In this week's bulletin, Charlie discusses whether you should consider likelihood when conducting a risk assessment.
I thought this week I would talk about risk assessment. I did consider writing something on Brexit, but I thought it would probably end up being out of date, before I had finished writing!
For a while, business continuity has always had a slightly uneasy relationship with risk management. In the 2010 and 2013 GPGs we looked at threat assessments, whereas in the more recent 2018 GPG, we cover a threat and risk assessment. This issue of conducting a threat assessment instead of a risk assessment was driven by a certain character in business continuity circles who was very anti-risk assessment, and hence pushed the idea of threat assessment in the two earlier GPGs. Nowadays, risk assessment is coming of age and it seems to be everywhere. You need a risk assessment for climbing up a ladder and you also need one for running a massive multinational organisation.
This bulletin was inspired by a talk given by Tony Thornton, ARM Manager for ADNOC Refining, which I heard at The BCI UAE Forum in February. During his talk on risk assessment, he focused on there being no point in looking at likelihood when you are doing a business continuity risk assessment. He said that having a 3x3 or even a 5x5 scale was meaningless in terms of likelihood. The point he was making was that if there was a possibility it could happen, then that was good enough and how likely it was to happen didn’t really matter. He was more enamoured with impact, which he said was worth looking at, as well as differentiating between high, medium and low impacts.
I agree that looking at likelihood in business continuity is difficult because it is hard to calculate, without looking at a massive amount of data and doing an actuarial calculation. Even if you can do this kind of calculation, it looks at an average building’s chance of burning down because of a fire, rather than your particular building. Your building could be state of the art, brand new and with lots of features in place to prevent a fire, or it could be old, rickety, with poor wiring and a fire hazard just waiting to happen. The likelihood of each of these two buildings setting on fire is significantly different if neither one has had a fire to date.
So, should we go with Tony’s idea and say if there is a possibility of an incident occurring, then we should consider mitigation measures, and not spend any more time evaluating how likely it is to actually happen, or do we need more and at least three likelihood differentiators?
I slightly go round in circles on this one and sometimes I think if the incident can happen then that’s all we need to know. Other times I think we need to go for a 3x3 matrix, and some different likelihood scales. Perhaps, it is really up to you.
One thing to take into account when you are deciding this, is the issue of regulation. If you are working in a highly regulated industry, perhaps you need to go for a more conventional 3x3 matrix as an auditor may comment on only having one likelihood scale. You will not find too many 3x1 matrices in risk management handbooks. If you are unregulated and have more freedom to decide on your own way of doing things, keep things simple and consider the likelihood that the incident could happen at all.
If you are going for a 3x3 matrix I would consider something like this:
- Low - there is a possibility of it happening
- Medium - it is likely to happen
- High - it is more likely than not to happen
In terms of impact I like to use the following scale. It is slightly different to the norm, but I think it lets us focus on the key assets or activities of the organisation:
- Low – minor impact on activity or asset
- Medium - will stop the activity or asset in the long term, but not in the short term
- High - immediately stops the activity or asset, and they will not resume until restored
With these two scales you are going to get some granularity in your risks, and then you can start to look at those in the high / high areas. I suppose in the end, my advice to you is not to follow the crowd and go for a meaningless risk assessment. Think about what you want out of it and chose a methodology which provides you with something useful, so that you can go ahead and choose an appropriate solution to combat the risk.
Well done to all those who attended the March CBCI Certification Course (GPG) in Glasgow. All delegates passed and 66% achieved pass with merit!!