REASONING ON RISK

Multi-Dimension Risk, Mobile Apps and Betting on Football

Welcome again to our regular newsletter as we race on into the year with January already a distant memory. Anyone who knows us will probably immediately guess who wrote each article mentioned in the title! The London and Manchester seminars are booking fast; they are a good opportunity to network with others from a variety of business sectors, as well as hear about some interesting topics of course - book here. If you want the PDF version of this newsletter click here.

Prioritising Risks - more than a single dimension

As some of you may know, I am involved in a number of discussions regarding risk. One of these is on LinkedIn, and concerns calculating a risk score from probability and impact. As you probably know, Severity = Probability x Impact, if the scales of probability and impact are linear. This should all be obvious stuff but what intrigued me was the discussion that then developed. It became apparent that the real issue was how the Severity “score” was used, and why this didn’t cater for some of the risk “outliers” – very low probability but very high impact risks.

The problem with reducing probability and impact down to a single value is that useful information is lost – the value can help in prioritising risks but it can’t give the whole story.

Many years ago, I was the technical director for a virtual reality software company. A lot of the dynamic calculations for the position and movement of objects could be very complex. I rapidly discovered that calculations in each dimension were far easier than attempting to combine dimensions. This is a very similar situation. Probability and Impact are two separate dimensions and one can get a lot more useful information by displaying them like that. This is why risk priority matrices or heat maps are so popular:
They retain the information that is needed to determine which risks to deal with (the ones nearest the red) and what type of actions would give most benefit (preventative actions to move the risks to the right, limiting or mitigating actions to move the risks down). They can also be used to show the results of actions:
Most of the risks have been moved right or down, and only two remain in the same place (shown with red blocks by them).

However, that is not to dismiss calculating Severity. It does give a good idea of which risks to concentrate upon first but it doesn’t tell the whole story. So when working out which risks to deal with in turn, we suggest the following sequence:

1. Use Severity score to prioritise risks. Deal with each in turn, down to a threshold set by your organisation.
2. Now use the Impact score to prioritise risks. Deal with any risks that haven’t already been dealt with, in turn, down to a threshold set by your organisation.
3. Now use the probability score. Deal with any risks that haven’t already been dealt with, in turn, down to a threshold set by your organisation.

Now you can be certain that you are covering the main risks, the very low probability, very high impact risks and the high probability risks.

If this sounds like hard work, it needn’t be. The matrix will allow you to do this visually, especially if the threshold is sketched in:
The risk register should also be capable of being ordered by severity, impact or probability, to ensure the priorities are all covered. This is why RiskAid provides:-
1. risk priority matrices for
2. risk registers that can be ordered by

All of which allows you to view the situation from different dimensions or points of view.

Mark Swabey
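The three-pass sequence from the article above, as an added example (not part of the original newsletter and not RiskAid code). The 1 to 5 scales, the thresholds and the register entries are constructed assumptions chosen to show the low-probability, high-impact outlier being picked up in the second pass.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # 1 (rare) .. 5 (almost certain); assumed linear scale
    impact: int       # 1 (negligible) .. 5 (catastrophic); assumed linear scale

    @property
    def severity(self) -> int:
        return self.probability * self.impact  # Severity = Probability x Impact


def prioritise(risks, severity_min, impact_min, probability_min):
    """Return [(risk name, pass that selected it)] in the order to deal with them."""
    passes = [
        ("severity", lambda r: r.severity, severity_min),
        ("impact", lambda r: r.impact, impact_min),
        ("probability", lambda r: r.probability, probability_min),
    ]
    ordered, seen = [], set()
    for label, score, threshold in passes:
        # Highest score first; ties within a pass are broken by severity.
        for r in sorted(risks, key=lambda r: (score(r), r.severity), reverse=True):
            if score(r) >= threshold and r.name not in seen:
                seen.add(r.name)  # each risk is dealt with once, in its first pass
                ordered.append((r.name, label))
    return ordered


# Constructed register (illustrative values only).
REGISTER = [
    Risk("Data centre fire", 1, 5),        # low-probability, high-impact outlier
    Risk("Key supplier insolvency", 3, 4),
    Risk("Laptop theft", 4, 2),
    Risk("Phishing credential loss", 4, 4),
    Risk("Printer outage", 5, 1),          # frequent but minor
    Risk("Minor typo in report", 2, 1),    # below every threshold
]

if __name__ == "__main__":
    for name, why in prioritise(REGISTER, severity_min=10, impact_min=5, probability_min=4):
        print(f"{why:12} {name}")
```

With a severity-only cut at 10, the fire (severity 5) would never reach the list; the impact pass is what brings it in.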
Let Your Competitors Gamble Whilst You Take Informed Decisions

I was watching the Chelsea versus Manchester United game whilst my son was in the room and one of those live betting ads came on at half time which started some discussion about the odds they displayed. Just after the start of the second half, Chelsea got two more goals to make it 3-0 and my son said it was only then he would bet (in theory) on Chelsea to win! Discussion followed about what makes a certainty but he felt that, with 35 minutes to go, playing at home and beating Manchester United 3-0 meant that only getting 15% return on a bet where you could lose your entire “investment” was safe money. For any other team perhaps it was safe money but Manchester United have a habit of fighting back and scoring lots of late goals.

What fascinated me was that at 75 minutes when the score was suddenly 3-2, you could get nearly 4-1 on either Chelsea or Manchester United scoring next. Another goal or two seemed very likely to me with the time left and knowing that both teams often scored late goals, I thought those odds seemed way too high and a gamble worth taking. After betting my pretend money on that, minutes later we had the Manchester equaliser. High degree of smug factor for me as I “won” money and annoyance for my son as his “sure bet” of Chelsea winning failed.

I think this highlights some key points about where applying your knowledge and experience help load the dice in your favour. I watch a lot of football, my son doesn’t. I know how many late goals Manchester United score and their fearsome ability to recover, my son doesn’t. I knew how fragile Chelsea have been recently and my son doesn’t – you get the picture. This is what is key about turning “predicting the future” from gambling to balanced decision making.
If you want to totally gamble then buy some lottery tickets or bet on tossing a coin because it doesn’t matter how clever you are or how experienced you are or what stats you’ve built up; it’s random and up to chance. Even, as in my case, if you know a lot about football and have the stats in mind or to hand, it’s hard to win bets. Why? Because the bookies have similar experience and stats available and use it!

Imagine the situation where a bookmaker just sticks their finger in the air and essentially guesses! Wow, wouldn’t we make a lot of money? Yet this is exactly what many organisations do. Plans are written with little or no contingency for handling unplanned events. Yet how many plans have we ever seen work out the way they were intended?

The better you can manage uncertainty and more accurately predict future events then the better off your business will be. Give your organisation a great edge and leave your competitors doing the gambling.

Stuart Harrison

Risks with mobile applications

The onslaught of smart phones and related application markets means that there are yet more ways to install things on what are essentially pocket computers. Most companies may have usage (acceptable usage) policies for computers, but acceptable use of phones provided by the business is probably still defined in terms of calls and texts.

Take a few of the Android phone apps. “Weed Farmer” may appear to be an innocuous game, but is described as ‘much more than a virtual plant growing app’. This might not go down well with an employer that does random drug testing. Another app is for virtual dog fighting; there is a petition to get it banned because it promotes animal cruelty.
Other great ones – “Serial Killer Quote of the Day”; “MiuMeet” - this app lets you “Meet, chat, flirt, play & party with people who are near you right now for free!”; “Pocket Girlfriend” - this little app is described as “An exotic, erotic, hot & sexy girl avatar with voice recognition in your pocket.” There’s a pretty good chance that this one would violate your company usage policy. Then there are ones that really should be kept behind closed doors – let’s say that they are aimed at 13 year old boys.

There are also security risk ones, such as “AndSMB” which can open up shared network drives – remember most smart phones will use wireless access when they can and a company may well have enabled smartphone use protected by keys. Some of the other security risk ones may have been removed from Android market and are now circulating underground, such as WEP cracker (for cracking WEP passwords to gain unauthorised wireless network access). Your average smartphone has a number of computing engines in it – some are specialised for graphics and signal processing but lend themselves to being used to crack passwords.

My own phone (not an Android one) has an application that allows it to act as a wireless access point out to the cell phone network. Thus it would be easy to get it to fake a network access point. Many companies have a separate wireless network for visitors, which is either open or only has a simple key, often posted on the noticeboard in meeting rooms. With the information on there, I can configure my smartphone sat in my pocket to appear to be that access point and thus log the activity of visitors. When I misuse the information later, the visitors finally figure out where they got hacked, and your company gets blamed.

What can you do to minimise the risks?

1. Technological solutions will always lag the problem, and any close to leading edge will be expensive, cumbersome and imperfect. (A lock – a defence mechanism, is a lot more complicated than a crowbar – an attack mechanism). But solutions do exist, so blocking access to high risk sites such as Facebook is relatively easy.
2. Awareness – keep track of what is the leading edge of risk – if not yourself, make sure someone in the organisation at least keeps a watching brief.
3. Review company policies regularly. Ensure that they keep up with a reasonable balance between legitimate use and what is not acceptable. There are two reasons for this – it acts as a deterrent – people at least know where the line is, even if it is fuzzy, and secondly, it provides the means to discipline people who step over that line. And if you do have to take action, the breaches of policy should be clear and documented.

One of the downsides of ubiquitous, easy to use technology, is that users are less aware of the implications of what they are doing than when it required an understanding of what you were doing.

Tony Gore



