The ultimate goal of risk management 2 is to integrate risk analysis into decision-making processes and the overall management of the organization. Mature organizations ensure that appropriate risk assessment and decision-making techniques/tools are used, for example:
- The effect of uncertainty on cash flows, budgets, business plans and production forecasts may be analyzed by running Monte-Carlo simulations, performing sensitivity analysis or recalculating various scenarios.
- Risks associated with vendors/contractors/suppliers may be measured using a multifactor risk scoring methodology or a more basic qualitative technique.
- The effect of uncertainty associated with investment projects may be measured using scenario analysis or Monte-Carlo simulations on the project budget, net present value or project schedule.
- The effect of uncertainty on product pricing or product mix may be measured using scenario analysis or Monte-Carlo simulations.
The selection of the risk assessment technique will first and foremost depend upon the availability of resources:
- Time constraints, available expertise, human, financial and other resources.
- Quality, quantity, integrity, timeliness, currency, accuracy, reliability, consistency of data and capacity to collect it.
- The complexity of risks, interdependencies and complexity of the management decisions. The more complex the environment or decision and the more critical it is, the more sophisticated has to be the tool. It is safe to say most investment, budgeting, forecasting all strategic decisions require sophisticated risk analysis tools because their complexity is beyond traditional likelihood x consequences type methodologies.
Some methods and the degree of detail for the analysis may be prescribed by legislation (typical in clinical safety, fire safety and some industries).
Regardless of the risk assessment technique used, risk managers must provide full transparency on the tool selection and key assumptions made during the risk assessments. Constraints, uncertainties and assumptions having an impact on the risk assessment should be explicitly considered at each step in the risk assessment and documented in a transparent manner. Decision makers may use information sources such as historical data, market data, experience, stakeholder feedback, observation, forecasts and expert judgment, however, they should always capture appropriate explanations to support their and other stakeholders assumptions. This may cover:
- Factors they may have included or excluded from their risk assessment.
- Assumptions that were made during the risk assessment.
- The ranges and distributions used in risk assessment.
- Divergence on opinions among participants when performing risk assessment.
- How inputs from multiple participants were combined or aggregated.
- Limitations of techniques used and how these were addressed (or not).
- Limitations on reliability or the quality of data used.
Additional caution should be displayed when using and relying on qualitative risk assessment techniques due to the effect of cognitive biases and the fundamental design flaws in the qualitative risk assessments as described by Thomas, Philip & Bratvold, Reidar & Bickel, J. (2013). The Risk of Using Risk Matrices. SPE Economics & Management. 6. 10.2118/166269-MS. Limitations of qualitative risk assessment techniques should be disclosed by the risk managers.
When assessing risk management maturity, reviewers should select a sample of past risk assessments to verify that information about the assumptions and limitations of selected risk assessment techniques have been recorded and disclosed to all stakeholders. Reviewers should check whether risk assessment techniques are appropriate and suitable for the various types of decisions, the internal and external context of the organization. Hint, using qualitative risk assessment techniques for significant business decisions is not appropriate!
– – – – – – – – – – – – – – – – – – – – – – – – –
This is an extract from a comprehensive G31000 risk management maturity model.
Interested in buying the full G31000 risk management maturity model? Click here or contact me directly if you want me to perform a quick gap assessment at your organization or you need help to integrate risk management into a particular business process or decision.