I love the discipline of risk management. One major reason is the premise of the whole thing:
“Ok, we will be doing some important things that could have undesirable consequences… or might even be flat out dangerous. But instead of running away from or blindly leaping into this task, let’s acknowledge that bad things could happen, let’s try to predict what those things could be, and, if we can, let’s do some things to prevent (or mitigate) those bad things… but only after we see how much the prevention costs.”
Another reason I love it is that it makes complete sense, and individual people do it all the time, whether consciously or not. Risk management takes one of the most useful human behaviors and allows organizations to systematically apply it to complex situations (if they do it correctly).
One of the common pitfalls with risk management: people make it too complicated. Of course it must all be coherent and logical, and that takes some explaining. But if your risk model is logical, then it should turn out to be pretty simple, because you won’t have a lot of stray concepts that aren’t actually needed. When your model is not simple, people forget the whole reason they are doing risk management, and the process becomes overwhelming.
Risk management is a perfect balance.
To always avoid “danger” is to never make progress. Those I have seen who constantly avoid doing the things that need to be done are often more concerned about something other than the mission of the organization (e.g. promotion prospects, so they don’t want to have a mistake on their record).
But to go haphazardly into a situation without attempting to mitigate bad things – even a task that is important and needs to be done – is lazy and stupid.
- I say “lazy” because those I have seen be haphazard would usually prefer to not take the time and effort to think things through… they would rather call an ambulance afterwards – shifting the burden of danger’s consequences to everyone else on the team.
- I say “stupid” because (assuming they are not malicious) any creature that disregards its own well-being and the well-being of the team is not the sharpest tool in the shed.
But risk management is a great balance. Don’t avoid risk, but don’t go rashly into it. That’s nice and simple.
KISS: One picture tells most of the story
How often, and how bad?
At the core of risk management is a simple question:
How often, and how bad?
There are many variations on this fundamental question, but every risk formula I have ever seen can be reduced down (i.e. simplified) to that question. That question can be rephrased to say:
Risk is the combination of how likely a bad thing is to happen, and, if that bad thing were to happen, how badly would it hurt my goal?
And this reveals the classic, simple risk equation:
I consider the above equation to be the most pure, and by that I mean that the words are the most universal and that other forms of the equation – some are more complicated and some use slightly different language – can all be reduced down to that pure variation. And in the spirit of “Keep it Simple, Stupid,” I usually start here, or trace an organization’s equation back to this one, when I do risk management.
The terms of that equation are probably self-explanatory, but read on for more explanation, or skip to the end to see how I use this KISS equation.
To start, the most important term to understand is the first term, Risk. The entire formula has some important assumptions and premises that many people skip over… and then they are left having performed a risk management process but still don’t actually understand their risk.
Here are some of the hidden (implied) questions that this term presumes you have answered. I argue that answering these questions is the most critical part of risk management:
- “What are you trying to determine the risk to?”
- “What is your mission?” “What is your goal?”
- “What do you want?” “What should the world look like when you are done with your task?”
Part of avoiding the pitfall here is to:
Fill in the blank. “I want to determine the risk to _____________.”
Notice this question says “risk to” and not “risk of”. “What do you want to prevent harm to?” – as opposed to, “What do you want to prevent from happening?”
Some risk management processes will build this step in. For example, in the military there are two types of risk that commanders should always evaluate. These two categories cover most of the things you should consider, and can be applied to non-military situations:
- Risk to mission. For a given operation or task, and considering the tactical situation and the strategic situation, what is the risk to achieving your mission? If you were tasked to evacuate a village, what could prevent you from accomplishing that task?
- Risk to forces. (Sometimes phrased, “risk to personnel.”) In order to accomplish your task, you will need to use people, equipment, services, resources, etc. (this is roughly what “forces” means in military terms). What is the risk to these assets? In evacuating the village, is there anything that might threaten to destroy your equipment or harm your personnel?
The good news is that if you use the two categories above when considering risk, then you are covering most of what you should be considering. But I would recommend supplementing these two with the following steps:
- Ensure you are keeping your overall goal, desire, or intent in mind. What do you want the world to look like when you are done? Using the example above, if you are tasked to evacuate a village, isn’t your real goal to “prevent harm to the villagers and ensure they can continue productive life after the event?” In that case, you should expand your risk thinking to evaluate whether anything would threaten that desired end state.
- Is there anything unique to my situation or task that “risk to mission” and “risk to forces” won’t cover? Risk management is about tailoring risk principles to your specific needs, so ensure you aren’t being robotic about the process. The goal isn’t to complete a process, the goal is to do something dangerous that needs to be done while simultaneously not being stupid.
When you have identified something that could happen, the first step is to try to figure out how often this thing happens. Other commonly used terms here are:
Some other terms include the concept of likelihood, though they may not admit it:
- threat. Describing how much something wants to hurt you.
- vulnerability. Describing how weak you are against a given potentially negative action.
In my opinion, “likelihood” is the superior term because it avoids these problems:
- It allows basing this value on both history and the future. History can be useful for things like “inches of rainfall in a year” or the past behavior of a group, but you also need to consider things like indications or predictive data that help you know the intent of a person or group.
- The combination of “threat” and “vulnerability” yields likelihood, but these terms can’t be applied to all situations. I prefer to start with the most general term (“likelihood”). But I do consider “threat” and “vulnerability” to be very useful in certain situations.
When it happens, how much will it affect my goal? With limited resources to analyze risk and implement things that can control that risk, you must know which hazard will hurt the most. Something with negligible impact can easily be ignored, allowing you to focus on more important things.
Other terms frequently used here:
- Cost (not money, but the general use of the term)
- In some contexts, the combination of the terms “risk” and “vulnerability” covers the concept of “impact.”
When you get to analyzing the impact, you will rely on the questions you asked earlier when considering the word risk. “Impact to what?” It’s about the impact to what you want. Usually the context is that impact describes something bad that could happen, but it doesn’t have to. This is why I prefer the term impact as compared to the others.
Here are some variations that I have found useful:
“Risk is a function of threat, vulnerability, and consequences” (2013, Defense Science Board). Although a bit complicated, this equation is useful because it explicitly points out that the intent (desire) and capabilities of an adversary are an important part of likelihood:
Risk = Risk(threat, vulnerability, consequences) where:
The following graphic from the Center for Internet Security (CIS) depicts an equation that I like because it approaches risk from an “understand the return on investment of mitigating risk” perspective first, which can be useful in some applications.
In addition to the USNA risk management lesson from SY110 (a course I used to teach), this risk equation from International Charter is a good balance of specificity and wide applicability, especially in the cybersecurity field where “threat” and “vulnerability” are well-established terms:
Risk = Threat × Vulnerability × Cost
Making a decision
The whole point is to be able to make decisions to either avoid, transfer, reduce, or accept risks. So how do you make a decision? Let’s end this rant where we started: by keeping it simple with one of my favorite pictures.
This gets to my final reason for favoring the likelihood and impact risk equation: when you calculate risk using two terms or factors (as opposed to more than two), you can plot your analysis on a simple chart that explains the two most important aspects of a given hazard. The fact is, humans can only process about a handful of pieces of information… anything else and the data is useless. So I love simple diagrams to help me make complex decisions.
The following chart has two dimensions (with a bonus third dimension, color, which helps me make some emotional calculations!) with only three values for impact and likelihood. So much of risk assessment is not exactly mathematical, so usually there isn’t much use in analyzing risk to ten decimal places… usually a rough estimate is all you need.
Throw all of the hazards you found onto this chart, and you will naturally guide yourself through the risk management process. You might find yourself asking these questions, among others:
- “How can I move that one down and to the left?”
- “Why is that one higher than that other one?”
- “Can I accept where this hazard is now, or do I need to do something about it?”
- “Is completing my task worth this risk?”
- “Is the cost of mitigating these risks worth the resources?”
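To make the likelihood × impact equation, the Threat × Vulnerability × Cost variant and the three-by-three chart concrete, here is a small risk register in Python. It is an example added to this post, not the author’s own code and not a tool from CIS, the Defense Science Board, International Charter or USNA. Everything numeric in it is an assumption: the 1–3 integer scale, the product as the score, the colour thresholds, the ceil(product ÷ 3) rule for folding threat × vulnerability back onto one likelihood, the avoid/reduce/accept decision rule, and the engineer-day cost unit. The hazards in the register are constructed, not real findings.

```python
"""KISS risk matrix: likelihood x impact on a three-level scale.

Added illustration of the post's equation and 3x3 chart; not the author's tooling.
Assumptions (not from the post): the 1..3 scale, product as score, colour
thresholds, the threat-x-vulnerability folding rule, and the decision rule.
"""
import math
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """The post's 'only three values for impact and likelihood'."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Hazard:
    name: str
    likelihood: Level
    impact: Level


@dataclass(frozen=True)
class Mitigation:
    """A control that moves a hazard 'down and to the left' at some cost.
    cost is in a constructed unit (engineer-days), an assumption."""
    name: str
    likelihood_after: Level
    impact_after: Level
    cost: int

    def apply(self, h: Hazard) -> Hazard:
        return Hazard(h.name, self.likelihood_after, self.impact_after)


def likelihood_from(threat: Level, vulnerability: Level) -> Level:
    """Fold the 'Threat x Vulnerability x Cost' variant back to one likelihood.
    The post says the two combine into likelihood; ceil(p / 3) is an assumption."""
    return Level(math.ceil(threat * vulnerability / 3))


def risk_score(h: Hazard) -> int:
    """Risk = likelihood x impact, giving 1..9 on this scale."""
    return h.likelihood * h.impact


def risk_band(score: int) -> str:
    """The chart's 'bonus third dimension': colour. Thresholds are an assumption."""
    if score >= 6:
        return "red"
    if score >= 3:
        return "amber"
    return "green"


def matrix(hazards):
    """Place hazards on the 3x3 chart: rows are likelihood (HIGH on top),
    columns are impact (LOW on the left), so 'down and to the left' is better."""
    cells = {(lk, im): [] for lk in Level for im in Level}
    for h in hazards:
        cells[(h.likelihood, h.impact)].append(h.name)
    return cells


def render(hazards) -> str:
    """Text rendering of the chart for a quick look at the whole register."""
    cells = matrix(hazards)
    lines = ["likelihood / impact | " + " | ".join(f"{im.name:<22}" for im in Level)]
    for lk in reversed(list(Level)):
        row_cells = [", ".join(cells[(lk, im)]) or "-" for im in Level]
        lines.append(f"{lk.name:<19} | " + " | ".join(f"{c:<22}" for c in row_cells))
    return "\n".join(lines)


def decide(h: Hazard, m: Optional[Mitigation], budget: int) -> str:
    """Avoid / reduce / accept (transfer is omitted: it depends on who else can carry it).
    Rule (an assumption): green is accepted; a control is bought when it is affordable,
    actually lowers the score and leaves the hazard out of red; an unfixable red is avoided."""
    before = risk_score(h)
    if risk_band(before) == "green":
        return "accept"
    if m is not None:
        after = risk_score(m.apply(h))
        if m.cost <= budget and after < before and risk_band(after) != "red":
            return "reduce"
    if risk_band(before) == "red":
        return "avoid"
    return "accept"


# Constructed sample register (illustrative names and levels, not real findings).
REGISTER = [
    (Hazard("internet-facing service left unpatched", Level.HIGH, Level.HIGH),
     Mitigation("patch SLA + scanning", Level.LOW, Level.HIGH, cost=5)),
    (Hazard("laptop lost in transit", Level.MEDIUM, Level.MEDIUM),
     Mitigation("full-disk encryption", Level.MEDIUM, Level.LOW, cost=2)),
    (Hazard("office coffee machine outage", Level.LOW, Level.LOW), None),
]

if __name__ == "__main__":
    print(render([h for h, _ in REGISTER]))
    for h, m in REGISTER:
        s = risk_score(h)
        print(f"{h.name}: score {s} ({risk_band(s)}) -> {decide(h, m, budget=4)}")
```

Run as a script, it prints the chart and one decision per hazard for a budget of four engineer-days; raising the budget to five turns the unpatched service from “avoid” into “reduce”, which is exactly the “is the cost of mitigating these risks worth the resources?” question made explicit. The point of keeping only three levels is visible in the code: the whole scoring fits in one multiplication and one threshold, and the decision reads as a handful of plain rules rather than a model nobody on the team can explain.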