Risk management is often framed as a separate discipline focused on managing risks through risk registers, heat maps, risk frameworks and qualitative risk reports. This is like confusing astronomy and astrology. Risk registers, heat maps, risk frameworks and qualitative risk reports have nothing to do with risk management, let alone risk based decision making.
This article summarizes key insights from a 1.5-hour workshop at the RISK-IN conference in Zurich demonstrating how to rethink risk management using quantitative methods grounded in decision science and probability theory.
Rethinking risk as a distribution
Risk is not a word (high, medium, low), risk is not a single number (5 x 5 = 25) or a single amount (10% x 1000 = 100); risk is ALWAYS a range, from nothing happening to a catastrophic loss. It is best modelled as a probability distribution spanning potential scenarios from trivial losses to catastrophic events. There is a higher probability of low to moderate consequences, a lower probability of high losses, and a very low chance of a catastrophic or total loss.
Sometimes we use point metrics like Value at Risk (VaR) to summarize a relevant percentile, but the full distribution always exists behind such measures. To some readers this is new and ground-breaking, and I genuinely feel sorry for you, because this is risk management 101.
But that is not all. A loss distribution or loss exceedance curve is just one of the two ways to think about risk, not the only one. In this video I talked about what Taleb calls F(X), a much better and more practical way to represent risks.
Focusing on the effect of risks on objective or decision
A much better way is to shift thinking from the losses themselves to the effect of risks on a strategic goal or decision, such as cash flows, budgets, timelines, or profits. For example, instead of stating "there is a 5% annual chance of a $10 million loss from this risk," we can say "this risk causes a 10% chance of a 20% budget overrun, and a 1% chance of the project timeline doubling."
Watch me explain this in the video, because this alone will change your risk management approach forever. In my work I represent, rank and mitigate risks in terms of their effect on the decision or objective. This is something most risk managers in project management get (the ones who do quantitative cost and schedule risk analysis) and almost no one in cyber risk understands.
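To make both framings concrete, here is an added Python example; it is not code from the workshop or from the SIPmath model described later in the article. It takes a constructed register of three independent risks, enumerates every combination of events to get the exact loss distribution, reads off exceedance probabilities and VaR percentiles from it, and then re-expresses the same distribution as the chance of a budget overrun against an assumed budget. The risk names, probabilities, impacts and the budget figure are all assumptions chosen for illustration.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One independent risk event: probability of occurring in the period
    and the loss if it does (constructed values, not from the article)."""
    name: str
    probability: float
    impact: float


# Constructed register: three independent risks, amounts in thousands.
RISKS = [
    Risk("minor incident", 0.30, 100),
    Risk("major incident", 0.10, 500),
    Risk("catastrophic incident", 0.02, 2000),
]

# Assumed project budget that the losses are measured against (constructed).
BUDGET = 1000


def expected_loss(risks):
    """The single number a 'probability x impact' register reports."""
    return sum(r.probability * r.impact for r in risks)


def loss_distribution(risks):
    """Exact distribution of total loss: enumerate every combination of events.

    Fine for a handful of risks; with many risks or continuous impacts you
    would sample (Monte Carlo) instead, which is what SIPmath-style models do.
    Returns {total_loss: probability}.
    """
    dist = {}
    for outcome in itertools.product([False, True], repeat=len(risks)):
        prob = 1.0
        total = 0.0
        for occurred, r in zip(outcome, risks):
            prob *= r.probability if occurred else (1.0 - r.probability)
            if occurred:
                total += r.impact
        dist[total] = dist.get(total, 0.0) + prob
    return dist


def exceedance_probability(dist, threshold):
    """P(loss >= threshold): one point on the loss exceedance curve."""
    return sum(p for loss, p in dist.items() if loss >= threshold)


def value_at_risk(dist, confidence):
    """Smallest loss x with P(loss <= x) >= confidence, i.e. a percentile
    of the distribution; the distribution is still there behind the number."""
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= confidence - 1e-12:
            return loss
    return max(dist)


def overrun_probability(dist, budget, fraction):
    """Same distribution, reframed as its effect on the objective:
    P(budget overrun >= fraction of budget)."""
    return exceedance_probability(dist, fraction * budget)


if __name__ == "__main__":
    dist = loss_distribution(RISKS)
    print(f"expected loss (the single number): {expected_loss(RISKS):.0f}")
    print("loss exceedance curve:")
    for x in (0, 100, 500, 1000, 2000):
        print(f"  P(loss >= {x:>5}) = {exceedance_probability(dist, x):.4f}")
    for c in (0.50, 0.95, 0.99):
        print(f"  VaR{int(c * 100)} = {value_at_risk(dist, c):.0f}")
    for f in (0.2, 1.0):
        print(f"P(budget overrun >= {f:.0%}) = {overrun_probability(dist, BUDGET, f):.3f}")
```

With these assumed inputs the register's single number is an expected loss of 120, while the distribution behind it says there is a 38% chance of any loss at all, a 95th-percentile loss of 500 and a 2% chance of losing 2000 or more. Stated against the objective, that is an 11.8% chance of a 20% budget overrun and a 2% chance of the budget doubling, which is the form a decision maker can actually act on.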
Case study: what good risk management looks like
To demonstrate these concepts, let’s walk through a case study of an airline engine manufacturer going through a business transformation.
Imagine a situation where management presented to the Board an optimistic forecast projecting high growth and solid profits. The independent directors, probably DCRO certified, scrutinised the assumptions only to realise that many of them are uncertain or biased. The Board has asked you to stress test the original management assumptions and forecasts and present a risk-adjusted business plan next week.
Where would you start this task? By the way, this is not a hypothetical, this is something I get asked all the time at work.
Go step by step with me in Excel to see how I used the free SIPmath 3.0 standard to turn the management business plan into a risk model that quantifies this company's chances of success, uncovers the truth about the company, and allows the Board to make a better decision about its future.