ConnectedGRC

Drive a Connected GRC Program for Improved Agility, Performance, and Resilience

Explore the right questions to ask before buying a Cyber Governance, Risk & Compliance solution.

Explore the right questions to ask before buying a Cyber Governance, Risk & Compliance solution.

Learn More

Discover ConnectedGRC Solutions for Enterprise and Operational Resilience

Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.

Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.

Learn More

Explore What Makes MetricStream the Right Choice for Our Customers

Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream

Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream

Learn More

Discover How Our Collaborative Partnerships Drive Innovation and Success

Watch Lucia Roncakova from Deloitte Central Europe, speak on how the partnership with MetricStream provides collaborative GRC solutions

Watch Lucia Roncakova from Deloitte Central Europe, speak on how the partnership with MetricStream provides collaborative GRC solutions

Learn More

Find Everything You Need to Build Your GRC Journey and Thrive on Risk

Download this report to explore why cyber risk is rising in significance as a business risk.

Download this report to explore why cyber risk is rising in significance as a business risk.

Learn More

Learn about our mission, vision, and core values

Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey

Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey

Learn More
+1-650-620-2955
+1-650-620-2955 Contact Us Request Demo
×
Hit enter to search or ESC to close

Biases in Risk Identification, Prioritization and Principles of Risk Evaluation

 

 

Introduction

Risk is a very common phenomenon in today’s world, and it is changing rapidly. That calls for risk leaders to be prepared to handle the opportunities and challenges of risks. Read on to find out more about the types of bias in risk identification, the principles of risk evaluation, and how to prioritize risk.

Types of Bias

  • Cognitive Bias

    A collection of predispositions and perceptions, often influenced by incentives, wants, and fears, which could affect the risk assessment process.  

  • Confirmation Bias

    As humans, we are always seeking approval from others who will confirm our position. During risk identification, this may lead to a failure to capture a range of alternative risks in an organization. 

  • Groupthink Bias

    Conducting a risk identification in a group setting might lead to thoughts of a population who think alike. In the process, an important risk raised by an outlier may be ignored due to a false consensus effect. 

  • Availability Bias Our minds remain focused on things that we see and hear frequently. For example, if there are a series of cyber attacks in the news, even if its likelihood of occurrence is lower in the organization, it may end up as a top risk. 
     

  • Hindsight Bias

    When decisions are made based only on what went wrong, it could result in identifying risks and processes that may not be applicable in the future. 
     

Effective Risk Identification

In order to establish an effective risk identification process, identification of all existing biases is key. Primary ways to identify such biases include:   

Open Communication

Having open communication, listening and asking for the facts are all important steps – along with listing what may or may not be considered risks by digging deeper into your organization.   

Conducting Risk Surveys, Interviews, and Workshops

By sending broad surveys, various perspectives can be gathered. After reviewing the responses, one-on-one interviews can be conducted with key stakeholders to gain greater insights. Lastly, the findings from surveys and interviews can be presented to the C-suite and risk committee for final decision-making.

Risk Evaluation

Once biases are successfully removed, risk prioritization and principles of risk evaluation involve Qualitative and Quantitative methods.

The following table provides the difference between Qualitative and Quantitative risk evaluation methods:

risk mangement

Qualitative Risk Evaluation

Most risk managers apply qualitative methods to evaluate risks. This leads to subjectivity. One simple method to reduce subjectivity for smaller projects is to apply the impact likelihood scale.

Measuring Impact and Likelihood on a Scale

  • Very Low
  • Low
  • Medium
  • High
  • Very High

Each impact and likelihood can be assigned a number from 1 to 5 for Very Low to Very High, respectively. See table below:

risk mangement

Final Risk rating as a product of impact and likelihood will fall in-between a range of 1 and 25. The product can be translated into a subjective rating as per the below table:

risk mangement

A simple example can illustrate the qualitative method. There have been four Category 5 hurricanes (with a wind speed of 157 miles per hour or more) hitting the U.S. in the last 100 years. This means there is a 4 percent chance of a Category 5 storm hitting the U.S. in a year. Applying the qualitative principles, the likelihood of the risk is Very Low. The impact of a Category 5 hurricane can be devastating i.e. Very High. The below table determines the risk rating:

risk mangement

Although we considered the likelihood based on historic data, we need to consider external factors that might increase or decrease the likelihood over time.

If we dig deeper into the hurricane example, 8 out of 35 Category 5 hurricanes were initiated in the North Atlantic Ocean in the last decade i.e., 25 percent of Category 5 hurricanes in the past 10 years, which is a significant number to ignore. In 2020, it is forecasted that there will be 18 named storms, 9 hurricanes, and 4 major hurricanes compared to a 30-year average of 13 named storms, 7 hurricanes, and 3 major hurricanes. Whether it eventually happens or not, the difference is too high to disregard. Moreover, the effect of climate change will make hurricane seasons worse over the years. As we ask more questions and are presented with clearer facts, our likelihood scale is bound to change, resulting in a shift in risk rating.

Quantitative risk evaluation method is objective. It uses verifiable data to determine multiple risk factors and requires a heavy volume of data, specialized software, and vigorous risk models.

A simple example can illustrate quantitative evaluation.

California is severely affected by wildfires every year. In order to perform quantitative fire risk evaluation, we need to characterize and combine fire behavior probabilities and effects. These probabilities are different from likelihoods based on historic data since they depend on spatial and temporal factors controlling fire growth. The likelihood of a wildfire in a specific location is dependent on various factors such as weather conditions, topography, forest dryness, and fire direction. The fire behavior distribution requires scientific computational of these factors. The impact or effect of wildfires needs to be appraised based on a common scale of infrastructure and human values susceptible to fire. Ultimately, this will determine the investment needed to evaluate the likelihood of wildfire in that location and minimize the damage.

It might sound like the quantitative approach is the more reliable of the two. However, both methods hold equal merits. Qualitative risk should always be performed. It is the most perfect way to analyze and prioritize risks that can be broadly adopted across an organization. On the other hand, quantitative risk evaluation is vital, especially in high-risk industries such as mining, oil and gas, construction, and anything that presents a threat to the safety of workers on a day-to-day basis. Indeed, it’s a legal requirement.

The above methods of identifying biases and evaluating risks for strategic prioritization may result in reducing the impact of unforeseeable events but can never eliminate the possibilities of a failed risk prioritization as we experienced in 2020.

Risk Prioritization

The Global Risks Report of 2020 by the World Economic Forum (WEF) prioritized climate change and related environmental issues as the top five risks in terms of likelihood. However, we have all experienced how the global pandemic turned our world upside down.

Going back to the report, if one prioritizes risk based on the Global Risk Landscape 2020 (fig II), the infectious disease would unlikely make it onto the prioritization list. In the Short-Term Risk Outlook (fig 1.1), the pandemic doesn’t even appear anywhere.

risk mangementrisk mangement

Once the pandemic is over, we will run into various biases while identifying future risks, therefore, all the methods to mitigate such biases will be critical. It won’t eradicate similar occurrences but will reduce the impact of these risk factors through better mitigation strategies.

In 2015, in a now-famous TED talk, Bill Gates repeatedly warned how we were not prepared for the next epidemic. During the Obama Administration, when we experienced the 2009 H1N1 (swine flu) and 2014 Ebola outbreaks, the former president emphasized building a public health infrastructure globally to combat the next pandemic. Unfortunately, for the current COVID-19 pandemic, the world was not prepared, and we now face the irreversible consequences of poor planning of risk prioritization. Let’s learn from the struggles following 9-11 and create a unified effort to prepare for the next pandemic.

In summary, risks need to be identified carefully, and its accurate evaluation will determine if we are successful in mitigating those before these risks lead to a path of no return.

Risk is a very common phenomenon in today’s world, and it is changing rapidly. That calls for risk leaders to be prepared to handle the opportunities and challenges of risks. Read on to find out more about the types of bias in risk identification, the principles of risk evaluation, and how to prioritize risk.

  • Cognitive Bias

    A collection of predispositions and perceptions, often influenced by incentives, wants, and fears, which could affect the risk assessment process.  

  • Confirmation Bias

    As humans, we are always seeking approval from others who will confirm our position. During risk identification, this may lead to a failure to capture a range of alternative risks in an organization. 

  • Groupthink Bias

    Conducting a risk identification in a group setting might lead to thoughts of a population who think alike. In the process, an important risk raised by an outlier may be ignored due to a false consensus effect. 

  • Availability Bias Our minds remain focused on things that we see and hear frequently. For example, if there are a series of cyber attacks in the news, even if its likelihood of occurrence is lower in the organization, it may end up as a top risk. 
     

  • Hindsight Bias

    When decisions are made based only on what went wrong, it could result in identifying risks and processes that may not be applicable in the future. 
     

In order to establish an effective risk identification process, identification of all existing biases is key. Primary ways to identify such biases include:   

Open Communication

Having open communication, listening and asking for the facts are all important steps – along with listing what may or may not be considered risks by digging deeper into your organization.   

Conducting Risk Surveys, Interviews, and Workshops

By sending broad surveys, various perspectives can be gathered. After reviewing the responses, one-on-one interviews can be conducted with key stakeholders to gain greater insights. Lastly, the findings from surveys and interviews can be presented to the C-suite and risk committee for final decision-making.

Once biases are successfully removed, risk prioritization and principles of risk evaluation involve Qualitative and Quantitative methods.

The following table provides the difference between Qualitative and Quantitative risk evaluation methods:

risk mangement

Qualitative Risk Evaluation

Most risk managers apply qualitative methods to evaluate risks. This leads to subjectivity. One simple method to reduce subjectivity for smaller projects is to apply the impact likelihood scale.

  • Very Low
  • Low
  • Medium
  • High
  • Very High

Each impact and likelihood can be assigned a number from 1 to 5 for Very Low to Very High, respectively. See table below:

risk mangement

Final Risk rating as a product of impact and likelihood will fall in-between a range of 1 and 25. The product can be translated into a subjective rating as per the below table:

risk mangement

A simple example can illustrate the qualitative method. There have been four Category 5 hurricanes (with a wind speed of 157 miles per hour or more) hitting the U.S. in the last 100 years. This means there is a 4 percent chance of a Category 5 storm hitting the U.S. in a year. Applying the qualitative principles, the likelihood of the risk is Very Low. The impact of a Category 5 hurricane can be devastating i.e. Very High. The below table determines the risk rating:

risk mangement

Although we considered the likelihood based on historic data, we need to consider external factors that might increase or decrease the likelihood over time.

If we dig deeper into the hurricane example, 8 out of 35 Category 5 hurricanes were initiated in the North Atlantic Ocean in the last decade i.e., 25 percent of Category 5 hurricanes in the past 10 years, which is a significant number to ignore. In 2020, it is forecasted that there will be 18 named storms, 9 hurricanes, and 4 major hurricanes compared to a 30-year average of 13 named storms, 7 hurricanes, and 3 major hurricanes. Whether it eventually happens or not, the difference is too high to disregard. Moreover, the effect of climate change will make hurricane seasons worse over the years. As we ask more questions and are presented with clearer facts, our likelihood scale is bound to change, resulting in a shift in risk rating.

Quantitative risk evaluation method is objective. It uses verifiable data to determine multiple risk factors and requires a heavy volume of data, specialized software, and vigorous risk models.

A simple example can illustrate quantitative evaluation.

California is severely affected by wildfires every year. In order to perform quantitative fire risk evaluation, we need to characterize and combine fire behavior probabilities and effects. These probabilities are different from likelihoods based on historic data since they depend on spatial and temporal factors controlling fire growth. The likelihood of a wildfire in a specific location is dependent on various factors such as weather conditions, topography, forest dryness, and fire direction. The fire behavior distribution requires scientific computational of these factors. The impact or effect of wildfires needs to be appraised based on a common scale of infrastructure and human values susceptible to fire. Ultimately, this will determine the investment needed to evaluate the likelihood of wildfire in that location and minimize the damage.

It might sound like the quantitative approach is the more reliable of the two. However, both methods hold equal merits. Qualitative risk should always be performed. It is the most perfect way to analyze and prioritize risks that can be broadly adopted across an organization. On the other hand, quantitative risk evaluation is vital, especially in high-risk industries such as mining, oil and gas, construction, and anything that presents a threat to the safety of workers on a day-to-day basis. Indeed, it’s a legal requirement.

The above methods of identifying biases and evaluating risks for strategic prioritization may result in reducing the impact of unforeseeable events but can never eliminate the possibilities of a failed risk prioritization as we experienced in 2020.

The Global Risks Report of 2020 by the World Economic Forum (WEF) prioritized climate change and related environmental issues as the top five risks in terms of likelihood. However, we have all experienced how the global pandemic turned our world upside down.

Going back to the report, if one prioritizes risk based on the Global Risk Landscape 2020 (fig II), the infectious disease would unlikely make it onto the prioritization list. In the Short-Term Risk Outlook (fig 1.1), the pandemic doesn’t even appear anywhere.

risk mangementrisk mangement

Once the pandemic is over, we will run into various biases while identifying future risks, therefore, all the methods to mitigate such biases will be critical. It won’t eradicate similar occurrences but will reduce the impact of these risk factors through better mitigation strategies.

In 2015, in a now-famous TED talk, Bill Gates repeatedly warned how we were not prepared for the next epidemic. During the Obama Administration, when we experienced the 2009 H1N1 (swine flu) and 2014 Ebola outbreaks, the former president emphasized building a public health infrastructure globally to combat the next pandemic. Unfortunately, for the current COVID-19 pandemic, the world was not prepared, and we now face the irreversible consequences of poor planning of risk prioritization. Let’s learn from the struggles following 9-11 and create a unified effort to prepare for the next pandemic.

In summary, risks need to be identified carefully, and its accurate evaluation will determine if we are successful in mitigating those before these risks lead to a path of no return.

lets-talk-img

Ready to get started?

Speak to our experts Let’s talk