Marion Houghton, independent risk management consultant asks “Do risk mitigation controls affect only the impact of an event not the likelihood of it happening?”

I’ve spent my career dealing with risk concepts, but I suspect that sometimes we overcomplicate things and it can be worth going back to the basics. The likelihood element of the ‘likelihood/impact/control’ risk equation is a case in point.

On the Institute of Risk Management’s LinkedIn discussion group, I risked ridicule by asking the simple, almost naïve question of whether, in fact, risk mitigation controls could affect only the impact of an event not the likelihood of it happening. The answers fell into 3 categories; ‘Yes’, ‘No’ and ‘It Depends’.

Yes: Where risks are internal to an organisation – that is largely within its influence – then controls will reduce likelihood. For some business risks that are external to the organisation, like security or macroeconomic events, the likelihood of damaging effects can be reduced through systems, strategy and policies.

No: Severe natural events are beyond human control. We can only hope to control the impact/consequence.

And, predictably, the most popular viewpoint was that it depended on either how you define the risk event or which type of control is used.

Defining the risk accurately is crucial to applying controls effectively to the cause of the risk and its effects. The definition has two main aspects, subjectivity and uncertainty. In terms of defining a risk event, we are only interested in its effects on us or our enterprise. Take for example premises in the path of a storm, with the roof in danger of being damaged. The storm itself is not actually the risk, and securing the roof does not reduce the likelihood of a storm occurring. The risk is that business objectives are impacted by the storm or, to put it succinctly, the risk is ‘our roof blowing off’. In that scenario, securing the roof lowers the likelihood of that specifically defined event damaging the enterprise’s objectives.

When crossing a road, the external aspects of traffic speed, road conditions and visibility are outside my control; I am only interested in my risk of being hit by a vehicle. For the subjective purposes of risk definition, I don’t care about anyone else! I can control the likelihood of injury to me by taking the precaution of looking carefully before crossing or by picking a safe place to cross. A pedestrian crossing some distance away might help others, but it is not an effective control to my risk.

Not only should the risk definition be subjective, but, if you think about it, it’s the uncertainty that is the true risk. If severe and damaging storms were inevitable and predictable you would either build elsewhere, or it would be worthwhile spending huge amounts in weatherproofing the roof. If the weather was always good you wouldn’t bother. Likewise with the street crossing. If I was certain to be hit by a vehicle, I simply wouldn’t take the risk.

There are myriad ways of categorising risk mitigation controls; the most popular seem to be ‘preventive’, ‘detective’, or ‘corrective’. By definition, a control that is preventive in nature will reduce likelihood. A preventive control would be building out of a storm zone or simply avoiding crossing the road. In a business context it might be avoiding political risk by not having any trade with a particular country or sector. 

My simple question provoked a wide range of opinions from many very experienced people. The consensus, if there was one, was that if you can define your risk accurately at the outset, you on the way to deciding which controls are likely to be most effective.

Marion Houghton is an independent risk management consultant based in the UK.

Right of reply

“As in all things, risks matters are often neither black nor white and fall into variations of grey. One key paradigm shift is to stop seeing risk and controls as one-way cause-effect notions and to embrace the holistic view that mitigations can, and often do, affect likelihood and impact in a myriad ways.” Eric Lee, risk manager, Protiviti, has more than 11 years of experience in risk management, controls assurance and mitigation activities.

“The answer without a doubt is ‘it all depends’. Risk can be looked at both from negative and opportunity aspects. Likewise, controls can be either preventive or reactive in nature, just like a risk event can be certain or uncertain, man-made or natural; for example, an act of god.” Jeffrey Yeo is a risk practitioner with eight years of enterprise risk management experience in the healthcare and education industries.

 “The question is the validity of ‘likelihood’ management – even if a control potentially reduces the likelihood today, how valid will it be? Much of our previous experience with risk is of no use when looking into the future. It really only assists us in understanding how the risk is viewed rather than how well it is managed.” Craig Paterson, regional director of risk consulting, JLT Asia, is based in Singapore and has extensive experience working with a broad range of clients to assist them to manage their risks.

 “Risk controls absolutely can make a difference to the likelihood of a risk occurring. Good risk management requires a clear risk definition, an understanding of the root causes and assessment of the potential impacts. This enables a range of risk controls to be considered, taking into account the cost versus benefit derived from the control and how the control will influence and change the outcome of the risk.” Douglas Ure, practice leader, Marsh Risk Consulting Asia, leads the firm’s strategic risk solutions and consulting team across Asia, including enterprise risk, resilience, supply chain, business continuity and insurance advisory.

Do you agree? Leave your feedback in our comments box below.