- LATEST BLOG POST
- echo $post_date ?>
- A decade of physical risks generated by industrial systems hacking is featuring a remarkable and worrisome acceleration. Indeed, it all…
- Read More
We wrote a paper with 10 rules to enhance risk assessments and today we will focus on three ways to enhancing your risk registers, namely rules #3, 5, 6.
We have selected three rules out of ten of the original paper based on issues various delegates focused on at a recent conference. Of course we invite you to read the full paper and review your risk registers.
Your projects/operation/company will greatly benefit from this action once the dust settles.
At the conference, but this was not the first time, we heard some delegates stating that “hazards” do not work. We heard some pleading for the “hazard step removal” as hazards are events and some risks arise without an event.
Let’s look at a case where “hazard” allegedly does not work: corruption. The delegates say that corruption is not amenable to a hazard, i.e. an “event” and then, of course it is not amenable in a quantitative risk register because it is “complex”.
Here is the way to overcome this difficulty, based on rule #3. The hazards to your project/operation/company are, for example:
One does not need to get bogged down naming them one by one: they are either threats-to to or threats-from. It is enough to develop “families of corruption agents”. Each family has a probability (quantifiable in each country, based on experience, with a range) of corrupting the system or being corrupted by the system, and the corruption has a potential consequence (legal, image, business interruption, HR, etc.) that can also be quantified with a range (look at Rule #7 in the original paper. Thus the “complexity” can be deconvoluted and uncertainty transparently stated. Note we use here the term uncertainty in decision making as a situation where:
NB: The texts in parenthesis in the list above are comments we made to “link back to the subject at hand”.
At this point it is possible to combine the various “elements of risk” and get to the aggregated corruption risk for your case.
One could write an entire book on this subject. Think about oil and gas or mining prospection: a dry well/borehole is a costly “failure” that many would claim has no hazardous event.
What are the threats-to the well/borehole? Many stem out of human error, omissions, geology, capitalization of the campaign. It is possible to prepare a list of those threats-to which constitute the hazard families list potentially hitting the well/borehole. You can certainly also build the threat-from list.
Now go back to the prior example (corruption)… define ranges of experience based probabilities, consequences, combine the individual threats and you will have the risks.
It is an enlightening exercise. Contact us for support!
Thinking about giving one precise value for the probability is a dangerous illusion. For instance, even if you have available large amounts of data from the past, you can never consider the past equal to the future. At best it can be used as a point estimate.
The reality is that uncertainties will always exist. So, consider the limits of our human capability to estimate events. Give one pessimistic probability, possibly Common Cause Failure based (i.e. in the case all redundancies fail because of a common flaw), and one optimistic probability with the foreseen mitigation active. If probabilities are transparently considered uncertain, then it is possible to implement a Bayesian update mechanism when new data become available.
Giving one precise value for the consequences or selecting “the worst” among types of possible consequences (in the corruption case above, selecting the worst among, for example legal, image, business interruption, HR, etc.) are blatant mistakes.
The human brain is generally good at imagining the best and the worst scenario. However we see many times that people censor the range considered. In modern society, he who hides risks dies, sooner or later.
Uncertainties will always exist. Don’t censor!
At Riskope we work very hard to develop innovative and proven methodologies for supporting decision-making surrounded by uncertainties. We also recognize that many risk registers developed over time present some “aging ailments”.
In the last couple years we have performed many Risk registers third party reviews. These have lead to streamlining, focusing, more transparency. At the end they have allowed clients to focus on what really matters to succeed and thus to reach economic benefits.
This blogpost gives you some pointers. The referenced paper more details.
Contact us if you want us to support your business.