In risk management, there is something of an age-old conundrum (not quite as mind-twisting as the chicken versus the egg): which should be considered first when tackling a qualitative risk assessment, the consequence or the likelihood?

While we certainly support, when appropriate, the short-cut version of risk management in an operational context (identifying an issue or risk and jumping straight to controlling it), if an organisation is going to the trouble of undertaking detailed risk assessments then there is a need to complete these assessments correctly.

Risk is a function of its component parts. At a basic level, typically this is Consequence and Likelihood or whatever synonym has been selected to represent these. The level of risk is proportional to each of its components. However, the order in which these components are considered significantly impacts on the subsequent risk score.

The 2009 version of ISO 31000 – Risk management Standard included a definition for the level of risk as “magnitude of a risk … expressed in terms of the combination of consequences and their likelihood.” The supporting ISO 31010 Risk management – Risk assessment techniques (2009) stated: “Risk analysis involves consideration of the causes and sources of risk, their consequences and the probability that those consequences can occur.”

The consequence (or impact) of the risk needs to underpin the assessment, and the likelihood needs to be the relative likelihood of that underpinning consequence.

The 2018 version of ISO 31000 unfortunately does not include this explanation. The Standard’s discussion of risk analysis simply states that consequences and likelihood are part of a list of things that need to be considered.

However, a recent discussion with one of the ISO 31000 Committee members highlighted that the adaptation of the definition of risk from ISO 31000 distorts its intention. As written, the definition reads as if the likelihood in question relates to the occurrence of an event. This is not what the Standard intends. “The likelihood in question is the likelihood of experiencing the consequence. While this might seem a minor issue of expression, it has the potential to seriously mislead those undertaking risk assessments and will nearly always lead to the level of risk being assessed as higher than it actually is.”

To illustrate the potential disconnect, and thus the need to have the consequence anchor the relative likelihood, please consider the following:

We are in the midst of cyclone season and want to assess the potential impact of this on property damage and the potential for lives lost. If we consider the likelihood first, we are framing the assessment around the likelihood of a cyclone, and then we consider the consequence or the extent of the impact should that cyclone occur. In consolidating these two elements, the cyclone will have an inflated level of likelihood.

Now, if we consider consequence at the outset, we are prompting the thought process to consider what the ‘most credible’ level of consequence will be, in the context of the strength of the current controls, which may temper the resulting consequence score. Importantly, in the next step we consider the likelihood of the event (i.e. the cyclone) to prompt that most credible level of consequence.

Assessing the risk in that order therefore delivers a more realistic, and manageable, residual risk rating.

Please contact QRMC for more information.