Traditional approaches to risk identification, analysis and management often fail to account for the realities of causal relationships and the ripple effect of risk impact. In this article, Sanjay Paul CITP MBCS outlines the benefits of adopting a network based risk analysis method, advocating radical transformation of risk management practice.

Conceptually, safety and risk are like conjoined twins: they are not easily separable. Since the mid 1990s, strategic risk management practice has expanded significantly across industries and business sectors. The rising trend of the Enterprise Risk Management (ERM) function within businesses indicates this, and reflects higher appreciation of the benefits to be gained from running a well-structured risk management program. Irrespective of the differences in ERM frameworks being adapted, risk assessment is the cornerstone of effective enterprise wide risk management.

Concepts of risk

All the way back in 430 BC, Athenian strategist and historian Thucydides recounts 'risk' in his History of the Peloponnesian War; here, the context of risk was the danger from decision making in war, a force majeure, natural hazards, or any act of God.

But from this we can extrapolate the general idea of risk — the exposure of someone, or something valuable, to harm or loss leading to the possibility of unwelcome circumstance.

Common misconceptions

Uncertainty

Uncertainty is often used as a synonym of risk. This is wrong because risk is measurable while uncertainty is not.

Similarly, people often equate risk with gambling, which again is wrong in terms of business. The concept of risk in gambling depends on perceived gain or ‘profit’, whereas in business it centres on alleviating anticipated damage or ‘loss’.

Risk and time

Risk changes over time very much like weather. It is a subject of anticipation (from the assessor’s perception) and prediction (derived by empirical methods). Time is a key element of risk, but this is often ignored.

Risk from network of events

The ‘Cause-Risk-Effect’ pattern is widely used to define and describe risk. It works on the simplistic assumption that one ‘cause’ leads to one ‘risk’ effect. However, ‘cause and effect’ generally bear a ‘one-to-many’ relationship. One cause can trigger multiple events of different magnitudes at different time delays, and any one of those effects can become the ‘cause’ of a set of further effects with varying probabilities. Several sub-pairs of ‘cause and effect’ may therefore be nested within a seemingly overarching one. Together they form a mesh of ‘event-risk’ which, when mathematically modelled, is commonly known as a ‘Bayesian Network’.

Basics of risk analysis

The first step of the risk management process is risk identification. It is a deliberate and systematic effort to single out, document and create a repository of strategic risks of the business. ISO 31000 suggests risk identification in three steps: find, recognise and record. If an event impacts any of the key strategic elements, it would be considered a risk.

Five key strategic elements to consider are:

  1. Objective: business targets and goals
  2. Resource: facilities like plant, machinery and stock of material
  3. Capability: engineering/technology that makes product/service sellable
  4. Interest: where organisation intends to operate for its future revenue
  5. Wellbeing: employees’ health and safety

Should the risk event occur, one or more of these elements bear the impact. However, the extent of that impact depends on the effectiveness of the existing controls, or mitigants, and a few other factors such as the degree of relevance, proximity to risk source and length of exposure. Describing strategic risk is evidently a complex task. To build a holistic understanding of a risk's characteristics, its time dimension is as important as likelihood and impact.

Limitations of traditional risk analysis

A Risk Matrix, also known as a Probability Impact diagram, is a widely adopted and simple technique of risk management. It provides a framework for systematic depiction of risks, individually in ‘Cause-Risk-Effect’ format. Both of its axes bear an arbitrary Likert-type scale of choice on which to place the risk in question. Also, this method can accommodate one or two additional dimensional elements of risk, typically priority rating, either using traffic light style indication RAG (red-amber-green) or numerals.

The long lived popularity of the Risk Matrix is due to its sheer simplicity and its having a wide latitude to absorb imprecision. It has, however, a few intrinsic and significant limitations.

First, risk priority rating is an oversimplified way of reducing dimensionality, which is a paradox because, as we have covered, risk has many elements.

Second, this method does not apply where probability and consequences are negatively correlated. For example, higher probability of rolling out surveillance systems to cover wider areas would reduce (negative correlation) the potential consequence of losses from burglary.

Third and most importantly, this method treats each risk in isolation, which is rarely true in reality. Therefore standalone, unconnected risk descriptions make no comprehensive contribution to the risk owner’s ability to make informed decisions.

Alternative approach

In contrast to the Risk Matrix, this author evangelises a network-based approach adopting ‘Graph Theory’, which adds more dimensions to portray a wholesale risk landscape. It places risks as ‘nodes’ and joins them with ‘edges’ representing causal relationships. Because cause is directional and consequences become causes for subsequent events, this network diagram becomes a ‘Directed Acyclic Graph’ (DAG).

Advantages of network model

This new approach would offer the following benefits:

  1. The nodes and edges remain extendable. It is possible to add new risk attributes and causal dimensions at any time for better explainability and interpretability
  2. A change in the value of a node or edge would have a ripple effect over the entire risk network, which would be quickly visible
  3. The conditional probability of inbound causes can be scientifically calculated when they converge into one risk

Over the passage of time, introduction and removal of risks to and from the landscape is a common practice. This network model offers a provision to add or delete nodes as needed. Therefore it would alter the landscape and project a total view.
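As an added illustration (not from the original article), the sketch below models a small constructed risk landscape as a DAG and computes each risk's probability exactly by enumerating joint states. The node names, the probabilities and the noisy-OR rule used to combine converging causes are assumptions chosen for the example.

```python
from itertools import product
from graphlib import TopologicalSorter, CycleError

# Constructed sample risk landscape (hypothetical names and numbers).
# BASE: probability the risk occurs when no modelled cause is active.
BASE = {"supplier_outage": 0.10, "cyber_intrusion": 0.05,
        "production_halt": 0.01, "data_loss": 0.02, "missed_target": 0.03}
# (cause, effect): probability that the cause, if it occurs, triggers the effect.
EDGES = {("supplier_outage", "production_halt"): 0.60,
         ("cyber_intrusion", "production_halt"): 0.30,
         ("cyber_intrusion", "data_loss"): 0.50,
         ("production_halt", "missed_target"): 0.70,
         ("data_loss", "missed_target"): 0.40}

def topo_order(base, edges):
    """Return nodes causes-first; raise ValueError if the graph is not a DAG."""
    deps = {n: set() for n in base}
    for cause, effect in edges:
        deps[effect].add(cause)
    try:
        return list(TopologicalSorter(deps).static_order())
    except CycleError as exc:
        raise ValueError(f"causal loop: {exc.args[1]}") from exc

def marginals(base, edges):
    """Exact P(risk occurs) for each node by enumerating all joint states."""
    order = topo_order(base, edges)
    totals = dict.fromkeys(order, 0.0)
    for states in product((False, True), repeat=len(order)):
        world = dict(zip(order, states))
        joint = 1.0
        for node in order:
            # Noisy-OR (assumed rule): the node stays quiet only if its base
            # rate and every active inbound cause all fail to trigger it.
            quiet = 1.0 - base[node]
            for (cause, effect), p in edges.items():
                if effect == node and world[cause]:
                    quiet *= 1.0 - p
            joint *= (1.0 - quiet) if world[node] else quiet
        for node in order:
            if world[node]:
                totals[node] += joint
    return totals

if __name__ == "__main__":
    for risk, p in marginals(BASE, EDGES).items():
        print(f"{risk:16s} {p:.4f}")
```

Lowering one edge value, for example the supplier-to-production link after adding a second supplier, and recomputing shows the ripple effect on every downstream risk. Enumeration grows as 2^n, so it only suits small networks.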

Conclusion

There are many benefits to adopting a new risk analysis approach using the Bayesian network method. The approach is business domain agnostic, because the method fundamentally relies on decomposing causal relationships and building a chain of events. Finally, the method forces risk analysts to estimate both cause and consequence, conforming to the risk expressions of the ISO 31000 standards.

About the author

Sanjay Paul CITP MBCS is a practising Enterprise Architect in civil service and an active BCS volunteer. While pursuing his MBA at Warwick Business School, he researched ‘risk assessment’ and behaviour of ‘risk assessors’.