Professional Documents
Culture Documents
Risk Tip – how likely is likely_ - Paladin Risk Management Services _ Providing extensive risk management consultancy and training services
Risk Tip – how likely is likely_ - Paladin Risk Management Services _ Providing extensive risk management consultancy and training services
Assessing the level of likelihood for risk is something I have been questioning for some considerable
time. I have followed the conventional wisdom up until this point and used the ‘traditional’ criteria to ex-
press likelihood. You may have criteria similar to the following:
61-80% Probable 4
41-60% Improbable 3
21-40% Unlikely 2
Possible 3 – 6 years 35% – 65% The event might occur at some time
Unlikely 6 – 10 years 5% – 35% The event could occur at some time but is
improbable
These descriptors, whilst standard across the industry, have not sat well with me for some time, but I
was unsure why. That was until recently when it hit me like the proverbial ton of bricks. It makes abso-
lutely no sense to assess the likelihood of events that are not time or frequency dependent using time or
frequency as the measure.
I started to ask – is this an appropriate measure to determine the likelihood of risks such of these?
The likelihood of these risks occurring is in no way going to be based on frequency or probability. The
likelihood of these risks is going to be based on the effectiveness of the current control environment.
So, let’s take one of these – contaminated food served to restaurant patrons as a case study.
Rare Likely to occur with less frequency than once every 10 years
To my way of thinking, it is impossible to estimate the likelihood of this risk based on frequency. What
will make this risk unlikely to rare is the effectiveness of the controls established within the restaurant.
Al- All of the controls associated with the risk are extremely weak and/or non-existent.
most Without control improvement there is almost no doubt whatsoever that the risk will
Cer- eventuate
tain
Likely The majority of the controls associated with the risk are weak. Without control improve-
ment it is more likely than not that the risk will eventuate.
Pos- There are some controls that need improvement, however, if there is no improvement there
sible is no guarantee the risk will eventuate.
Un- The majority of controls are strong with few control gaps. The strength of this control en-
likely vironment means that it is likely that the risk eventuating would be caused by external
factors not known to the organisation.
Rare All controls are strong with no control gaps. The strength of this control environment means
that, if this risk eventuates, it is most likely as a result of external circumstances outside of
our control.
We then assess the likelihood based on the following observations of the effectiveness of the controls. So
let’s apply this likelihood matrix to two different restaurants:
Restaurant 1
Restaurant 2
Based on the effectiveness of the controls the likelihood of contaminated food being served to restaurant
patrons would be signi cantly higher at restaurant 2.
If we continue to try and estimate likelihood based on frequency for risks where the likelihood is actually
dependent on the effectiveness of the controls, the decisions we take may be awed.
So how likely is likely? Understand the effectiveness of your controls to truly understand how likely it is
that the risk will materialise as an issue.
COPYRIGHT © PALADIN RISK MANAGEMENT SERVICES 2017 PRIVACY POLICY | REFUND POLICY |
STATEMENT OF OWNERSHIP
RELATED COURSES
Advanced Diploma in Governance and Risk Compliance
Diploma of Risk Managment and Business Continuity
Certi cate IV in Risk Management Essentials
RECENT BLOG
Risk Tip 16 – Let us start at the very end
One of the areas that organisations nd dif cult is determining the effectiveness of controls, something I
have written about previously on how we measure effectiveness. The most signi cant challenge I have
noted is the development of performance measures for controls in order for effectiveness to be meas-
ured. The methodology I have developed to assist organisations […]
READ MORE
RECENT BLOG
Risk Tip # 9 – Describing Risk Treatments
I love reading risks treatments in risk registers – they are always so descriptive. Some of the treatments I
have taken from risk registers over time are shown below: better communication; training in contract
management; rolling fraud audit program; additional physical security; more management oversight and
action; better change management; and/or recruit additional staff. increased […]
READ MORE
Lack of quali ed staff would have to be one of the risks that I see most often in risk registers. You may
even have it in yours. Other risks that I see on a regular basis in risk registers include: lack of funding;
failure to meet the Government’s reform agenda; project does not meet its […]
READ MORE
ASQA - 45173