
Thursday, December 5, 2013

The why in Inherent Risk

About a year ago I wrote an article on inherent risk versus residual risk and what the differences actually are. That preamble of a posting can be found here [LINK] but in this update we are going to look at why it is important to understand and then dimension inherent risk.

The Importance
When it comes to ideas around inherent risk, I seem to come across three types of enterprise risk managers. The first group don't understand the definition of the English term [LINK] to begin with and tragically that is where it kind of ends. Then there are those that have the lexicon gumption to comprehend the definition of 'Inherent' but they are unable to interpret its meaning in the context of their specific risk work. There can be many reasons for these types of epistemic gaps in knowledge and sometimes fault should not be tagged against the competency of the individual. The final bunch, the smallest of the three might I add, accept the definition, can interpret its meaning and go about developing a method for identifying specific implications that might exist from this pure source of risk knowledge.

Fascinatingly, it is possible to filter out ERM people from the general madding crowd based on how they answer the following question:
Do you understand and accept inherent risk as it is defined in the English language and if so, what does that mean for you?
A typical but deeply concerning response goes along the following lines: "I don't assess the underlying circumstances for a threat or it is too hard to imagine a world without any control". Stakeholders faced with this kind of retort should be deeply concerned because they are inevitably dependent on their risk manager for implementing sound risk management practices.
In short, if you don't have any anchor on the inherent threats you face, you won't know why you are controlling your potential risks at the outset. You may know how to control a risk because a control happens to be accidentally present in your risk framework, you may even know what type of threats you face but at the same time true understanding on threats from your environment will be opaque to you.

Gaining an understanding on the inherent precondition is a starting point for explaining why we manage risk and it will lead a risk analyst to the 'what' and the 'how' to control risk as an outcome. In this posting, we are going to fill in the 'why we should understand inherent risk' with four very simple examples from the real world. We could of course conjure up a lot more important cases where inherent risk needs consideration but three or four examples should hopefully explain our 'why' here.

Inherently Live
Perhaps one place where inherent threats are considered in everyday life would be in the use of electricity. The reason why a fuse is between the live electrical source and the remainder of the electrical circuit is to remove the inherent threat. A fuse on the neutral pin would work as an effective control but only in some cases as it wouldn't capture the threat from power as the electricity travels from the wall socket to your device. This live position is the entire inherent source of the threat and the best place to locate a fuse.

The British Electrical Standard

While the design of this electrical circuit is taken for granted or in most cases probably entirely unknown by many of its users, its implication is worthy of making mention to here because the fuse design evidences that a control position between inherent threats and outcomes will impact the functional strength of the overall control network.

The earth wire in a plug is also a control but a different kind of control. The earth wire takes 'some' of the residual electrical charge away from the user when there is a failure but the fuse on the other hand limits the amount of electrical charge or inherent threat that theoretically can be presented to the user at source.

A sound understanding of inherent risk in this case has actually improved the field of engineering for electrical and mechanical products for decades and risk managers could do well by learning more from the design tinkering that has gone on in these adjacent fields of study.
Inherent Risk Lesson: Control position between inherent threats and outcomes will impact the functional strength of the overall control network.
Let's look at a different form of inherent risk ...

Symptomatic Failure
Risk managers that focus on outcomes rather than driving factors will often end up treating the symptom of a problem rather than its cause.

In the table below, the sample mean temperature of patients suffering from different ailments shows similar outcomes for each patient's immune response to different infections. However, the cause of the inherent disease is vastly different, has hugely alternate survival rates and may require very divergent management solutions to reduce fatalities.

Different temperatures from alternate illnesses

There is much that can be learned from this very simple but real example as well but perhaps most importantly, we need to accept that inherent threats may have similar outcomes with aligned causes and risk indicators such as temperature readings may not be able to differentiate the cause-effect relationship unless inherent preconditions are fully understood. What's worse in this case is that without the inherent disposition of a patient being known, the wrong treatment might not be effective at all.
Inherent Risk Lesson: You can't always diagnose the ailment of a patient from simply reading residual indicators such as temperature alone.

Understanding Capacity
If the electrical and medical examples aren't good enough arguments for justifying the importance around understanding inherent risk, let's expand on this idea of pre-existing inherent dispositions further to show how inherent risk can be dimensioned.

The idea of inherent risk is often seen by some as the risk before treatment. In the purest sense it can be depicted as the total raw threat without any control, but inherent risk isn't really this empty control position alone. Another way of conceptualizing inherent risk is by considering the prevailing conditions of the environment in which an asset or an objective at risk operates, in line with the preconditions of the asset.

For argument's sake let's imagine there are two types of model operating facilities (our assets or objectives or product as it is) and it has been identified that through time the ability of these services to function without error diminishes. This risk feature now becomes a precondition of the asset and it isn't an uncommon phenomenon if you think about it more broadly; things do become ancient, redundant or misaligned to change, people do age over time and eventually enter the Zimmer Frame world of existence.

In our example we have two facilities and an inherent precondition of burnout through time. The risk in this case can be interpolated by considering the disposition of the environment on the objective rather than estimating existing risks without control. When risk analysts say to me that they can't estimate inherent risk because they can't imagine a world without control, they are missing the subtle point under inherent risk in my opinion. Inherent risk can be understood by interpolating information around a pre-existing disposition, not assessing an imaginary world without control.

Inherent risk as measure for capacity planning

In our example above, the two systems or products are of different ages (new:2 and old:1) and there are eight failures across time. The inherent risk in this case is the application of failure, age and time together across the two independent systems and our three dimensional sum product matrix shows us in a deterministic manner the relationship each asset has given its age, model and failure rate.  This is a straightforward calculation that was executed in R-Project in a few lines of code but the resulting outcome of 4,5,8,19 (see the circle) forms a curve that will tell us where we sit with or without control. It tells us what the underlying pre-existing condition is taking in all inherent factors and that can be used as a benchmark for inherent risk. So then and back to our example; given system model II moves from 5 to 19 when it ages, you might want to introduce a control to reduce the outcomes of the inherent risk through time before you reach that point in time.
Inherent Risk Lesson: Understanding the relationship of prevailing trends on preconditioning will allow us to plan for capacity in line with uncertainty.

Cost Benefit Analysis
Perhaps the most important application of inherent risk is Cost Benefit Analysis because it tells us whether we should expend financial resources to control a risk or simply accept a risk as a prevailing cost of being in business.  Again, I have listed two separate and independent types of risks below along with their inherent risk positions, the residual risk positions or the after control response, and the control effectiveness across various positions of control strength.

The beginnings on Cost Benefit Analysis

We have to accept that inherent risk and control effectiveness are unlikely to be stationary and consequently the residual exposure will vary as an outcome of this net pre-condition. Let's be real here, residual exposure doesn't originate from emptiness unless it is an outcome of iatrogenesis or the introduction of risk by inappropriate treatment and/or process.

In our example the first risk has huge variance or massive amounts of uncertainty but sadly it also has a high fixed operating cost. These types of controls tend to offer us negative control benefits when inherent volatility is low and control effectiveness is high. On the other hand, turning off the control would leave the stakeholder massively exposed to loss during periods of dysfunctional control use and high inherent uncertainty; a worst case nightmare is when such conundrums occur simultaneously.

The pre-disposition or nature of the first risk is a great example of threats that annoy management most of the time, are expensive to control but if we let go of that control, we are left with a business unit that is massively endangered to outcomes of inherent risk.

So what do we do with such hazards?

Many risk managers would consider transferring these threats away using insurance like contracts or derivatives and that would require us to price the premium before going forwards with this specific type of treatment. Given all of this then, perhaps the most important aspect of utilizing the knowledge of inherent risk isn't to improve control positions at all. Our first example case study is important, no doubt about that but being able to price risk is at the heart of decision making and stakeholders need to know what a treatment will cost before they can buy into it.
Inherent Risk Lesson: The difference or spread between inherent and residual risk allows us to understand the effectiveness of a control and that will lead us to being able to derive the benefit of cost for operating that control. If we follow this thinking through to the end, we will eventually be able to price risk.
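
The spread calculation in the lesson above can be carried through in a few lines. This is an added example, not the author's own calculation: every figure is constructed, and the proportional residual model and the names `Period`, `net_benefit` and `premium_ceiling` are assumptions made for illustration.

```python
"""Added example: cost-benefit of a fixed-cost control across periods.
All figures are constructed; the residual model is an assumption."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Period:
    label: str
    inherent: float       # expected loss with no control in place
    effectiveness: float  # share of inherent loss the control removes (0..1)

def residual(p: Period) -> float:
    # Assumed model: the control removes a proportional share of inherent loss.
    return p.inherent * (1.0 - p.effectiveness)

def net_benefit(p: Period, fixed_cost: float) -> float:
    # Spread between inherent and residual, less the cost of running the control.
    return (p.inherent - residual(p)) - fixed_cost

def break_even_inherent(effectiveness: float, fixed_cost: float) -> float:
    # Inherent loss below which the control costs more than it saves.
    return float("inf") if effectiveness <= 0 else fixed_cost / effectiveness

def mean_cost_accept(periods) -> float:
    return sum(p.inherent for p in periods) / len(periods)

def mean_cost_control(periods, fixed_cost: float) -> float:
    return sum(residual(p) + fixed_cost for p in periods) / len(periods)

def premium_ceiling(periods, fixed_cost: float) -> float:
    # Expected-value view only: a transfer premium above the cheaper of
    # "accept" and "control" is not worth paying. Ignores risk appetite.
    return min(mean_cost_accept(periods), mean_cost_control(periods, fixed_cost))

FIXED_COST = 50.0  # constructed per-period operating cost of the control
PERIODS = [        # constructed sample periods
    Period("calm, control strong", 20.0, 0.9),
    Period("calm, control strong", 30.0, 0.9),
    Period("stressed, control strong", 400.0, 0.8),
    Period("stressed, control weak", 400.0, 0.2),
]

if __name__ == "__main__":
    for p in PERIODS:
        print(f"{p.label:26} inherent={p.inherent:6.1f} "
              f"residual={residual(p):6.1f} net={net_benefit(p, FIXED_COST):7.1f}")
    print("premium ceiling per period:", round(premium_ceiling(PERIODS, FIXED_COST), 2))
```

In the calm periods the control runs at a loss even at 90% effectiveness, while in the stressed periods it pays for itself many times over, which is the pattern described for the first risk.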
So there we have it, four lessons on why it is important to understand inherent risk.
