How to determine a risk profile and calculate a level of risk?

Introduction

This is a significant rewrite and a first time write-up in English of an article I published in Dutch in May of 2009. I'm revisiting it because I had an interesting exchange with my ERM class at Solvay Brussels School last week, where we discussed the issues related to risk calculations.

As is always the case in this area of risk management, there will be both proponents of the approach and people contesting it. For me, a large part of the value of these posts is in the discussion that follows. For that, I refer to the ERM group on Linked-In, where I will post a link to this post.

Finally, I understand that the number of readers of a post halves with each formula you put into an article. This may actually mean I will be the only one reading this one to the end.

The controversy

Risk analysis tasks you with "measuring" risks. To date, we most often use qualitative information. There are a couple of reasons for that.

First, quantitative information is most often not readily available in sectors other than banking or insurance. Even if it were available, it can cloud rather than clarify the issue. Look for example at risk management failures in the banking sector over the past years.

So, we start with qualitative information. My implicit assumption here is that definitions of scales are agreed upon with all evaluators and are consistently applied in the evaluations. Everyone evaluating should be very clear about what "high", "medium" or "low" risk actually means.

In some cases, simple scoring along the axes of probability of occurrence and impact on objectives is not enough. Some analysis requires a roll-up from these "traditional" scores for impact and probability of occurrence to a single dimension, which we will refer to here as the "risk level".

Now, most of us, risk management nerds, agree that the risk level is a function of impact and probability. However, the controversy starts right after. Traditional risk management usually uses a product formula to calculate the level of risk:

Level of risk = I(mpact) x P(robability) = I x P

The problem with this approach becomes apparent pretty quickly. Risk related events with a high impact and low probability are scored in a similar manner to risk related events with a low impact and a high probability. The assumption these events are comparable in "risk level weight" is an unfounded assumption. Let me give you a concrete example:

The likely low impact even of a fly hitting your vehicle has an overall lesser level of risk than the luckily unlikely high impact event of a deer hitting your vehicle.

However, traditional risk management will yield a same risk level for a event with P=6/6 and I=1/6 as for an event with P=1/6 and I=6/6. Both are valued at 6.

See the problem? Right. Now, what can we do about it?

Alternatives to the product formula

Using a sum formula rather than a product formula allows us to attach a numeric weight to the dimensions impact on objectives (which we'll call impact or I) and probability of occurrence within a certain time frame (which I will refer to as probability or P). This weight is a function of the relative importance of impact and probability to the organisation where we are performing the risk analysis.

How does that work? Well, depending on your risk appetite as an organisation, you can give more weight to one dimension over another, which allows you to tweak the risk analysis to the risk profile of your organisation. This is where product formulas fall short. They cannot be used to integrate this aspect:

W x (I x P) = (W x I) x P. However, W x (I+P) does NOT equal (W x I) + P

You could rightly remark that weighting in the product formula can be realised when applying exponential values to the dimensions. However, it's exactly that exponential nature that will quickly reduce the relevance and weight of the not-weighted dimension to virtually nothing as compared to the weighted dimension. Hence, it makes little sense to take the non-weighted parameter in account. But as it is valued, we do need to take in account the scores that have been attributed to that dimension for the different risks evaluated.

In short, applying a sum formula to calculate the risk level ensures a more transparent calculation which allows the management to better reflect their risk appetite … provided the dimensions are weighted in a manner that reflects the risk appetite of the organisation.

But what do these weights mean?

Weights are applied to a dimension to give that dimension more importance in the calculation of the risk level of the specific risk. If the risk appetite calls for the avoidance of high impact events, impact will be weighted heavier than probability. If we want to reduce the probability of event occurrence, we will put more weight on probability.

There is some, but not a perfect, correlation between impact preferences and organisations with a preference for proactively managing the consequences of risks and probability preferences and organisations with a preference for proactively managing the sources of risks. That however is the subject of another blog post.

If we let W be the weight factor, we can distinguish three different profiles, which depending on the value of X can be more or less extreme.

impact oriented profile

This profile weighs impact as more important than probability of occurrence. This organisation will prefer to work on high impact risks with less attention given to the probability factor. Coverage of frequently occurring, low impact risks, such as clerical errors, is less important.

The risk level calculation is RL = (W x I) + P) / (W + 1)

probability oriented profile

This profile weighs probability of occurrence as more important than impact. The organisation wants to avoid the frequently occurring risks, but sacrifices coverage of high impact, lower probability risks.

The risk level calculation is RL = (I + (W x P)) / (W + 1)

indifferent profile

This profile does not weight probability or impact. Risks with high impact and low probability are treated in the same manner as risks with low impact and high probability.

The risk level calculation is RL = (I + P) / 2

Who gets to determine these weights?

Well, management does. It's there responsibility to determine weights as these represent the risk profile of the organisation. They need to translate the mission and vision into a strategy which is supported by a risk profile. That decision is theirs and theirs alone.

An example

Let's assume we have two situations for which the impact and probability of occurrence have been established. Let's further assume that the impact score for the first situation equals the probability score for the second, and the probability score for the first situation equals the impact score for the second. The traditional calculations using the product formulas will of course show these risks to be at an equal risk level to one another.

Let's further assume that the weighting factor applied will be W = 2. In essence, the parameter it will be applied to will be considered to be twice as important than the other parameter. In this case, we chose for an environment which values impacts more than probability of occurrence, as stated with a factor of 2.

Let's finally assume that the evaluation of each dimension is done on a five point scale and that the final risk level score needs to be normalised to a five point scale.

• Situation 1 is a collusion between a responsible and a supplier to perpetrate a fraud damaging the organisation.
• Situation 2 is a clerical error in the administrative registration of a demand for a service of that same organisation.

We first perform the calculations to get a non-normalised result, which then needs to be brought back to a score on an axis from 1 to 5. We then normalise to a five point scale.

Evaluation of situation 1

the weighted product formula yields: (2 x I) x P = (2 x 5) x 1 = 10

the non weighted product formula yields: I x P = 5 x 1 = 5

The weighted sum formula yields: (2 x I) + P = (2 x 5) + 1 = 11

the non weighted sum formula yields: I + P = 5 + 1 = 6

Evaluation of situation 2

the weighted product formula yields: (2 x I) x P = (2 x 1) x 5 = 10

the non weighted product formula yields: I x P = 1 x 5 = 5

The weighted sum formula yields: (2 x I) + P = (2 x 1) + 5 = 7

the non weighted sum formula yields: I + P = 1 + 5 = 6

Normalisation

As all risk scores need to be brought back to a five point scale, we need to perform a "normalisation", which is just a fancy way of saying we are bringing the score back to a reference scale. Depending on the formula used, the normalization calculation is different.

For the product formula, we divide by the maximum possible score (normalisation to 1) which we then multiply by the maximum value on the scale, in this case 5. This leads to:

2 x Imax x Pmax / 5 = 2 x 5 x 5 / 5 = 50 / 5 = 10

In other words, the normalized risk level for situation 1 becomes:

• for the weighted calculation: 10 / 10 = 1
• for the non-weighted calculation: 5 / 10 = 0,5

The normalized risk level for situation 2 becomes:

• for the weighted calculation: 10 / 10 = 1
• for the non-weighted calculation: 5 / 10 = 0,5

For the sum formula, we divide by (W + 1), where W is the weight given to the dominant dimension. This yields the following normalized results for situation 1:

• for the weighted calculation: 11 / 3 = 3,66
• for the non-weighted calculation: 6 / 3 = 2

For situation 2, this becomes:

• for the weighted calculation: 7 / 3 = 2,33
• for the non-weighted calculation: 6 / 3 = 2

In other words, where the product formula fails to distinguish the two very different risk events, the sum formula distinguishes the risk events and considers the risk with the higher impact as of a higher priority.

The example demonstrates the sum formula better answers the needs of management to reflect its risk appetite in the calculated risk level of individual risks.