In Riskope’s (www.riskope.com) day-to-day review jobs we notice a number of pitfalls in Risk (Management) approaches:
Feb 10th, 2011
For example:
- Deficiencies, and sometimes to a lesser extent excesses, in defining the scenarios included in the analysis.
- The apparently “desperate need to use precise numbers” when dealing with quantitative analyses. That plays in favor of excessively fuzzy and confusing qualitative or indexed approaches. Users adopt them with the excuse that “numbers will be wrong” anyway.
- The irresistible need to delve into exceedingly complex event trees. This is particularly acute when dealing with conditional probabilities. Sometimes users end up with event trees with thousands of branches.
These pitfalls have led some very reputable global companies to opt for a technologists’ binary (yes/no) view of security. In their eyes, systems are either secure and safe, in which case they have no vulnerabilities, or insecure, in which case they have vulnerabilities that require remedial action. Users often forget the definition of risk because no clear glossary is used, further complicating matters.
Even large corporations make astounding decision mistakes! They rely on the excuse that a model is only as good as the information one puts in (point 2 above), are convinced that only “very precise numbers” would fit the needs of analyses, and neglect the fact that ranges are the safest option.
Large amounts of money are wasted as a result of a choice that is often made because of a refusal to think ahead.
Some approaches look exclusively at the value of assets (at risk) and fail to weigh safeguard/mitigation costs against them (meaning they do not use risk as a discriminant). The results are erratic at best, and may lead to:
- over- or under-mitigation,
- economic inefficiencies,
- lack of competitiveness.

Without the capacity to perform cost-benefit analysis or the requirement of basic data collection for future statistics, these methods provide no mechanism to motivate refinement of their recommendations. Although convenient in the short term, these are not viable long-term solutions.
Some other approaches, like scenario analyses, involve the construction of different hazard/risk/crisis scenarios. Scenario analysis is customarily employed to dramatically illustrate how vulnerable an organization is.
The primary drawback of a scenario based risk approach
The primary drawback of an exclusively scenario-analysis based approach is its generally limited scope and consistency. For example, an expert will build a very detailed risk scenario in his domain but will forget the most basic scenarios in other areas.
In a recent case we even saw a company censoring reality down to “credible” scenarios, thus cutting away any low-probability, high-consequence scenarios!
Assessing only a few scenarios leaves open the possibility of missing important paths, leaving serious risks unaddressed. By narrowing the focus in this way, the analysis becomes tractable, but incomplete.
In the meantime, ignorance is a self-reinforcing problem, since organizations are reluctant to act on security/risk concerns unless they see a real problem.
Riskope’s ORAPR offers the opportunity to quickly assess an operation’s risk awareness and preparedness. The benefits for the evaluated entity are considerable: the Operation Risk Awareness and Preparedness Rating (ORAPR) constitutes a very fast, easy, repeatable and inexpensive approach that reveals global management and leadership strengths and weaknesses and delivers a metric of the Operation/Corporation/Project Survivability Readiness and Awareness in case of hardship, extreme events, crises and mishaps.