The better alternative to “inherent” and “residual” risk concepts RISK-ACADEMY Blog


Few things are certain in life: death, taxes and someone in the risk community asking about inherent and residual risks. In fact the question is so frequent that I even did a short video response:

To most organisations, the inherent vs residual comparison is a way to measure potential risk mitigation effectiveness and the reduction in risk. It sounds pretty noble and sensible to measure the trade-off between the cost of mitigation and the reduction in risk exposure.

But, as is often the case in RM1, the execution of the idea is the problem. Qualitatively assessing inherent risk on probability and impact scales before controls (or with current controls, it doesn’t matter) and then qualitatively assessing the residual risk level again is beyond stupid. By the way, if the last paragraph surprised you, you probably shouldn’t be working in risk. In the article “Finally! An alternative to risk matrices” I provide more information on the reasons why doing qualitative risk assessments is not risk management.

That being said, in RM2, we have always compared risk exposure with and without mitigations, but we do it completely differently. Drum roll please. We look at the probability of achieving objectives and how the mitigations affect that probability. Norman Marks calls it the probability of success.

In RM2 we don’t need to talk about risk levels; we always represent uncertainty as a product of objectives.

Here is what it looks like when it comes to financial objectives:

[Image: NPV 3 v13a.png]

Current risk exposure, without mitigations. Probability of success 77.5%. Not bad, but management wanted better certainty.

Updated risk exposure with mitigations. Probability of success moved to 86%. (All numbers are for illustration purposes only; the actual difference is usually much greater.)

Here is an example of what it may look like for a project schedule: 

The probability of finishing on or before the deadline is 16%. Not acceptable, need to implement mitigations.

Updated probability of success is 68%. This was within management appetite.
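The schedule comparison above can be reproduced with a small Monte Carlo simulation. The following is an added example, not the author's model: the task durations, risk events, mitigation effects and the 110-day deadline are all constructed for illustration, so the output will not match the 16% and 68% quoted above.

```python
import random

# Constructed illustration data (days); not taken from the article.
TASKS = [(20, 25, 35), (40, 50, 70), (15, 20, 30)]  # (low, mode, high) per sequential task
DEADLINE = 110

# Each risk: probability of occurring and (low, mode, high) delay if it does.
BASELINE = {
    "supplier_delay": {"p": 0.50, "delay": (10, 20, 40)},
    "rework":         {"p": 0.30, "delay": (5, 10, 20)},
}
# Hypothetical mitigations: each changes the probability and/or scales the delay.
MITIGATIONS = {
    "supplier_delay": {"p": 0.15, "scale": 0.5},  # e.g. second supplier on standby
    "rework":         {"p": 0.10, "scale": 1.0},  # e.g. earlier design review
}

def apply_mitigations(risks, mitigations):
    """Return a new risk register with mitigated probabilities and delays."""
    out = {}
    for name, r in risks.items():
        m = mitigations.get(name, {})
        s = m.get("scale", 1.0)
        out[name] = {"p": m.get("p", r["p"]),
                     "delay": tuple(d * s for d in r["delay"])}
    return out

def probability_of_success(risks, deadline=DEADLINE, trials=20_000, seed=1):
    """Monte Carlo estimate of P(project finishes on or before the deadline)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        total = sum(rng.triangular(lo, hi, mode) for lo, mode, hi in TASKS)
        for r in risks.values():
            occurs = rng.random() < r["p"]
            lo, mode, hi = r["delay"]
            # Drawn every trial so both scenarios consume the same random numbers.
            delay = rng.triangular(lo, hi, mode)
            if occurs:
                total += delay
        hits += total <= deadline
    return hits / trials

if __name__ == "__main__":
    before = probability_of_success(BASELINE)
    after = probability_of_success(apply_mitigations(BASELINE, MITIGATIONS))
    print(f"P(success) without mitigations: {before:.1%}")
    print(f"P(success) with mitigations:    {after:.1%}")
```

Because both runs use the same seed and draw order, the difference between the two probabilities reflects the mitigations rather than sampling noise.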

Conclusion

Qualitative inherent and residual risk discussions are a waste of time. Probably even worse than useless due to cognitive biases and inherent methodological errors in qualitative assessments. On the other hand, we can and should calculate the probability of success before and after proposed mitigations. Even safety and compliance risks will be better represented as impact on an objective or decision instead of a standalone risk level.
