Guest Post by Andrew Sheves (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

If you’re cooking, you need a way to tell how hot the oven is.  You won’t be able to tell the difference between 275F and 325F just by sticking your hand inside – both are going to feel hot to you – but this is the difference between a perfect, crunchy yet chewy meringue and something that’s dry and explodes into a pile of dust. So we use a thermometer to give us the information we need.

Similarly, we need a way to be able to differentiate between risks, to separate those that are ‘hotter’ and might burn us and the others that are simply ‘warm’.  Unfortunately, we can’t buy a risk thermometer so we conduct a risk assessment to help us make that differentiation.

A risk assessment allows us to rate or ascribe a value to our risks and place these on a comparative scale so we can then rank and prioritize these for action.  This lets us identify those that could have the greatest effect on our objectives and those that are less likely to interfere with what we are trying to do. It’s our way of working out whether a risk is too hot, too cold, or just right.

However, the assessment doesn’t tell you what to do with the risk, it just puts everything into context so you can then make informed decisions. What you do about those risks comes down to your organization and your objectives.

For example, if you specialize in drilling test wells in remote, dangerous areas, you are going to engage with a series of risks that are considered ‘hotter’. Your business depends on your acceptance and management of risks that others don’t want to take.  Meanwhile, a small accountancy firm will likely be the opposite and may promote its stability and low-risk approach as a way to attract customers. Each firm will make a different decision if faced with the same risk.

Similar to a thermometer, the assessment just gives you a result.  It’s up to you to decide if the temperature’s right.

And don’t forget that an assessment like this isn’t a predictive or forecasting tool. It isn’t giving you a percentage chance of success or failure. It’s giving you a comparative rating on a scale.

There are tools for technical scenarios that use enormous data sets and complex mathematics to develop predictive outcomes and forecasts. These have specific, technical uses but have their own flaws and limitations and these still aren’t crystal balls: there are numerous examples of where these systems have failed.

So these technical, predictive tools are outside of our scope here. Instead, we’re talking about assessments that rate and prioritize risks to support decision-making, not predictive algorithms.

Above all, like everything else, keep it simple.  There can be lots of moving parts in a risk assessment and the analysis part – the actual calculations – can get complicated. Depending on what you’re trying to do, you might not need a detailed process, something simple might work. You might not even have sufficient data to power a complex model.

To help work out what’s best for you, ask yourself two questions:

• What kind of output do we need?
• Do I have the type and quantity of information I need power the model?

So when you are starting your risk assessment, keep these points in mind. That’s going to help make sure you have the right tool for the job and avoid any misconceptions of what the risk assessment can do. Remember, your risk assessment’s like a thermometer, not a crystal ball.

That’s going to help you work out which approach is best for you.  The key thing is to make sure you have the right tool for the job and you don’t try to use something that’s too complicated which might prevent you from getting the decision-makers the information they need.  Stay lean and KISS. (To give you an idea of just how simple a model could be, you can see The World’s Simplest Risk Model here shortly.)

Andrew Sheves Bio

Andrew Sheves is a risk, crisis, and security manager with over 25 years of experience managing risk in the commercial sector and in government. He has provided risk, security, and crisis management support worldwide to clients ranging from Fortune Five oil and gas firms, pharmaceutical majors and banks to NGOs, schools and high net worth individuals. This has allowed him to work at every stage of the risk management cycle from the field to the boardroom. During this time, Andrew has been involved in the response to a range of major incidents including offshore blowout, terrorism, civil unrest, pipeline spill, cyber attack, coup d’etat, and kidnapping.