One of the problems with ‘traditional’ risk management, which relies heavily on the periodic review of a list of risks (a risk register or what COSO calls a risk profile), is that it considers one risk at a time.
But there will usually be more than one risk that might affect the achievement of any objective. (I find it difficult to think of any objective where there is a single source of risk.)
So how do you consider the aggregate effect of these risks?
How do you know whether the level of risk to your objective is acceptable?
The level of risk for each individual source of risk may be within what you call acceptable (based on risk appetite or criteria).
But the level of risk to an objective could be unacceptable when you consider all the sources of risk.
For example, if you have the objective of opening a new office and delivering additional revenue, many things might happen to affect its achievement, such as:
- Delays in the ability to open the office such as obtaining electrical supply, final inspection approvals, and so on
- Issues hiring local personnel to staff key functions
- Challenges connecting the new office to enterprise systems, such as security issues, a new language, and additional privacy regulations
- Changes in the local economy
- Adverse coverage in the local press
- Problems with labeling your products in the local language and complying with local labeling regulations
- Supply and logistics issues
- New products or changes in price from a local competitor or a global competitor that wants to challenge you in the local market
- Turnover among key contacts at the companies you have targeted for sales
- …and so on
How do you aggregate these different sources of risk?
Some organizations and consultants are wedded to the idea that the level of risk can be quantified and calculated as the magnitude of a potential effect (or consequence) multiplied by its likelihood. There are several problems with that, including:
- There is almost always a range of possible consequences, each with its own likelihood, not a single point.
- That range could include both positive and negative consequences. For example, the risk of a change in the value of a foreign currency (compared to your own) can be positive or negative.
- It is difficult, if not impossible, to put a value on some sources of risk – such as employee safety.
But, let’s assume we can get past those and we have five sources of risk. For each, the potential (adverse in each case) effect is assessed at $100,000 and the likelihood is 10%. So, the simple calculation gives us $10,000 for each.
Do we simply calculate the aggregate level of risk at $50,000?
No. Let me explain with a hypothetical.
You are standing on the side of the street.
There is a 10% chance of rain; a 10% chance of being mugged (it’s a bad area); a 10% chance of meeting your mother-in-law; a 10% chance of being hit by water thrown up by a passing car; and a 10% chance of a bird using you for target practice.
Is there a 10% chance of every single one of them happening? Even if there is a 10% chance of each happening within a year, will they all hit on the same day?
Unless there is a single event or situation – a common point of failure (something that triggers more than one effect) – the likelihood of them all occurring is the product of their likelihoods:
10% * 10% * 10% * 10% * 10% = 0.001%
Coming back to the five sources of risk, each of which is assessed at a 10% likelihood of $100,000, unless there is a single and common triggering event or situation, the likelihood of a $500,000 effect is inconsequential: 0.001%.
But can we ignore the fact that there are multiple potential sources of risk to a single objective?
Not at all.
Would you live in an area prone to earthquakes? I do.
Would you live in an area where there is a relatively high level of burglary? I do.
Would you live in an area that is likely to flood?
Would you live in an area where the level of noise is high?
You might choose to live where just one of these applies. But would you live where all of them apply, and probably others as well?
Common (and business) sense tells us that when there are more sources of risk, even if each one individually is acceptable, you are less willing to take a risk.
In the example, while there is a 10% chance of a specific one hitting, there is a 50% chance that at least one of the five (we don’t know which) will hit and a 10% chance that two or more (we don’t know which two) will hit.
(Maybe some of you more mathematically inclined readers will correct the above and/or explain how to aggregate sources of risk that don’t even get measured the same way, such as compliance risk, employee safety risk, reputation risk, and so on.)
I have faith in the human power of common sense.
The keys are:
- Understand that a single objective, project, or plan has multiple sources of risk.
- Understand the level of each and whether it is acceptable – and why.
- Consider whether there is a common point of failure.
- Carefully consider whether, with all the information about what might happen, it makes business sense to take the risk.
I welcome your thoughts and perspectives.
Notes:
- The likelihood of A or B is the addition of their individual likelihoods. There are 5 pairs, so 5 * 10%.
- The likelihood of A and B or A and C and so on: 10 pairs, each with a likelihood of 10% * 10%.
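The figures in the post (five sources, each a $100,000 adverse effect at 10% likelihood, the product 0.001% for all five hitting, and the "at least one" / "two or more" figures in the notes above) can be computed exactly rather than estimated. The following is an added example, not code from the post or its author. It assumes the sources are independent (the post's "no common point of failure" case), enumerates every combination of sources hitting or not, and builds the full loss distribution; it then shows the opposite extreme, a single common trigger that fires all five together. The input figures are the post's; the "loss at a given confidence" read-off is a value-at-risk style summary added here.

```python
from collections import defaultdict
from itertools import product

# Constructed input, taken from the post's worked figures: five independent
# sources of risk, each an adverse effect of $100,000 with a 10% likelihood.
# Tuple layout: (name, adverse impact in dollars, likelihood within the period)
RISKS = [(f"source {i}", 100_000, 0.10) for i in range(1, 6)]


def outcomes(risks):
    """Yield (loss, probability, hits) for every combination of the sources
    hitting or not, assuming the sources are independent. Enumerates 2**n
    combinations, which is fine for a handful of sources on a risk register."""
    for hit_flags in product((False, True), repeat=len(risks)):
        probability, loss = 1.0, 0
        for hit, (_, impact, likelihood) in zip(hit_flags, risks):
            probability *= likelihood if hit else 1.0 - likelihood
            loss += impact if hit else 0
        yield loss, probability, sum(hit_flags)


def loss_distribution(risks):
    """Exact {total_loss: probability} under independence."""
    dist = defaultdict(float)
    for loss, probability, _ in outcomes(risks):
        dist[loss] += probability
    return dict(dist)


def prob_hits_at_least(risks, k):
    """Probability that at least k of the sources hit in the period."""
    return sum(pr for _, pr, hits in outcomes(risks) if hits >= k)


def expected_loss(dist):
    """Probability-weighted loss; this is the sum of the per-source
    'impact x likelihood' figures and says nothing about the spread."""
    return sum(loss * pr for loss, pr in dist.items())


def common_trigger_distribution(risks, trigger_likelihood):
    """Opposite extreme: one common point of failure fires every source at
    once, so the loss is all-or-nothing."""
    total = sum(impact for _, impact, _ in risks)
    return {0: 1.0 - trigger_likelihood, total: trigger_likelihood}


def loss_at_confidence(dist, confidence):
    """Smallest loss L such that P(total loss <= L) >= confidence, i.e. the
    loss you would have to be prepared to absorb at that confidence level."""
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= confidence - 1e-12:
            return loss
    return max(dist)


if __name__ == "__main__":
    independent = loss_distribution(RISKS)
    for loss, pr in sorted(independent.items()):
        print(f"loss ${loss:>9,}: {pr:8.4%}")
    print(f"expected loss:            ${expected_loss(independent):,.0f}")
    print(f"P(at least one hits):     {prob_hits_at_least(RISKS, 1):.2%}")
    print(f"P(two or more hit):       {prob_hits_at_least(RISKS, 2):.2%}")
    print(f"P(all five hit):          {prob_hits_at_least(RISKS, 5):.3%}")
    print(f"99% loss, independent:    ${loss_at_confidence(independent, 0.99):,}")
    correlated = common_trigger_distribution(RISKS, 0.10)
    print(f"99% loss, common trigger: ${loss_at_confidence(correlated, 0.99):,}")
```

Under independence the exact figures come out to 40.95% for at least one source hitting, 8.15% for two or more, and 0.001% for all five; the expected loss is the $50,000 sum of the individual figures, but the loss you must be ready to absorb at 99% confidence is $200,000. Replace the single likelihood with a common trigger at 10% and the same 99% read-off becomes the full $500,000, which is the quantitative form of the post's point about checking for a common point of failure before accepting the aggregate.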
He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.