Estimating and prioritizing risks is a time-consuming process. Furthermore, the results of risk estimation and prioritization don’t often inspire a great deal of confidence in the process. It’s not a perfect process and it will probably never be. We’re not perfect and nothing we ever make will ever be.
Still, we seem to be doing a much better job of judging risk than we did centuries ago. With the advent of “big data” in every line of business, plus the ongoing increase in computing power and increasing sophistication of applications, designers, and users, it stands to reason we’ll be even better at assessing and managing risk a generation or more from now.
Today, we’re going to look at the basics of estimating and prioritizing risks. We’re going to look at:
- What is risk estimation and how do you estimate risk?
- What is risk prioritization and how do you prioritize risk?
- What is the next step in the risk management process?
Risk estimation is taking what knowledge you have about a risk and trying to quantify it so you can fairly and reasonably compare it to other risks. Obviously, not all risks are alike. The risk of my house burning down due to faulty wiring is considerably greater than the risk of my basement flooding due to a storm surge, considering I live hundreds of miles north of the Gulf of Mexico and about 500 feet above sea level.
Considering that risk is essentially a function of:
- The likelihood that a threat will materialize,
- The impact that threat could have (on a business, a geographical area, infrastructure, etc.), and
- Our ability to detect the threat before it causes harm,
I can estimate some risks without performing a detailed analysis. In this example, I sense that I should concentrate on controlling the risk of fire and not concern myself as much with storm surges. The likelihood of a house fire in my neighborhood is considerably greater than the likelihood of a storm surge.
A storm surge would have a much greater impact on the area where I live…if it were ever to happen. It seems reasonable to believe that we’re much more susceptible to house fires – whatever their cause – than to storm surges. In the local news, you will see a story about one or more house fires happening every week. A storm surge? Not in recorded history, at least.
In business, it isn’t so easy to tell what risks your organization should be most concerned about and which risks you should attempt to control. Yes, a few external risks are easy to recognize, but most internal and external risks are insidious and the differences between them are subtle. Sometimes, the naked eye is adequate but at other times, you need a magnifying glass or even an electron microscope.
There are several readily-available tools that can help us spot some of the hard-to-discern differences between various risks we face, like the risk matrix and failure mode effects analysis, or FMEA. They’re not perfect tools but they’re immeasurably better than blind guessing.
Using a tool like the risk matrix or FMEA correctly allows you to determine which risks should be your greatest concern – which risks you need to address first, second, and so on. FMEA, in particular, helps you prioritize risks when they’re “like apples and oranges” – when they don’t have much in common – or when your initial perception is that every risk is important and they all have to be taken care of as soon as possible.
You have finite resources; you can’t possibly deal with every risk you’ll face all at once. You have to prioritize risks and address them sequentially. In addition, once you’ve addressed a priority risk – once you’ve gotten it under control – doesn’t mean your concern for it goes away.
Risk management is like every other process. You regularly revisit risks, to determine if they are again a priority and to refine your methods of control.
The Next Step
In our next installment, we’ll look at risk control. Until then, if you have questions about this article or you’re a small company looking for risk management advice, send me an email and let’s get the conversation started.
 Yes, even artificial intelligence, I’m afraid.
 In the St. Louis, Missouri, metropolitan area
 Weather-related risks, such as hurricanes, tornadoes, or flash flooding, have historically been easy to predict. That’s why you must read Reference #1.
- Gail, William B., “A New Dark Age Looms”, New York Times, 19 April 2016 – http://www.nytimes.com/2016/04/19/opinion/a-new-dark-age-looms.html
- Flick, Stephen M., “Nine of the Biggest Risks Your Company Faces”, Q9C Consulting blog, 27 November 2012 – https://q9cqualityconsulting.com/2012/11/27/9-of-the-biggest-risks-your-business-faces/