Thirty-four million nine hundred thousand results. Having Googled “risk analysis,” this number was the immediate result. Twenty-five million eight hundred thousand results. This number is the Google result for “risk assessment.”
These numbers are overwhelming. Given their magnitude, one could conclude that everything that could be written has been written about risk analysis and risk assessment.
In the spirit of these numbers, this article is not an attempt to add one more promotion of the added value or the basic planning foundation provided by either a risk assessment, a risk analysis, or both, but rather to present to the reader a technique this author has used, in many cases, to obtain ninety percent of the benefit of a full risk analysis with 10 percent of the effort. The author is the first to concede that this technique is not 100 percent all-inclusive and is not foolproof; however, over years and multiple client circumstances it has provided a substantial and dependable building block with which to construct emergency response plans, and it has potential for disaster recovery and business continuity plans too. The author leaves it to the reader to determine the value this technique brings to each situation and its appropriateness for use.
A list of risks must be established or built in order to prioritize and classify their severity to the organization. The team must consider not only those risks internal to the organization, such as illness or lack of air conditioning, over which they may have some element of control, but also external influences from the outside environment, such as a blizzard, an airplane crash, or a labor dispute, over which they will have little or no control. Appendix A displays a one-page listing of a variety of risks. The author provides this list to his clients, not as an all-inclusive list of everything that could happen, but to nurture the client's thought process in reviewing their business environment. As the list of risks is built, it is imperative that the participants understand and agree on the scope and definition of each risk added to the list.
To achieve maximum benefit from this exercise, a representative population of the organization and site personnel should participate in the selection process in order to produce the most accurate list. Consider including in the risk analysis exercise, as appropriate, facilities, emergency response, security, business process owner(s), system owner(s), IT, and the right audit, quality, or validation representatives, in addition to those who will first come to mind.
The two most important factors in performing this process are the perspectives of the participants around the table and the risks itemized on the list to be considered and analyzed.
The risk analysis exercise facilitator will want to have all potential risks identified. Using this method, the maximum number of risks that can be successfully addressed at any one sitting is 20; however, it has been this author's experience that a quantity between seven and 14 risks usually works best. More than 14 requires a greater share of the participants' time than is usually available, and a larger number of risks to be considered makes it more difficult to retain the participants' attention and participation in the process. There have been instances where the author has combined similar risks to be considered as one risk. Keep in mind that a major goal of this process is to keep it short, effective, focused, and accomplishable in one sitting, thereby obtaining the ninety percent benefit with ten percent of the normal overhead of time and effort.
To perform the risk analysis process as this paper describes, the team will want to have at least three copies of the worksheet displayed in Appendix B, because the exercise, as described herein, will require three passes over the list of risks. A suitable substitute is a writing surface, such as coordinate graph paper, that can be laid out in a manner similar to Appendix B. The author initially used graph charts in a manual process but now uses a multi-tabbed spreadsheet which remembers, counts, calculates and sorts values. The reader will understand that Appendix B was originally designed as a demonstration tool (for the conservation of time) and not for actual use.
The reader may at first be confused by the appearance of two numbers for each intersection of a column and row. Remembering that this is a demonstration model, each pair of numbers represents the finite selection from which choices will be made later in the process. Using the author’s spreadsheet, the selected number is typed into the cell.
Down the diagonal line from upper left to lower right, enter the list of risks determined in Step I. This is displayed in Appendix C. Again, Appendix C was built as a demonstration tool. The risks displayed were randomly selected and do not represent any specific situation or condition. Optimistically, your list will not have as many as 20 entries. For this example, 20 risks provide the fullest execution of the process.
Under the direction of a facilitator, the assembled team makes three passes across a sheet or work space that resembles Appendix C, thus the need for three copies. With the exception of the facilitator, all participants vote by raising their hand or some other signal. A very basic but important rule of this process is that "the majority rules." When there is an even number of participants and tie votes happen, allow a fixed time for discussion, and then vote again. An egg timer works well in this circumstance. A representation of the first pass is displayed in Appendix D. Beginning in the upper left corner, ask the question, "Which is more likely to happen? A fire (No. 1), or an earthquake (No. 2)?" As indicated on the sheet by the bold italic number 1 (for this demonstration), a fire was voted to be more likely than an earthquake. A key point to the simplicity of this process is that it is not necessary for the participants to know the exact mathematical probability of either event, only that one is more likely than the other to happen. Ask the question a second time: "Which is more likely to happen? A fire (No. 1), or sabotage (No. 3)?" Sabotage was selected to be more likely to happen, so No. 3 was marked in bold italic. And again: "Which is more likely to happen? A fire (No. 1), or a disgruntled employee (No. 4)?" The disgruntled employee was selected, so the 4 was marked in bold italic. Continue this process, comparing the likelihood of a fire to the rest of the risk items. When FIRE is completed, move to the next column to the right and compare EARTHQUAKE against the remaining risk items just as was done for FIRE: "Which is more likely to happen, an earthquake (No. 2), or sabotage (No. 3)?" Continue this process until the last question asked is "Which is more likely to happen? Embezzlement (No. 19) or war (No. 20)?"
Using the T-table at the bottom of the grid, count the number of times each risk was selected. In the example, FIRE was selected six times; EARTHQUAKE, one time; SABOTAGE, eight times; and so on, as displayed in Appendix D. Using charts or graph paper, this counting is a manual process. The use of a multi-tabbed spreadsheet has the potential to make the remembering, counting, sorting, and calculating automatic.
The risk analysis participants then complete two more passes of the grid. On the second pass, ask the question, "Which will cost more when it happens?" This cost is not only lost revenue, but also lost discounts, overtime, fines, etc. This is displayed in Appendix E. Again, it is not necessary that the participants know exact dollar amounts, only which event they would expect to cost more when it happens.
Again, tally the occurrences.
On the third pass through the risks, ask the question, "Which will have a greater impact on the organization when it happens?" Examples of impact are also displayed in Appendix E.
Having completed the three passes, the review team’s worksheet or collection of worksheets should look something like Appendix F. The three T-tables show the number of times each risk was selected for (1) likelihood to happen, (2) costs, and (3) impact on the organization.
The fourth T-Table in Appendix F, labeled RISK #/SUM is obtained by adding across the previous three T-tables. For the first entry, (6) plus (18) plus (2) equals 26. For the second entry, (1) plus (18) plus (16) equals 35, and so on.
After all addition sums are completed, the fifth T-table, labeled, RISK #/SUM SORTED, is obtained by sorting the SUMs in descending order. At this point the list of risks has been prioritized from most severe to least severe, considering (1) Likelihood to Happen, (2) Costs, and (3) Impact on the Organization.
The last step in the process is to determine and assign the risk priority number (RPN). To determine the RPN:
- Multiply (N-1) by 3, where N is the number of risks being analyzed and 3 is the number of passes made. In the case of this demonstration it would be twenty risks minus one, or 19. Nineteen multiplied by three is 57. Nineteen is the number because 19 is the maximum number of times any one risk on the list of 20 can be selected when compared to the other 19.
- Then calculate the percentage the sum is of 57 to obtain the RPN. For the purpose of this demonstration, an RPN of 60 or higher is a "High Risk;" 40-59 is a "Medium Risk," and less than 40 is a "Low Risk." The results of this demonstration example are displayed in Appendix F. One example of the power and flexibility of this process is that the RPN permits the practitioner to compare results across multiple risk analysis exercises using a common unit of comparison.
At times, two or more risks will have identical RPNs. The immediate situation may require an ability to break ties. For the example displayed in Appendix F, risks 2, 3, and 4 have an RPN of 61.4 percent. By reviewing Appendix D, the reader will observe that risk 3 was selected over risk 2. Risk 4 was selected over both risk 3 and risk 2. For the purpose of this example, even though they have equal RPNs, within this tie, these risks prioritize 4, 3, and then 2.
The 12 steps described represent a basic execution of the 90-10 process. Flexibility is a key to the success and power of this process. While the three questions demonstrated in this paper could be replaced by other questions, these three seem generally to be the questions of highest concern and attention. The risk analysis team does not necessarily need to make three passes. They may decide that two passes are appropriate for their situation. It is certainly possible they could have different questions more specific to their local condition. Or, they may think of a fourth question to be asked and make four passes. It may be that the risk analysis team prefers to weight one question more heavily than the others. To do that, they would adjust the counts accordingly. The 3 in the (N-1) by 3 calculation above would then be increased or decreased in proportion to the weighting factor.
It may be that the situation requires threshold percentages different from 60 percent and 40 percent. These too can be adjusted to fit the business condition. The reader should keep in mind that consistency across the organization must be maintained to obtain meaningful results. Maintain the same questions and the same thresholds across the organization.
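The passes, T-table tallies, RPN calculation, High/Medium/Low thresholds, head-to-head tie-breaking, and the optional question weighting described above, carried through in a small script. This is an added example and not the author's spreadsheet; the four risks are named in the article, but the votes, the weights, and the function names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample: four risks named in the article. The votes below are
# invented for illustration (the real tallies live in the appendices, which
# are not reproduced here). Each key is a pair (lower index, higher index),
# walked exactly as the grid is, and the value is the risk the majority chose.
RISKS = ["Fire", "Earthquake", "Sabotage", "Disgruntled employee"]
LIKELIHOOD = {(0, 1): 0, (0, 2): 2, (0, 3): 3, (1, 2): 2, (1, 3): 1, (2, 3): 2}
COST = {(0, 1): 0, (0, 2): 0, (0, 3): 0, (1, 2): 1, (1, 3): 1, (2, 3): 2}
IMPACT = {(0, 1): 0, (0, 2): 2, (0, 3): 0, (1, 2): 1, (1, 3): 1, (2, 3): 2}


def tally(n, votes):
    """T-table for one pass: how often each risk was selected, after checking
    that every pair was compared exactly once and each winner is in its pair."""
    if set(votes) != set(combinations(range(n), 2)):
        raise ValueError("each pair of risks must be compared exactly once")
    counts = [0] * n
    for (a, b), winner in votes.items():
        if winner not in (a, b):
            raise ValueError(f"winner {winner} is not in pair {(a, b)}")
        counts[winner] += 1
    return counts


def rpn_table(risks, passes, weights=None, high=60, medium=40):
    """Sum the (optionally weighted) T-tables, express each sum as a percentage
    of the maximum attainable (N-1) * sum(weights), label it, and sort.
    Ties are broken by the head-to-head result in the first (likelihood) pass;
    a tie that survives that keeps the original list order."""
    n = len(risks)
    weights = weights or [1] * len(passes)
    tallies = [tally(n, p) for p in passes]
    max_sum = (n - 1) * sum(weights)  # 57 for 20 risks and three unweighted passes
    sums = [sum(w * t[i] for w, t in zip(weights, tallies)) for i in range(n)]
    first = passes[0]
    rows = []
    for i in range(n):
        tied = [j for j in range(n) if j != i and sums[j] == sums[i]]
        wins = sum(first[(min(i, j), max(i, j))] == i for j in tied)
        rpn = round(100 * sums[i] / max_sum, 1)
        label = "High" if rpn >= high else "Medium" if rpn >= medium else "Low"
        rows.append((risks[i], sums[i], rpn, label, wins))
    rows.sort(key=lambda r: (-r[1], -r[4]))
    return [(name, s, rpn, label) for name, s, rpn, label, _ in rows]


if __name__ == "__main__":
    for row in rpn_table(RISKS, [LIKELIHOOD, COST, IMPACT]):
        print(row)
```

With the sample votes, Fire and Sabotage both sum to 6 of a possible 9; Sabotage was selected over Fire in the likelihood pass, so it is listed first.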
At the end of the process the risk analysis team has a prioritized finite list of risks. Each risk is assigned a label of “High,” “Medium,” or “Low.” While the risk analysis team could more quickly and with less effort get to a high-medium-low rating by using a subjective three by three square, this 90-10 process provides detailed support for the rating, an understanding of how the rating came to be, and displays the response to the relative questions of, “High, with respect to what? Medium, with respect to what? Low, with respect to what?” This process allows the team to look inside and interpolate the results. The RPN provides a method to observe how the risks cluster together or separate themselves from each other. The RPN feeds management an understandable number it can use to elect to address or accept a risk.
The power of this process lies within its flexibility. The end result is a risk analysis process that is relatively straightforward, easy to execute, and highly fruitful to the planning process. It is short, effective, focused, detailed, and accomplishable in one sitting.
For the past 16 years, Gary G. Wyne, CBCP, has been the business continuity planning coordinator for enterprise information services of Eli Lilly and Company, Indianapolis, Ind. He is a past president of Midwest Contingency Planners, Inc. and is currently a member of the DRII Certification Commission, chairing the recertification committee.