There are several ways in which risks can be dealt with depending on the circumstances and individual or corporate risk appetite. Risk can be defined in terms of:
- Severity – the consequences of an event taking place
- Probability – the likelihood of an event taking place
- Risk = Severity x Probability – high probability and high severity equates to a high-risk, low probability and low severity equates to a low-risk event, and there are varying degrees of risk on a sliding scale between the two ends of the spectrum.
It is also important to note the difference between Perceived Risk and Actual Risk:
- Actual Risk – quantifiable and based on objective data. E.g. according to the Department of Transport, there were 1784 deaths, 25,511 serious injuries and 160,597 casualties of all severities from road traffic accidents in the United Kingdom in 2018. Very few of these were reported in the media.
- Perceived Risk – determined by individual perception and influenced by other factors such as news headlines. Dutch aviation consulting firm To70 reported on 534 deaths in 2018 from passenger airline crashes. Almost every aeroplane crash becomes headline news, even in cases where there are no fatalities.
The perceived risk is that it is more dangerous to travel by passenger jet than to travel by car. However, the reverse is true when considering the actual risk. Statistically, it is far more dangerous to travel by car. A similar analysis shows that parachuting is statistically safer than crossing the road, whereas individual perception of the idea of jumping from a plane tells a different story.
The distinction is important when it comes to managing risk, to ensure that actions and investment are proportionate to the risk. Individuals and organisations often need to prioritise risks due to the availability of resources, and consequently investing in a perceived risk instead of dealing with an actual risk can be catastrophic. The reverse can also be true: in cases where perceived risk influences a consumer’s decision to buy, huge financial losses can be incurred even if the actual risks are minuscule.
The main approaches to dealing with risk are:
- Risk Avoidance
- Risk Mitigation
- Risk Acceptance
- Risk Transfer
Risk avoidance is about implementing alternative plans and solutions to circumvent the events which carry risk. With no possibility of an event taking place, it doesn’t matter how severe the consequences are because in the ‘Severity x Probability’ formula, the Risk becomes ZERO. It is of course possible that implementing alternatives may introduce different risks which need to be assessed, but that is another story.
Risk acceptance is about accepting that the event will at some point take place, and accepting responsibility for the consequences when it does take place. The ‘Severity x Probability’ calculation will help determine the appropriateness of accepting the risk. It is also necessary to consider:
- The legality of accepting the risk
- Does the person accepting the risk have the authority to do so?
- Is the cost of risk mitigation proportionate to risk?
- Is it sensible to accept the risk?
Risks are accepted for all sorts of reasons including:
- Too expensive compared to the benefit
- Insufficient finance to mitigate the risk
- Insufficient human resources or skills to mitigate the risk
- Mitigating the risk is lower priority than other risks
- Plans in place to mitigate risks at a later date
Keeping evidence of what analysis has been undertaken is essential along with conclusions reached and decisions made.
Risk Mitigation is about:
- Reducing the probability of an event taking place
- Reducing the severity of an event when it does take place
The cost of mitigation should be proportionate to the risk of not taking action.
Risk Transfer is the reduction of risk by transferring it to someone else or to another company:
- An insurance policy – taking out a policy essentially transfers some of the risk to the insurance company. Insurance policy terms and conditions will determine the level of risk transferred.
- Project Contractual Terms – engaging with 3rd parties to deliver projects or run services often includes terms and conditions of business which transfer risk from one party to another.
The transfer of risk should only be considered or accepted if the party taking on the risk has the opportunity or means of reducing the risk in a reasonable way, either on an ongoing basis or through sufficient evaluation ahead of transferring risk. Risk Transfer is essentially about paying someone else to take the risk, so it is crucial to make sure that the 3rd party has the capability to accept the risk, and for the 3rd party to receive sufficient reward to justify acceptance of the risk.
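The scoring, prioritisation and four treatments described above can be put into a small risk register. The following is an added example written for this page, not code from the article or its author: it scores each risk as Severity x Probability on an assumed 1..5 scale, ranks the register, models each treatment's effect on the residual score (avoidance zeroes the probability, mitigation lowers one or both factors, transfer leaves only the retained severity, acceptance needs an approver with sufficient authority), and refuses any decision recorded without a rationale. The risks, scores, approver roles and authority limits are all constructed for illustration.

```python
"""Added example: a minimal risk register that scores each risk as
Severity x Probability, ranks it, and records each treatment decision with
its rationale and approver.  All risks, scores and authority limits are
constructed for illustration and are not taken from the article."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

SCALE = range(1, 6)  # assumed 1..5 ordinal scale for both factors


class Treatment(Enum):
    AVOID = "avoid"        # remove the event entirely: probability becomes 0
    MITIGATE = "mitigate"  # reduce probability and/or severity
    ACCEPT = "accept"      # keep the risk, with an authorised sign-off
    TRANSFER = "transfer"  # insurance/contract carries part of the severity


@dataclass(frozen=True)
class Risk:
    name: str
    severity: int     # consequence if the event happens
    probability: int  # likelihood of the event happening

    def __post_init__(self):
        if self.severity not in SCALE or self.probability not in SCALE:
            raise ValueError(f"{self.name}: severity and probability must be 1..5")

    @property
    def score(self) -> int:
        return self.severity * self.probability


@dataclass(frozen=True)
class Decision:
    risk: Risk
    treatment: Treatment
    residual_severity: int
    residual_probability: int
    rationale: str  # the evidence trail the article says must be kept
    approver: str

    @property
    def residual_score(self) -> int:
        return self.residual_severity * self.residual_probability


# Assumed authority model: the highest raw score each role may accept.
ACCEPTANCE_AUTHORITY = {"team-lead": 6, "ciso": 15, "board": 25}


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest Severity x Probability first, for prioritising limited resources."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def treat(risk: Risk, treatment: Treatment, approver: str, rationale: str,
          residual_severity: Optional[int] = None,
          residual_probability: Optional[int] = None) -> Decision:
    """Apply one treatment and return the recorded decision with its residual risk."""
    if not rationale.strip():
        raise ValueError("a decision without a recorded rationale is not evidence")
    sev, prob = risk.severity, risk.probability
    if treatment is Treatment.AVOID:
        prob = 0  # no event, so Severity x 0 = 0 whatever the severity
    elif treatment is Treatment.MITIGATE:
        sev = residual_severity if residual_severity is not None else sev
        prob = residual_probability if residual_probability is not None else prob
        if sev * prob >= risk.score:
            raise ValueError("a mitigation that does not lower the score is not a mitigation")
    elif treatment is Treatment.TRANSFER:
        if residual_severity is None:
            raise ValueError("transfer must state the severity retained (e.g. an insurance excess)")
        sev = residual_severity  # probability is unchanged; only the consequence moves
    elif treatment is Treatment.ACCEPT:
        limit = ACCEPTANCE_AUTHORITY.get(approver)
        if limit is None or risk.score > limit:
            raise PermissionError(f"{approver!r} lacks authority to accept a risk scoring {risk.score}")
    if sev not in SCALE or prob not in range(0, 6):
        raise ValueError("residual values must stay on the 1..5 scale (probability may be 0)")
    return Decision(risk, treatment, sev, prob, rationale, approver)


def demo_register() -> List[Decision]:
    """Constructed register, worked through in priority order."""
    register = [
        Risk("office flood damages on-site servers", severity=3, probability=1),
        Risk("unpatched internet-facing VPN appliance", severity=5, probability=4),
        Risk("theft of laptop with full-disk encryption", severity=2, probability=3),
        Risk("legacy FTP server used for partner uploads", severity=4, probability=3),
    ]
    plan = {  # treatment, approver, rationale, residual figures (all constructed)
        "unpatched internet-facing VPN appliance": (Treatment.MITIGATE, "ciso",
            "vendor patch applied; admin interface no longer internet-facing", {"residual_probability": 1}),
        "legacy FTP server used for partner uploads": (Treatment.AVOID, "ciso",
            "service decommissioned; partners moved to the existing SFTP gateway", {}),
        "theft of laptop with full-disk encryption": (Treatment.ACCEPT, "team-lead",
            "disk encryption already limits the consequence; further controls cost more than they save", {}),
        "office flood damages on-site servers": (Treatment.TRANSFER, "ciso",
            "covered by property insurance; the excess is the retained severity", {"residual_severity": 1}),
    }
    return [treat(r, *plan[r.name][:3], **plan[r.name][3]) for r in rank(register)]
```

Running `demo_register()` walks the register from the highest raw score (20) to the lowest (3) and yields residual scores of 5, 0, 6 and 1. The authority check deliberately fails if the team lead tries to accept the score-12 FTP risk, which is the "does the person have the authority?" question from the acceptance list turned into an enforced control rather than a reminder.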
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.