In the contemporary era, characterized by rapid changes and globally impactful events, the concept of risk management has become an essential pillar in corporate strategies.
Particularly, after the pandemic that redefined business paradigms, companies are increasingly aware of the need for a proactive approach to risk. Thus, in the light of new challenges and uncertainties, we observe a heightened interest in the field of risk management among companies from various sectors.
Moving forward, we will explore the theory in the field of risk management (emphasizing the critical role of the risk assessment) hoping that we will rise the importance of the fact that companies need to adjust their strategies to cope with contemporary challenges and include risk management at all the levels.
As it is evident that, nowadays, risk management is no longer merely a compliance obligation with regulatory norms but is becoming a key element of organizational performance and sustainability.
Risk management is a systematic process of identification, analysis and response to the project risks, process comprising the risk identification, risk quantification, risk response plan, risk response control sub processes. Depending on the author of the methodology, the name or the order of these sub processes is different. Thus, risk identification and risk quantification are sometimes taken together and are called risk assessment or risk analysis; the risk response plan is sometimes met under the name of risk mitigation plan; the risk response plan and the risk control plan are sometimes taken together under the name of risk management plan.
All the elements of the risk management cycle are important, but risk assessment is the headstone for all the other elements. There are two assessment models: the qualitative model and the quantitative model.
The qualitative risk analysis is a process of assessment of the impact of the identified risk factors. Through this process the priorities are determined to solve the potential risk factors, depending on the impact they could have. The definite characteristic of the qualitative model is the use of subjective indexes, such as ordinal hierarchy: low-medium-high, vital-critical-important, benchmark etc.
Through the quantitative risk analysis, it is sought to obtain some numerical results that express the probability of each risk factor and its consequences on the objectives of the project, but also the risk on the entire project level. The process uses techniques such as the Monte Carlo method for:
- determining the probability of reaching an objective.
- risk quantification on the entire project’s level and determining the additional cost that could be necessary.
- identifying risk factors through the quantification of their contribution to the risk index on the level of the entire project.
- identifying some realistic changes of cost and activity plan.
The most common formula for evaluating risk exposure is RE = P x L, where:
– RE = risk exposure
– P = risk probability
– L = loss
(note the fact that new approaches take into consideration another P = proximity).
In these analyses the fact that it is sometimes hard to estimate the exact value of this relation must also be considered. The recommendation in these situations is to use all known mathematical methods which could be useful in the situation, but without getting stuck in this type of analysis, and considering personal judgment also.
The term „quantitative risk analysis” implies generally the reliance on probability and statistics.
Still, some quantitative decisional methodologies based on risk, such as the game theory, does not require probability knowledge. As Yacov Haimes has mentioned in Risk Modeling, Assessment and Management [Haimes, Y., Y., 1998] here are a few examples of decisional criteria for administrating risk and uncertainty without requesting the involvement of probabilities: maximizing minimum gain (maximin), minimizing maximum loss (minimax or maximin criteria – the pessimistic rule), maximizing maximum gain (maximax – the optimistic rule). There is also a compromise rule: the Hurwitz rule. In this case an α (0 ≤ α ≤ 1) index appears in order to define the optimistic level of the decision maker.
As Hal Tipton and Micki Krause noted in Handbook of Information Security Management [Tipton, H. & Krause, M., 1998], whether we choose the quantitative assessment, whether we try a qualitative assessment, the elements that need to be considered (if we recall the „Divide et Impera” adage) are:
- tangible or intangible asset value (the value of these assets is determined, usually, in terms of cost required for replacing them)
- threat frequency (the threat defines an event whose would lead to an unwanted impact.) existence
- threat exposure factor (this factor represents a measure of the magnitude of loss or the impact on the value of an asset.)
- safeguard effectiveness (this term represents the degree to which a safeguard manages to effectively minimize a vulnerability and to reduce the risks of associated loss.)
- safeguard cost (safeguards are often described as controls or countermeasures and we can talk here about the practice of the cost/benefit analysis.)
- uncertainty (this term characterizes the degree, expressed in percentages of trust in the value of any element of the risk assessment process)
The elements presented before do, in truth, perform a risk assessment, but more through risk „behavior” (the exterior event with devastating potential, the financial damages it causes etc.). For this reason, we think that other elements can also be considered in risk assessment, such as:
- the professionalism of the assessment team / trust granted to the human factor;
- the time available to make the assessment;
- the moment of risk identification in the system’s life cycle (analysis, project, implementing, testing, effective functioning etc.);
- the necessary cost for assessment and adopting the risk response plan – acceptance, avoidance, mitigation or transfer;
- the PESTLE factors (political, economic, social, technological, legal, environmental).
We reveal on this opportunity another factor which should be considered in the assessment of risk generated by the human component – the psychological factor.
Not just abilities, skill (ability consolidated through habit) or intelligence (analytical, synthetic, pragmatic, and theoretical); but personality, character, creativity (when required), and temperament as well. Let us take for example temperament. Without going into such an analysis for the moment, we mention that temperament is a form of manifestation of personality under the aspect of energy, quickness, regularity, and intensity of the psychic processes. It is the dynamic side of personality with influence on the character. The temperament is influenced by aspects of genetics, experience, chemical substances in the body at a certain point. Closely connected with temperament is the attitude towards risk. Each person has a natural preference towards risk and by knowing a person’s preference towards risk (adverse / seeking / neutral), we can anticipate which choices they are going to make.
As a conclusion, if these elements are evaluated starting from a high-medium-low type criteria, the assessment will be qualitative. To the degree to which each of these elements is quantified into independent objective indexes such as the monetary value of replacing the value of the asset or the annual occurrence rate for the frequency of the threat, risk assessment becomes predominantly quantitative. If all the elements we have mentioned above (including the psychological factors we have referred to) are quantified through objective independent indexes, risk assessment is fully quantitative, undergoing a series of statistical analyses.
Valentin MAZAREANU
Group Compliance Expert, CREATEQ