The process of undertaking a risk assessment has become central to decision-making in organisations of all shapes and sizes. It is now second nature in many organisations to make a conscious effort to identify possible risks to business objectives, assess those risks, and then act to remove or mitigate the risk.
Critical to this process is that the participants in the risk assessment have a shared understanding of the concepts of consequence and likelihood.
To explore how important this shared understanding is to achieving an accurate and useful outcome from the risk assessment process, first consider the steps of a straightforward semi-quantitative risk assessment:
- Identify and describe in a risk statement the specific risk to be assessed.
- Consider the effectiveness of controls that are already in place, and that will mitigate either the consequence or likelihood of the risk, or both.
- Determine the most credible consequence (or worst case consequence, if the organisation’s risk appetite requires this focus) to the organisation’s business objectives should the risk occur (for example these may range from Insignificant to Catastrophic).
- Then determine the likelihood of the risk occurring at that level of consequence (ranging from Rare to Almost Certain).
- Using the levels of consequence and likelihood in the organisation’s risk matrix, calculate the residual risk level.
- Then move on to developing and implementing additional controls in accordance with the organisation’s risk appetite.
Now, what happens if the participants in the risk assessment process don’t know or agree on the definitions of consequence or likelihood for their organisation?
Firstly, consequence. The types of consequence relevant to the organisation's operations (or its business objectives) should be determined, and levels then defined for each type. The types could range from financial, to people (safety), to reputation and more, depending on what the organisation actually does and what its business objectives are; each type is then graded from Insignificant to Catastrophic. For example, an Insignificant financial consequence could be defined as less than 1% of the organisation's revenue, through to Catastrophic defined as more than 15% of revenue.
If these types and levels of consequence have not been clearly defined and agreed upon by those undertaking the risk assessment, it is not possible to accurately assess the consequence of the risk to the organisation. For example, one participant might decide that a consequence of the risk of “accidental publication of private data” is rated Negligible by assuming that such an event has no operational implications, while another participant might deem it to be a Major consequence due to supposing that such an event would be a breach of contractual obligations with customers and a target of significant adverse media attention. If both participants had access to the organisation’s agreed definitions for Legal and Reputation consequences, for example, they would be better able to come to the same conclusion.
Secondly, likelihood: levels of likelihood or probability must be defined with clear terminology that is relevant to the organisation’s operations and comprehensible to personnel. For example, it is appropriate for some organisations to utilise qualitative descriptions for likelihood such as Rare: Rarely experienced within the Australian industry, while other organisations quantify their likelihood such as Almost certain: 90% or higher chance of occurring. (Also refer to our article on confusion around likelihood terminology in Insight issue 52.)
Again, without a shared understanding of what each level of likelihood actually means for the organisation, those undertaking a risk assessment cannot accurately estimate the probability of a given risk at the proposed level of consequence actually occurring. And critically, those making organisational decisions based on the outcomes of risk assessments will be basing their decisions on faulty information.
As a real life example, in 2015 then Environment Minister Greg Hunt announced that the proposed Shenhua Watermark coal mine on the Liverpool Plains in NSW, located in the heart of the black soil "food bowl" that produces a significant proportion of Australia's agricultural produce, was unlikely to damage underground water reservoirs. The Minister quoted from an assessment undertaken by an Independent Expert Science Committee (IESC) and indicated that the risk to aquifers was low because it was rated "unlikely". Unlikely in layman's terms can easily mean not worth worrying about, or not realistically going to happen. However, the IESC did not provide a definition of its use of the term Unlikely, and therefore neither the Minister nor the general public was able to evaluate the true risk. Former members of the IESC stated publicly that in previous, similar risk assessments, Unlikely had been defined as a probability of up to 33%. So while the Minister assumed that Unlikely meant there was hardly any risk at all, others would read it as a one-in-three chance. Given the catastrophic nature of the consequence of destroying the aquifers of Australia's most productive agricultural land, an agreed understanding of the levels applied in the risk assessment becomes critical to an accurate assessment of the risk and to good decision-making.
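The assessment steps listed earlier, using the revenue-based consequence bands and percentage likelihood bands the article describes, written out as an added example (not QRMC's tooling or any organisation's actual matrix) so that the agreed definitions live in one place that every participant rates against. The only figures taken from the article are Insignificant below 1% of revenue, Catastrophic above 15%, Almost certain at 90% or more, and an "Unlikely" band that stretches to 33%; the intermediate bands, the second (narrower) likelihood scale, the 5x5 matrix, the one-year horizon and the way existing controls are modelled as multipliers are all assumptions for illustration. Running it on a 30% chance of a loss equal to 20% of revenue reproduces the ambiguity the Shenhua example turns on: the same numbers are "Unlikely" on one scale and "Possible" on the other, and the residual risk level moves from High to Extreme with them.

```python
"""Encoding an organisation's agreed risk scales so that everyone rates alike.

Added illustration, not QRMC's tooling. Figures from the article: Insignificant
consequence below 1% of revenue, Catastrophic above 15%, Almost certain at 90%
or more, and an "Unlikely" band running up to 33%. Everything else (intermediate
bands, the second likelihood scale, the matrix, the control multipliers, the
one-year horizon) is assumed for illustration.
"""
from bisect import bisect_right

# A scale is an ordered list of (level, lower bound). A value falls in the last
# band whose lower bound is <= the value, so each band is [lower, next lower).
CONSEQUENCE_SCALE = [          # most credible loss as a fraction of annual revenue
    ("Insignificant", 0.00),   # article: less than 1% of revenue
    ("Minor", 0.01),           # assumed
    ("Moderate", 0.05),        # assumed
    ("Major", 0.10),           # assumed
    ("Catastrophic", 0.15),    # article: more than 15% of revenue
]

# Likelihood as the probability of the event within one year (assumed horizon).
LIKELIHOOD_IESC_STYLE = [      # "Unlikely" stretches up to 33%
    ("Rare", 0.00), ("Unlikely", 0.05), ("Possible", 0.33),
    ("Likely", 0.66), ("Almost certain", 0.90),
]
LIKELIHOOD_NARROW = [          # a tighter "Unlikely" band, capped at 10% (assumed)
    ("Rare", 0.00), ("Unlikely", 0.01), ("Possible", 0.10),
    ("Likely", 0.50), ("Almost certain", 0.90),
]

# Assumed matrix. Rows: likelihood index (Rare .. Almost certain);
# columns: consequence index (Insignificant .. Catastrophic).
RISK_MATRIX = [
    ["Low", "Low", "Low", "Medium", "High"],
    ["Low", "Low", "Medium", "High", "High"],
    ["Low", "Medium", "High", "High", "Extreme"],
    ["Medium", "High", "High", "Extreme", "Extreme"],
    ["Medium", "High", "Extreme", "Extreme", "Extreme"],
]


def level_of(value, scale):
    """Return (index, name) of the band on `scale` that `value` falls in."""
    if value < 0:
        raise ValueError("scale values must be non-negative")
    lowers = [lower for _, lower in scale]
    idx = bisect_right(lowers, value) - 1
    return idx, scale[idx][0]


def assess(loss_fraction, probability, controls=(),
           likelihood_scale=LIKELIHOOD_IESC_STYLE):
    """Rate one risk statement on the organisation's matrix.

    loss_fraction: most credible loss as a fraction of annual revenue.
    probability:   chance of the event occurring at that loss, before controls.
    controls:      iterable of (likelihood_factor, consequence_factor) pairs in
                   (0, 1]; each existing control scales the respective input.
                   Modelling controls as multipliers is an assumption here.
    """
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    residual_p, residual_loss = probability, loss_fraction
    for lf, cf in controls:
        if not (0.0 < lf <= 1.0 and 0.0 < cf <= 1.0):
            raise ValueError("control factors must be in (0, 1]")
        residual_p *= lf
        residual_loss *= cf
    li, likelihood = level_of(residual_p, likelihood_scale)
    ci, consequence = level_of(residual_loss, CONSEQUENCE_SCALE)
    return {
        "likelihood": likelihood,
        "consequence": consequence,
        "risk": RISK_MATRIX[li][ci],
        "residual_probability": residual_p,
        "residual_loss_fraction": residual_loss,
    }


def compare_scales(loss_fraction, probability, controls=()):
    """Rate the same numbers under both likelihood scales, side by side."""
    return {
        "iesc_style": assess(loss_fraction, probability, controls, LIKELIHOOD_IESC_STYLE),
        "narrow": assess(loss_fraction, probability, controls, LIKELIHOOD_NARROW),
    }


if __name__ == "__main__":
    # Constructed input: a 30% chance of a loss equal to 20% of annual revenue.
    for name, r in compare_scales(0.20, 0.30).items():
        print(f"{name:10s} {r['likelihood']:15s} x {r['consequence']:13s} -> {r['risk']}")
```

The point of keeping the scales as data rather than in participants' heads is that the definitions can be reviewed, versioned and reused: a decision-maker reading "Unlikely" can look up the band it came from, and two assessors feeding the same loss and probability figures get the same residual level by construction.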
In order to have confidence that the risk assessment process is providing the required robust outcomes to enable an organisation to effectively manage its risks, it is a critical prerequisite that both those undertaking the risk assessment, and those making decisions based on the outcomes, have an agreed and shared understanding of consequence, likelihood and risk levels.
Please contact QRMC for more information.