Finally! An alternative to risk matrices

Ok, the title is obviously a joke, because the alternatives (multiple) have been available to anyone willing to learn for over 50 years. But since you clicked, this article will probably change your life for the better.

Thank you Damir Ramazanov, Group Project Risk Manager, ERG for helping with the article and providing quality review. 

Wait, do we even need an alternative?

To me, using risk matrices is a question of ethics and professional skill, and it is entirely up to the individual risk manager. In that sense risk matrices (and most other qualitative techniques) are like horoscopes (more on this in Douglas Hubbard’s book): fun, easy to understand and everywhere, but you would not use one for any meaningful day-to-day decision, or if you did you would have the decency to realise it is no better than a coin toss, and you certainly would not present it at conferences as best practice.

The flaws are fundamental to the design of risk matrices, and there is nothing a risk manager or business analyst can do to make them reliable. They have all been discussed in the paper https://www.researchgate.net/publication/266666768_The_Risk_of_Using_Risk_Matrices, in this video by Osama Salah https://www.youtube.com/watch?v=7IcRtz7qo2w, in this post by David Vose https://www.linkedin.com/pulse/defence-risk-heat-maps-david-vose/ and in dozens of posts I have written over the years. Research by Tony Cox and Douglas Hubbard has also shown that risk matrices consistently perform worse at measuring and communicating risk than proper quantitative tools. Add the flaw of averages (covered in Sam Savage’s book), 50+ years of research into risk perception, decision making under uncertainty and risk psychology, and the empirical testing done by NASA, the CIA and others, and the move away from traditional qualitative risk analysis techniques becomes self-evident.

So what are the alternatives? There are plenty, but for the tool to be any better the following criteria have to be fulfilled:

  • risk analysis has to be performed at the time of decision making, not once a quarter
  • the results of risk analysis should not be expressed as arbitrary risk levels, rather be expressed as volatility or range or scenarios of the decision / objective itself (with some exceptions in HSE for example)
  • the output of risk analysis should have a direct and immediate impact on the decision at hand.

It is also very important to distinguish between 2 types of risk analysis techniques:

  • techniques to better understand the nature of a risk in order to decide how to manage it. Usually used when a specific risk is known to be significant and management needs to deal with it cost-effectively:
    • bow-tie diagrams
    • FMEA / FMECA
    • HAZID, HAZMAT, HAZAN
    • 5 whys
    • influence diagrams
    • ICAM, etc.
  • techniques to better understand how uncertainty affects the decision or objective. Used when making a decision or preparing or approving a strategy, budget, forecast, long-term pricing, etc., where the risks are not obvious:

Which of these techniques to apply will also depend on the decision’s complexity, materiality and level of uncertainty, and on the time and resources available to the risk manager:

For simple decisions

By far the easiest and most common way to assign a risk to an entity, project, supplier, business unit or piece of equipment is a scoring methodology. It is so common that hundreds of companies have been using it forever without calling it risk management:

  • S&P, Moody’s and Fitch assigning credit ratings to companies
  • procurement departments to rank existing suppliers (gold, silver, bronze or blacklisting them)
  • classifying spare parts or pieces of equipment based on criticality, etc.
  • banks and corporations to allocate debtors to risk buckets / categories or to classify bad debtors
  • firefighters classifying buildings into fire risk categories, etc.

Basically, any methodology that grades or categorises items based on predetermined characteristics is a better way to communicate risk and to use that information for decision making. Sometimes it can look like a very simple checklist. It is kind of obvious, but if you still want me to write a separate piece on scoring methodologies, comment on this article using the word “scoring”.


For decisions on how to mitigate a particular risk

If you need to determine the best ways to mitigate a specific risk, a bow-tie diagram or an influence diagram will be very helpful. A number of techniques help to visualise a risk by breaking it into components, for example causes and consequences in the case of bow-ties.

This helps to switch on system 2 thinking and to overcome at least some cognitive biases. Bow-ties are pretty basic and should be in every risk manager’s arsenal. FMEA, FMECA, fault trees, 5 whys and ICAM investigation techniques are very similar in principle: their main objective is to write down the possible components of a risk, so that we do not forget important sources or consequences that may not be obvious at first.

I have used bow-ties a lot; once I was even childish enough to present one to the CEO (a former deputy prime minister of the country). That obviously did not go down well, so they are probably best used as internal analysis tools rather than communication tools. My personal rule with bow-ties is to always have at least 7 causes and 7 consequences, with at least 3 second-level causes and consequences on each branch, and then to put distributions on the branches to turn the bow-tie into a quantitative risk model and a loss exceedance curve. Archer Insight has probably the best automation of quantitative risk analysis with bow-ties. That way we definitely switch from system 1 to system 2 and improve our chances of finding a solution.
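What “put distributions on the branches and get a loss exceedance curve” means in practice, as an added example that is not the author’s model nor Archer Insight’s: each cause on the left of the bow-tie gets an event frequency, each consequence on the right gets a probability of firing once the top event occurs and a loss distribution, and a Monte Carlo run over many simulated years gives the curve P(annual loss > x). The top event, cause and consequence names, and every rate and loss figure below are constructed for the illustration (think thousands of dollars); only the standard library is used.

```python
"""Bow-tie -> quantitative risk model -> loss exceedance curve.

Added illustration. The bow-tie below ("unplanned plant shutdown") and all
of its numbers are made up for the example; the structure is the point.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Cause:
    name: str
    events_per_year: float    # how often this cause triggers the top event (Poisson rate)


@dataclass(frozen=True)
class Consequence:
    name: str
    p_given_event: float      # probability this branch fires once the top event occurs
    low: float                # loss on this branch, triangular(low, mode, high)
    mode: float
    high: float


# Constructed bow-tie: three left-hand causes, three right-hand consequences.
CAUSES = (
    Cause("power supply failure", 0.15),
    Cause("critical pump failure", 0.10),
    Cause("operator error", 0.05),
)
CONSEQUENCES = (
    Consequence("lost production", 0.9, 50, 200, 800),
    Consequence("equipment damage", 0.5, 100, 300, 1500),
    Consequence("regulatory fine", 0.2, 200, 500, 2000),
)


def sample_poisson(rate: float, rng: random.Random) -> int:
    """Knuth's method: count uniforms until their product drops below e^-rate.
    Fine for the small per-year rates a bow-tie normally carries."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_year(causes, consequences, rng: random.Random) -> float:
    """One sampled year: how often the top event happens and what each occurrence costs."""
    n_events = sum(sample_poisson(c.events_per_year, rng) for c in causes)
    loss = 0.0
    for _ in range(n_events):
        for cq in consequences:
            if rng.random() < cq.p_given_event:
                loss += rng.triangular(cq.low, cq.high, cq.mode)
    return loss


def simulate(causes=CAUSES, consequences=CONSEQUENCES, years: int = 20_000, seed: int = 1) -> list[float]:
    """Annual losses for `years` simulated years (seeded, so the run is reproducible)."""
    rng = random.Random(seed)
    return [simulate_year(causes, consequences, rng) for _ in range(years)]


def expected_annual_loss(causes=CAUSES, consequences=CONSEQUENCES) -> float:
    """Closed form, rate x E[loss per event]; a sanity check on the simulation."""
    rate = sum(c.events_per_year for c in causes)
    per_event = sum(cq.p_given_event * (cq.low + cq.mode + cq.high) / 3 for cq in consequences)
    return rate * per_event


def exceedance(losses: list[float], threshold: float) -> float:
    """P(annual loss > threshold): one point on the loss exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def loss_exceedance_curve(losses: list[float], thresholds=(0, 250, 500, 1000, 2000, 4000)):
    return [(t, exceedance(losses, t)) for t in thresholds]


def percentile(losses: list[float], q: float) -> float:
    s = sorted(losses)
    return s[min(len(s) - 1, int(q * len(s)))]


if __name__ == "__main__":
    losses = simulate()
    print(f"mean annual loss: {sum(losses) / len(losses):.0f} (analytic {expected_annual_loss():.0f})")
    print(f"median annual loss: {percentile(losses, 0.5):.0f}, P95: {percentile(losses, 0.95):.0f}")
    for t, p in loss_exceedance_curve(losses):
        print(f"P(loss > {t:>5}) = {p:.3f}")
```

Two things the curve shows that a cell on a heat map cannot: the median year has zero loss while the tail is large (so the “most likely” impact is a poor summary), and P(loss > x) can be read off directly against a budget or insurance deductible. The cause and consequence lists are the same ones a qualitative bow-tie already contains; only the numbers are added.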

For any decision involving numbers (wait, that’s most of them)

For the rest of the cases, what matters is not how significant each individual risk is but how uncertainty in general affects our decision, KPI or objective. Nassim Taleb calls it f(x); operations research calls it f(x) too. In other words, we should be more interested in the effect of risk on something than in the level of the risk itself.

To my surprise the message above is actually very difficult, almost impossible, for the risk managers to digest. See if you can help me better explain it in the comments.

This is what I call risk management 2: using risk analysis as a decision-making tool. Since the idea of using risk analysis for decision making is much older than the idea of using risk management as an element of corporate governance, all we need to do is open any good book on decision science or probability theory to find the tools.

Let’s repeat. Here are just some of the common techniques, some more than 50 years old, ranked from simple to difficult:

  • decision trees or influence diagrams
  • scenario analysis
  • stress testing
  • simulation modelling techniques

The irony is that while many risk management departments have been using heat maps to rank risks, other business units have been using proper risk analysis techniques forever without calling it risk management. Doctors use decision trees, investment professionals use sensitivity analysis, finance teams use scenarios, and pharma companies, geologists and weather forecasters have used simulation modelling forever.
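The f(x) idea from the section above, and the flaw of averages mentioned in the introduction, in code. This is an added example, not the author’s model: a capacity decision (a constructed “small plant” versus “large plant”, with made-up demand, price and unit-cost distributions) where the objective is annual margin. It computes the single number a budget built on average inputs gives, f(E[x]); the distribution of the objective under uncertainty, E[f(x)] with its P10/P90 and probability of a loss; and the one-at-a-time P10-to-P90 swings behind a tornado chart. The capacity cap is what makes f non-linear, and that is why the budget number is not the expected outcome.

```python
"""f(x): the effect of uncertainty on the objective, not a 'risk level'.

Added illustration, not the author's model. The two options, the input
distributions and every number below are constructed for the example.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    name: str
    capacity: float      # units per year the plant can sell
    fixed_cost: float    # annual fixed cost of that capacity


OPTIONS = (Option("small plant", 1000, 2000), Option("large plant", 1200, 2500))


def sample_inputs(rng: random.Random) -> dict[str, float]:
    """Uncertain inputs to the margin model (constructed distributions)."""
    return {
        "demand": rng.triangular(600, 1600, 1000),     # units/year
        "price": rng.uniform(9.0, 11.0),               # $/unit
        "unit_cost": rng.triangular(5.0, 8.0, 6.0),    # $/unit
    }


# Means of the distributions above: what a 'budget on averages' plugs in.
MEAN_INPUTS = {"demand": (600 + 1000 + 1600) / 3, "price": 10.0, "unit_cost": (5 + 6 + 8) / 3}


def margin(x: dict[str, float], opt: Option) -> float:
    """f(x): the objective as a function of the uncertain inputs.
    The capacity cap makes it non-linear, so f(E[x]) != E[f(x)]."""
    sold = min(x["demand"], opt.capacity)
    return sold * (x["price"] - x["unit_cost"]) - opt.fixed_cost


def plan_on_averages(opt: Option) -> float:
    """f(E[x]): the one number a budget built on 'most likely' inputs produces."""
    return margin(MEAN_INPUTS, opt)


def simulate(opt: Option, n: int = 20_000, seed: int = 7) -> list[float]:
    """Monte Carlo over the inputs: the whole distribution of the objective."""
    rng = random.Random(seed)
    return [margin(sample_inputs(rng), opt) for _ in range(n)]


def summarise(values: list[float]) -> dict[str, float]:
    s = sorted(values)
    pick = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {
        "mean": statistics.fmean(s),
        "p10": pick(0.10),
        "p90": pick(0.90),
        "p_loss": sum(1 for v in s if v < 0) / len(s),
    }


def sensitivity(opt: Option, n: int = 20_000, seed: int = 7) -> list[tuple[str, float]]:
    """Swing of the margin when one input moves from its P10 to its P90 with the
    others held at their means (the numbers behind a tornado chart), largest first."""
    rng = random.Random(seed)
    samples = [sample_inputs(rng) for _ in range(n)]
    swings = []
    for key in MEAN_INPUTS:
        col = sorted(s[key] for s in samples)
        lo, hi = col[int(0.10 * n)], col[int(0.90 * n)]
        at = lambda v, k=key: margin({**MEAN_INPUTS, k: v}, opt)
        swings.append((key, abs(at(hi) - at(lo))))
    return sorted(swings, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for opt in OPTIONS:
        s = summarise(simulate(opt))
        print(f"{opt.name}: budget on averages {plan_on_averages(opt):.0f}, "
              f"simulated mean {s['mean']:.0f}, P10 {s['p10']:.0f}, P90 {s['p90']:.0f}, "
              f"P(loss) {s['p_loss']:.2%}")
        for key, swing in sensitivity(opt):
            print(f"  swing from {key}: {swing:.0f}")
```

The output a decision maker needs is the range and the probability of a loss for each option side by side, not a colour for “demand risk”. Note that the simulated mean sits below the budget-on-averages number for both options: the cap means extra demand cannot be sold, but a shortfall is lost in full, and averaging the inputs first hides that asymmetry.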

If you want me to expand on any of the tools, please write in the comments.

For big and important decisions

This one is simple: if the decision is complex and the stakes are high, use simulation modelling or better. What is even better? Write in the comments.


If you found this article useful please like and share.


31 thoughts on “Finally! An alternative to risk matrices”

  1. Hi Alex, to the point as always. Yes, please further develop the various techniques / tools.
    SCORING!
    Cheers, Julien

  2. Cannot figure out the difference between heat map and scoring. To put a certain risk to a particular square of the map, one needs to score it. Please, write about proper scoring. Thanks in advance.

    1. Most scoring methodologies that rely on people to rate things are just as flawed as heatmaps. Some scoring methodologies that rely on factual observations and statistical relationships could be useful. See parametric models

  3. Makes me wonder, why organizations need risk managers then? Except when it’s required by a regulator.

    1. Would be true if most of the people in the organisation were competent in applying the tools and techniques in the article. They are not.

  4. I am a beginning risk manager at a card processing centre. I am in the process of developing a risk register. I use PL-based cash flow and brainstorming techniques to identify risks, and root cause analysis methods together with bow-tie to analyse them. What other methods can improve the work? What is your opinion about Theory of Constraints as an operational risk and process assessment methodology? Thank you.

    1. What is the purpose of the risk register? Because collecting and analysing risks for the sake of the risk register is not useful. There must be a bigger goal, and that goal will determine the best technique to use.

      1. The purpose of the register is to cover as much high-level risks (risk owners are top managers) as possible. Regarding your answer, not the specific of the industry, but the purpose of the register defines the methods to use. Do I correctly understand you?

      2. Wrong purpose to do risk analysis, so no matter the tool, it will add very limited value to the business.

        So ask yourself what the real purpose of doing risk analysis is. Then you will realise you should never have attempted a risk register in the first place.

      3. Alex, thank you very much for straightforward and honest reply. Although, it was not so pleasant, but I will be careful in looking for a proper training on the subject-matter next time. Good luck.

      4. Alex, I have three of your books on build-up and evaluation of RM system. BTW, the methods I apply are taken either from these books or learnt at your distance learning course. But thank you anyway.

      5. I think that falls into the category of doing risk analysis for the purpose of risk analysis. But what if his objective were to increase margins as much as possible? With that in mind it would be reasonable to keep a risk register, in the sense that it captures loss events, and if you want to increase profit you should reduce losses. Since he is in the card processing business, I assume that his loss events are related to card transactions. For example, if his clients keep reporting issues with card usage in certain types of businesses, or there are reports of fraudulent card usage, I find it useful to track those issues, analyse them and find what caused them. Furthermore, if they are preparing the budget for next year, that information could be useful to calculate how much they expect to lose.

      6. If the objective is to increase margins, wouldn’t we use assumptions check and scenarios or sensitivity or simulations instead. Risk register is not a tool, it’s just a table to store information.

        Also doing risk analysis for the sake of risk analysis is evil ))

      7. Mr. Ramirez, thank you for your reply. Actually, my questions were about the application of specific methods in the card payment processing industry (if there are any) and whether Theory of Constraints can be applied to identifying and analysing risks in that industry. Unfortunately, I did not get any answer. With regard to the purpose of my application of the risk register, I did not get into details because the PL-based cash flow method, which Mr. Sidorenko knows very well, is a qualitative method applied to the budget in order to identify risks which might affect the financial health of the company. Needless to say, it should be changed to a quantitative one, such as Monte Carlo simulation, or at least sensitivity analysis. Unfortunately, I do not have training in this, and the maturity of my company is not ready to comprehend something more complicated than a risk register or heat map. But I am here not to speak about my deficiencies or those of my company’s management or BoD. I just asked questions relating to the first group mentioned in the article: methods to understand the nature of the risks. I did not ask about the risk register, or about methods identifying how uncertainty affects the financial health of the company. Thank you for your attention.

      8. No problem. Just an unsolicited advice, don’t focus too much on the method itself but rather focus on understanding the model, how the business works and how the variables behave. Top managers won’t care much if you used X or Y method, they will care more for precise and short solution.

      9. That is true. I actually stopped talking too much about the technique; no one cares, and people actually lose focus from the important issues.

  5. Most risk analysis seems to start with throwing darts at a dartboard. Or, as we say today, a ‘workshop’. I think it needs to start with one thing you already have, and one thing you need to develop. The thing you have, at least in your head, is a ‘work/activity breakdown structure’. The thing you need is a ‘risk breakdown structure’, not for the activity, per se, but for what it is intended to do. You can then work back from the result sought to the actions to produce that result.
    The lowest level of the WBS and the RBS that you have decided to prepare are then the headings for columns across the top and rows down the side of a chart (I avoid the word matrix, as it conjures up the wrong implication). At each crossing of RBS and WBS element decide if there is an interaction. If there is an interaction, what is the threat, danger, risk and its response.
    Thus the appraisal of risks comes out of the work that needs to be done, the results to be achieved and the activities that will achieve them.
    From here follows good risk analysis: causal pathways, bowtie diagrams (effect-consequence analysis, or ECA for the board room), failure mode analysis, decision branching studies, etc.
    Out of this should come cost ranges of a failure event, compared to the project/activity value and the appetite for risk (i.e. how much you are prepared to lose); you make a plan: change the project, change the delivery, insure, hold breath, etc.
    Here we are developing a plan based on risk salience; use a Monte Carlo, or probability ranges, to develop the final cost range.

  6. Hello! Did you ever write an article about scoring? If so, what was the title? Would love to read it!
