It is very easy to get so caught up in analysis paralysis that you never get around to actually responding to your identified risks. Estimating them instead provides a quick, low-cost way to figure out how big each of your risks are relative to each other. Risk estimation is easy when you remember that risk consists of two components: impact and probability—each of which has a simple proxy for quick estimation.
Many organizations that make the conscious decision to actively manage risk often hit the brick wall of analysis paralysis. They get so paralyzed spending time and energy trying to figure out exactly how big risks are that they don’t get around to responding to most important (i.e., the largest) risks early (when it is easier to address them).
Estimation IS good enough (for comparative analysis)
I found the easiest way to avoid the analysis paralysis trap is simply to decide NOT to calculate exactly how large each risk is. Instead simply estimate the size of each.
I know what you are saying, “Estimating a risk could lease to make very bad investments.” But remember what we are doing. We are not calculating the cost of a Collateralized Debt Swap Obligation (something the Quants did not apparently do well in 2008, even with their advances mathematical models). We are simply figuring out the size of each of our risks relative to each other (so we know which ones to address first).
Since we are using the same approach to estimate every identified risk, we will come up with an almost identical assessment of how big each of risks are relative to each other. However, with estimation, we will do this with much less time and effort.
People are better at estimation than they think
When I ask people to estimate risk, they usually tell me that they would not even begin to know how to calculate the size of a risk. However, people are much better at performing accurute estimates in their head than they think. If you don’t believe me just watch a baseball player estimate the trajectory of a parabolic arc through a near-constant gravity field and a non-linear drag coefficient, i.e., figure out where to stand to catch a pop fly.
The trick to estimating risk: RIP it up first
The authors of Freakanomics (and Super Freakonomics) describe a lot of scenarios in which people make decisions that are not good for them because they do not calculate risk correctly. At the core, these scenarios usually boil down to one point: people forget the size of a risk is comprised of two dimensions:
A RISK is a possible unplanned situation that would
materially affect your plan or operations—if it occurs
To estimate how big a risk is, you need to estimate two things: the possibility and the effect. For the mathematically inclined:
RiskSize = ImpactSize x ProbabiltyOf Occurance
To estimate the size of a risk, RIP it in two parts: Impact and Probability. Then estimate each part and multiply the results together.
Estimating (the) Impact (that a risk would cause)
First I ask them what type of impact they are trying to estimate: the cost of lost time, the cost of extra effort, lost revenue, lost market share or lost market capitalization. Each of these has a simple proxy (for estimation purposes), DAYS LOST:
- Cost of Lost Time = Days Lost x Daily Cost of Operations (or Budget)
- Cost of Extra Effort = Days Lost (Extra Effort) x Number of People x Daily Pay Rate
- Lost Revenue* = Days Lost x (Annual Revenue / Sales Days per Year)
- Lost Market Cap* = (Lost Revenue / Annual Revenue) x Current Market Capitalization
- Lost Market Share* = (Sales Days Lost / Sales Days per Year) x Current Market Share
*Sometimes you are only interrupting revenue, not losing it. In these cases I simply calculate the cost of deferred revenue by multiplying these impact by you Cost of Capital (Return on Equity can serve as a proxy)
So I ask this question:
“Roughly how many days will we lose if [X] happens: one day, one week, two weeks, one month, one quarter, six months or a whole year?”
Take the answer and apply it to the above estimation model. This is good enough to get a rough estimate for planning and prioritization purposes.
Note: If you are estimating life and safety, you are in an entirely different spectrum. Most organizations that do this have a model already in place (usually tied to combination of actuarial tables and local liability trends). Contact your Legal or Safety department to find out how they do this.
Estimating (the) Probability (of a risk occurring)
Estimating probability can also get complicated. However, it too can be simple.
I ask people to tell me how LIKELY it is they think [X] will occur:
- Remote Chance (Less than 1 in a 1000 chance)
- Very Low Chance (1 in a 100 chance)
- Low Chance (1 in 3 chance)
- Toss-Up (50/50 or 1 in 2 chance)
- Likely (3 in 4 chance)
- Near Certain (> 9 in 10 chance)
People are usually comfortable providing this kind of estimate.
Putting both estimates together
Once you have your two estimates, simply multiple them together. You may be surprised by the results. For example, that remotely-possible-but-utterly-horrible-thing-that-might-occur could turn out to be a relatively much smaller risk than the 50/50 chance that your vendor will ship two weeks late.
A few best practices to make this easier and more accurate
Since you are performing an estimate, you can use all the tools available for estimation to make this easier. I recommend, Steve McConnell’s Demystifying the Black Art for a fun, informative read on variety of effective estimation techniques. I like to use the following:
- De-composition/Re-composition. Rather than estimate really big risk, I break it down into smaller parts and estimate each (then manage the component risks separately)
- Wide-band Delphi. I never like to estimate my own risks (I might be biased). Instead, I ask my stakeholders to give me their estimates, then bring them together to converge on a single one
- Count (or Measure) Whenever You Can. I revise my risk estimates weekly based on new data. I also measure the accuracy of past estimates to account for future bias
Finally, to make things simple, I like to use a spread sheet-based Risk Register that lets me toggle my DAYS LOST and LIKELIHOOD inputs so I can easily perform quick sensitivity analysis of size estimates. This also lets me sort risks according to Total Size, Probability or Impact.
Author’s Acknowledgment: I would like to credit the following past associates with whom I have worked with for years to develop and apply the lessons regarding estimation of risk: Neal Beliveau, James Gaines, Simon Grant, Jeff Kolar, Clare Little and Igor Mandrosov.