Risk Scoring – Getting it as Right as Possible!
Risk Scoring helps us to understand the significance of a risk by calculating a score for each risk. This facilitates the objective ranking of risks based on a numeric score and is helpful when it comes to deciding which risks need to be prioritised in the risk management process. This is important as the more significant the risk, the greater the need to do something about it.
How To Calculate A Risk Assessment Score
We look at a risk from two perspectives – its impact and likelihood. Risk scoring typically involves a scale of 1 to 5 for impact and a similar scale for likelihood. For both scales, 1 is the lowest impact or likelihood and 5 is the highest. The risk score is simply the product of the scores for impact and likelihood. For example, a risk with scores of 3 and 4 for impact and likelihood respectively will have a risk score of 12. With scores calculated in this manner, we can easily compare different risks in terms of their significance.
A challenge for risk scoring is its inherent subjectivity. While the use of scoring can give a veneer of objectivity to the risk matrix, it should be remembered that the scores assigned to impact and likelihood are essentially a subjective assessment based on the scorer’s experience and knowledge. Everyone has inherent biases and attitudes to risk management that are part of our make-up. These are reflected in how we score risks whether we realise it or not!
Minimising Subjectivity In Risk Assessment
To be effective and to minimise subjectivity, it is important to have clear definitions of what the values on the scale represent. For impact, definitions for each score should be provided across a range of different areas, e.g. reputation, financial, environment, health & safety, operations, legal & regulatory and further areas relevant to the organisation. Examples of financial impacts could be 1 = loss of less than €1,000, 2 = loss between €1,000 and €10,000 and so on. The score for the area where the risk has the highest impact should always be used. For example, a small fine for a regulatory breach may have a much higher reputational impact than financial impact. In this case, the score attributed should be for the impact on the organisation’s reputation rather than the financial loss it could incur.
For likelihood, the definitions for each score will be statements like ‘once every ten years’ which give some indication of how frequently the risk may occur. However, unlike impact, where the quantum of the impact may often be known, estimating likelihood is very much a forecasting exercise using past experience as a guide and also drawing on current knowledge. For example, if we were to rely only on past experience, we would be quite poor in estimating the likelihood of damaging storms occurring without taking into account the known changes in climate.
To help further minimise subjectivity, it makes sense to involve others. A cross-section of views with different perspectives will help reduce individual biases. Hence, workshops are popular when analysing risks and they also help to increase the understanding of risks. This can help to embed a good risk management culture in the organisation.
A written rationale for the scores assigned can also help reduce subjectivity. When a rationale for a score is written down, it is usually more considered than just an ‘off-the-cuff’ opinion. Others can carry out a review to judge whether it is reasonable or not. Furthermore, it can be reviewed in the future to see if the same basis for the scoring still exists or if circumstances have changed which would cause different scores to be assigned.
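The scoring rules described above, put together as a small risk register. This is an added example, not part of the original article: the register entries are constructed, and breaking ties on the higher impact score is an assumption, since the article does not say how to order equal scores.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = lowest, 5 = highest, for both impact and likelihood


@dataclass
class Risk:
    name: str
    impacts: dict    # impact area -> score, e.g. {"financial": 1, "reputation": 4}
    likelihood: int
    rationale: str   # written justification for the scores, kept for later review

    def __post_init__(self):
        if not self.impacts:
            raise ValueError(f"{self.name}: at least one impact area must be scored")
        for label, value in {**self.impacts, "likelihood": self.likelihood}.items():
            if value not in SCALE:
                raise ValueError(f"{self.name}: {label}={value} is outside the 1-5 scale")
        if not self.rationale.strip():
            raise ValueError(f"{self.name}: a written rationale is required")

    @property
    def driving_area(self):
        # The area where the risk has its highest impact.
        return max(self.impacts, key=self.impacts.get)

    @property
    def impact(self):
        # Always use the highest impact across all scored areas.
        return self.impacts[self.driving_area]

    @property
    def score(self):
        return self.impact * self.likelihood


def rank(risks):
    # Highest score first; equal scores ordered by impact (assumed tie-break).
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


# Constructed sample register.
REGISTER = [
    Risk("Storm damage to premises", {"financial": 3, "operations": 4}, 2,
         "Past incidents plus known climate trend."),
    Risk("Supplier outage", {"financial": 2, "operations": 3}, 4,
         "Two outages in the last three years."),
    Risk("Regulatory breach, small fine", {"financial": 1, "reputation": 4}, 3,
         "Fine is minor; press coverage would not be."),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score:>2}  {r.name} (impact {r.impact} via {r.driving_area})")
```

The regulatory breach is scored on its reputational impact of 4 rather than its financial impact of 1, which is what moves it to the top of the ranking.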
Overall, risk management scoring is a valuable tool that helps us to understand the significance of a risk and decide where best we should allocate resources to managing the risks facing the organisation.