Maximise Gain Minimise Loss Increase Value Promote Efficiency Identify Weaknesses Improve Processes Strengthen your Business

Calculating enterprise risk in multidomain organisations

Calculating or quantifying risk, as opposed to qualifying risk, is essential if you want to accurately prioritise the risks your organisation faces, and ultimately control them down to acceptable or tolerable levels.


Calculating risk values or risk scores gives you an actual measure of risk instead of simply recognising a risk is present.


With two key numerical pieces of information; probability and impact, you can quantify any risk event (sometimes called top event).


This is fine if for example your company consists of a single or couple of departments, but what if, like many organisations, you have complex command structures, multiple departments, numerous domains and various locations? How do risks in one downstream department manifest in upstream departments?


This article attempts to show you how you can calculate risk in multi domain organisations which in turn will help you foster an all round more efficient enterprise risk management system.

Quantifying a single risk event

In your risk assessments, whether it be in operations, strategic, opportunity, compliance or financial risk, you can add a risk value to any risk event by guaging the probability and impact of any potential scenario coming into fruition. Probabilities are between 0 and 1, and impacts are from 1 to infinity.

RISK = PROBABILITY x IMPACT

Probability

Probability, sometimes called frequency or likelihood is a value of how likely or how often a defined risk event could occur. E.g. The probability of me tripping up a set of stairs at some point could be 1 in 1000 attempts of walking up them which gives me a probability of 0.001, in the same way the probability of giving birth to a boy is 0.5 and the probability of winning the UK lottery is 1 in 14000000, or 7E-8.

Choosing the right probability

It's important to be as accurate as you can when selecting the right probability value for your risk calculation, but at least be consistent in your assessment. For safety critical equipment, or infrastructure in general you can use historical data for component parts that can give you accurate failure rates. However for general risk assessments it can be useful to predefine several probability levels and use your experience to select the most relevant one. E.g. many organisations will use very low, low, medium, high, very high probability definitions with for example values of 0.000001, 0.00001, 0.0001, 0.001, 0.01 and 0.1 respectively. As long as you are consistent in your approach to risk assessment, the risk values will be valid, however as said before, being as accurate as possible is key to effective risk calculation.

Impact

Impact, often termed severity is a guage on how significant the effect of the risk event happening could be on your organisation or specific operation.

Impact values range from 1 to infinity and they are all relative to eachother. E.g. a low impact risk event such as a battery going low could be 2 and an injury could have an impact factor of 1000.

Choosing the right impact factor

Guaging the impact that any particular risk event could have on your organisation is vital. Only you can know, through experience of how your company works and sits in the market place, how each risk event could impact your organisation. Common impact considerations are productivity, security, output, finances, reputation and staff well being. As with probability, the key to impact or severity determination is accuracy, consistency and uniformity in the way you assess the potential effect of any risk event happening. As with probability, a lot of organisations have preselected impacts or severities such as very low, low, medium, high, very high with respective impact values such as 1, 2, 3, 4, 5.

Calculating risk across multi domains

After working out all your risk factors, you end up with a prioritisable list of risk events from which you can action risk controls upon.

This is straighforward in linear organisations, however, where you have a hierarchy or departmental distribution within your organisation you also need to consider how risks in different levels influence other levels or domains in your company.

A simple example is Risksoft: we have our headquarters in Warrington, UK but we also have departments in Manchester, UK and London, UK. In terms of collective output, they both feed directly into Risksoft HQ.

What it comes down to is dependency and independency; when planning your enterprise risk management system, or indeed corporate structure, these are two key factors.


Comments


Leave a comment


Share Risksoft

Risksoft

We create interactive multi-platform browser based enterprise class risk management, safety management and process management software.

With expertise in risk management and software development, we work closely with our clients in numerous industries to provide off-the-shelf and bespoke risk management solutions using the latest PHP5 and HTML5 Canvas technology to international standards.

Photo Stream

BowTie Risk Management Methodology
A rare glimpse of security risk management of the UK Prime Minister by Protection Command
When is it time to start thinking how the EU Referendum could affect your business?
Could a focus on reputation risk promote all-round more effective enterprise risk management?
Human factors risk in software and web application development
Why is the multibillion dollar SaaS software market suddenly booming?
What exactly is Risk Management?

Blog Tags

All Aviation BowTie Brexit Budget 2015 Business Risk Clinical Research Compliance Risk Cyber Security Defence Enterprise Risk Management EU Referendum Financial Risk Fire Risk Fracking Health and Medicine HSE Bulletins Human Factors Miscellaneous Oil and Gas Opportunity Risk Process Management Reputation Risk Risk Assessment Law Risk Management Risk Management Software Risksoft News SaaS Safety Management Science Security Social Media Software Development Strategic Risk What Could Possibly Go Wrong?

 

Maximise Gain Minimise Loss Increase Value Promote Efficiency Identify Weaknesses Improve Processes Strengthen your Business