Douglas W. Hubbard

The Failure of Risk Management



Risk assessment method                                              Percent of respondents
Risk matrix based on a standard (ISO, NIST, etc.)                   14
Internally developed risk matrix                                    27
Other qualitative scoring or ranking method                         32
Probabilistic methods (e.g., math-based methods including
  simulations, statistical/empirical methods, etc.)                 20
Everything else (including expert intuition and various
  auditing methods)                                                  7

      Expert Intuition, Checklists, and Audits

      The Risk Matrix

      The most common risk assessment method is some form of a risk matrix. A total of 41 percent of respondents in the HDR/KPMG survey say they use a risk matrix—14 percent use a risk matrix based on one of the major standards (e.g., NIST, ISO, COSO, etc.) and 27 percent use an internally developed risk matrix. Internally developed risk matrices are most common in firms with revenue over $10 billion, where 39 percent say that is the method they use.

Illustration of a risk matrix having two dimensions, labeled as likelihood on one axis and an impact on the other, evaluated on a scale with verbal labels.

      There are many variations of risk matrices in many fields. They may differ in the verbal labels used, the point scale, whether the point scales are themselves defined quantitatively, and so on. Chapter 8 will have a lot more on this.

      Other Qualitative Methods

      The next most common risk assessment method is a qualitative approach other than the risk matrix. These include simply categorizing risks as high, medium, or low without even the step of first assessing likelihood and impact, as with the risk matrix. These also include more elaborate weighted scoring schemes in which the user scores several risk indicators in a situation, multiplies each by a weight, then adds them up. For example, in a safety risk assessment, users might score a particular task based on whether it involves dangerous substances, high temperatures, heavy weights, restricted movement, and so on. Each of these situations would be scored on some scale (e.g., 1 to 5) and multiplied by their weights. The result is a weighted risk score, which is further divided into risk categories (e.g., a total score of 20 to 30 is high and over 30 is critical). This sort of method can sometimes be informed by the previously mentioned checklists and audits.

      Mathematical and Scientific Methods

      As the previous survey showed, quantitative methods usually involve Monte Carlo simulations. This is simply a way of doing calculations when the inputs themselves are uncertain—that is, expressed as probability distributions. Thousands of random samples are run on a computer to determine the probability distribution of an output (say, the total losses due to cyberattacks) from the inputs (the various possible individual types of cyberattacks and their impacts).
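As an added illustration of the Monte Carlo approach just described (this is example code, not from the book or the HDR/KPMG survey), the following Python script simulates a year of cyber losses many thousands of times from a list of attack types, each with an annual probability and an impact range. The attack list, probabilities and loss ranges are constructed sample values, and treating the impact range as a 90% confidence interval mapped onto a lognormal distribution is an assumed parameterization.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class AttackType:
    name: str
    annual_prob: float  # chance this attack type causes a loss in a given year
    low_loss: float     # lower end of a 90% confidence interval for the impact
    high_loss: float    # upper end of that interval

def lognormal_params(low, high):
    """Turn a 90% CI on impact into lognormal (mu, sigma); an assumed parameterization.
    The 5th/95th percentiles sit 1.645 standard deviations from the mean in log space."""
    if low <= 0 or high < low:
        raise ValueError("need 0 < low <= high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma

def simulate(attacks, trials=10_000, seed=1):
    """Simulate `trials` years: each attack type occurs with its annual probability
    and, when it does, contributes a loss drawn from its lognormal impact."""
    rng = random.Random(seed)
    params = [(a.annual_prob, *lognormal_params(a.low_loss, a.high_loss)) for a in attacks]
    totals = []
    for _ in range(trials):
        total = 0.0
        for prob, mu, sigma in params:
            if rng.random() < prob:
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals

def summarize(totals, threshold):
    """Mean annual loss, 90th-percentile loss, and probability of exceeding `threshold`."""
    s = sorted(totals)
    n = len(s)
    return {"mean": sum(s) / n, "p90": s[int(0.9 * n)],
            "p_exceed": sum(1 for t in s if t > threshold) / n}

if __name__ == "__main__":
    # Constructed sample portfolio, not survey data or figures from the book.
    portfolio = [AttackType("ransomware", 0.15, 200_000, 5_000_000),
                 AttackType("phishing-led fraud", 0.40, 10_000, 300_000),
                 AttackType("web app breach", 0.10, 50_000, 2_000_000)]
    print(summarize(simulate(portfolio), threshold=1_000_000))
```

The output distribution, rather than a single point estimate, is what lets a decision maker ask questions such as "how likely is it that annual losses exceed one million?".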

      These methods also include various types of statistical analysis of historical data. Although the lack of data is sometimes perceived as a problem in risk analysis (16 percent of HDR/KPMG survey respondents said this was a problem), statistical methods show you need less data than you think, and, if you are resourceful, you have more data than you think.

      There are a couple of categories of methods that are not strictly based on statistical methods or probabilities, but may get lumped in with mathematical or scientific methods, at least by their proponents. One is deterministic financial analysis. By deterministic I mean that uncertainties are not explicitly stated as probabilities. Readers may be familiar with this as the conventional cost-benefit analysis in a spreadsheet. All the inputs, although they may be only estimates, are stated as exact numbers, but there are sometimes attempts to capture risk in the analysis. For example, a discount rate is used to adjust future cash flows to reflect the lower value of risky investments. One might also work out best-case and worst-case scenarios for the costs and benefits of various decisions.