In the first article on The Shape of Risk [LINK], we investigated why risk practitioners who simplify risk evaluations to a single point estimate will miss the shape of risk and we demonstrated this problem by comparing two very similar but independent risks side by side.
Our inaugural posting on the Shape of Risk series (I fair there might be a few chapters to come yet) attempted to keep the analysis lucid by only focusing on the comparable magnitude aspect of two risks and while the Shape of Risk part I is a nice bite size read, it leaves the frequency of a potential risk event untreated.
In this blog posting we'll address measurements around the likelihood aspect of risk accordingly and hopefully in the same straightforward manner.
When I peruse a typical risk register, risks are often itemized in a massive list with each risk having an associated likelihood of event tagged next to it. This seems easy to intellectually accommodate but this thinking is very short sighted and if a risk event has some estimated probability of occurrence in the next year, we might want to ask ourselves what the likelihood is for the event over a two year objective horizon?
What is worse is that there may be a chance of a risk event happening more than once over an assessment horizon and it might be that which causes our demise. Our ability to accommodate or tolerate capacity is so often ignored as a threat in risk management and that is quite disappointing.
Showing monstrous lists of risks to managers in a risk register is frustrating for these stakeholders, especially when all we say about a specific risk is that it has some arbitrary average 5% chance of occurrence in the next year. There is of course a 95% chance that risk event won't happen at all and treating such improbable events or provisioning for them starts to make risk management an expensive activity to entertain but also with little return.
If that is how risk registers are working in your company, don't be surprised if general managers and board members see the fraternity of risk management as unpleasant to deal with. Firstly we are telling these people negative things, secondly we ask them to spend money to fix these 'ghost like' risks and thirdly what we all fear rarely happens.
We need to address the way risk registers operate and the way risk information is presented to stakeholders and I might post another blog article recommending best practices for risk registers at some point in the future.
What is worse is that there may be a chance of a risk event happening more than once over an assessment horizon and it might be that which causes our demise. Our ability to accommodate or tolerate capacity is so often ignored as a threat in risk management and that is quite disappointing.
Showing monstrous lists of risks to managers in a risk register is frustrating for these stakeholders, especially when all we say about a specific risk is that it has some arbitrary average 5% chance of occurrence in the next year. There is of course a 95% chance that risk event won't happen at all and treating such improbable events or provisioning for them starts to make risk management an expensive activity to entertain but also with little return.
If that is how risk registers are working in your company, don't be surprised if general managers and board members see the fraternity of risk management as unpleasant to deal with. Firstly we are telling these people negative things, secondly we ask them to spend money to fix these 'ghost like' risks and thirdly what we all fear rarely happens.
We need to address the way risk registers operate and the way risk information is presented to stakeholders and I might post another blog article recommending best practices for risk registers at some point in the future.
The frequency of risk events
A different way of looking at the probability of an event across a time horizon is not just tied to its likelihood alone but as a frequency distribution.
These things are always better explained with an example.
Let's say we have a processing function in a business that receives a job order on average of 2 per day where a single day happens to be our objective horizon. What would the probability be for no orders, two or three orders across this objective horizon and so on?
These things are always better explained with an example.
Let's say we have a processing function in a business that receives a job order on average of 2 per day where a single day happens to be our objective horizon. What would the probability be for no orders, two or three orders across this objective horizon and so on?
What can we learn from this?
Many things but what is most useful is that we are able to explore around our average expected likelihood estimate because of the factorial design of the Poisson equation. We are able to describe the probability of events leading up to a specific threshold or limit, the probability of exceeding that limit and so on. This information is far more useful for risk analysts and stakeholders alike because it allows us to understand the nature of uncertainty rather than simply stating we have a probability of 'x' events in 'y' number of days. It also allows us to express uncertainty within a confidence banding!
In the global risk standard ISO 31000, it recommends the following in respects to the likelihood of risk in section 2.19 of the main practice document: "the chance of something happening described using general terms or mathematically (such as a probability or a frequency over a given time period)" and I recommend risk practitioners sharpen their tools to evaluate the latter ~ "frequency over a given time period".
When things break
Extending on with the idea of measuring the frequency of things we can assess, small things perhaps that are giving us more regular data, we can use this information to ascertain where capacity can be managed, where the system will break and the probability of that system breaking as we move towards the danger zone. Looking at the probability of an event or the likelihood of an event as a frequency of occurrence helps stakeholders understand the shape of risk, the tail probability which they may not have the capacity to tolerate.
In the four chart sets above, we can see the outcomes of an event becoming more increasingly common as we increase the average likelihood of occurrence and in this case, risk is being assessed with different positions for alternate environmental factors, not just as a chance likelihood that was plucked out of thin air.
In the four chart sets above, we can see the outcomes of an event becoming more increasingly common as we increase the average likelihood of occurrence and in this case, risk is being assessed with different positions for alternate environmental factors, not just as a chance likelihood that was plucked out of thin air.
The R-Project code for this example can be found above and has been added to this blog as a comment.
The R-Project code for this article can be found here:
ReplyDeletedpois(0,2)
dpois(3,2)
par(mfrow = c(2,2)) # multiframe for charts
x<-0:10 # look at ten different positions
# look at the outcome of different Poisson posibilities
plot (x, dpois(x, 2), xlab = "Number of Events",
ylab = "P(X = x)", type = "h", main= "Department Events: Poisson(2)")
plot (x, dpois(x, 3), xlab = "Number of Events",
ylab = "P(X = x)", type = "h", main= "Department Events: Poisson(3)")
plot (x, dpois(x, 4), xlab = "Number of Events", ylab = "P(X = x)",
type = "h", main= "Department Events: Poisson(4)")
plot (x, dpois(x, 5), xlab = "Number of Events", ylab = "P(X = x)",
type = "h", main= "Department Events: Poisson(5)")