You’ve come up with a risk: a way in which something uncertain may affect achievement of your objectives.
You want to assess your risk for consequence or impact, along with likelihood.
You run into a problem. The size of the risk trigger event, and the severity of its consequence, could be anything or nothing. The trigger event itself may or may not happen. The path from the event to the effect on objectives is long, complicated, and uncertain.
A power failure in a data centre without a backup or fail-over is such a risk event. A power failure can be trivially brief. Then again, it might last for weeks. The enterprise consequences can range from nothing to total enterprise failure—or to something worse, for critical infrastructure.
The problem gets worse in a departmental risk assessment, conducted a long way from the boardroom. Members of the department know their risks very well, so far as those risks threaten their own objectives. The department might well struggle with effects on enterprise objectives. Those enterprise effects might be unpredictable, or even unknowable, within the department. Yet the usual idea of enterprise risk management demands that they make a precise connection between local ‘risks’ and enterprise consequences.
The Clear Lines on Audit and Risk take a route different from that taken by conventional enterprise risk management. The Clear Lines go entirely around the problem of long consequence pathways from departments to the enterprise. The problem of varying consequences comes up along either route.
You end up in this place even if you prefer to identify risks by working backward, from consequences back to events and hazards.
When you identify ‘a risk’ with varying event sizes and varying consequences, you still need a consequence rating. Do you take an average impact, the most likely case impact, or the worst imaginable impact? Or do you see each impact case as a separate risk?
This post recommends answers to that question.
Here is part of the answer: the best case to start with is the ‘reasonable worst case’ for that risk. The reasonable worst case has a definite consequence. It has a likelihood, to the extent that every risk has a likelihood. That likelihood may be low, but, by definition, that case is worth considering. From there you can decide if the risk of the reasonable worst case is acceptable.
By analysing the reasonable worst case you have already moved the assessment from confusion to clarity. It has even started to help with decisions.
That isn’t the end of risk-assessing a potential event with uncertain consequences.
The very best response to the problem of uncertain consequences is to assess a range of representative cases, each with a separate consequence rating.
For a given potential event, you end up with a range of risk cases, each with an assessed likelihood and an assessed consequence. Each case may or may not present unacceptable risk. Just one unacceptable risk is a reason to change your plans.
Risk: Average sales volume for the main product is different from expectations.

| Case | Consequence level (for profitability) | Likelihood |
| --- | --- | --- |
| | Actual average sales below 50% of break-even volume. | Very low (indicatively, 5%) |
| Reasonable worst case | Actual average sales are 50%-110% of break-even volume. | Low (indicatively, 15%) |
| | Actual average sales 110% to 130% of break-even volume. | Possible (indicatively, 35%) |
| Planned case (not a ‘risk’) | Actual average sales 130% to 150% of break-even volume. | Possible (indicatively, 25%) |
| | Actual average sales 150%-250% of break-even volume. Further sales might be possible if supplies were increased. | Low (indicatively, 13%) |
| | Actual average sales over 250% of break-even volume. Further sales would be assured if supplies were increased. If supply increases are not possible, there could be price increases to balance demand with supply. | Very low (indicatively, 2%) |
For choosing the specific risk treatment (response action), you look at all the cases, as the same treatment will usually affect all the cases.
The worst idea is to analyse only the ‘average’ or most likely case.
‘Cases’ are used as a matter of course in quantitative risk assessment. In this respect, quantitative risk assessment is ‘better’. At the same time, restricting ‘risk management’ to formally quantified objectives will inevitably mean that the most important decisions are not subject to risk management. The Clear Lines generally focus on the important decisions.
The Clear Lines talk about ‘the risk’ in two senses. The usual Clear Lines meaning of ‘the risk’ (or ‘a risk’ or ‘a separate risk’) is ‘the (a) pathway in which uncertainty affects achievement of objectives’. That pathway is a chain of causes, from hazards through a possible event, to the final achievement of objectives, as changed by the event. The ‘consequence’ is the last part of the chain. The risk pathway can also be a chain of deduction, from uncertain facts to the uncertainty of future success. The chain of deduction can include a surprise discovery in the place of an unpredictable event. You identify ‘the risk’ (and other risks) during risk identification. You typically list ‘the risk’ in a risk register, along with other identified ‘risks’.
In this sense, ‘a risk’ is a qualitative description.
The second meaning of ‘the risk’ is the amount of uncertainty of final achievements against objectives. The amount of uncertainty is constructed from the amounts of deviation from planned achievement, and the likelihood of each amount of deviation. The type of deviation (the affected objective) must always be specified. This secondary meaning of ‘the risk’ is a replacement for ‘level of risk’, but not an exact synonym. ‘Level of risk’ is usually a scalar measure, whereas the Clear Lines risk measure is a picture of the deviation from the objective, qualified by a likelihood. The Clear Lines prefer to avoid the scalar ‘level of risk’. They use a different scalar construct for making decisions. That different construct is risk acceptability. Acceptability is applied to total deviation likelihoods rather than to individual ‘risks’.
Both Clear Lines meanings for ‘the risk’ are aligned with the ISO 31000 phrase defining ‘risk’ as the effect of uncertainty on objectives. That defining phrase, and ISO 31000 usage of ‘risk’, can refer either to a qualitatively defined pathway, or to a quantified construct that might be measured by numbers or scales (such as ‘level of risk’).
An ‘effect on objectives’ can be understood either as ‘the amount by which achievement of the objective deviates from plan’, or as ‘the level of achievement that will be reached if reality matches the risk’. In practice, there may be little difference. The Clear Lines explored this difference between ideas of ‘effect’ in an earlier post.
A different and outdated understanding of ‘risk’ is ‘something bad that might happen, or will happen to some degree, on the way to achieving objectives’. That old idea of ‘risk’ excludes uncertainty other than events, and excludes the uncertain achievement of objectives from risk management.
What is the reasonable worst case?
The ‘reasonable worst case’ is the version of the risk that has the worst consequence, among those versions with a likelihood clearly of concern.
The scenario can start with a type of event, or with a different kind of uncertainty, such as a planning assumption.
Here is a reasonable worst case for a staircase injury in the workplace:
Someone has a staircase accident, suffers a bone fracture injury, and recovers within a reasonable time.
And here is a hypothetical reasonable worst case for launching a product in a new market:
Actual average sales are 50%-110% of break-even volume.
The steps in this post, and the ‘reasonable worst case’ concept, apply only when ‘the risk’ has been described as something that may or may not happen—once—on the path to the objective. The steps do not apply if the described risk might happen many times during the time covered by the risk assessment, and the number of instances determines success or failure on an objective. An enterprise example of ‘a risk’ that can repeat is ‘a minor injury’, when a few minor injuries are almost certain, and consistent with enterprise success on the safety objective.
The ‘cases’ concept can be extended from a few discrete cases to a continuous range of numerical consequence values, for quantitative risk analysis. In quantitative analysis, a ‘case’ usually corresponds with a point or range within a continuous scale of potential consequences. Quantitative risk analysis would usually include multiple cases as a matter of course.
Consequence and likelihood for the reasonable worst case
You may have assessed the consequence of the worst case already. The worst case was defined as the one with the worst plausible consequence.
You need to estimate the likelihood of that reasonable worst case occurring. The likelihood of the worst case (or of any specific case) is necessarily lower, often dramatically lower, than the likelihood of other cases.
The reasonable worst case for staircase injury was ‘Someone has a staircase accident, suffers a bone fracture injury, and recovers within a reasonable time.’ You might indicate its likelihood as 15% in the coming year, and scale its consequence as ‘disappointing’.
Here is another case for staircase injury:
At least one person has a minor staircase injury such as a bruise or sprain. Such an event is almost certain within the coming year (practically 100%), but a single instance is not worth registering on the consequence scale. (Multiple instances would be worth registering, but incident counts require a different approach.)
The reasonable worst case for launching a product in a new market was ‘Actual average sales are 50%-110% of break-even volume.’ You might indicate its likelihood as 15% and its consequence as ‘disappointing’.
Another case for the product launch might be:
Actual average sales are 110% to 130% of break-even volume. You might indicate its likelihood as 35%, and scale its consequence as ‘qualified success’.
It is a common mistake to combine the likelihood of the risk event (regardless of consequence case) with the consequence level for the worst case of that type of event. Doing that is always wrong. That massively overstates the level of risk.
For example, the likelihood of any staircase injury is close to 100%. There is a near 100% likelihood of some minor injuries. The reasonable worst case was ‘Someone suffers a bone fracture injury from a staircase accident, and recovers within a reasonable time’, which has a consequence of ‘disappointing’. ‘Disappointing’ is further defined in the consequence scale. The beginner mistake is to put those together, concluding that staircases pose a near 100% likelihood of that ‘disappointing’ injury level. Such an assessment of the staircase injury risk would be radically misleading.
When you have analysed the reasonable worst case, it’s more than a good idea to identify and analyse some other cases of a risk.
You simply pick a lesser plausible consequence and include that consequence in the case description. You can then assess the likelihood and acceptability of that case for the risk. You have already rated the consequence.
If your reasonable worst case was not the worst that could be imagined, it is also a good idea to analyse a case worse than the reasonable worst case. In the staircase example there is obviously a case worse than the reasonable worst case, which was ‘Someone suffers a bone fracture from a staircase accident, resulting in some level of permanent disability.’
You might label the case even worse as the ‘Extreme’ case. In a risk assessment process, that Extreme case might first have been set aside as too implausible, but it also makes sense to come back to it, if only to prove that its likelihood is low enough to dismiss. In the staircase example, the likelihood might be an indicative 2%, which is probably not low enough to dismiss entirely. Your own Extreme case could go either way.
Acceptability of the reasonable worst case
Before identifying other cases, you can first assess acceptability of the reasonable worst case. You can compare the combination of likelihood and consequence for that worst case with acceptable combinations of likelihood and consequence.
In conventional risk management doctrine—but not in formal standards—you look up a ‘level of risk’ from the assessed likelihood and consequence levels, in a multi-coloured table. The multi-coloured table is often called the ‘risk matrix’, though there are other matrix artefacts in risk work.
In those memes, ‘level of risk’ is a simple scale, represented by colours in the table. The ‘level of risk’ is either acceptable or not, based on thresholds supposedly representing risk capacity, appetite, and tolerance. Thresholds look like a zig-zag or diagonal line on the multi-coloured table.
Different cases of the same risk will often have the same ‘level of risk’ because each increase in consequence is accompanied by a decrease in likelihood.
The Clear Lines do not recommend lookup tables, nor ‘level of risk’. The Clear Lines do not even use designated consequence levels as consequence criteria. The Clear Lines offer alternatives consistent with formal standards, which relate more directly to real-world decision-making. I have heard that real-world decisions have something to do with the purpose of risk management. The formal standards go on and on about that purpose, directly opposing some conventional wisdom and common practice. (See the ISO 31000 Principles.)
Both the conventional lines and the Clear Lines end at an action decision based on risk acceptability. Reasonable worst cases, and other cases, can play nicely with any risk evaluation pathway leading to an action decision based on risk acceptability.
Acceptability of other cases
If the worst case represents an acceptable risk, it is usual that milder cases will also represent acceptable risk. That conclusion does not follow automatically. It is possible for a case with a less severe consequence to be unacceptable, even though the reasonable worst case was accepted. That can happen if the milder case has a less severe consequence, but still an important consequence, and a higher likelihood.
In the staircase injury example, the reasonable worst case was ‘Someone has a staircase accident, suffers a bone fracture injury, and recovers within a reasonable time’, with likelihood indicated at 15%. This risk might be considered acceptable, in isolation. Hypothetically, the enterprise might classify this risk’s consequence as ‘disappointing’ within a scale of injury avoidance over a year. Its acceptability threshold for such an outcome might be a maximum likelihood of 20%. The risk from the reasonable worst case (alone) is within that limit of acceptability.
In the product launch example, the reasonable worst case was ‘Actual average sales are 50%-110% of break-even volume’, with indicative likelihood of 15%. The enterprise might classify the consequence for profitability as ‘disappointing’, on a scale for profitability consequences. It might also set a maximum acceptable likelihood for a ‘disappointing’ profit at a 20% maximum likelihood. A relatively high likelihood of ‘disappointment’ is accepted, because the enterprise also hopes for profits higher than expected, and has a level of comfort with the uncertainty of profits.
For risk acceptance decisions, the Clear Lines prefer to look at the total likelihood from all risks and cases leading to the annual consequence deviation. That total is equivalent to the total likelihood of the given deviation from the planned achievement of the objective.
In the staircase example, that would mean summing the likelihood of the reasonable worst case for staircase injury with the likelihoods of other types and counts of injury leading to a ‘disappointing’ annual injury outcome. The total will probably exceed the threshold 20%, so the total risk of a ‘disappointing outcome’ would not be acceptable.
In the product launch example, the reasonable worst case for the sales volume is also an acceptable risk on its own, but the total likelihood of a disappointing profit may be much higher, due to risks to profit from other sources: cost of product, salaries and expenses, interest rates, working capital availability, and so on. In that case the total risk to profitability would not be acceptable.
In cases where ‘a single risk’ is acceptable but the total outcome risk is not, the enterprise looks for risk treatments that will bring the total risk within an acceptable range, while maximising the likelihood of planned success or better outcomes. Maximising other outcomes might be seen as minimising the ‘cost’ of the risk treatments. There may be a choice of risks to be treated and risks to be accepted.
The idea of a ‘single risk’ is itself an artefact of the risk identification and registration method. There is no real-world entity matching a ‘single risk’. No matter how precisely you define ‘a risk’, it can always be broken down into finer cases. Such break-downs can easily go too far. Deciding the useful level of granularity is an art within risk management.
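The following is an added worked example, not material from the Clear Lines, covering both the beginner mistake described earlier (event likelihood paired with the worst case’s consequence) and the total-likelihood acceptance decision just described. The staircase cases and the 20% threshold for ‘disappointing’ come from this post; the `Case` type, the 1% threshold for ‘extreme’ and the wet-floor risk standing in for ‘other types of injury’ are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Case:
    risk: str                   # the risk pathway this case belongs to
    description: str            # the specific consequence scenario
    likelihood: float           # indicative likelihood over the assessment period, 0..1
    consequence: Optional[str]  # level on the consequence scale; None = not worth registering

# Maximum acceptable likelihood per consequence level. The 20% for 'disappointing'
# is from the post; the 1% for 'extreme' is a constructed placeholder.
THRESHOLDS = {"disappointing": 0.20, "extreme": 0.01}

def case_acceptable(case: Case, thresholds=THRESHOLDS) -> bool:
    """Per-case check: this case's own likelihood against its level's threshold."""
    if case.consequence is None:   # below the scale, nothing to accept or reject
        return True
    return case.likelihood <= thresholds[case.consequence]

def total_likelihood(cases, level: str) -> float:
    """Likelihood of `level` summed over every case of every risk that lands there.
    The sum bounds the chance that at least one such case occurs from above
    (Boole's inequality), so the total is conservative rather than exact."""
    return sum(c.likelihood for c in cases if c.consequence == level)

def total_acceptable(cases, level: str, thresholds=THRESHOLDS) -> bool:
    """The Clear Lines decision: total deviation likelihood against the threshold."""
    return total_likelihood(cases, level) <= thresholds[level]

def naive_worst_case(event_likelihood: float, worst: Case) -> Case:
    """The beginner mistake: likelihood of any event of the type, paired with the
    worst case's consequence. Built only so the overstatement can be compared."""
    return Case(worst.risk, worst.description, event_likelihood, worst.consequence)

# Staircase cases from the post; the wet-floor risk is constructed to stand in for
# 'other types of injury' feeding the same annual outcome.
SAFETY_CASES = [
    Case("staircase injury", "bone fracture, recovers in reasonable time", 0.15, "disappointing"),
    Case("staircase injury", "minor bruise or sprain", 1.00, None),
    Case("staircase injury", "fracture with permanent disability", 0.02, "extreme"),
    Case("wet-floor slip", "bone fracture, recovers in reasonable time", 0.10, "disappointing"),
]

if __name__ == "__main__":
    rwc = SAFETY_CASES[0]
    print("reasonable worst case alone acceptable:", case_acceptable(rwc))
    print("naive 100% x 'disappointing' acceptable:",
          case_acceptable(naive_worst_case(1.00, rwc)))
    print("total 'disappointing' likelihood:", total_likelihood(SAFETY_CASES, "disappointing"))
    print("total 'disappointing' acceptable:", total_acceptable(SAFETY_CASES, "disappointing"))
```

The reasonable worst case passes on its own (15% against 20%), the naive pairing fails by a wide margin, and the summed ‘disappointing’ likelihood across both risks (25%) fails the same 20% threshold, which is the situation the post describes.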
Question for risk experts
It is obviously valid to risk-assess the reasonable worst case, and other cases. It is very important to find any unacceptable case of a risk.
But in the practical world of enterprise and everyday risk management, without quantitative methods, how many cases are enough? Do you need a complete range of cases, or is it useful enough to get some clarity on the worst case?
The content of this post was developed with extensive help from Steve Daniels FMS, FIOR, FBCS, CITP. You can find Steve on LinkedIn. Steve explained the ‘reasonable worst case’ to me for the first time. I thought it worth sharing, as I hadn’t seen much about it in other places. I am solely responsible for any remaining bad explanations, misrepresentations, or unsupported embellishments. I inflicted plenty of those on Steve during the development dialectic, and he hasn’t checked the final version.
Version 3.0 Beta