Assessing Risk and Risk Detectability
In risk assessment, the widely applied practice is first to estimate the “probability” of the risk arising, then to estimate the potential impact, or “severity”, associated with it. These two estimates are given numbers or ratings on pre-determined scales, and the numbers (or ratings) are multiplied together to arrive at the overall risk posed to the business (product, consumer, etc.). The risk team or risk manager ends up with a range of scored risks, from which a prioritized list of potential risks can be documented for risk investigation and risk minimization.
This process, while effective, has one major shortcoming: it takes no account of how quickly the risk will be detected once it has arisen, and the speed of detection can significantly influence the final impact on the business.
Before considering an example, it is worth ensuring a clear understanding of “probability” and “severity”.
“Probability” relates to how often the risk may arise. It is also referred to as the likelihood, occurrence or frequency of the risk arising. A probability estimate can be quantitative, in which case it is based on data and statistics, or qualitative, in which case it is based on experience and judgement. Each identified risk will have associated harms, or hazards.
“Severity” is a measure of the possible consequence of a hazard. It is normally assigned a score, level or rating, for example from 1 to 10, with 1 representing a low consequence and 10 a catastrophic one (or vice versa).
Consider the following:
i) Within a manufacturing facility there are computer-controlled processes. A breakdown within the process due to equipment failure is a potential risk, with possible significant financial impacts in terms of lost production time, unproductive labor, the requirement for added shift-work to catch up on production orders, etc. The consequence of the breakdown may be some hours or days of lost production. In this instance the failure is identified immediately, which allows work-arounds, catch-up plans, etc. to be put in place. The immediate nature of the failure feedback significantly reduces the overall impact on the business.
ii) Now consider the same manufacturing facility, again with computer-controlled processes. Again there is an equipment malfunction, but this time it affects an automated test sequence in which a chemical compound is tested automatically, with no subsequent process verification step. In this instance the malfunction may not be identified until the product is in the marketplace, in customer use, and the impact on the organization is magnified significantly compared with the prior example.
Consider now the widely applied practice within risk management of measuring probability and severity only.
For the examples above, the “probability” of failure could well be estimated as equal in both cases. The “severity” of the process failure is significantly higher in the second example, but there is no guarantee that this higher potential impact will be adequately captured during the risk assessment by the risk team (or those charged with assessing risk). If, however, a “detectability” measure is mandated within the risk management program, the risk team must give specific consideration to the speed of detection of each potential risk. This helps ensure a more accurate assessment of risk to the business.
A risk management process that includes “detectability” takes the form:
Probability of the risk arising × Estimated severity associated with the risk × Detection rating = Overall Risk Number, or Risk Priority Number (RPN)
The detection rating must be scaled so that a higher value means slower or less certain detection (for example, 1 for a failure that raises an immediate alarm, 10 for one that would reach the customer unnoticed). If the speed of detection were entered directly as the multiplier, faster detection would raise the RPN and the hardest-to-detect risks would be ranked lowest, the opposite of what is intended.
The addition of the “detectability” estimate also aids the risk reduction process. Where a risk is identified as unacceptable, those charged with reducing its impact will automatically ask three questions:
a) Can we eliminate the risk?
b) How can we reduce the potential impact, if the risk were to arise?
c) Can we implement changes to ensure the risk is identified quickly were it to arise?
This last question opens an alternative avenue to risk reduction which may not immediately come to mind where only “probability” and “severity” are inputs into the risk assessment process.
When assessing risk within a risk program, there is a strong argument for including “detectability”, in addition to “probability” and “severity”, in the determination of risk ratings.
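The following Python script is an added worked example of the RPN calculation and of risk-reduction question c) above; it is not part of the original article. It scores three constructed risks, the two manufacturing scenarios i) and ii) plus a third for contrast, on 1 to 10 scales, ranks them with and without the detection factor, and then shows how adding a verification step (improving detection rather than probability or severity) lowers the RPN of the unverified test. The risk names, the scores and the 1 to 10 detection convention (1 = caught at once, 10 = escapes to the customer) are assumptions for the illustration.

```python
"""Risk Priority Number (RPN) worked example: probability x severity x detection.

All scores use 1..10 scales. Detection is scored so that 1 means the failure is
caught immediately and 10 means it would reach the customer unnoticed; scoring
it this way (rather than as a raw "speed") makes slower detection raise the RPN.
The risks below are constructed for illustration only.
"""
from dataclasses import dataclass, replace

SCALE = range(1, 11)


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # 1 = rare ... 10 = almost certain
    severity: int     # 1 = negligible ... 10 = catastrophic
    detection: int    # 1 = detected at once ... 10 = escapes undetected

    def __post_init__(self) -> None:
        # Reject out-of-scale ratings so a typo cannot silently skew the ranking.
        for attr in ("probability", "severity", "detection"):
            value = getattr(self, attr)
            if value not in SCALE:
                raise ValueError(f"{attr} must be in 1..10, got {value!r}")


def rpn(risk: Risk, include_detection: bool = True) -> int:
    """Return P x S, or P x S x D when detection is part of the programme."""
    score = risk.probability * risk.severity
    return score * risk.detection if include_detection else score


def prioritize(risks, include_detection: bool = True):
    """Return (name, score) pairs, highest score first."""
    scored = [(r.name, rpn(r, include_detection)) for r in risks]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def add_detection_control(risk: Risk, new_detection: int) -> Risk:
    """Question c): reduce the RPN by making the failure easier to detect."""
    return replace(risk, detection=new_detection)


# Constructed scenarios mirroring examples i) and ii): same probability, and the
# assessors have (as the text warns may happen) scored the severity the same.
RISKS = [
    Risk("line equipment failure, alarmed", probability=4, severity=6, detection=2),
    Risk("automated chemical test fault, unverified", probability=4, severity=6, detection=9),
    Risk("maintenance overrun", probability=6, severity=3, detection=3),
]

if __name__ == "__main__":
    print("P x S only:")
    for name, score in prioritize(RISKS, include_detection=False):
        print(f"  {score:4d}  {name}")
    print("P x S x D:")
    for name, score in prioritize(RISKS):
        print(f"  {score:4d}  {name}")
    # Add a verification step after the automated test: detection 9 -> 3.
    improved = add_detection_control(RISKS[1], new_detection=3)
    print(f"unverified test after adding verification: RPN {rpn(improved)}")
```

With probability and severity alone the two manufacturing risks tie at 24 and the assessor has no reason to treat them differently; once detection is included the unverified test scores 216 against 48 for the alarmed line, and even the minor maintenance overrun (54) outranks the alarmed line. Adding a verification step cuts the test's RPN to 72 without touching its probability or severity, which is exactly the avenue question c) opens.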