Part 3 of 3 — The implementation framework
3 October 2024
Continuing with the thought experiment in Parts 1 & 2 from the archaeological past (for those of you late to the party, read Part 1 and Part 2 first), it's time to bring this trilogy to a conclusion before those who are waiting with bated breath actually run out of same.
In Parts 1 and 2 of this discussion, we explored the fundamentals of risk assessment through the traditional two-dimensional matrix, which evaluates risks based on likelihood (or probability) and severity (or consequence). We also recognised (or at least I postulated convincingly) that while this approach is useful for evaluating individual risks, it is not sufficient for understanding the Whole of Organisation risk, especially when considering operational activities that occur with varying frequency.
To truly grasp the aggregate risk across an entire organisation, frequency must be considered in the risk calculus, extending the risk matrix into the third dimension. This extension offers decision-makers a clearer picture of risk exposure over time and across repeated operations. In this final instalment, we'll delve into how this three-dimensional risk matrix can be conceptualised and subsequently translated into a practical decision-support tool or methodology.
Without being in any way disrespectful to freighter pilots (one of my closest friends actually was one but he's recovered nicely), it's reasonable to assume that the reputational damage and financial downside for an airline would be more severely negative if there were to be irreparable damage to 436 passengers (plus crew of 12), compared to 60,000 blankets (plus crew of two). Using an imperfect yardstick but one that translates directly to the bottom line, those practising the actuarial arts are certainly supportive of this assumption. Insurance premiums are generally higher when covering people rather than boxes. And although the insurance brokers and underwriters are loath to admit it in public, there is a fairly simple numerical determination of likely payout calculated when determining the risk cover needed for any airline operation. People matter (unless they are multiplied by the speed of light squared, then they're energy!).
So, to continue our comparative thought experiment, let's consider the idea that even when two operations have the same risk rating based on probability and consequence, their overall risk exposure differs greatly depending on how frequently the operation occurs. A once-a-year operation may pose minimal cumulative risk, whereas a high-frequency operation — executed multiple times per day — magnifies the same individual risk into a much larger organisational concern.
Here, we move beyond the idea of simply "considering frequency" and explore how to incorporate it as an essential, quantifiable dimension within the risk rating. Doing so gives decision-makers and, possibly independently, those responsible the insight they need to gauge whether aggregate risks fall within the organisation's acceptable bounds, and to adjust strategies and allocate resources for mitigation accordingly.
To operationalise frequency as a third dimension in risk assessment, we need to define and measure it in a way that aligns with organisational needs. Frequency could refer to the number of occurrences within:
For example, in aviation, this could mean how many times a particular flight route is flown within a year. In healthcare, it could refer to how often a particular surgical procedure is performed. In finance, it might be the number of investments of a particular risk profile made per quarter. In cyber security, it might be the number or source of API calls made to a critical database.
Understanding the temporal component of risk allows executives to monitor not just single occurrences but trends over time. This data can be used to answer critical questions, such as:
The key insight gained by introducing frequency is that it assists in quantifying total systemic risk rather than a simple single-event view. A once-a-year event rated as "moderate" presents much less overall systemic exposure than an event rated the same but repeated thousands of times annually.
To quantify this, we can introduce a frequency multiplier into the existing risk determination. In its simplest form, the frequency multiplier could be expressed as:
Cumulative Event Risk = Risk Rating × Frequency of Occurrence
Where:
This formula allows risk owners to see the cumulative risk rather than viewing event risks in isolation. A risk that may appear tolerable on a per-event basis can suddenly become intolerable when its frequency is factored in. For instance:
Assuming that you are now convinced of the need for frequency to be part of the equation, how can we build a practical decision-support tool or methodology around this concept?
Step 1: Identify Core Risk Categories. Identify the primary risks and determine their existing probability and consequence values using the traditional risk matrix.
Step 2: Introduce Frequency into Risk Calculations. Collect data on how often each operation occurs, tracked weekly, monthly, quarterly, or yearly, and use it to create a dynamic cumulative risk profile.
Step 3: Build Visualisation Tools. These include Heat Maps (layered by frequency band, with colours for the cumulative risk score), Dynamic Dashboards (with a What-If capability to vary frequency and see the impact), and Risk Tables with Frequency Columns (sortable by frequency, not just by individual event rating).
Step 4: Enable Real-Time Monitoring and Updates. Risk management is dynamic, so the tool must support near real-time updates, with automated systems feeding data into the dashboard. "Note to self: any dashboard that requires manual updating is in fact a source of systemic risk itself."
Step 5: Factor Frequency into Risk Mitigation Strategies. Use the frequency insight to guide mitigation. High-frequency operations that contribute a disproportionate share of total risk get focused attention, while infrequent but severe risks need different strategies.
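Steps 1 to 5 carried through in Python, as an added example that is not from the original article. The register entries, the 1-5 scales, likelihood × consequence as the per-event rating, and the appetite threshold are all assumptions made for illustration; only the Rating × Frequency formula comes from the text above.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Operation:
    name: str
    likelihood: int    # 1-5 scale (assumed)
    consequence: int   # 1-5 scale (assumed)
    per_year: int      # frequency of occurrence, normalised to one year

    @property
    def rating(self) -> int:
        # Per-event rating; likelihood x consequence is an assumed convention.
        return self.likelihood * self.consequence

    @property
    def cumulative(self) -> int:
        # The article's formula: Risk Rating x Frequency of Occurrence.
        return self.rating * self.per_year

# Constructed register for illustration, not real data.
REGISTER = [
    Operation("Annual DR failover test", 3, 4, 1),
    Operation("Quarterly firewall rule change", 2, 4, 4),
    Operation("Partner API call to critical DB", 1, 3, 50_000),
    Operation("Weekly privileged DB maintenance", 2, 5, 52),
]

def profile(register, appetite):
    """Rank by cumulative risk; report share of total and appetite breaches."""
    total = sum(op.cumulative for op in register)
    rows = []
    for op in sorted(register, key=lambda o: o.cumulative, reverse=True):
        rows.append({
            "name": op.name,
            "rating": op.rating,
            "cumulative": op.cumulative,
            "share": round(op.cumulative / total, 4),
            "over_appetite": op.cumulative > appetite,  # appetite is assumed
        })
    return rows

def what_if(register, name, per_year):
    """Return a copy of the register with one operation's frequency changed."""
    return [replace(op, per_year=per_year) if op.name == name else op
            for op in register]

if __name__ == "__main__":
    for row in profile(REGISTER, appetite=1_000):
        print(row)
```

In this constructed register the operation with the lowest per-event rating carries almost all of the cumulative risk, and `what_if` shows how far its frequency would have to fall to bring it back under the assumed appetite.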
Integrating frequency into the risk assessment process marks a significant advance in organisational risk management. This shift allows executives to assess not only whether individual risks are tolerable, but also how those risks accumulate across the organisation over time and what they do to the surface of the three-dimensional cumulative risk curve.
Considering frequency of action provides the means to answer critical questions about operational risk, to allocate resources optimally, and to ensure that risk levels remain within the limits of the accepted risk appetite.
Stand by for the next exciting instalment, which will investigate the inherent and immutable limitations of risk assessment, the flapping of the butterfly's wings and the inanity of Root Cause analysis. Yes, I'm aware that a trilogy in four parts is problematic, so let me leave you with a distracting thought:
There are two types of people in the world: those who can extrapolate from incomplete data.
If three-dimensional risk classification is relevant to your organisation, I'd welcome the conversation.