Impact in Risk Assessment


Toni Verbeiren


September 23, 2014

How many times have you seen project charters or business cases where a form of risk assessment has been provided? In many cases, people try to make the risks tangible and actionable by means of a risk matrix. In this approach, every risk gets 2 parameters associated with it: the probability of the risk occurring and the impact when the risk occurs. In most cases, 3 possibilities are given for both parameters: low, medium, high.

There are two very big advantages to this approach:

  1. It gives people a framework, a way to quantify risks that is easy to understand

  2. The method not only looks at the probability of an event, but also at its impact. The latter has practical consequences.

There are also disadvantages to this approach. Some are mentioned already on the Wikipedia page, but three are missing, in my opinion:

  1. Many events with high impact a) have often not been thought of as a risk or b) are the consequence of a combination of factors.

  2. Usually, events that are rare have a bigger impact. But the probability of rare events is very hard to assess.

  3. Impact appears to be a linear function, but it is not.

Let us give an example of the latter point. One computer failing in the office has a small impact because the user may get a replacement that is lying around in 10 minutes or less. 10 computers failing in the office will require more time, because there are not 10 people on standby to service them in parallel and spare computers may be lacking. Now imagine a fire, a hack, or something we cannot think of now (see above), when hundreds of computers need to be replaced.

This is a situation where the impact of an event increases faster than linearly (polynomial? exponential?). It may get worse when an event causes an impact that is no longer recoverable: too much electricity can kill a person, too many losses can ruin even a bank or a state, etc.
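To make the office example concrete, here is a small model added for illustration (it is not part of the original post). The 10-minute swap comes from the text; the number of technicians, the number of spare machines and the procurement delay are assumed values chosen only to show the shape of the curve.

```python
import heapq

SWAP_MINUTES = 10  # from the text: a replacement takes "10 minutes or less"


def total_downtime(failed, technicians=2, spares=5, procurement_minutes=2880):
    """Total user downtime in minutes when `failed` computers fail at once.

    Assumed model: each swap occupies one technician for SWAP_MINUTES,
    the first `spares` machines are available immediately, and every
    further machine only arrives after `procurement_minutes`.
    """
    free_at = [0] * technicians      # when each technician is next free
    heapq.heapify(free_at)
    total = 0
    for i in range(failed):
        ready = 0 if i < spares else procurement_minutes
        start = max(heapq.heappop(free_at), ready)  # wait for tech AND hardware
        finish = start + SWAP_MINUTES
        heapq.heappush(free_at, finish)
        total += finish              # this user was down until `finish`
    return total


def linear_estimate(failed):
    """What a risk matrix implicitly assumes: n failures cost n times one failure."""
    return failed * total_downtime(1)


if __name__ == "__main__":
    print(f"{'failed':>6} {'linear':>8} {'modelled':>9} {'ratio':>7}")
    for n in (1, 2, 5, 10, 100):
        real, lin = total_downtime(n), linear_estimate(n)
        print(f"{n:>6} {lin:>8} {real:>9} {real / lin:>7.1f}")
```

Even with unlimited spares, queueing for two technicians alone makes the total grow roughly quadratically; once the spares run out, the procurement delay dominates and the gap to the linear estimate widens sharply.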

The first two arguments can be thought of as applications of the Black Swan concept to projects and risk. The last argument is an application of the concept that is elaborated on in a book by the same author: Antifragile. Books could be written just applying concepts from these books!

What does it tell us? When considering mitigation of risks, think about the possible consequences on a large scale, not on the scale of individual events. Think about consequences like: nobody is able to work anymore, the whole building is destroyed, our competitor has leapfrogged us, etc. Thinking about mitigation of these consequences may tell you more about the underlying risks and events than the other way around.

On a slightly cynical note: while doing so, you may find that more (advanced) technology is not always a solution, because it usually makes things more complex and thus prone to more complex risks rather than avoiding them.