RISK CRITERIA: RADIATION

Average exposure to ionizing radiation comes from natural sources (cosmic rays 8%, the earth's crust 8%, internal exposure 11%), from man-made sources (medical X-rays 11%, nuclear medicine 4%) and from other sources (<1%); the shares do not sum to 100% because radon, the largest single contributor, is not listed here. The effective dose is the sum of the equivalent doses in all tissues and organs, each weighted by the sensitivity of that tissue, and is used as a measure of the probability of stochastic consequences (such as cancer) from an exposure.

Radiation Poisoning Case Analysis

RISK CRITERIA: COMMUNICATIONS

The internet is a product of the "Information Revolution". Communications flow, without boundaries, from handheld devices to global networks; to cars, computers, and supercomputers. Quantum computers have the potential to break the public-key cryptography (RSA, Diffie-Hellman, elliptic curves) on which most of today's secure communications depend; symmetric ciphers and hash functions are weakened rather than broken, and post-quantum replacements exist. Organizations cannot ignore communications in their risk criteria.

Weapons of Deception

RISK CRITERIA: FREQUENCY

There has been a substantial increase in most measures of Atlantic hurricane activity since the early 1980s, the period during which high-quality satellite data are available. These include measures of intensity, frequency, and duration as well as the number of strongest (Category 4 and 5) storms, according to the National Climate Assessment.

RISK CRITERIA: SPECIFICITY

Sensitivity and specificity are the most widely used statistics for characterizing a test; combined with the prevalence of the condition, they give the probability of disease given a positive or negative result. In medical diagnosis, specificity is the ability of the test to correctly identify those without the disease (true negative rate), while sensitivity is the ability of the test to correctly identify those with the disease (true positive rate).
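The same arithmetic applies to any binary test, including an alert rule judged against confirmed incidents. The following Python is an added example (not part of the original page): it tallies a constructed, labelled sample into a confusion matrix, derives sensitivity and specificity, and then uses Bayes' rule to show how the probability of the condition given a positive result (positive predictive value) collapses when the same test is applied to a population with a much lower prevalence. The sample counts and the field prevalence are assumptions chosen for illustration.

```python
"""Sensitivity, specificity and predictive values from labelled test results.

Added example; it is not part of the original page. Each record in the
constructed sample below is (condition_present, test_positive): a diagnostic
test on patients, or equally an alert rule judged against confirmed incidents.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Counts:
    tp: int  # condition present, test positive
    fp: int  # condition absent, test positive
    tn: int  # condition absent, test negative
    fn: int  # condition present, test negative


def count(results):
    """Tally a confusion matrix from (condition_present, test_positive) pairs."""
    tp = fp = tn = fn = 0
    for present, positive in results:
        if present and positive:
            tp += 1
        elif present:
            fn += 1
        elif positive:
            fp += 1
        else:
            tn += 1
    return Counts(tp, fp, tn, fn)


def sensitivity(c):
    """True positive rate: share of those with the condition that the test flags."""
    return c.tp / (c.tp + c.fn)


def specificity(c):
    """True negative rate: share of those without the condition that the test clears."""
    return c.tn / (c.tn + c.fp)


def ppv(sens, spec, prevalence):
    """P(condition | positive) for a population with the given prevalence (Bayes)."""
    true_pos = sens * prevalence
    false_pos = (1.0 - spec) * (1.0 - prevalence)
    return true_pos / (true_pos + false_pos)


def npv(sens, spec, prevalence):
    """P(no condition | negative) for a population with the given prevalence."""
    true_neg = spec * (1.0 - prevalence)
    false_neg = (1.0 - sens) * prevalence
    return true_neg / (true_neg + false_neg)


# Constructed validation sample (assumption): 20 cases with the condition,
# 18 of them detected; 80 cases without it, 4 of them false alarms.
# Prevalence within this sample is therefore 20%.
SAMPLE = ([(True, True)] * 18 + [(True, False)] * 2
          + [(False, False)] * 76 + [(False, True)] * 4)


def summarize(results, field_prevalence):
    """Measure the test on a labelled sample, then project its predictive
    values onto a population whose prevalence differs from the sample's."""
    c = count(results)
    sens, spec = sensitivity(c), specificity(c)
    sample_prev = (c.tp + c.fn) / (c.tp + c.fp + c.tn + c.fn)
    return {
        "sensitivity": sens,
        "specificity": spec,
        "ppv_in_sample": ppv(sens, spec, sample_prev),
        "ppv_in_field": ppv(sens, spec, field_prevalence),
        "npv_in_field": npv(sens, spec, field_prevalence),
    }


if __name__ == "__main__":
    # Field prevalence of 0.1% is an assumption for the what-if projection.
    for name, value in summarize(SAMPLE, field_prevalence=0.001).items():
        print(f"{name:15s} {value:.4f}")
```

With 90% sensitivity and 95% specificity, a positive result in the 20%-prevalence sample is correct about 82% of the time, but in a population where the condition affects 0.1% of cases the same positive result is correct under 2% of the time. That is the base-rate effect a risk criterion built on "specificity" alone will miss, and it is why the prevalence must be part of the criterion.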

Abstract

The Risk Management Software market continues to move toward forward-looking risk assessments that aim to resolve the uncertainties inherent in all business activities. To ensure that uncertainties are understood and managed effectively, our customers seek to define risk criteria that reflect a range of possible scenarios. Multiple risk assessment criteria and the ability to define scenarios feature in most customer case studies. We see customers more frequently requiring the ability to define iterative risk assessment processes, in which risk managers reconsider the risk criteria whenever circumstances change and use the resulting risk information for capital allocation decisions.

We see a trend in our customers' risk assessment processes to include multiple consequence dimensions, quantitative and qualitative calculations, scenario analysis and risk treatment efficiency calculations.

We empower our users with the tools to quantify potential future outcomes for what-if analysis of treatment options, and use these outcomes in their business cases for budgeting purposes.

Customer Risk Criteria

  • Financial 100%
  • Operational 90%
  • Health and Safety 75%
  • Environmental 75%
  • Trend 50%
  • Control Effectiveness 50%
  • Schedule 10%
  • Quality 10%
  • Communications 10%

The Standard

ISO 31000 explains that risk criteria should be tailored to the organization, and to the context of each risk management practice and process. Risk criteria may include qualitative and quantitative dimensions, and therefore may include information that varies between organizational levels, domains and practices.

  • Risk is the effect of uncertainty on objectives, ISO 31000:2009
  • Objectives can be of any type, any measure
  • Risk criteria are the terms in which significance of risk is expressed
  • Level of Risk is the magnitude of a risk, or combination of risks, expressed in terms of the combination of consequences and their likelihood

ISO 31000 Risk Management Process

Source: International Organization for Standardization

The Model

Risk assessment can use any qualitative or quantitative criteria, including frequencies of events or probabilities of outcomes. Scenarios can be developed and used for what-if analysis, and can be calculated if the criteria are expressed in quantitative terms. Weighing scenarios against each other forms part of the risk evaluation and risk treatment steps and may span all practices and processes that manage risk. Each of these practices or processes may have risk criteria defined in qualitative and/or quantitative terms, which should be kept in mind when communicating about risk with stakeholders who are not familiar with those terms. The most effective way to communicate risk to a broad stakeholder group appears to be in quantitative terms.

Risk-Informed Decision Making

Sources: Adapted from ISO 31000 and NASA, Risk-Informed Decision Making Handbook

The Matrix Question

Level of Risk

Level of Risk is the magnitude of a risk, or combination of risks, expressed in terms of the combination of consequences and their likelihood

ISO 31000 Definition

The ISO 31000 definition implies that the level of risk is expressed in quantitative terms: each consequence has to be considered together with its likelihood, and a consequence cannot be compared with another consequence expressed in different criteria unless both are reduced to a common measure.

Matrix Dilemma

Even if risk criteria were accurately defined in completely qualitative terms, the traditional risk matrix is limited to its two dimensions (likelihood and consequence). Qualitative risk assessment therefore cannot factor in all the risk criteria needed to make informed decisions.

The Data Answer

Quantitative data does not necessarily mean currency, but it is likely the most direct criterion for communicating risk to a variety of stakeholders.

Quantitative data may include any risk criteria, and any unit of measure, usually directly related to how objectives and targets are expressed and measured.


Quantitative units of measure can be converted to a single unit (such as currency) for comparison and to weigh up alternatives.

Quantitative data provides the basis for comparing effectiveness against efficiency when weighing up alternatives in the risk-informed decision making process.
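The following Python is an added example that is not the page's own model or the author's software; it puts the two points above into working form: scenarios whose consequences are stated in several units of measure (the scenario analysis described under The Model) are converted to currency through per-unit rates, expected annual loss is calculated as likelihood times consequence, and candidate treatments are then compared by effectiveness (absolute reduction in expected loss) and by efficiency (reduction per unit of treatment cost). The scenarios, conversion rates, treatments and their effects are all constructed assumptions for illustration.

```python
"""What-if comparison of risk treatments on a common (currency) scale.

Added example; not part of the original page or the author's product.
Every number below is an assumption constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed conversion of each consequence dimension into currency, one rate
# per unit of measure, as the organization would set it.
RATES = {
    "currency": 1.0,
    "downtime_hours": 5_000.0,
    "lost_time_injuries": 250_000.0,
}


@dataclass
class Scenario:
    name: str
    likelihood: float    # expected events per year
    consequences: dict   # unit of measure -> magnitude per event

    def expected_loss(self, rates=RATES):
        """Annual expected loss: likelihood times per-event consequence in currency."""
        per_event = sum(rates[unit] * size for unit, size in self.consequences.items())
        return self.likelihood * per_event


@dataclass
class Treatment:
    name: str
    cost: float                                  # annual cost of the treatment
    applies_to: Optional[frozenset] = None       # scenario names, or None for all
    likelihood_factor: float = 1.0               # multiplies likelihood
    consequence_factors: dict = field(default_factory=dict)  # unit -> multiplier

    def apply(self, scenario):
        """Return the residual scenario after this treatment (original is untouched)."""
        if self.applies_to is not None and scenario.name not in self.applies_to:
            return scenario
        consequences = {unit: size * self.consequence_factors.get(unit, 1.0)
                        for unit, size in scenario.consequences.items()}
        return Scenario(scenario.name, scenario.likelihood * self.likelihood_factor,
                        consequences)


def evaluate(scenarios, treatment, rates=RATES):
    """Effectiveness (reduction), efficiency (reduction per cost) and net benefit."""
    before = sum(s.expected_loss(rates) for s in scenarios)
    after = sum(treatment.apply(s).expected_loss(rates) for s in scenarios)
    reduction = before - after
    efficiency = reduction / treatment.cost if treatment.cost > 0 else float("inf")
    return {"treatment": treatment.name, "cost": treatment.cost, "residual": after,
            "reduction": reduction, "efficiency": efficiency,
            "net_benefit": reduction - treatment.cost}


def rank(scenarios, treatments, key):
    """Treatment names ordered best-first by the chosen criterion."""
    rows = [evaluate(scenarios, t) for t in treatments]
    return [r["treatment"] for r in sorted(rows, key=lambda r: r[key], reverse=True)]


# Constructed scenarios and treatments (assumptions).
SCENARIOS = [
    Scenario("Ransomware outage", 0.2, {"downtime_hours": 48, "currency": 100_000}),
    Scenario("Data centre fire", 0.02, {"downtime_hours": 240, "lost_time_injuries": 1,
                                        "currency": 500_000}),
]
TREATMENTS = [
    Treatment("Offline backups", 30_000, consequence_factors={"downtime_hours": 0.25}),
    Treatment("EDR rollout", 80_000, applies_to=frozenset({"Ransomware outage"}),
              likelihood_factor=0.25),
    Treatment("Fire suppression upgrade", 10_000, applies_to=frozenset({"Data centre fire"}),
              likelihood_factor=0.5, consequence_factors={"lost_time_injuries": 0.0}),
]

if __name__ == "__main__":
    for t in TREATMENTS:
        print(evaluate(SCENARIOS, t))
    print("by effectiveness:", rank(SCENARIOS, TREATMENTS, "reduction"))
    print("by efficiency:   ", rank(SCENARIOS, TREATMENTS, "efficiency"))
```

With these assumptions the untreated expected loss is 107,000 per year. Offline backups remove the most risk (54,000), but the fire suppression upgrade removes the most risk per unit of cost (2.2 to 1 against 1.8 to 1), and the EDR rollout costs more than the risk it removes. The two rankings differ, which is exactly the effectiveness-versus-efficiency comparison a single-unit quantitative model makes visible and a qualitative matrix cannot.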

THE CONCLUSION

Quantitative data provides us with a basis of evaluating what we bought vs what we got in terms that a wider audience can understand, interpret and act upon.

Risk Criteria

Risk Management Insights for Managers

By Johannes Swanepoel