Tuesday, May 14, 2013

Hidden in a risk register

Risk registries are useful reports for looking at the entire hazard horizon across an enterprise but they have some issues which many risk analysts overlook.

In this blog posting, we take a look at a fundamental flaw found in nearly all risk registers.


The Risk Register
A typical registry will list all risks in one report, where each risk is shown on a single line with various descriptors about it. Traffic light colours are often used to highlight how critical each risk may be and in good risk registers the traffic light scale is based on the consideration of all data points across the risk data set for establishing this scale.

An example of a leading risk registry is shown below.

The typical risk register | Martin Davies

While the practice of risk reporting through registries should probably stay, there are some drawbacks with the technique which analysts need to be aware of. Let's take a look at one of the greatest flaws in risk registries.
 
Scaling
When an analyst observes a single risk or data point alone, its significance will nearly always be lost in the noise of the data. Additionally, risk registries have a tendency to summarise a threat into a single number, but we must not forget that each risk has originally been 'cast' from many data points. Risks aren't single points in time but a curve of positions over time, and this will inevitably be dropped when risks are viewed in a risk registry list.

Focusing on one data point | Martin Davies

This framing also leads to human oversights, and prioritised lists nearly always encourage management to "cherry pick" across the list. Executives are likely to attend to the big ticket items first, for no other reason than that these items stand out. However, these single risks alone may not be the most serious concern for a firm, and many businesses are resilient to a very large single event as long as the condition can be contained.

Looking at the bigger picture | Martin Davies

An alternative way of looking at risk is to group risk cases so that interrelationships can be identified, but your typical risk register is unlikely to show these important associations between data points.

An integrated picture of reality | Martin Davies

Correlations between risks or the combination of diversified threats may create outcomes that are far more serious than the fallout experienced from a single threat alone. In the case of the Global Financial Crisis, such secondary knock-on effects were one of the driving factors that fueled the crisis, and these effects drew out the crisis by making it difficult for governments to resolve.
 
Another Consideration
So then, if we look beyond the typical constraints of a risk register, there is much to be gained. A bigger picture of risk becomes visible to us with 'correlation on', and the good news here is that this type of modelling does not have to be complex.

Different Pictures of Risk | Martin Davies

In the facile statistical model above, all the Frequency and Magnitude data points from a hypothetical risk registry have been plotted on a 3D scatter chart. The data points have also been correlated against a third factor labelled 'management control', which will identify the risks that are most serious to treat either alone or as a combination of threats.

This model is far from complete, but then it is only a five-minute experiment with a risk registry. Nonetheless, what it does do is paint a more complete picture of our threat horizon than simply focusing on a single point in a list of risks.
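The contrast between the list view and the correlated view can be shown in a few lines. The following is an added example, not the model pictured in this post: the register entries and quarterly loss figures are constructed, the 0.8 correlation threshold is an assumption, and the 'management control' axis is left out to keep the focus on correlation.

```python
from itertools import combinations
from math import sqrt

# Constructed sample: loss per quarter for each register line (arbitrary units).
REGISTER = {
    "plant fire":       [41, 39, 40, 40, 40, 40],
    "supplier default": [10, 12, 30, 11, 35, 10],
    "fx exposure":      [8, 9, 28, 10, 33, 8],
    "credit loss":      [12, 11, 32, 13, 36, 12],
    "staff turnover":   [5, 6, 5, 6, 5, 6],
}

def pearson(x, y):
    """Pearson correlation of two equal-length loss curves."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / sqrt(vx * vy) if vx and vy else 0.0

def register_view(reg):
    """What the list shows: one number per risk (mean loss), largest first."""
    return sorted(((sum(v) / len(v), k) for k, v in reg.items()), reverse=True)

def clusters(reg, threshold=0.8):
    """Union risks whose loss curves correlate above the (assumed) threshold."""
    parent = {k: k for k in reg}
    def find(k):
        while parent[k] != k:
            k = parent[k]
        return k
    for a, b in combinations(reg, 2):
        if pearson(reg[a], reg[b]) > threshold:
            parent[find(a)] = find(b)
    groups = {}
    for k in reg:
        groups.setdefault(find(k), []).append(k)
    return list(groups.values())

def cluster_view(reg, threshold=0.8):
    """Worst combined quarter for each correlated cluster, largest first."""
    out = []
    for members in clusters(reg, threshold):
        combined = [sum(q) for q in zip(*(reg[m] for m in members))]
        out.append((max(combined), sorted(members)))
    return sorted(out, reverse=True)

if __name__ == "__main__":
    print("register top:", register_view(REGISTER)[0])
    print("cluster top: ", cluster_view(REGISTER)[0])
```

On this sample the list ranks the plant fire first on its single averaged figure, while the three mid-sized financial risks move together and their worst combined quarter is more than double the plant fire's worst quarter.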
