## One objective but multiple risks

One of the problems with ‘traditional’ risk management, which relies heavily on the periodic review of a list of risks (a risk register or what COSO calls a risk profile), is that it considers one risk at a time.

But there will usually be more than one risk that might affect the achievement of any objective. (I find it difficult to think of any objective where there is a single source of risk.)

So how do you consider the aggregate effect of these risks?

How do you know whether the level of risk to your objective is acceptable?

The level of risk for each individual source of risk may be within what you call acceptable (based on risk appetite or criteria).

But the level of risk to an objective could be unacceptable when you consider all the sources of risk.

For example, if you have the objective of opening a new office and delivering additional revenue, many things might happen to affect its achievement, such as:

- Delays in the ability to open the office such as obtaining electrical supply, final inspection approvals, and so on
- Issues hiring local personnel to staff key functions
- Challenges connecting the new office to enterprise systems, such as security issues, a new language, and additional privacy regulations
- Changes in the local economy
- Adverse coverage in the local press
- Problems with labeling your products in the local language and complying with local labeling regulations
- Supply and logistics issues
- New products or changes in price from a local competitor or a global competitor that wants to challenge you in the local market
- Turnover among key contacts at the companies you have targeted for sales
- …and so on

How do you aggregate these different sources of risk?

Some organizations and consultants are wedded to the idea that the level of risk can be quantified and calculated as the magnitude of a potential effect (or consequence) multiplied by its likelihood. There are several problems with that, including:

- There is almost always a range of possible consequences, each with its own likelihood, not a single point.
- That range could include both positive and negative consequences. For example, the risk of a change in the value of a foreign currency (compared to your own) can be positive or negative.
- It is difficult, if not impossible, to put a value on some sources of risk – such as employee safety.

But, let’s assume we can get past those and we have five sources of risk. For each, the potential (adverse in each case) effect is assessed at $100,000 and the likelihood is 10%. So, the simple calculation gives us $10,000 for each.

Do we simply calculate the aggregate level of risk at $50,000?

No. Let me explain with a hypothetical.

You are standing on the side of the street.

There is a 10% chance of rain; a 10% chance of being mugged (it’s a bad area); a 10% chance of meeting your mother-in-law; a 10% chance of being hit by water thrown up by a passing car; and a 10% chance of a bird using you for target practice.

Is there a 10% chance of every single one of them happening? Even if there is a 10% chance of each happening within a year, will they all hit on the same day?

No.

Unless there is a single event or situation – a common point of failure (something that triggers more than one effect) – the likelihood of them all occurring is the product of their likelihoods:

10% * 10% * 10% * 10% * 10% = 0.001%

Coming back to the five sources of risk, each of which is assessed at a 10% likelihood of $100,000, unless there is a single and common triggering event or situation, the likelihood of a $500,000 effect is inconsequential: 0.001%.

But can we ignore the fact that there are multiple potential sources of risk to a single objective?

Not at all.

Would you live in an area prone to earthquakes? I do.

Would you live in an area where there is a relatively high level of burglary? I do.

Would you live in an area that is likely to flood?

Would you live in an area where the level of noise is high?

You might choose to live where just one of these applies. But would you live where all of them apply, and probably others as well?

Common (and business) sense tells us that when there are more sources of risk, even if each one individually is acceptable, you are less willing to take a risk.

In the example, while there is a 10% chance of a specific one hitting, there is a 50% chance[1] that at least one of the five (we don’t know which) will hit and a 10% chance[2] that two or more (we don’t know which two) will hit.

(Maybe some of you more mathematically inclined readers will correct the above and/or explain how to aggregate sources of risk that don’t even get measured the same way, such as compliance risk, employee safety risk, reputation risk, and so on.)

I have faith in the human power of common sense.

The keys are:

- Understand that a single objective, project, or plan has multiple sources of risk.
- Understand the level of each and whether it is acceptable – and why.
- Consider whether there is a common point of failure.
- Carefully consider whether, with all the information about what might happen, it makes business sense to take the risk.

I welcome your thoughts and perspectives.

[1] The likelihood of A __or__ B is the addition of their individual likelihoods. There are 5 pairs, so 5 * 10%.

[2] The likelihood of A __and__ B or A __and__ C and so on: 10 pairs, each with a likelihood of 10% * 10%.
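The arithmetic above (the $10,000 per source, the 0.001% chance of all five hitting, and the chances of “at least one” and “two or more”) can be worked exactly. The following is an added example, not code from the original post: it takes the post’s own illustration (five sources of risk, each a 10% likelihood of a $100,000 adverse effect), assumes the sources are independent (no common point of failure), and computes the expected loss, the distribution of how many sources hit, and the distribution of the total adverse effect. The source labels are constructed from the new-office list earlier in the post; the counting routine is general, so it also works when the likelihoods and effects differ from source to source.

```python
"""Exact aggregation of independent sources of risk to one objective.

Added example, not code from the original post. It uses the post's
illustration (five sources, each a 10% likelihood of a $100,000 adverse
effect) and assumes the sources are independent: no single event triggers
more than one of them. Expected loss adds; probabilities do not.
"""
from collections import defaultdict
from itertools import product

# Constructed from the post's figures: (label, likelihood, adverse effect in $).
SOURCES = [
    ("delays opening the office", 0.10, 100_000),
    ("hiring local personnel", 0.10, 100_000),
    ("connecting to enterprise systems", 0.10, 100_000),
    ("changes in the local economy", 0.10, 100_000),
    ("competitor action", 0.10, 100_000),
]


def expected_loss(sources):
    """The mean loss is additive: sum of likelihood * effect (the post's $10,000 x 5)."""
    return sum(p * effect for _, p, effect in sources)


def hit_count_distribution(sources):
    """P(exactly k sources hit) for k = 0..n, assuming independence.

    A dynamic programme over the sources (a Poisson-binomial), so it works
    whether or not every source has the same likelihood.
    """
    dist = [1.0]  # no sources considered yet: P(0 hits) = 1
    for _, p, _ in sources:
        nxt = [0.0] * (len(dist) + 1)
        for k, q in enumerate(dist):
            nxt[k] += q * (1 - p)   # this source misses
            nxt[k + 1] += q * p     # this source hits
        dist = nxt
    return dist


def prob_at_least(k, sources):
    """P(k or more sources hit)."""
    return sum(hit_count_distribution(sources)[k:])


def loss_distribution(sources):
    """Exact distribution of the total adverse effect, by enumerating every
    hit/miss combination (2**n outcomes, fine for a handful of sources)."""
    dist = defaultdict(float)
    for hits in product((False, True), repeat=len(sources)):
        prob, loss = 1.0, 0
        for hit, (_, p, effect) in zip(hits, sources):
            prob *= p if hit else 1 - p
            loss += effect if hit else 0
        dist[loss] += prob
    return dict(dist)


def prob_loss_at_least(threshold, sources):
    """P(total adverse effect >= threshold)."""
    return sum(pr for loss, pr in loss_distribution(sources).items() if loss >= threshold)


if __name__ == "__main__":
    print(f"expected loss:        ${expected_loss(SOURCES):,.0f}")
    print(f"P(at least one hits): {prob_at_least(1, SOURCES):.5f}")
    print(f"P(two or more hit):   {prob_at_least(2, SOURCES):.5f}")
    print(f"P(all five hit):      {prob_at_least(5, SOURCES):.7f}")
    print(f"P(loss >= $500,000):  {prob_loss_at_least(500_000, SOURCES):.7f}")
```

Under independence the expected loss is exactly $50,000, but that mean is spread over a distribution in which no loss at all is the most likely outcome (about 59%) and the full $500,000 has the 0.001% likelihood the post gives. The count distribution is the one to use for “at least one” and “two or more” questions, since those are about how many sources hit rather than about the dollar total.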

Very well articulated the challenges of dealing with risk management and the complexities thereof. It’s an art not a science….

Yes, Norm, we use ratio-based scalar measurement to be able to measure risks more accurately. This measurement approach allows us to calculate the mean whereas most other risk assessment approaches are ordinal-based and can only calculate the median and the mode. More importantly, when we use ratio-based measures we can then leverage additional calculations requiring the use of addition, subtraction, multiplication and division. Ordinal-based measures do not support any additional calculations at all.

Yes, Norm. I have your e-mail and will forward several slides that provide the base educational content.

HAGW-E!

Phil Wilson

Hmmm. Quantitative approaches might be better than qualitative ones if the calculations are correct!

The chance of exactly one of the five events arising is 0.32805 (5 * 0.1 * 0.9 ^ 4, i.e. the chance of only the first event arising but not the other 4, over each of the five possible initial events).

A simple check: if [1] were correct, then the chance of exactly one of 11 events would be 1.1 (actually, the chance is just over 0.38).

The chance of at least one of the five events arising is 0.40951, which puts an upper bound on all the calculations mentioned.

I changed the text to say “at least one” and “two or more”.

An excellent point, and well made. Risk is absolutely about objectives, and there are many risks to each objective.

It is silly to accept individual risks, or to reject them, without looking at the bigger picture of the objectives.

Acceptance of ‘risk’ is always acceptance of a total package of expectations. Those expectations follow from taking a particular course. The usual expectation is for success on the objective. That success has an assessed value and likelihood. The total package of expectations also acknowledges the non-zero likelihoods of non-success outcomes, such as failure in varying degrees.

The conversation on combining numerical likelihoods has begun to drift away from the important matter of making real-world decisions. There was a mathematical error, and Dale Cooper corrected it. In the original argument, Norman Marks returned abruptly from numbers back to common sense. That abrupt return to common sense is the most important of all risk management techniques.

I have a response to Norman’s question about ‘how to aggregate sources of risk that don’t get measured the same way’. My response involves framing the question differently.

The total we need is the total likelihood of a particular outcome on an objective. Usually we focus on the non-success outcomes. The total likelihood of an outcome is equal to the total of the likelihoods of each of the pathways from risk sources to that single outcome. There is no need to measure each ‘source of risk’ in comparable units. All that needs aggregating is the likelihood of each source leading to the defined outcome. In this way of working through ‘risk’, the measurement differences are simply bypassed.

I used ‘outcome’ rather than ‘objective’. The original post was headed ‘One objective but multiple risks’. There’s nothing wrong with that, but when adding likelihoods together, I use ‘One outcome but multiple risks’. There are a range of possible outcomes for each objective. Each of those outcomes is better or worse than ‘meeting’ the objective, to a different degree. Degrees of ‘better’ and ‘worse’ can remain subjective, and need never be expressed in common units.

I have sketched the complete model on LinkedIn. That series explains the argument and methods more fully. I am also working on a how-to guide for middle managers, based on the same objectives and outcomes approach to understanding ‘risk’.

Well said, thanks

Norman, your arguments at times are confusing to newcomers to the field. Nevertheless, I do enjoy reading them. To me it is simple: manage these multiple sources of risk in order to enhance the chances of achieving the single objective set. The success of achieving this single objective really depends on how effectively one manages these multiple sources of risk. In the end, common sense must prevail in the business world.

Risk is not just about objectives, it is also about the constraints on objective delivery. So for example there may be a low probability of an event but if that event occurs when another adverse event has occurred then rectification may lie outside our resources to recover (cash or human capacity). Risk has to be considered beyond the numbers. Another case from history is where a risk impacted at a low level in the business and the rectification actions taken at that level ultimately exposed the business in both financial and reputational terms … a situation unrecognised by the business till post high-level impact!

Roger: I would be interested to learn more about your approach as it follows qualitative approaches I have used in the past.

Hi Richard, thanks for asking. This link covers the general outcomes-based approach, which encompasses a fresh interpretation of risk tolerance and acceptability:

https://www.linkedin.com/pulse/risk-consequences-final-effect-objectives-roger-lines/

This link leads to a specific application of the model to work unit annual ‘business’ planning (for middle managers) – a work in progress:

http://clearlinesaudit.com.au

All: I modified the post to help with the math. It now says “at least one” and “two or more”.

Currently, there is one way to consolidate a risk portfolio, and that is using Monte Carlo simulation. The technique is almost 50 years old, and yet still ignored by most risk managers (albeit used systematically in the financial services, including insurance companies).

You “simply” model your risk portfolio. There are plenty of software packages, which allow you to do this rather easily, so get going.

Thanks Hans Læssøe, a very interesting and challenging thought. I’m not sure exactly how well it fits with Norman Marks’ question – I may yet work through that – but your response is very different to mine, and it blows me out of my comfortable thought bubble.

Remember every risk is measured by what exposes the risk; the risk exposure itself; and every exposure the risk exposes. So the premise of Norm’s article is academic in nature and not something that is experienced in the real world.

In any ongoing organization every objective is exposed to and measured by the aggregation of multiple risks. Thus, Hans’ Monte Carlo simulation is the correct answer in a real world application.

Sorry, but what I have described is the real world and its challenges – admittedly in a simplified manner.

Risk is measured by the effect on objectives, not by what “exposes” the risk (whatever that means).

I do agree that every objective should be (but is not always) measured by the aggregation of multiple risks – what might happen, both positive and negative. The challenge is how to do that. I agree that Monte Carlo simulations are an effective and useful tool, although there are limitations. For example, I am not persuaded that you can use it effectively to aggregate totally disparate sources of risk.

Common sense is too rarely used as a technique.

My post is aimed at dispelling the notions that (a) you can assess one risk at a time and ignore the fact that there are multiple risks, and (b) you can simply add the effects up, or add the P * I to get the aggregate effect.

Roger’s comments are excellent, especially “Acceptance of ‘risk’ is always acceptance of a total package of expectations”.

In the example we must accept that the 5 items are each pertinent, but we are not considering the items which are pertinent which have not been considered either by their being tacit or unseen. To accurately address aggregated risk there needs to be a measure of these tacit and unseen factors.

There is also a matter that the example considers (tacitly?) that each of the 5 factors mentioned is truly independent as a probability AND that the effects of each do not have a consequential effect on probability or severity of other impacts. Addressing this is soooo rarely done ….
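Two threads in the comments above fit together: Hans Læssøe’s suggestion to model the portfolio with Monte Carlo simulation, and the last comment’s point that the post’s arithmetic tacitly assumes the five sources are independent. The following is an added example, not any commenter’s model or any vendor’s package. It simulates the post’s five-source portfolio (10% likelihood, $100,000 effect each) and lets you switch on a “common point of failure”: a single trigger, with its own assumed probability, that fires several of the sources at once. The source labels, the trigger probability and the fixed random seed are all constructed for the illustration; a closed-form check for the all-sources-hit case is included so the simulation can be verified against the exact figure.

```python
"""Monte Carlo aggregation of risk sources, with and without a common cause.

Added example, not a commenter's model. Five constructed sources (10% / $100,000
each, as in the post) are simulated year by year. Optionally a single common
trigger fires, and every source listed in common_cause_hits then hits as well.
"""
import random

# Constructed from the post's figures: (label, independent likelihood, effect in $).
SOURCES = [
    ("delays opening the office", 0.10, 100_000),
    ("hiring local personnel", 0.10, 100_000),
    ("connecting to enterprise systems", 0.10, 100_000),
    ("changes in the local economy", 0.10, 100_000),
    ("competitor action", 0.10, 100_000),
]


def simulate(sources, trials=50_000, common_cause_p=0.0, common_cause_hits=(), seed=1):
    """Simulate `trials` years of the portfolio.

    Each source hits independently with its own likelihood. If a common
    trigger exists (common_cause_p > 0) and fires this year, every source
    whose index is in common_cause_hits hits regardless. Returns the
    estimated probabilities the post discusses plus the mean loss.
    """
    rng = random.Random(seed)  # fixed seed: results are reproducible
    n = len(sources)
    total_loss = 0
    at_least_one = two_or_more = all_hit = 0
    for _ in range(trials):
        hits = [rng.random() < p for _, p, _ in sources]
        if common_cause_p and rng.random() < common_cause_p:
            for i in common_cause_hits:
                hits[i] = True
        count = sum(hits)
        total_loss += sum(effect for hit, (_, _, effect) in zip(hits, sources) if hit)
        at_least_one += count >= 1
        two_or_more += count >= 2
        all_hit += count == n
    return {
        "p_at_least_one": at_least_one / trials,
        "p_two_or_more": two_or_more / trials,
        "p_all": all_hit / trials,
        "mean_loss": total_loss / trials,
    }


def exact_p_all(sources, common_cause_p=0.0, common_cause_hits=()):
    """Closed form for P(every source hits) under the same model, used to
    sanity-check the simulation: the trigger fires and the untriggered
    sources hit on their own, or it does not fire and all hit on their own."""
    prod_all = 1.0
    prod_untriggered = 1.0
    for i, (_, p, _) in enumerate(sources):
        prod_all *= p
        if i not in common_cause_hits:
            prod_untriggered *= p
    return common_cause_p * prod_untriggered + (1 - common_cause_p) * prod_all


if __name__ == "__main__":
    independent = simulate(SOURCES)
    # Assumed for illustration: a 5% chance per year of one regional event
    # (say, a change in local regulation) that sets off all five sources.
    common = simulate(SOURCES, common_cause_p=0.05, common_cause_hits=range(5))
    for label, result in (("independent", independent), ("common cause", common)):
        print(f"{label:13s} P(>=1)={result['p_at_least_one']:.3f}  "
              f"P(>=2)={result['p_two_or_more']:.3f}  "
              f"P(all)={result['p_all']:.5f}  mean loss=${result['mean_loss']:,.0f}")
    print(f"exact P(all) with common cause: "
          f"{exact_p_all(SOURCES, 0.05, range(5)):.7f}")
```

With the trigger switched off the simulation reproduces the independent figures (about 41% for at least one, about 8% for two or more, roughly one run in a hundred thousand for all five). With a 5% common trigger the mean loss rises only modestly, but the probability of the full $500,000 effect jumps from 0.001% to about 5%, several thousand times larger. That is the practical content of the post’s “common point of failure” caveat: the tail of the aggregate, not its average, is what the dependence assumption controls, and it is the tail that decides whether the objective is worth the risk.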