Balancing Risk Probability and Vulnerability
May 2007
by Mark Layton and Steven Ross, Deloitte & Touche

Credit worthiness and life expectancy are examples of well-understood risks whose probabilities can be quantified and whose ability to create loss can be modeled. On the other hand, "acts of God" and the machinations of business competitors will, in many instances, defy probability analysis and standard forms of risk assessment because they are often atypical events whose causes are the function of circumstances beyond both the awareness and control of those responsible for an organization's risk management.
The ability to address routine and predictable risk based on an evaluation
of a hazard's frequency falters in the face of improbable and unpredictable
risk. Be it the die-off of pollinating North American honey bees or the meltdown
of a nuclear power plant, standard risk management theory fails to adequately
encompass such extraordinary events.
Nonetheless, conventional risk management policy assumes risk managers in
any industry can identify relevant risks and prioritize an organization's risk
response in relation to the probability of the perceived risk. In this idealized
management scenario, those risks that may create the greatest loss and have
the greatest probability of occurring are immediately dealt with, while risks
capable of only limited loss and whose probability is lower can safely receive
much less attention and concern.
Dealing with the Increase in Rare Risks
Despite such tidy notions, an increase in "improbable" events characterizes
risk in the 21st century global business environment. This new level of uncertainty
is testament to the failure of probability analysis alone to adequately inform
and support optimal risk management. According to a recent Deloitte research
study, Disarming the Value Killers,
"Some of the greatest value losses were caused by exceptional events such as
the Asian financial crisis, the bursting of the technology bubble, and the September
11, 2001, terrorist attacks. Yet many firms apparently fail to plan for these
rare but high-impact risks."
What conventional probability modeling ignores is vulnerability, a measure of susceptibility to human, financial, competitive, or numerous other forms of loss. Knowledge of what makes an organization vulnerable to risks determines the steps that can be taken to reduce that risk. For too long, vulnerability assessment has been ignored and unappreciated in the pantheon of risk management values.
Risk managers can no longer dismiss an organization's vulnerability simply because a relevant and high-impact risk is considered to be highly improbable. As has become painfully clear in recent years, yesterday's improbable science fiction all too often becomes today's reality that defines the business environment.
The Risk Intelligent Enterprise understands the need to balance reliance
on probability modeling with a renewed appreciation of vulnerability analysis
in order to address high-impact events no matter how improbable they may be.
What kind of low probability/high impact events are we talking about? News
reports provide plenty of examples of seemingly unthinkable occurrences:
- A charitable organization is victimized by wide-scale fraud.
- An information technology company suffers a major computer security
breach.
- A food manufacturer distributes contaminated products.
Each of these cases runs counter to expectations:
- Who would expect a charity to have corrupt employees?
- Likewise, who would anticipate an IT company having lax computer controls?
- Who would think a foods company that built its reputation on purity
would distribute an impure product?
A risk intelligent executive—that's who! Risk intelligent executives realize
that sometimes improbable events do occur with devastating effect, while other
times probable events fail to materialize. They understand the possible, not
just the probable, and respond accordingly.
Nonetheless, do not make the mistake of assuming that understanding and addressing
high-impact but improbable risks is equivalent to putting in place a program
to mitigate those risks. No organization can allocate its limited resources
to managing and mitigating a high-impact but low likelihood risk such as a meteor
impact while discounting higher probability/lower impact threats such as a weather-related
disruption in the supply chain.
Instead, risk intelligent managers should consider vulnerability alongside
probability as determined by a reasonable assessment of the particular circumstances
they face to initiate informed and strategic risk management options. The actual
steps to address vulnerability might entail extensive preparation, or may involve
nothing more than closely monitoring particular risks, tracking changes in relevance
and severity without initiating further action. Availability of resources and
other internal bandwidth should be considered in determining the best course
forward.
When severe disruptions occur—be they power outages, natural disasters, industrial
accidents, financial crises, or other events—companies that are prepared to
rapidly recover—and help others to do so—will yield positive results for their
organization and the community. The Risk Intelligent Enterprise is characterized
by a well-developed sense of social responsibility as well as finely honed business
savvy.
Next Installment
See the next installment in our series on risk
scenarios that help manage the interaction of multiple risk events.
Steve Ross is the national and global leader for business continuity management services
at Deloitte & Touche LLP. He can be reached at or at (212) 436-2236.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.