Quantifying risks, i.e. making a tangible, quantified statement about the expected severity and likelihood is difficult. I raved about the topic previously.
Organisations often resort to a combination of the following approaches:
- qualitative statements, such as “severe” or “negligible” or “possible”
- risk matrixes plotting each risk to a specific spot on a heat map, implying precise knowledge
- experience-based approaches
- experience/exposure-based approaches
- complicated and complex, sometimes “black-boxy” type of very input-sensitive models that predict pretty much everything and anything
- and many others… (just to make the list complete)
QUALITATIVE JUST DOESN’T …
In this blogpost, a sequel to a previous post, I focus on the qualitative approach of risk assessment.
Only if hard-pressed, arm-twisted, threatened and black-mailed for a substantial ransom, I endorse the qualitative approach; and only for an organization that is at the earliest stage of its risk maturity journey. Better not even start using it at all. If you are using a qualitative approach, I strongly suggest discontinuing usage as early as possible. Stay with me as I outline some reasons, why qualitative statements, despite their apparent simplicity, just don’t cut the mustard for good ERM.
Sidenote: stay-tuned for upcoming episode elaborating on the concept of Risk Maturity.
and yet, STILL POPULAR!
Qualitative statements are easy to grasp and intuitive in their meaning. Everybody has a subjectively objective and clear view what the term “severe” means for their organization. Secondly, it also is quite easy to categorize a risk into a “severe” category, because as the word implies, this must be something “serious”. And lastly, in any group or team, it is much easier to classify a risk as “severe” than agreeing whether the expected severity is SGD 850’000 or SGD 1’200’000.
Having said all that and admitting that the qualitative approach has its advantages, I still vehemently advocate you abandon qualitative risk assessment sooner than later or best, not even start using it.
Qualitative Risk Assessment Statements ….
- mean different things to different people. What is “negligible” in my perception might be “serious” from your point of view
- are hard to compare
- are vague by default
- don’t mingle well with quantitative risk mitigation measures (such as the contractually defined pay-out of an insurance policy)
- don’t interact well with strategy and business plans; in other words one of the key benefits of good ERM cannot be harvested.
quant rules qual
Quantification of risks is hard, yet it is a key ingredient to efficient and effective ERM. I strongly encourage all risk practitioners: go out and quantify; make sure your key stakeholders understand, embrace and buy into the results of your efforts. Then the outcome of your ERM-efforts will integrate neatly with strategy and the business plan of your organsiation.
Remember the mantra: quant rules qual !
We at Megrow have worked with numerous clients on their ERM-journey. Contact us via the links below, we very much look forward to accompanying your quantification journey with our experience, foresight and input.