes, when you have just taken over a new risk, you may need to get inputs from others as well to understand the context.
One could of course leverage the collaborative assessment approach mentioned earlier, but this might be too restrictive, in that it answers one precise question: what is the risk exposure? It won't provide the new risk owner with an understanding of what could trigger the risk, or other contextual information that would help in accurately assessing the situation.
Here is where I think simple surveys work wonders. Yes, you could simply phone people or send emails and it would achieve the same result. But think about risk handover: how is the next risk owner going to get this information?
Instead, if you formalize it, so to speak, and keep the surveys and the risk together, including the previous answers to the same questions, this could help in getting a clearer picture.
If you combine this with a collaborative risk assessment, I think you will have a winning association to get expert inputs without relying on a unique individual’s perception.
What about you, how is the risk analysis performed in your organization? Is it the result of someone’s views or from a collaboration? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard