Understand the probability of loss, adjusted for the severity of its impact, and you have a sure-fire method for measuring risk.
Sounds familiar and seems on point; but is it? This actuarial construct is useful and adds to our understanding of many types of risk. But if we had these estimates down pat, then how do we explain the financial crisis and its devastating results? The consequences of this failure have been overwhelming. Enter "risk velocity," or how quickly risks create loss events. Another way to think about the concept is in terms of "time to impact" a military phrase, a perspective that implies proactively assessing when the objective will be achieved.
Impact - What is the maximum business damage this risk could cause?
Probability - How likely is this risk to materialize?
Speed - At what speed will this risk impact the organization?
RISK A—High Severity and Likelihood but Low Speed of Onset
Increased employee attrition will have a significant impact on the organization and is very likely to happen.
RISK B—High Severity and Likelihood and High Speed of Onset
A new competitor will have a significant impact on the organization and is very likely to happen. The risk is forecast to materialize within the next two months when the new competitor begins trading.
Here’s an Example:
Use a group of managers who have some accountability for strategy and tactics and spend time interviewing them and getting their inputs on where they're going and what factors are driving their plans.
Collectively, these efforts can give you a few of the many data points you can leverage to piece together a picture of emerging risks and some context around the speed with which they could develop and cause loss.
The more of these elements you can assess, the more opportunity you'll have to develop and implement loss prevention plans that could allow you to avoid the loss altogether. Between your efforts at prevention and control you may be able to avoid or mitigate your next crisis, an experience you can live without.
Ultimately, risk-management effectiveness depends upon both agility and resiliency. To understand why, risk management agility can be expressed as a simple formula:
Agility = Speed of Response/Risk Velocity Similarly, the formula for resiliency can be expressed as:
Resiliency = Resources Appropriately Deployed/Potential Risk Impact If we accept those formulas, then risk management effectiveness is the product of both agility and capability:
Risk-Management Effectiveness = Agility x Resiliency That means effectiveness is determined by both agility and resiliency. Massive resources aren't much good if they arrive at the wrong time; agile responses don't help if the resources you have aren't enough for the threat at hand.
Someone once told me that - "impact increases proportionally with time" and I disagreed with that statement for the following reasons:
As we know "variables" have independent impact on risk factors and to say "risk impact" is a "constant" progression over time is not realistic in any project.
Definition of proportional: pro·por·tion·al (pr-pôrsh-nl, -pr-) adj. 1.Forming a relationship with other parts or quantities; being in proportion. 2.Properly related in size, degree, or other measurable characteristics; corresponding: Punishment ought to be proportional to the crime. 3.Mathematics having the same or a constant ratio.
As long as humans are involved in the physical process of a life cycle there's no way a risk can increase proportionally in any scenario. Risks are not "mathematical functions but mathematics is used to assist us in evaluating the "probability factors" of risk impact.
None the less, it's still an educated guess based on known facts by plotting the "probability and impact" factors over a given range; 1,2,3,4 or Low, Medium, High determining the "potential" maximum risk impact score.