Tolerability and Decision Making Discussion
Upcoming SlideShare
Loading in...5
×
 

Tolerability and Decision Making Discussion

on

  • 1,552 views

Traditional Risk Assessments use "heat maps", or risk matrices, to develop rankings, leading to decision making on projects, operations. Risks are ranked from larger to lower, sometimes splitting them ...

Traditional Risk Assessments use "heat maps", or risk matrices, to develop rankings, leading to decision making on projects, operations. Risks are ranked from larger to lower, sometimes splitting them into three or more classes of criticality.
Those approaches may be complaint with ISO31000, ONR49000, COSO, but they are not the best you can do!
As we will show in this paper, they actually lack in focus and transparency. Ingenious methods allow to reuse those data, however, and make far better decisions based on rational and sustainable rankings.

Statistics

Views

Total Views
1,552
Views on SlideShare
1,552
Embed Views
0

Actions

Likes
0
Downloads
6
Comments
0

0 Embeds 0

No embeds

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Tolerability and Decision Making Discussion Tolerability and Decision Making Discussion Document Transcript

    • Oboni Riskope Associates Inc. www.riskope.com 500-1045 Howe Street Vancouver, B.C., V6Z 2A9On time, on budget, in control, showing your leadership with sustainablecapital expenditure, even during recessions and economic, financialcrises.Riskope can also help you solve insurance denial situations adding value to youexisting risk assessments, risk registers, ERM in an ingenious way.By Franco & Cesar Oboni, Oboni Riskope Associates Inc. Vancouver, www.riskope.comWe will use for this discussion Operation Ten (OT) belonging to our client AAA Inc. (AAA)(names, locations and risk names have been altered to respect clients confidentiality), lets say alarge production facility which of course uses external transportation networks, commercialwharves, and receives energy, supplies and chemical from the “world” to work in its processingplant. What this industry actually produces, its geographic location etc. does not matter, for thisdiscussion. Whether OT is a project (Project Risk Assessment), possibly at Pre-feasibility orFeasibility stage, or a thriving Operation (Operational Risk Assessment), the approach will beconceptually the same.OT/AAA Management formulated an explicit request to Riskopes (www.riskope.com) to deliver arisk based decision making (RBDM) support study: “The assessment will consider the particularenvironment, specific location and activities of OTs facilities to mitigate risks to the environment toa tolerable level and to establish a conceptual framework to support decisions regarding theremediation of ***** sites. In particular, the Action Plans will be mainly targeted to OTs decisionmakers and should answer practical questions... ”Riskope started by studying the Status Quo, including the level of awareness, understanding andsophistication of OT/AAA and concluded that they were at par with the international consensus andstandard operating practices (SOPs) in the area of risk assessment and prioritization. It washowever, obvious that those SOPs were not giving Management the guidance they were seeking.A stepped approach, tested and proven over the years by Riskope, was deployed. The result ofRiskopes study brought the following befits and results: • The prevalent critical risks were brought forward in a clear, rational and defensible way. • The number of critical issues was shown to be smaller than originally evaluated at Status Quo. • The insurance portfolio was shown to be poorly balanced and adjustments were proposed. • The new priority list let Management make better decisions in mitigative investments(c)Oboni Riskope Associates Inc. Page 1 of 8
    • allotment and freed moneys that could be better allocated elsewhere. • The methodology allows rational updating of the probabilities when new data are gathered.In the following sections we will go point by point through the stepped approach.Status Quo Analysis: Risk Assessment/Management Approach beforeRiskopes DeploymentIn accordance to widespread, common practices, Operation Ten (OT) uses an indexed matrixapproach (some people call this a “heat map”, others “risk landscape”/”Paysage risque”) toprioritize risks compiled in a risk register (prepared with a commercial software) in view of theirmanagement. As there are no standardized versions (ISO 31000, COSO (ERM), ONR 490000 1guidelines do not enforce a method) of this empirical approach, and indexes are often evaluatedusing verbal approximations, qualitative concepts, it is necessary to briefly summarize AAAs own“rules” before going into any further discussion.AAAs system uses a 5x5 classes (frequency x severity) matrix defined as follows. Classification Level Characterization Frequency 1 1 failure in over 100 years 2 1 failure in 10 to 100 years 3 1 failure in 5 to 10 years 4 1 failure in 1 to 5 years 5 more than 1 failure per year Severity 1 $0 to $1,000,000 in costs 2 $1,000,000 to $5,000,000 in costs 3 $5,000,000 to $15,000,000 in costs 4 $15,000,000 to $50,000,000 in costs 5 more than $50,000,000 in costsAs a side note, the idea of using frequencies instead of probabilities (or annual probabilities) canlead to some confusion and misleading results. For example, a risk might not have any frequency(typically isolated terrorist attack, change in legislation), yet a non negligible probability to hit inthe next future. A severe rainfall might have a low frequency, but a high probability of occurrencewith the current climate change.As it can be seen below, stepped thresholds have been selected by AAA to define four levels ofattention (criticality) of risks in the matrix: Severe, High, Medium, Low. Frequency 1 2 3 4 5 1 L L L M M 2 L M M M H Severity 3 L M M H H 4 M M H H S 5 M H H S S1)http://foboni.wordpress.com/2010/02/17/a-discussion-of-the-latest-coso-paper-on-the-development-of-organizations-resiliency-to-risk/ , http://foboni.wordpress.com/2010/11/10/new-iso-31000-risk-management-principles-and-guidelines/(c)Oboni Riskope Associates Inc. Page 2 of 8
    • A rule based on the value of the multiplication between the frequency and the severity indexes hasindeed been established by AAA as displayed in the following scheme. min max Risk Rating Freq * Sev Severe S 20 25 S = Severe > 19 High H 10 19 H = High 10 TO 19 Medium M 4 9 M = Medium 4 TO 9 Low L 0 3 L = Low <4Interestingly, OTs Risk registers delivered to Riskope (www.riskope.com) had risk ratings of theH,M,L categories, but none in the Severe class. For example: • Quake has severity x frequency (2 x 2)=4 which give Medium, ranked in the same class as Traffic Accidents (5 x 1), Acid or Diesel Oil spills (3 x 3). • Suppliers acid delivery is rated as High (3 x 4=12), together with fire at Powerhouse (2 x 5), Explosion at Boiler (2x 5), HLP leak (2 x 5).AAAs original rating of OTs 50 risks scenario split them into 0 Severe, 14 High, 25 Medium and11 Low risks. Do you remember the old saying about “crying for wolf”? Well, with 14 High, 25Medium, the usual reaction of Management is to say: “too many to cope, lets wait”, or any one ofthe sixteen excuses we have discussed elsewhere2.The indexed matrix approach usually gives useful snapshots of the operation “risk panorama”, but itdoesnt have the ability to deliver clear guidance in the selection of risks priorities, to define ifmitigation plans are sufficient or not3. As a matter of fact, the problem of expenditure on safetymeasures is indeed one of allocation of resources and cost-effectiveness which has to be based onthe whole spectrum of possible events, instead of the Maximum Credible Event, ALE (Annual LossExpected) or some other deterministic parameter only. (Lees loss prevention in the processindustries: hazard identification, assessment, and control, Volume 1, Frank P. Lees).Riskopes Approach. STEP 1: Defining Risk TolerabilityAs it has been discussed and demonstrated in various occasions 4, the Management objectives canonly be reached if a clear definition of the tolerability thresholds of an organization is carried out.A series of four proprietary questions designed to allow the definition of tolerability was used in afacilitated workshop with key personnel, including the CFO. Riskope also undertook the task ofmatching the replies to those questions with AAAs empirical stepped matrix thresholds, so as todefine a tolerability threshold that could be used for rational and transparent prioritization.2)http://foboni.wordpress.com/2009/11/12/one-world-16-common-human-traits-2/3)http://foboni.wordpress.com/2010/06/08/bp-crisis-rational-analysis-what-bp-did-not-perform/4)http://www.slideshare.net/Foboni/generalized-tolerability-and-risk-based-decision-making-examples-19-oct-5554686(c)Oboni Riskope Associates Inc. Page 3 of 8
    • Riskopes Approach. STEP 2: Converting Risk Register Data into UsableDataIn order to move forward Riskope had to convert OTs matrix frequencies into probabilities, andeliminated the useless and confusing indexes. Once the indexes were eliminated it became possibleto evaluate “real” risks, as the product of probability and consequences, expressed in monetaryterms, and plot them in a probability-Consequences (Losses) diagram.That diagram (Probability (vertical axis, a number between nil and one)- Consequences (horizontalaxis, dollars)) is displayed in Figure 1, with all OTs Risk Register scenarios, the newly definedtolerability curve plugged in. As it can be noted, the curve follows the steps of the matrix threshold(yellow-red limit) classes displayed here in log-log scale (reason for which the width and thicknessof the boxes decreases from bottom left to top right).Figure 1. The original matrix cells are shown on a log-log probability-consequences plot, togetherwith the newly developed OTs tolerability curve.The “total” risk for each scenario can be calculated, and when applicable, it is possible to evaluatewhich portion of that risk lies above the tolerability as depicted in Figure 2.Figure 2. When probability and consequences of a scenario are evaluated, the total risk is equal (p*C)to the surface of the rectangle (sum of orange and blue areas). The blue area is the tolerable part ofthat scenario, the orange part is the intolerable portion. NB: the log-log scale requires some attentionwhen interpreting the relative size of surfaces, as shown in the bar diagram at the right, in decimalscale.(c)Oboni Riskope Associates Inc. Page 4 of 8
    • The bar graph below, in Figure 3 shows, as an example, a small portion of the risks from OTsoriginal Risk Register, with in blue the tolerable part, the intolerable part in orange, and the totalrisk equal to the sum of the blue and orange bar.Figure 3. A small part of OTs original Risk Register, with, for each scenario, tolerable and intolerablerisk partition.If we plot risks from highest down to the lowest, the chart in the next page represents the first 20risks (Figure 4).We can easily see from Figure 4 that even though some risks scenarios are overall higher (blue andorange bar), the size of the intolerable part (orange bar) may lead to a completely differentprioritization and respective allocation of mitigative resources.(c)Oboni Riskope Associates Inc. Page 5 of 8
    • Figure 4. OTs largest total risks, in decreasing order from left to right.Riskopes Approach. STEP 3: Rational Prioritization of RisksRational and transparent prioritization is indeed achieved when risks (above tolerability) are rankedin decreasing order of intolerable portion (only the orange bars), even if the overall risk is higher,leading to the graph displayed in Figure 5, next page. (c)Oboni Riskope Associates Inc. Page 6 of 8
    • Figure 5. OTs Risk Register risks are now ranked in decreasing order (from left to right) of theirintolerable part.At this point it becomes interesting to compare the relative value of the risks intolerable part for theallocation of resources regarding mitigations measures.Figure 6. Relative values of the intolerable part of OTs risks. (c)Oboni Riskope Associates Inc. Page 7 of 8
    • We can see from Figure 6 that five OTs scenarios count for 83% of the total intolerable risks.We could therefore state, at first sight, that for every dollar spend for mitigation measure around 80cents should be spent equally (or in relative proportions) for the 5 “first” risks, then the remaining20 cents should be split equally amongst the next 16 risks. 30 scenarios should not even beconsidered at this time.In other words, among the 50 risks scenario present in OTs Risk Register, 5 should be allotted 80 %of the resources and 15 others should employ 20% while the remaining 30 should not even beconsidered before the first 20 are not brought below the tolerability curve.When the implementation of mitigative measures will change the risks panorama, the prioritizationwill change and it will be very easy to update the rankings with the new rational allotments.ConclusionsBy using a newly developed OTs tolerability curve, which complies with AAA matrix classesthresholds, and using the intolerable part of risks as a rating parameter, we determined a new ratingwhich allows for more rational capital and efforts allotment.Following the new rating it can be seen that among those 50 risks, 5 should be allotted 80 % of theresources and 15 others should employ 20% while the remaining 30 should not even be consideredbefore the first 20 are not brought below the tolerability curve. This is way more focused andrational than OT/AAAs original rating of the same 50 risks which split into 0 Severe, 14 High, 25Medium and 11 Low risks,If we look at a comparison, thats 5 risks sharing 80% of the available resources, against 14 riskssharing an unspecified percentage of the available resources. Or 15 risks sharing 20% of theavailable resources, instead than 25 risks sharing an unspecified percentage of the same. One otherway of seeing it? Well, if OTs Management have to mitigate 5 risks instead of 14, they will bekeener to do so, and it will be done faster, as they do not feel overwhelmed.In this paper, we have shown how your “standard” risk approach (risk assessments, riskregister, ERM) that your peers and superiors already understand and “own” can be turned into acutting edge competitive advantage, freeing capitals for business and production development,leading to more easily defensible, justifiable decisions. In other words, the mantra is: stopwasting moneys and efforts in security measures that do not pay off, over-investing in somemitigations and, may be, under invest in others, with, in both cases, potentially devastatingunjustified consequences. Our metric is consistent, unambiguous, and provides context for betterunderstanding your organizations risks.Here you have a summary of the benefits yielded by the approach : • The prevalent critical risks were brought forward in a clear, rational and defensible way. • The number of critical issues was shown to be smaller than originally evaluated at Status Quo. • The insurance portfolio was shown to be poorly balanced and adjustments were proposed. • The new priority list let Management make better decisions in mitigative investments allotment and freed moneys that could be better allocated elsewhere. • The methodology allows rational updating of the probabilities when new data are gathered.(c)Oboni Riskope Associates Inc. Page 8 of 8