Alternatives to risk matrices have been around for decades. The question is: why aren’t risk managers using more effective methods? Alex Sidorenko, chief executive of Risk Academy, outlines the steps to enhancing the use of matrices.

Ok, the title is obviously a joke because, crucially, the alternatives (plural) have been available for more than 50 years to anyone willing to listen.

Do we even need an alternative?

To me, using risk matrices is a question of ethics and professional skills and is totally up to the individual risk manager. In one sense, risk matrices are like horoscopes (more in Douglas Hubbard’s book). They are fun and easy to understand, but you probably wouldn’t use them for any meaningful day-to-day life decision. And if you did, you would probably realise they are no better than a coin toss, and you would definitely not talk about it at conferences or call it best practice.

There are fundamental flaws in the design of risk matrices and there is nothing a risk manager or business analyst can do to make them reliable. All these flaws have been discussed here, in this video by Osama Salah, in this post by David Vose and in dozens of posts I have made over the years.

Additionally, research by Tony Cox and Douglas Hubbard has shown that risk matrices consistently perform worse at measuring and communicating risks than proper quantitative tools.

So what are the alternatives? There are plenty, but for the tool to be any better the following criteria have to be fulfilled:

  • risk analysis has to be performed at the time of decision making, not once a quarter
  • the results of risk analysis should not be expressed as arbitrary risk levels, but rather as volatility, a range or scenarios of the decision/objective itself (with some exceptions, in HSE for example)
  • the output of risk analysis should have a direct and immediate impact on the decision at hand.

It is also very important to distinguish between 2 types of risk analysis techniques:

1. Techniques to better understand the nature of a risk and to make decisions on how to manage it. Usually used when a specific risk is known and is significant, and management needs to deal with it in a cost-effective manner:

  • bow-tie diagrams
  • five whys
  • influence diagrams
  • ICAM, etc

2. Techniques to better understand how uncertainty affects the decision or objective. Used when making a decision, preparing or approving a strategy, budget, forecast, long term pricing, etc. and the risks are not obvious:

  • scoring
  • decision trees
  • sensitivity analysis
  • scenario analysis
  • stress testing
  • various simulation techniques (agent-based, system dynamics or discrete event).

The application of the techniques above will also depend on the decision complexity, materiality, level of uncertainty and the time and resources available to the risk manager:

For simple decisions

By far the easiest and the most common way to assign risk to an entity, project, supplier, business unit or a piece of equipment is by using a scoring methodology. In fact, it is so common, hundreds of companies have been using it without calling it risk management:

  • S&P, Moody’s and Fitch rating agencies to assign ratings to companies
  • procurement departments to rank existing suppliers (gold, silver, bronze or blacklisting them)
  • classifying spare parts or pieces of equipment based on criticality, etc.
  • banks and corporations to allocate debtors to risk buckets / categories or to classify bad debtors
  • firefighters classifying buildings into fire risk categories, etc.

Basically, any type of methodology that enables you to grade and categorise items based on their predetermined characteristics is a better way to communicate risks and to use that information for decision making. Sometimes it could look like a very simple checklist. It’s kind of obvious, but if you still want me to write a separate piece on the scoring methodology, comment on this article using the word “scoring”.

For decisions on how to mitigate a particular risk

If you are in the situation where you need to determine best ways to mitigate a specific kind of risk, then a bow-tie diagram or an influence diagram will be very helpful. There are a bunch of techniques that help to visualise the risk by breaking it into components, for example causes and consequences as is the case with bow-ties.

This is very helpful for switching to system 2 thinking and overcoming at least some of the cognitive biases. Bow-ties are pretty basic and should be in every risk manager’s arsenal. FMEA, FMECA, fault trees, 5 whys and ICAM investigation techniques are very similar in principle. Their main objective is to write down the possible components of a risk, reminding us not to forget important sources or consequences, even though they may not be obvious at first.

I used bow-ties a lot; once I was even naive enough to present one to the CEO (ex-deputy Prime Minister of the country). That obviously didn’t go down well. So, it’s probably best to use them as internal analysis tools rather than a communication tool. My personal secret with bow-ties is to always have at least seven causes and seven consequences and at least three second level causes and consequences on each branch. That way we definitely switch from system 1 to system 2 and improve our chances of finding a solution.

For any decision involving numbers (wait, that’s most of them)

For the rest of the cases it is actually more important for us to understand not how significant each individual risk is, but rather how uncertainty in general affects our decision, KPI or objective. Nassim Taleb calls it f(x). They also call it f(x) in operations research. That means that we should be more interested in the effect of risk on something rather than the level of risk itself.

To my surprise the message above is actually very difficult, almost impossible, for the risk managers to digest.

This is what I call risk management 2: using risk analysis as a decision-making tool. Since the idea of using risk management as a decision-making tool is much older than the idea of using risk management as an element of corporate governance, all we need to do is open any good book on decision science or probability theory to find the tools.

Let’s repeat. Here are just some of the common techniques, some more than 50 years old, ranked from simple to difficult:

  • decision trees or influence diagrams
  • scenario analysis
  • stress testing
  • simulation modelling techniques
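
The effect of uncertainty on the objective, the f(x) discussed above, can be estimated with a short simulation. The following is an added example, not code from the article or its author; the function name `simulate_objective`, the project figures and the two risk events are constructed assumptions.

```python
import random

def simulate_objective(base, spread, risk_events, budget, runs=20000, seed=7):
    """Monte Carlo over f(x): total cost of a decision under uncertainty.

    spread      -- (low, mode, high) multipliers on the base estimate
    risk_events -- list of (probability, min_impact, max_impact)
    Returns the P10/P50/P90 of the outcome and the chance of exceeding budget.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    low, mode, high = spread
    outcomes = []
    for _ in range(runs):
        # Estimation uncertainty around the base case
        total = base * rng.triangular(low, high, mode)
        # Each discrete risk either occurs in this run or it does not
        for prob, min_impact, max_impact in risk_events:
            if rng.random() < prob:
                total += rng.uniform(min_impact, max_impact)
        outcomes.append(total)
    outcomes.sort()

    def pct(q):
        return outcomes[int(q * (runs - 1))]

    over = sum(1 for x in outcomes if x > budget) / runs
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "prob_over_budget": over}

# Constructed inputs (thousand USD), not taken from the article
PROJECT = dict(
    base=1000,
    spread=(0.90, 1.00, 1.25),
    risk_events=[(0.30, 50, 200),    # hypothetical supplier delay
                 (0.10, 100, 400)],  # hypothetical regulatory rework
    budget=1150,
)

if __name__ == "__main__":
    r = simulate_objective(**PROJECT)
    print(f"P10 {r['p10']:.0f}  P50 {r['p50']:.0f}  P90 {r['p90']:.0f}")
    print(f"Chance of exceeding budget: {r['prob_over_budget']:.0%}")
```

The output is a range for the objective and a probability of missing the budget, which feeds the decision directly instead of a colour on a grid.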

The irony is that while many risk management departments have been using heatmaps to rank risks, other business units have been using proper risk analysis techniques forever without calling it risk management. Doctors have been using decision trees, investment professionals have been using sensitivity analysis, finance has been using scenarios, and pharma companies, geologists and weather forecasters have been using simulation modelling forever.

For big and important decisions

This one is simple: if the decision is complex and the stakes are high, use simulation modelling or better. What is even better? Write in the comments.

Thank you Damir Ramazanov, group project Risk Manager, ERG, for helping with the article and providing quality review.