Better Risk Matrix ... kind of
Download as PPTX, PDF4 likes1,487 views
This document describes how to create a more effective risk matrix by defining your own probability and impact ranges rather than using pre-defined categories. It recommends using triangular and PERT distributions to model the most likely probability and impact values within each range. Running a Monte Carlo analysis on these user-defined distributions provides quantitative risk exposure metrics like minimum, average, and maximum annual losses. This allows comparing risks and assessing if risk mitigation spending is appropriately reducing exposure to the organization's risk appetite.
Better Risk Matrix ... kind of
- 1. How to create a better Risk Matrix (kind of…) Or How to avoid the dreaded “Q” word…. By Osama Salah
- 2. This is a typical Risk Matrix Negligible Minor Moderate Significant Severe Very Likely Low Med Medium Med Hi High High Likely Low Low Med Medium Med Hi High Possible Low Low Med Medium Med Hi Med Hi Unlikely Low Low Med Low Med Medium Med Hi Very Unlikely Low Low Low Med Medium Medium Impact Likelihood
- 3. With the good intention to make it easier some add labels to provide guidance…. Negligible Minor Moderate Significant Severe 0 - $100K $101K - $1M $1M - $50M $50M - 100M > $100M Very Likely 10 times per year or more Low Med Medium Med Hi High High Likely 9 - 5 times per year Low Low Med Medium Med Hi High Possible 4-2 times per year Low Low Med Medium Med Hi Med Hi Unlikely Once per year Low Low Med Low Med Medium Med Hi Very Unlikely Once every 3 years or less Low Low Low Med Medium Medium Impact Likelihood
- 4. But you can’t help but wonder…. Negligible Minor Moderate Significant Severe 0 - $100K $101K - $1M $1M - $50M $50M - 100M > $100M Very Likely 10 times per year or more Low Med Medium Med Hi High High Likely 9 - 5 times per year Low Low Med Medium Med Hi High Possible 4-2 times per year Low Low Med Medium Med Hi Med Hi Unlikely Once per year Low Low Med Low Med Medium Med Hi Very Unlikely Once every 3 years or less Low Low Low Med Medium Medium Impact Likelihood Am I really going to deal with a $1M loss the same as a $50M? Am I really going to treat something that happens 11 times per year the same as 100 times? Who came up with these seemingly arbitrary buckets? (I did for this presentation, but in real life there isn’t much more of a rationale behind it either.)
- 5. What if I could define my own buckets?Likelihood Impact Let’s imagine that and start with a blank slate…
- 6. Let’s say you are pretty sure:Likelihood Impact$70K Impact is somewhere between $70K and $200K Likelihood (frequency of loss) is somewhere between once and 3 times per year These will be your self-defined buckets $200K 3/year 1/year
- 7. We designed our own buckets, but what now? We can actually do some cool math with these ranges. But to make it more useful we will add one more point in each bucket (and will start calling them “ranges”). If loss is between $70K and $200K, what do we believe is most likely? Are we more likely (more often) going to see losses close to $70K or more likely (more often) closer to $200K? Or somewhere in the middle? To represent how we feel about that we express our range as a distribution and add a “most likely” point. $70K $200K Most Likely?
- 8. Let’s Assume our analysis concludes that most likely Loss is at $100K This means that if we observe multiple occurrences of losses over time we will find most around $100K. In a plot it would look like a triangular, but that’s not “natural”. We can ”smoothen” it out using a “PERT” distribution. Triangular Distribution Smooth PERT Distribution Min Max ML (Most Likely)
- 9. Let’s Assume our analysis concludes that Most likely Frequency is Twice per year This means that if we observe losses over several years we find that in most years there we 2 occurrences. Triangular Distribution Smooth PERT Distribution
- 10. We take both distributions and throw them into a computational engine…. (Monte Carlo Analysis)Likelihood Impact
- 11. And the output will be…
- 12. Where did all my colors go!!!??!
- 14. This is the most likely loss exposure. Somewhere around $200K / year. The average annualized loss exposure is about $223K. (not deductible from chart, from calculated statistics) This is the max loss exposure. About $505K / year. This is the min loss exposure. About $95K / year. Min 96.04K Avg 223K Max 506.4K
- 15. Same data but cumulative 90% of annualized losses will be below $310K. If 90% expresses your risk appetite then don’t spend more than that to treat the risk.
- 16. Mitigating the Risk • If I spend $X on a particular treatment plan I can reduce the loss exposure and the loss frequency. Let’s say: • Throw that back into the computational engine… Frequency Loss Min 1 $50K ML 1 $80K Max 2 $140K
- 17. Result after risk mitigation 90% of losses were below $310K. After treatment 90% of losses are below $130K. If this residual risk is acceptable than risk mitigation implementation costs should not exceed $180K ($310K-$130K). Or go look for a more effective treatment plan to reduce risks further.
- 18. • And that’s how you end up doing quantitative risk management without noticing. • Although we just made assumptions we really haven’t used any data that we wouldn’t have used to process the risk matrix. • The risk matrix would not have helped figuring out if you invested enough or too much.
- 19. Resources Risk Analysis (O-RA) Risk Taxonomy (O-RT) This was a very simplified introduction to quantitative risk management. You can improve on making better estimates (calibration). Better understand the relationship and building blocks of Risk (FAIR Ontology). Have a look at the below resources blog
- 20. A computational engine Download the free version of Analytica. Download my simple FAIR model.