Risk Assessment Model – Watch Out for Biases!


By Anya Faingersh

In my post on Risk Awareness I promised to offer a comprehensive model for managing your risks, so here I am, fulfilling my promise.

Successful management of risks is based on their proper assessment, because the main decisions you’ll be making here will mostly be about dedicating resources to dealing with the risks. Knowing how to assess the risks correctly will help you prioritize the investment of resources for each and every one of them. The model will help you cover all required aspects of the Risk Assessment process, and it’s applicable to an organisation or project of any size.

It’s important to remember that there is no assessment without numbers and their calculation, but there is nothing to be afraid of – it’s all pretty intuitive.

Let’s go.

First of all, you need to create several artifacts you’ll be using during the assessment process. There are five of them: two lists and three scales. They are:

  • (List) Glossary of generic risks: to give you an overview of all possible risks for your organisation.
  • (List) Organisational domains threatened by the risks: Financial, Operational, Legal, Customer Satisfaction, etc.
  • (Scale) Possible levels of impact in each domain: strict numeric boundaries should define how the risk will affect the domain and be given relative weight (2-5% of churn=4; 30 days of delay in schedule=3, etc.).
  • (Scale) Levels of perceived likelihood for each scenario: scaled from the least to the most likely (for example, one point for every 20% of likelihood: 1=0-20% … 5=>80%).

And last but not least (the one that many tend to forget) –

  • (Scale) Levels of influence the organisation can have on the risk: its ability to control it with existing tools and procedures; also scalable from 1 to 5, with 5 being the highest level of control.

There are several important concerns to consider here.

First of all, when populating both lists, it is important to do an extensive sweep of the field without exclusively concentrating on the obvious. It’s not that the obvious risks are less dangerous than the unobvious, but the unobvious risks could be just as dangerous as the obvious. For example, the risk of exceeding the budget is naturally connected to the financial domain and is obvious enough to enter the risk glossary from the start. However, can you be sure that this would be the only domain threatened by the risk? How will this risk interact with other obvious risks, such as exceeding the time schedule, or with less obvious ones, such as the sudden withdrawal of a crucial partner from the project? You have to fight the urge to concentrate on what you know, because risks by their nature live in the future, which you don’t know.

Secondly, when building the scales, it’s important to make a transition from scanning the field with your gut feeling, as you did for the lists, to creating clear numerical boundaries and quantitative data analysis. One can go as far as to say that the successful marriage of guts with data analysis is the essence of dealing with risks.

Third, you have to remember that at any stage of the analysis you could be misled by biases. Your choice of risks and domains could be skewed by Cultural Bias; poor understanding of categorization rules (Statistical Bias) can cause you to mess up the numbers; your fear of the risk coming true (Emotional Bias) may drive you to make hasty decisions, and so on. You are advised to assume that Bias is actually one of the risks to account for.

After defining the artifacts mentioned above, it’s time to do several simple operations with numbers for any specific risk you expect to encounter (e.g. a serious delay), also in five steps:

  1. Identify the expected level of impact in each affected domain, such as: finance-wise the delay will bump up the budget by 20% = 2.
  2. Identify likelihood: for example – 4.
  3. Identify the level of influence you have on the risk: for example – 3.
  4. Weight of this risk for this domain will be: (IMPACT × LIKELIHOOD) / CONTROL = (2×4)/3 = 2.66.
  5. Repeat this calculation for each domain affected and then sum up:

(2×4/3) + (I₂×L₂/C₂) + … + (Iₓ×Lₓ/Cₓ) = OVERALL WEIGHT OF THE RISK.

After you have calculated the overall weight for every expected risk, you can easily rank their possible severity based on this number. The ranking will help you decide where your intervention is most crucial and how many resources could be dedicated for dealing with each risk.
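The five steps and the ranking, worked through in Python as an added example (not the author's own code). The risk names, domain scores and the bucket boundaries at exact multiples of 20% are constructed assumptions; only the formula and the 1-5 likelihood and control scales come from the post.

```python
import math

def likelihood_level(percent):
    """Map perceived likelihood (%) to the 1-5 scale, one point per 20%.
    Assumption: an exact boundary (20, 40, ...) falls in the lower bucket."""
    if not 0 <= percent <= 100:
        raise ValueError("likelihood must be between 0 and 100 percent")
    return max(1, min(5, math.ceil(percent / 20)))

def domain_weight(impact, likelihood, control):
    """Step 4: (IMPACT x LIKELIHOOD) / CONTROL for one domain."""
    if impact <= 0:
        raise ValueError("impact must be a positive level from your impact scale")
    for name, value in (("likelihood", likelihood), ("control", control)):
        if not 1 <= value <= 5:
            # A control of 0 would also divide by zero; the scale starts at 1.
            raise ValueError(f"{name} must be on the 1-5 scale, got {value}")
    return impact * likelihood / control

def overall_weight(domains):
    """Step 5: sum the per-domain weights of a single risk."""
    return sum(domain_weight(*scores) for scores in domains.values())

def rank(risks):
    """Order risks from heaviest to lightest overall weight."""
    weighted = [(name, round(overall_weight(d), 2)) for name, d in risks.items()]
    return sorted(weighted, key=lambda item: item[1], reverse=True)

# Constructed sample data: {risk: {domain: (impact, likelihood, control)}}
RISKS = {
    "serious delay": {
        "Financial": (2, likelihood_level(70), 3),   # the post's 2, 4, 3 example
        "Customer Satisfaction": (3, likelihood_level(70), 2),
    },
    "budget overrun": {"Financial": (4, 3, 4)},
    "partner withdrawal": {"Operational": (5, 2, 1), "Legal": (2, 2, 2)},
}

if __name__ == "__main__":
    for name, weight in rank(RISKS):
        print(f"{weight:6.2f}  {name}")
```

In this sample the least likely risk ranks first because the organisation has almost no control over it, which is the effect of dividing by CONTROL.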

The secret here is in bringing everyone involved in the process to the middle ground by establishing strict boundaries and rules for translating gut feeling into tangible and comparable numbers. No technical tool by itself can guarantee you success. Only by using your personal mind and the organisation’s collective mind as the TOOL ABOVE OTHER TOOLS will you be able to secure your future from the multiple risks threatening it.

About Anya: Anya Faingersh’s goal is to help people and organisations improve their productivity and, in the case of not-for-profits, make greater social impact by, of all things, making our lives easier. You can read more of Anya’s enlightening thoughts at her AnyaWorkSmart blog and follow her on Twitter.


About B-Cause

B-Cause is published by Cause and Effective. We help good causes find and attract effective leaders.
