Calculating enterprise risk in multidomain organisations
Calculating or quantifying risk, as opposed to merely qualifying it, is essential if you want to accurately prioritise the risks your organisation faces and ultimately control them down to acceptable or tolerable levels.
Calculating risk values or risk scores gives you an actual measure of risk instead of simply recognising that a risk is present.
With two key numerical pieces of information, probability and impact, you can quantify any risk event (sometimes called a top event).
This is fine if, for example, your company consists of one or two departments, but what if, like many organisations, you have complex command structures, multiple departments, numerous domains and various locations? How do risks in one downstream department manifest in upstream departments?
This article attempts to show you how you can calculate risk in multi-domain organisations, which in turn will help you foster an all-round more efficient enterprise risk management system.
Quantifying a single risk event
In your risk assessments, whether they cover operational, strategic, opportunity, compliance or financial risk, you can add a risk value to any risk event by gauging the probability and impact of any potential scenario coming to fruition. Probabilities are between 0 and 1, and impacts are from 1 to infinity.
RISK = PROBABILITY x IMPACT
Probability, sometimes called frequency or likelihood, is a value for how likely a defined risk event is to occur, or how often it could occur. E.g. the probability of me tripping up a set of stairs at some point could be 1 in 1000 attempts at walking up them, which gives a probability of 0.001. In the same way, the probability of giving birth to a boy is 0.5, and the probability of winning the UK lottery is 1 in 14000000, or 7E-8.
Choosing the right probability
It's important to be as accurate as you can when selecting the probability value for your risk calculation, but at the very least be consistent in your assessment. For safety-critical equipment, or infrastructure in general, you can use historical data for component parts, which can give you accurate failure rates. However, for general risk assessments it can be useful to predefine several probability levels and use your experience to select the most relevant one. E.g. many organisations will use very low, low, medium, high and very high probability definitions, with for example values of 0.000001, 0.00001, 0.0001, 0.001, 0.01 and 0.1 respectively. As long as you are consistent in your approach to risk assessment, the risk values will be valid; however, as said before, being as accurate as possible is key to effective risk calculation.
Impact, often termed severity, is a gauge of how significant the effect of the risk event happening could be on your organisation or a specific operation.
Impact values range from 1 to infinity and they are all relative to each other. E.g. a low-impact risk event such as a battery going low could be 2, and an injury could have an impact factor of 1000.
Choosing the right impact factor
Gauging the impact that any particular risk event could have on your organisation is vital. Only you can know, through experience of how your company works and where it sits in the marketplace, how each risk event could impact your organisation. Common impact considerations are productivity, security, output, finances, reputation and staff well-being. As with probability, the key to impact or severity determination is accuracy, consistency and uniformity in the way you assess the potential effect of any risk event happening. As with probability, a lot of organisations have preselected impacts or severities such as very low, low, medium, high and very high, with respective impact values such as 1, 2, 3, 4, 5.
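As an added illustration (not code from the original article), the following Python puts RISK = PROBABILITY x IMPACT together with predefined level tables like those above into a small prioritisable register. The level names, the range checks and the sample events are assumptions of this example; because the article lists six probability values against five labels, the mapping below adds a "negligible" band as an assumption.

```python
from dataclasses import dataclass

# Constructed scale tables based on the article's example levels. The article lists
# six probability values against five labels, so the extra "negligible" band is an
# assumption of this example, not the article's.
PROBABILITY_LEVELS = {"negligible": 0.000001, "very low": 0.00001, "low": 0.0001,
                      "medium": 0.001, "high": 0.01, "very high": 0.1}
IMPACT_LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class RiskEvent:
    name: str
    probability: float  # between 0 and 1
    impact: float       # 1 or more, relative to other events on the same scale


def risk_value(probability: float, impact: float) -> float:
    """RISK = PROBABILITY x IMPACT, rejecting values outside the article's ranges."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if impact < 1:
        raise ValueError("impact must be 1 or greater")
    return probability * impact


def event_from_levels(name: str, prob_level: str, impact_level: str) -> RiskEvent:
    """Build an event from the predefined level names so assessments stay consistent."""
    return RiskEvent(name, PROBABILITY_LEVELS[prob_level], IMPACT_LEVELS[impact_level])


def prioritise(events):
    """Return (name, risk value) pairs, highest risk first, ready for actioning controls."""
    scored = [(e.name, risk_value(e.probability, e.impact)) for e in events]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register for one department (hypothetical events).
SAMPLE_REGISTER = [
    event_from_levels("laptop battery runs flat", "very high", "very low"),  # 0.1 x 1
    event_from_levels("staff injury on stairs", "medium", "very high"),      # 0.001 x 5
    event_from_levels("phishing email opened", "high", "high"),              # 0.01 x 4
]

if __name__ == "__main__":
    for name, risk in prioritise(SAMPLE_REGISTER):
        print(f"{risk:.6f}  {name}")
```

Because every event is scored from the same two tables, the resulting order is comparable across the register; an event scored on a different impact scale would not be.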
Calculating risk across multiple domains
After working out all your risk factors, you end up with a prioritisable list of risk events on which you can action risk controls.
This is straightforward in linear organisations; however, where you have a hierarchy or departmental distribution within your organisation, you also need to consider how risks at different levels influence other levels or domains in your company.
A simple example is Risksoft: we have our headquarters in Warrington, UK but we also have departments in Manchester, UK and London, UK. In terms of collective output, they both feed directly into Risksoft HQ.
What it comes down to is dependency and independence: when planning your enterprise risk management system, or indeed your corporate structure, these are the two key factors.