Risk practitioners who evaluate risk as a single number will miss the shape of uncertainty.
If risk is the effect of uncertainty on objectives, just as ISO 31000 defines it to be, we need to accept that there are many ways to describe this uncertainty. In this short blog posting I am going to demonstrate that risk has shape and being able to dimension this shape will tell us a lot more about the underlying risks we have to manage.
In section 2.19 of the ISO 31000 standard, it states "the word likelihood is used to refer to the chance of something" and in section 2.23 of the same principles and guidelines document, the following is written; "Magnitude of a risk (2.1) or combination of risks, expressed in terms of the combination of consequences (2.18) and their likelihood (2.19)".
This has encouraged many practitioners to evaluate risk in the literal sense by capturing some estimate of likelihood for a specific risk and then multiply that figure in the air evaluation with some other hypothetical loss potential. This way of calculating risk is so far from being coherent, it is misleading to stakeholders and risk managers must stop doing this. All fairing well, the ISO 31000 standard will be reviewed at some point in the future to improve or perhaps extend the guidance around 'the combination of consequences and their likelihood'.
Beyond this oversight, simply stating risk as a number, whether that number is derived in a coherent manner or not, is also quite professionally lacking and needs attention.
This has encouraged many practitioners to evaluate risk in the literal sense by capturing some estimate of likelihood for a specific risk and then multiply that figure in the air evaluation with some other hypothetical loss potential. This way of calculating risk is so far from being coherent, it is misleading to stakeholders and risk managers must stop doing this. All fairing well, the ISO 31000 standard will be reviewed at some point in the future to improve or perhaps extend the guidance around 'the combination of consequences and their likelihood'.
Beyond this oversight, simply stating risk as a number, whether that number is derived in a coherent manner or not, is also quite professionally lacking and needs attention.
Simple example
We can explore the shape of risk with a simple example and to keep it straightforward, we'll only look at the magnitude aspect of two separate risks for the time being. I will post another article that investigates the frequency of a risk horizon in the same demonstrative manner because that is also interesting and worthy of investigative blogging.
For the sake of this example, imagine we have two separate and independent risks; Risk 'A' and Risk 'B' which have been causing management some grief in a company over several months.
If we were to look at the risks without considering the shape of them, one might believe they are the same kind of threat, have similar critical natures and the frequency of each potential event appears to be equal. Certainly the maximum for both risks is in the same $100 trajectory. In fact, Risk A looks to be much more serious than Risk B on a second glance because its losses are generally $43 on average as opposed to $26 for our Risk B situation.
At the mean position, the broken frequency x magnitude thinking would have us believe that the average loss potential for Risk A is around $1031 rather than $634 for Risk B. Basic deduction, a common practice used by too many risk practitioners out there would have us labeling the risks as either the same or Risk A being a much more serious threat.
For the sake of this example, imagine we have two separate and independent risks; Risk 'A' and Risk 'B' which have been causing management some grief in a company over several months.
If we were to look at the risks without considering the shape of them, one might believe they are the same kind of threat, have similar critical natures and the frequency of each potential event appears to be equal. Certainly the maximum for both risks is in the same $100 trajectory. In fact, Risk A looks to be much more serious than Risk B on a second glance because its losses are generally $43 on average as opposed to $26 for our Risk B situation.
At the mean position, the broken frequency x magnitude thinking would have us believe that the average loss potential for Risk A is around $1031 rather than $634 for Risk B. Basic deduction, a common practice used by too many risk practitioners out there would have us labeling the risks as either the same or Risk A being a much more serious threat.
Risk has shape
To save us from these common misconceptions, perhaps we should view the risks in a coherent manner or as distributions. Let's do that for a moment and see whether our opinion that Risk A is a more serious threat still stands.
When we view the losses from each risk through time, both risks appear to be more or less in the same range. Although, Risk A did seem to grow between the event horizon from 7 to 15 months.
A better way to analyze these risks would be as distributions and the density function in R-Project disperses the mass of the empirical distributions through a fast fourier transformation process to display discrete kernels of potential loss. Doing this for both of our risks turns out a very interesting output which I will describe below.
Risk A appears to be quite stable, nearly predicable in some respects and far more certain in the realm of uncertainty than Risk B. Risk B on the other hand, generates quite small losses most of the time but when it occurs, it has the potential to develop massive tail effects which are hard to predict and difficult to estimate. The physical experience of Risk B to a stakeholder would be that of something that is quite unknown, unreliable, difficult to explain and control.
So then, if risk is the effect of uncertainty on objectives, as ISO 31000 has us believe; a boxplot of both risks would demonstrate that while Risk A is generally more expensive, Risk B is far more uncertain!
When we model the moving average of both risks side by side, another interesting phenomenon becomes evident. Risk A is improving but Risk B is becoming much worse through time.
Looking at single point estimates on these risks would not bring this feature of the risks forward but modeling the growth function of both risks demonstrates another problem for stakeholders. Risk A may have given managers a lot of problems in the past but they should not become fixated on this situation as the threat is declining overall. Managers should focus their attention to Risk B which is rapidly growing, highly unstable and potentially could become a much bigger concern than its counterpart.
The R-Project code used in this demonstration can be found above.
When we view the losses from each risk through time, both risks appear to be more or less in the same range. Although, Risk A did seem to grow between the event horizon from 7 to 15 months.
A better way to analyze these risks would be as distributions and the density function in R-Project disperses the mass of the empirical distributions through a fast fourier transformation process to display discrete kernels of potential loss. Doing this for both of our risks turns out a very interesting output which I will describe below.
Risk A appears to be quite stable, nearly predicable in some respects and far more certain in the realm of uncertainty than Risk B. Risk B on the other hand, generates quite small losses most of the time but when it occurs, it has the potential to develop massive tail effects which are hard to predict and difficult to estimate. The physical experience of Risk B to a stakeholder would be that of something that is quite unknown, unreliable, difficult to explain and control.
So then, if risk is the effect of uncertainty on objectives, as ISO 31000 has us believe; a boxplot of both risks would demonstrate that while Risk A is generally more expensive, Risk B is far more uncertain!
When we model the moving average of both risks side by side, another interesting phenomenon becomes evident. Risk A is improving but Risk B is becoming much worse through time.
Looking at single point estimates on these risks would not bring this feature of the risks forward but modeling the growth function of both risks demonstrates another problem for stakeholders. Risk A may have given managers a lot of problems in the past but they should not become fixated on this situation as the threat is declining overall. Managers should focus their attention to Risk B which is rapidly growing, highly unstable and potentially could become a much bigger concern than its counterpart.
What can we learn from this?
There is a lot we can learn from this simple exercise starting with risk analysts should stop comparing risks by their equivalent dollar amounts. Secondly, what is uncertain has nothing to do with the size of these amounts. Most importantly, risk has shape and that shape can change through time.
The R-Project code used in this demonstration can be found above.
Hi mate. Nice one. But make your code text, so I can copy and paste it (a la github)... Cheers, Seanie
ReplyDeleteSean,
ReplyDeleteGood point, in future I will make the code available as text.
In this example, I have done so here.
#Example Code Below
ma <- function(x,n=4){filter(x,rep(1/n,n), sides=2)}
a=c(12,44,2,7,17,33,65,72,29,80,81,95,48,100,94,73,51,49,19,4,5,3,18,30)
b=c(12,8,2,7,17,3,8,19,29,35,17,9,10,100,1,25,28,27,37,27,29,90,76,18)
plot(a)
lines(a)
plot(b)
lines(b)
plot(density(a, from=min(a), to=max(a)))
plot(density(b, from=min(b), to=max(b)))
boxplot(a)
boxplot(b)
plot(ma(a))
plot(ma(b))