Traditional risk assessments use "heat maps", or risk matrices, to develop rankings that drive decision making on projects and operations. Risks are ranked from highest to lowest, sometimes split into three or more classes of criticality.
Those approaches may be compliant with ISO31000, ONR49000, COSO, but they are not the best you can do!
As we will show in this paper, they actually lack focus and transparency. Ingenious methods allow those data to be reused, however, to make far better decisions based on rational and sustainable rankings.
Tolerability and Decision Making Discussion
Oboni Riskope Associates Inc.
www.riskope.com
500-1045 Howe Street
Vancouver, B.C., V6Z 2A9
On time, on budget, in control, showing your leadership with sustainable
capital expenditure, even during recessions and economic, financial
crises.
Riskope can also help you solve insurance denial situations, adding value to your
existing risk assessments, risk registers, ERM in an ingenious way.
By Franco & Cesar Oboni, Oboni Riskope Associates Inc. Vancouver, www.riskope.com
We will use for this discussion Operation Ten (OT) belonging to our client AAA Inc. (AAA)
(names, locations and risk names have been altered to respect client's confidentiality), let's say a
large production facility which of course uses external transportation networks, commercial
wharves, and receives energy, supplies and chemical from the “world” to work in its processing
plant. What this industry actually produces, its geographic location etc. does not matter, for this
discussion. Whether OT is a project (Project Risk Assessment), possibly at Pre-feasibility or
Feasibility stage, or a thriving Operation (Operational Risk Assessment), the approach will be
conceptually the same.
OT/AAA Management formulated an explicit request to Riskope (www.riskope.com) to deliver a
risk based decision making (RBDM) support study: “The assessment will consider the particular
environment, specific location and activities of OT's facilities to mitigate risks to the environment to
a tolerable level and to establish a conceptual framework to support decisions regarding the
remediation of ***** sites. In particular, the Action Plans will be mainly targeted to OT's decision
makers and should answer practical questions... ”
Riskope started by studying the Status Quo, including the level of awareness, understanding and
sophistication of OT/AAA and concluded that they were at par with the international consensus and
standard operating practices (SOPs) in the area of risk assessment and prioritization. It was
however, obvious that those SOPs were not giving Management the guidance they were seeking.
A stepped approach, tested and proven over the years by Riskope, was deployed. Riskope's
study brought the following benefits and results:
• The prevalent critical risks were brought forward in a clear, rational and defensible way.
• The number of critical issues was shown to be smaller than originally evaluated at Status
Quo.
• The insurance portfolio was shown to be poorly balanced and adjustments were proposed.
• The new priority list let Management make better decisions in mitigative investments'
allotment and freed moneys that could be better allocated elsewhere.
• The methodology allows rational updating of the probabilities when new data are gathered.
(c)Oboni Riskope Associates Inc. Page 1 of 8
In the following sections we will go point by point through the stepped approach.
Status Quo Analysis: Risk Assessment/Management Approach before
Riskope's Deployment
In accordance with widespread, common practices, Operation Ten (OT) uses an indexed matrix
approach (some people call this a “heat map”, others “risk landscape”/“Paysage risque”) to
prioritize risks compiled in a risk register (prepared with a commercial software) in view of their
management. As there are no standardized versions (ISO 31000, COSO (ERM), ONR 49000 [1]
guidelines do not enforce a method) of this empirical approach, and indexes are often evaluated
using verbal approximations, qualitative concepts, it is necessary to briefly summarize AAA's own
“rules” before going into any further discussion.
AAA's system uses a 5x5 classes (frequency x severity) matrix defined as follows.
Classification   Level   Characterization
Frequency        1       1 failure in over 100 years
                 2       1 failure in 10 to 100 years
                 3       1 failure in 5 to 10 years
                 4       1 failure in 1 to 5 years
                 5       more than 1 failure per year
Severity         1       $0 to $1,000,000 in costs
                 2       $1,000,000 to $5,000,000 in costs
                 3       $5,000,000 to $15,000,000 in costs
                 4       $15,000,000 to $50,000,000 in costs
                 5       more than $50,000,000 in costs
As a side note, the idea of using frequencies instead of probabilities (or annual probabilities) can
lead to some confusion and misleading results. For example, a risk might not have any frequency
(typically an isolated terrorist attack, a change in legislation), yet have a non-negligible probability
of hitting in the near future. A severe rainfall might have a low frequency, but a high probability of
occurrence with the current climate change.
As can be seen below, stepped thresholds have been selected by AAA to define four levels of
attention (criticality) of risks in the matrix: Severe, High, Medium, Low.
                 Frequency
                 1   2   3   4   5
Severity    1    L   L   L   M   M
            2    L   M   M   M   H
            3    L   M   M   H   H
            4    M   M   H   H   S
            5    M   H   H   S   S
1) http://foboni.wordpress.com/2010/02/17/a-discussion-of-the-latest-coso-paper-on-the-development-of-organizations-resiliency-to-risk/ ,
http://foboni.wordpress.com/2010/11/10/new-iso-31000-risk-management-principles-and-guidelines/
A rule based on the value of the multiplication between the frequency and the severity indexes has
indeed been established by AAA as displayed in the following scheme.
Risk Rating   Code   min   max   Freq * Sev
Severe        S      20    25    > 19
High          H      10    19    10 to 19
Medium        M      4     9     4 to 9
Low           L      0     3     < 4
Interestingly, OT's Risk registers delivered to Riskope (www.riskope.com) had risk ratings of the
H,M,L categories, but none in the Severe class. For example:
• Quake has severity x frequency (2 x 2)=4 which gives Medium, ranked in the same class as
Traffic Accidents (5 x 1), Acid or Diesel Oil spills (3 x 3).
• Supplier's acid delivery is rated as High (3 x 4=12), together with fire at Powerhouse (2 x 5),
Explosion at Boiler (2x 5), HLP leak (2 x 5).
AAA's original rating of OT's 50 risk scenarios split them into 0 Severe, 14 High, 25 Medium and
11 Low risks. Do you remember the old saying about “crying wolf”? Well, with 14 High, 25
Medium, the usual reaction of Management is to say: “too many to cope, let's wait”, or any one of
the sixteen excuses we have discussed elsewhere [2].
The indexed matrix approach usually gives useful snapshots of the operation's “risk panorama”, but it
doesn't have the ability to deliver clear guidance in the selection of risk priorities, or to define whether
mitigation plans are sufficient or not [3]. As a matter of fact, the problem of expenditure on safety
measures is indeed one of allocation of resources and cost-effectiveness which has to be based on
the whole spectrum of possible events, instead of the Maximum Credible Event, ALE (Annual Loss
Expected) or some other deterministic parameter only. (Lees' Loss Prevention in the Process
Industries: Hazard Identification, Assessment, and Control, Volume 1, Frank P. Lees).
Riskope's Approach. STEP 1: Defining Risk Tolerability
As has been discussed and demonstrated on various occasions [4], the Management objectives can
only be reached if a clear definition of the tolerability thresholds of an organization is carried out.
A series of four proprietary questions designed to allow the definition of tolerability was used in a
facilitated workshop with key personnel, including the CFO. Riskope also undertook the task of
matching the replies to those questions with AAA's empirical stepped matrix thresholds, so as to
define a tolerability threshold that could be used for rational and transparent prioritization.
2)http://foboni.wordpress.com/2009/11/12/one-world-16-common-human-traits-2/
3)http://foboni.wordpress.com/2010/06/08/bp-crisis-rational-analysis-what-bp-did-not-perform/
4)http://www.slideshare.net/Foboni/generalized-tolerability-and-risk-based-decision-making-examples-19-oct-5554686
Riskope's Approach. STEP 2: Converting Risk Register Data into Usable Data
In order to move forward Riskope had to convert OT's matrix frequencies into probabilities, and
eliminate the useless and confusing indexes. Once the indexes were eliminated it became possible
to evaluate “real” risks, as the product of probability and consequences, expressed in monetary
terms, and plot them in a Probability-Consequences (Losses) diagram.
That diagram (Probability on the vertical axis, a number between nil and one; Consequences on the
horizontal axis, in dollars) is displayed in Figure 1, with all OT's Risk Register scenarios and the newly
defined tolerability curve plugged in. As can be noted, the curve follows the steps of the matrix threshold
(yellow-red limit) classes, displayed here in log-log scale (the reason for which the width and thickness
of the boxes decrease from bottom left to top right).
Figure 1. The original matrix cells are shown on a log-log probability-consequences plot, together
with the newly developed OT's tolerability curve.
The “total” risk for each scenario can be calculated, and when applicable, it is possible to evaluate
which portion of that risk lies above the tolerability as depicted in Figure 2.
Figure 2. When probability and consequences of a scenario are evaluated, the total risk (p*C) is equal
to the area of the rectangle (sum of orange and blue areas). The blue area is the tolerable part of
that scenario, the orange part is the intolerable portion. NB: the log-log scale requires some attention
when interpreting the relative size of areas, as shown in the bar diagram at the right, in decimal
scale.
The bar graph below, in Figure 3, shows, as an example, a small portion of the risks from OT's
original Risk Register, with the tolerable part in blue, the intolerable part in orange, and the total
risk equal to the sum of the blue and orange bars.
Figure 3. A small part of OT's original Risk Register, with, for each scenario, tolerable and intolerable
risk partition.
If we plot risks from the highest down to the lowest, the chart on the next page shows the first 20
risks (Figure 4).
We can easily see from Figure 4 that even though some risk scenarios are overall higher (blue and
orange bar), the size of the intolerable part (orange bar) may lead to a completely different
prioritization and respective allocation of mitigative resources.
Figure 4. OT's largest total risks, in decreasing order from left to right.
Riskope's Approach. STEP 3: Rational Prioritization of Risks
Rational and transparent prioritization is indeed achieved when risks (above tolerability) are ranked
in decreasing order of intolerable portion (only the orange bars), even if the overall risk is higher,
leading to the graph displayed in Figure 5, next page.
Figure 5. OT's Risk Register risks are now ranked in decreasing order (from left to right) of their
intolerable part.
At this point it becomes interesting to compare the relative value of the risks' intolerable part for the
allocation of resources regarding mitigation measures.
Figure 6. Relative values of the intolerable part of OT's risks.
We can see from Figure 6 that five of OT's scenarios account for 83% of the total intolerable risks.
We could therefore state, at first sight, that for every dollar spent on mitigation measures around 80
cents should be spent equally (or in relative proportions) on the 5 “first” risks, then the remaining
20 cents should be split equally amongst the next 16 risks. 30 scenarios should not even be
considered at this time.
In other words, among the 50 risk scenarios present in OT's Risk Register, 5 should be allotted 80 %
of the resources and 15 others should employ 20% while the remaining 30 should not even be
considered until the first 20 are brought below the tolerability curve.
When the implementation of mitigative measures changes the risk panorama, the prioritization
will change and it will be very easy to update the rankings with the new rational allotments.
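The calculation behind Steps 2 and 3, as an added example that is not Riskope's own code or proprietary curve: it derives a stepped tolerability curve from AAA's published classes and ranks scenarios by the part of p*C lying above it. Assumptions: the curve is read as the Medium/High boundary (Freq * Sev < 10), frequencies become annual probabilities through a Poisson model, and the four scenarios are constructed.

```python
import math

# Upper bounds of AAA's severity classes ($) and frequency classes (events/year);
# class 5 is open-ended in both tables.
SEV_UPPER = [1e6, 5e6, 15e6, 50e6, math.inf]
FREQ_UPPER = [1 / 100, 1 / 10, 1 / 5, 1.0, math.inf]

def annual_probability(rate):
    """Assumption: Poisson arrivals, P(at least one event per year) = 1 - exp(-rate)."""
    return 1.0 - math.exp(-rate)

def tolerability_steps():
    """Per severity class: (upper loss bound, highest probability still below High)."""
    steps = []
    for sev in range(1, 6):
        max_freq = max(f for f in range(1, 6) if f * sev < 10)  # AAA's rule
        steps.append((SEV_UPPER[sev - 1], annual_probability(FREQ_UPPER[max_freq - 1])))
    return steps

def intolerable_part(p, cost, steps=None):
    """Area of the p x cost rectangle above the stepped curve, in linear scale."""
    steps = steps or tolerability_steps()
    area, lower = 0.0, 0.0
    for upper, p_tol in steps:
        width = min(cost, upper) - lower
        if width <= 0:
            break
        area += width * max(0.0, p - p_tol)
        lower = upper
    return area

def prioritize(scenarios):
    """Rank by intolerable part; rows are (name, total risk, intolerable, share)."""
    rows = [(n, p * c, intolerable_part(p, c)) for n, p, c in scenarios]
    total = sum(r[2] for r in rows) or 1.0
    rows.sort(key=lambda r: r[2], reverse=True)
    return [(n, risk, bad, bad / total) for n, risk, bad in rows]

# Constructed scenarios: (name, annual probability, loss in dollars).
SAMPLE = [("A", 0.62, 5e6), ("B", 0.05, 60e6), ("C", 0.25, 10e6), ("D", 0.90, 0.8e6)]

if __name__ == "__main__":
    for name, risk, bad, share in prioritize(SAMPLE):
        print(f"{name}: total ${risk:,.0f}  intolerable ${bad:,.0f}  share {share:.0%}")
```

Scenario A carries the largest total risk of the four yet has no intolerable part, so it drops behind B and C once the ranking uses the intolerable portion only.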
Conclusions
By using a newly developed OT's tolerability curve, which complies with AAA matrix classes
thresholds, and using the intolerable part of risks as a rating parameter, we determined a new rating
which allows for more rational capital and efforts allotment.
Following the new rating it can be seen that among those 50 risks, 5 should be allotted 80 % of the
resources and 15 others should employ 20% while the remaining 30 should not even be considered
until the first 20 are brought below the tolerability curve. This is way more focused and
rational than OT/AAA's original rating of the same 50 risks which split into 0 Severe, 14 High, 25
Medium and 11 Low risks.
If we look at a comparison, that's 5 risks sharing 80% of the available resources, against 14 risks
sharing an unspecified percentage of the available resources. Or 15 risks sharing 20% of the
available resources, instead of 25 risks sharing an unspecified percentage of the same. One other
way of seeing it? Well, if OT's Management have to mitigate 5 risks instead of 14, they will be
keener to do so, and it will be done faster, as they do not feel overwhelmed.
In this paper, we have shown how your “standard” risk approach (risk assessments, risk
register, ERM) that your peers and superiors already understand and “own” can be turned into a
cutting edge competitive advantage, freeing capital for business and production development,
leading to more easily defensible, justifiable decisions. In other words, the mantra is: stop
wasting money and effort on security measures that do not pay off, over-investing in some
mitigations and, maybe, under-investing in others, with, in both cases, potentially devastating
unjustified consequences. Our metric is consistent, unambiguous, and provides context for better
understanding your organization's risks.
Here you have a summary of the benefits yielded by the approach:
• The prevalent critical risks were brought forward in a clear, rational and defensible way.
• The number of critical issues was shown to be smaller than originally evaluated at Status
Quo.
• The insurance portfolio was shown to be poorly balanced and adjustments were proposed.
• The new priority list let Management make better decisions in mitigative investments'
allotment and freed moneys that could be better allocated elsewhere.
• The methodology allows rational updating of the probabilities when new data are gathered.