As Executive Director of North Carolina State University’s ERM Initiative, Bonnie Hancock works closely with senior executives as they design and implement enterprise risk management (ERM) processes in organizations they serve. That hands-on advising leads to insights about techniques useful in addressing a number of practical challenges associated with ensuring ERM processes are value adding without over-burdening the process. In this article, Bonnie addresses techniques that might simplify the process of prioritizing risks.
The vast majority of companies assess risks by evaluating both the likelihood that a risk event will occur and the impact of the risk event if it does occur. The actual ranking of risks is then determined by either calculating the product of likelihood x impact scores, or in some cases the sum of a risk’s likelihood and impact scores. When using this methodology, the organization must develop rating scales for both likelihood and impact (and any other dimensions to be assessed, such as velocity or preparedness) as well as definitions for each point on the scales.
Individuals within the organization who provide input on the ranking must then separately score each risk, on a list that often contains 30-50+ risks, for both likelihood and impact. As I’ve observed this assessment process over time, it seems to frequently result in risk scores that are “bunched” together at the middle of the scales. And while such an assessment process may give the perception of some level of precision, the end result is just an average of a number of individuals’ opinions or judgments regarding the likelihood and impact of each risk.
Let me illustrate. The typical process involves a number of individuals rating the likelihood that each risk event will occur on a scale of 1 to 5, and then rating the impact of each of those risks on another 1 to 5 point scale. For each risk, an average is then calculated across all likelihood scores and across all impact scores. Two things seem to occur with some frequency when this process is used. First, when an individual doesn’t have a strong opinion about or direct knowledge of a particular risk, the default rating tends to be a 3 on the 1 to 5 point scale. Second, the process of averaging tends to “smooth” out any differences in views, so that many risks will have scores that are close to 9 (the product of an average likelihood rating of 3 and an average impact rating of 3). While you can still arrive at your top ten risks in this manner, there may be a relatively small difference in total risk scores (LxI) between risk #5 and risk #15, for example.
An Alternative Approach: Forced Risk Rankings
As a result, I have recently begun advocating for the use of “forced ranking” of risks in order to better separate the more significant risks and to simplify the risk ranking process. There are several benefits to the forced rankings process. First, no assessment scales are needed when organizations use this kind of forced rankings process. Second, the risk assessment process can be faster to complete as compared to requiring individuals to assess a number of risks across multiple dimensions (e.g., likelihood, impact, velocity, etc.). Third, this methodology typically results in more “separation” of risk scores making it easier to identify the top risks. While the rank ordering may seem more subjective on the surface, it is important to note that there is also a high degree of subjectivity when individuals make assessments using 1 to 5 point scales for the various dimensions discussed above.
As an example of a forced ranking process, each individual providing input on the assessment is asked to choose what they believe are the top ten risks in rank order. The first risk they identify is assigned 10 points, the second 9 points, on down to the tenth risk being assigned 1 point. Scores provided by all individuals are summed for each risk and rank ordered from highest to lowest total score. For example, let’s say that three people out of 15 members of management rank a risk as their number one risk, four people rank it as their number two risk, five people rank it as their number three risk, two rank it as their number four risk, and one person ranks that particular risk as their number five risk. That risk would receive a total risk score of (3x10 + 4x9 + 5x8 + 2x7 + 1x6 = 126 points). That risk would be ranked higher than other risks receiving total scores less than 126.
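The two scoring methods side by side, as an added example that is not part of the original article: the function names, the filler risks and the sample 1 to 5 ratings are constructed for illustration, and the ballots reproduce the 15-person split described above.

```python
from collections import Counter

def forced_rank_scores(ballots, top_n=10):
    """Sum forced-ranking points: 1st place = top_n points, last place = 1 point."""
    totals = Counter()
    for ballot in ballots:
        # A ballot must be exactly top_n distinct risks, most significant first.
        if len(ballot) != top_n or len(set(ballot)) != top_n:
            raise ValueError("each ballot must rank exactly top_n distinct risks")
        for place, risk in enumerate(ballot, start=1):
            totals[risk] += top_n + 1 - place
    # Highest total first; ties broken by name so the output is stable.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

def likelihood_impact_scores(ratings):
    """Average likelihood x average impact per risk (the LxI method)."""
    scores = {}
    for risk, pairs in ratings.items():
        avg_l = sum(l for l, _ in pairs) / len(pairs)
        avg_i = sum(i for _, i in pairs) / len(pairs)
        scores[risk] = avg_l * avg_i
    return scores

def article_ballots():
    """Constructed ballots: 'risk A' placed 1st by 3 raters, 2nd by 4,
    3rd by 5, 4th by 2 and 5th by 1, among nine hypothetical filler risks."""
    places = [1] * 3 + [2] * 4 + [3] * 5 + [4] * 2 + [5] * 1
    fillers = [f"filler {n}" for n in range(1, 10)]
    ballots = []
    for rater, place in enumerate(places):
        shift = rater % len(fillers)          # vary filler order per rater
        rotated = fillers[shift:] + fillers[:shift]
        ballots.append(rotated[:place - 1] + ["risk A"] + rotated[place - 1:])
    return ballots

# Constructed (likelihood, impact) ratings from four raters, 1-5 scales.
SAMPLE_RATINGS = {
    "risk A": [(5, 4), (3, 3), (3, 3), (4, 5)],
    "risk B": [(3, 3), (3, 3), (2, 4), (4, 2)],  # differing views average to 3 x 3
}

if __name__ == "__main__":
    for risk, points in forced_rank_scores(article_ballots()):
        print(f"{risk:10s} {points:4d}")
    print(likelihood_impact_scores(SAMPLE_RATINGS))
```

In the sample ratings, two raters disagree about risk B (2/4 versus 4/2), yet averaging lands it on exactly 9, the bunching effect described earlier.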
If your organization has been assessing on both likelihood and impact, it may be worth updating your assessment using forced rankings to see if the results change in any significant way. In those situations where I have seen the forced ranking methodology used, individuals providing the rankings have appreciated the simplicity of the process, and the results have shown much more separation among the risks, particularly when comparing results between different demographic groups (e.g., Board, C-Suite, VPs, etc.). In some instances, although much less frequently, I do hear that there are individuals who have difficulty ranking risks without explicitly rating likelihood and impact, so this process may not be for everyone. The range of methods employed in risk assessments illustrates once again the importance of tailoring Enterprise Risk Management processes to the needs of the organization.
If you are interested in learning about a variety of techniques used by organizations to assess risks, watch for our forthcoming thought paper, Survey of Risk Assessment Practices, to be released in mid-November. This forthcoming thought paper includes a number of examples of risk assessment processes in place at companies represented on the ERM Initiative’s Advisory Board. This article and the soon-to-be-released thought paper will be available for download on our ERM Initiative web site.