Better risk classification

The ultimate focus of risk management is action: better decisions. With this aim, it makes sense to facilitate decision making by grouping together items which would benefit from the same management actions, contingency plans and other forms of risk management, spending your time and money wisely.

In the context of a typical 2015 risk classification scheme – used across the UK private, public and voluntary sectors:

  • I suggest that the scheme does not easily lend itself to proactive (risk management) or reactive (crisis management) actions
  • I set out an alternative 3-way classification which is more intuitive, more robust, more action-based and more helpful

Other schemes offer similar insights: multi-dimensionality of risk (CARE, 2010) is one such source. Pardon the pun: choose your classification with care.

Traditional and proposed classifications: a brief comparison

  • Knowledge: far from unknown in e.g. decision analysis. Ranges from certainty through risk, uncertainty, ambiguity and chaos.
  • Type: use with care. Credit risk, operational risk etc.
  • Probability: replaced by source.
  • Impact: replaced by source.
  • Source: internal versus external; a more helpful replacement for probability and impact.
  • Velocity: the speed at which risk crystallises or uncertainty emerges.

Typical classification: type, probability and impact

More detailed insights: this section briefly critiques probability-impact; [2] below covers "type". Traditional risk classification gives more detail.

One classification scheme – still widely used in 2015 – is the 3-way type-probability-impact. The deployment of probability and impact generally shows a distinct lack of care. One organisation "markets" probability-impact as an initial screening assessment for risks:

"An initial screening of the risks and opportunities is performed using qualitative techniques followed by a more quantitative treatment of the most important risks and opportunities." (COSO guidance on risk assessment in practice, 2012)

Risk practitioners know that the quantitative stage is often not reached. A UK Government Office for Science review put the resulting weakness this way:

"One key weakness of deterministic assessments is that they are not readily comparable across risks ... comparisons between deterministic scenarios will not be on a consistent basis as both the likelihood and impact for scenarios will vary. However in practice risk managers routinely compare several deterministic scenarios and make decisions on that basis." (Blackett review: High impact low probability risks)
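To make the Blackett point concrete, here is an added worked example (code written for this page, not the page's own material nor anything from COSO or the Blackett review). The band boundaries, the four register entries and their probabilities and loss figures are all assumptions constructed for the illustration; the scenarios simply echo ones the page uses elsewhere. The same register is ranked once by a 5x5 probability-impact matrix score and once by expected annual loss, and the two orderings disagree; the cell_range helper then shows how wide a spread of expected loss a single cell, and hence a single score, can conceal. The arithmetic is identical for an information-security risk register scored the same way.

```python
"""Qualitative probability-impact scoring versus a quantitative comparison.

Constructed example: the band boundaries and the four register entries are
assumptions made for illustration, not figures from the page or any standard.
"""
from bisect import bisect_right

# Band edges (assumed): likelihood is annual probability, impact is loss in GBP.
LIKELIHOOD_EDGES = [0.01, 0.05, 0.20, 0.50]              # band 1 = <1% ... band 5 = >=50%
IMPACT_EDGES = [10_000, 100_000, 1_000_000, 10_000_000]  # band 1 = <10k ... band 5 = >=10m


def likelihood_band(p):
    """Map an annual probability to a 1-5 likelihood band."""
    return bisect_right(LIKELIHOOD_EDGES, p) + 1


def impact_band(loss):
    """Map a loss amount to a 1-5 impact band."""
    return bisect_right(IMPACT_EDGES, loss) + 1


def matrix_score(p, loss):
    """The usual 5x5 matrix score: likelihood band times impact band."""
    return likelihood_band(p) * impact_band(loss)


def expected_annual_loss(p, loss):
    """Quantitative comparison on one consistent basis: probability times loss."""
    return p * loss


def cell_range(lband, iband):
    """Smallest and largest expected annual loss that one matrix cell can contain.

    Two risks in the same cell (same score) can differ by this much; band 5 is
    open-ended, so its upper bound is infinite.
    """
    p_lo = [0.0] + LIKELIHOOD_EDGES
    p_hi = LIKELIHOOD_EDGES + [1.0]
    l_lo = [0.0] + IMPACT_EDGES
    l_hi = IMPACT_EDGES + [float("inf")]
    return (p_lo[lband - 1] * l_lo[iband - 1], p_hi[lband - 1] * l_hi[iband - 1])


def rank_register(register):
    """Return (names ranked by matrix score, names ranked by expected loss)."""
    by_matrix = sorted(register, key=lambda r: (-matrix_score(r["p"], r["loss"]), r["name"]))
    by_eal = sorted(register, key=lambda r: (-expected_annual_loss(r["p"], r["loss"]), r["name"]))
    return [r["name"] for r in by_matrix], [r["name"] for r in by_eal]


# Constructed register: the scenarios echo the page's own illustrations, the numbers are assumed.
REGISTER = [
    {"name": "Internal network failure", "p": 0.45, "loss": 120_000},
    {"name": "Hurricane damage to Florida head office", "p": 0.04, "loss": 9_000_000},
    {"name": "Competitor price war", "p": 0.22, "loss": 1_500_000},
    {"name": "Key supplier insolvency", "p": 0.009, "loss": 800_000},
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r['name']:<40} score={matrix_score(r['p'], r['loss']):>2}  "
              f"expected loss={expected_annual_loss(r['p'], r['loss']):>10,.0f}")
    by_matrix, by_eal = rank_register(REGISTER)
    print("ranked by matrix:       ", by_matrix)
    print("ranked by expected loss:", by_eal)
    print("a (4,3) cell can hide expected losses from", cell_range(4, 3))
```

With these assumed figures the matrix puts the network failure (score 12) above the hurricane (score 8), while the hurricane's expected annual loss is more than six times larger; and any risk in the (4,3) cell could carry an expected loss anywhere between 20,000 and 500,000, a 25-fold spread behind one score. That is the sense in which deterministic band scores are not comparable across risks.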

[1] Knowledge focus: risk and uncertainty as lack of knowledge

Reality check: Are all the items on your risk register "event-like"? This could be the most important classification for you.

Insight: Risk classifications such as those set out in WARNING: Physics envy may be hazardous to your wealth! and Decision theory: a brief introduction may seem academic, but their insights can help us understand the potential for managing uncertainty and therefore (e.g.) see where to focus our efforts.

One classification system, motivated partly by the two papers referred to above is:

  1. Certainty: this rarely exists, but in many situations non-risk factors dominate – this is not always apparent from risk material.
  2. Risk: known probabilities (dice, cards etc). Rarely directly relevant, but sometimes more data means uncertainty moves closer to risk.
  3. Uncertainty: unknown probabilities for key variables – this is the norm for organisations.
  4. Ambiguity: not only are probabilities unknown, the presence and effect of contributing factors and the potential outcome are also unknown.
  5. Chaos: nothing is known and "black swans" seem to be frequent.

Getting real: Risk, Uncertainty and Profit was an influential 1920s book by US economist Frank Knight in which he suggested that profit accrues to firms which take on uncertainty (manageable through expertise) rather than risk (manageable through diversification). Although we sometimes behave as though we're in a (1) or (2) world, (3) and (4) are the norm for most organisations. Lack of knowledge, calibration challenges and model risk abound. A simpler summary may be:

  1. Random variation: Our models are fine; we get caught out (only) by statistical fluctuations.
  2. Estimation risk: The true values of important parameters in our models are unknown and must be estimated.
  3. Model risk: Models are simplifications. We may not have perceived the influence of supposedly immaterial factors and may have completely missed others.

Non-random variation. In reality much variation is not random; the impact of estimation error increases as we sell more product, insure more people etc. It is a systematic risk: the difference between our assumption and the true underlying value becomes clearer over time rather than diversifying away. Of course there is hope:

  • We may be able to improve our estimates and our uncertainty around them, by investigations.
  • One way of managing may be to diversify across "products", so long as there is no underlying estimation bias e.g. to optimism over costs.
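The scaling argument above, as an added worked example (not from the page, and using constructed figures rather than any real book of business): a portfolio of n independent exposures, each with true annual claim probability p_true, is priced on an estimate p_est, and each claim costs a fixed severity. Under that binomial assumption the random fluctuation grows with the square root of n while the estimation error grows with n itself, so the random share of expected loss shrinks as the book grows and the estimation share does not. The second function shows the diversification point: estimation errors that point in opposite directions across products partly cancel, whereas a shared optimism bias simply adds up.

```python
"""Random variation versus estimation error as a portfolio grows.

Added illustration with constructed figures: a book of n independent exposures,
each with true annual claim probability p_true, priced on an estimate p_est,
each claim costing `severity`. Nothing here is from the page or from real data.
"""
import math


def loss_components(n, p_true, p_est, severity):
    """Split the gap between priced and actual losses into its two sources.

    random_sd:        one standard deviation of the binomial claim count, in money;
                      the 'statistical fluctuation' of item (1).
    estimation_error: the systematic shortfall from pricing on p_est instead of
                      p_true (positive means we under-priced); item (2).
    The *_share fields express each against expected loss so the scaling with n is visible.
    """
    expected = n * p_true * severity
    random_sd = math.sqrt(n * p_true * (1 - p_true)) * severity
    estimation_error = n * (p_true - p_est) * severity
    return {
        "expected": expected,
        "random_sd": random_sd,
        "estimation_error": estimation_error,
        "random_share": random_sd / expected,
        "estimation_share": abs(estimation_error) / expected,
    }


def portfolio_estimation_error(products):
    """Net estimation error across several products, each given as (n, p_true, p_est, severity).

    Independent over- and under-estimates partly cancel; a common optimism bias does not.
    """
    return sum(loss_components(*prod)["estimation_error"] for prod in products)


if __name__ == "__main__":
    # p_est is 10% optimistic in every case; only the book size changes.
    for n in (100, 10_000, 1_000_000):
        c = loss_components(n, p_true=0.02, p_est=0.018, severity=1_000)
        print(f"n={n:>9,}: random +/-{c['random_share']:.1%} of expected, "
              f"estimation {c['estimation_share']:.1%} of expected")
    # Two products whose estimation errors point in opposite directions largely cancel...
    mixed = [(10_000, 0.02, 0.018, 1_000), (10_000, 0.02, 0.022, 1_000)]
    # ...whereas a shared optimism bias simply adds up.
    optimistic = [(10_000, 0.02, 0.018, 1_000), (10_000, 0.02, 0.018, 1_000)]
    print("mixed errors, net:   ", round(portfolio_estimation_error(mixed)))
    print("shared optimism, net:", round(portfolio_estimation_error(optimistic)))
```

With the assumed 10% optimism in p_est, random variation is about 70% of expected loss at n = 100 but under 1% at n = 1,000,000, while the estimation error stays at 10% of expected loss however large the book becomes: more volume does not diversify it away, it only makes it more visible.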

The board and models

Models are important, but risk management is almost never a matter of just mathematics and models; the judgements of (e.g.) an organisation's Board must be brought to bear on business decisions which have uncertainty at their core. Models are an excellent servant, but a poor master.

[2] Type focus: functional and expert-led risk types

More detailed insights: I like risk type. Traditional risk classification gives more detail on how it can best be used, with a particular focus on operational risk.

These risk types are used in many larger companies, with multiple further levels of sub-type for a given risk type.

Insight: Uncertainty is often best managed by front line people with expertise, with central back up; multiple "lines of defence".

  • Strategic: Below we link to evidence that this hybrid risk is often the biggest facing an organisation.
  • Operational: the potential for loss arising from inadequate or failed procedures, systems or policies – see the Basel II categories.
  • Financial: a host of risks which can be classified at various levels (investment, credit, market etc).
  • Insurance-like: most organisations have at least some of this, either through exposure to hazards (weather, fire, death) or through their pension schemes.
  • Other: some companies will put (e.g.) reputational or legal risks here.

Getting real: Used as part of a toolset there is nothing wrong with this perspective. It can be applied in an unfortunate way: a Chief Risk Officer may be employed not to help manage overall risk and uncertainty, but to be responsible for ensuring the firm does not incur substantial losses from its investment policy. Not good.

[3] Control focus: managing internal v external risks

Insight: the amount and type of influence we have over risks depends on whether they arise within or outside our organisation.

  • Internal risks: we have most influence over these; we may influence both the "probability" and "impact".
  • External risks: we have less influence over "probability" (lobbying may help for some e.g. political risks) and may need to mitigate potential "impact".
  • Hybrids: In reality uncertainty can be a combination of internal and external factors e.g. strategic and competitive risks.

Getting real: The risk of a hurricane hitting a Florida head office may be unmanageable without insurance (manage impact, not probability). Competitive uncertainty may be limited by diversifying our business interests (diversification, again managing impact not probability), although our business may thereby suffer from lack of focus or specialisation. We can reduce the probability of internal network failure by purchasing higher quality components and manage the impact by using offsite facilities.

[4] Speed focus: risk velocity

Insight: the faster something can happen, the more you need to be prepared.

A risk which crystallises and escalates rapidly can leave little time for thought: action is the watchword. For this reason I suggest a big role for an old-fashioned concept, much neglected in many risk management circles: contingency plans. Would you expect the military to do without them? Enough said.

The recent emphasis on organisational agility and resilience might also suggest that we need to be able to react appropriately to sudden events. But a true understanding of velocity should take us beyond that. How do you boil a frog? Slowly. How does an organisation fail? Read Sinking, fast and slow.

Getting real: At best, risk velocity is a double-edged concept. By analogy with the field of time management, used in the wrong way risk velocity might suggest that we should concentrate mainly on the "urgent" at the expense of the "important". Individuals get poor results if they fail to find the right urgent-important balance. The same applies to organisations. The useful thing about risk velocity is that the classification can highlight whether we've got the balance right.


© 2014-2017: 4A Risk Management; a trading name of Transformaction Development Limited