I am frequently asked if you can “aggregate” multiple risks together so that you can identify which strategic objective, product, business process, operating unit, or other framework element has the greatest risk. The quick and dirty answer is no, you can’t aggregate multiple risks together into one overall risk score unless the risks are related. And in most, but not all cases, risks rolling up through an organization are not going to be related.
As an example, let’s say we run a subscription on-line publishing website. Our revenue stream is dependent on our providing quality content to our customers on a timely basis and in a format that is appealing and user friendly. Examples of risk we face in achieving our objective include:
- Business interruption due to a natural or man-made disaster
- Litigation from publishing content that violates a third party’s copyright or slanders a prominent person
- The employee handling customer subscription payments commits fraud and diverts payments for their own personal use
- Our most popular columnists jump ship to competitors due to sweetheart offers that we can’t match and we are unable to find comparable writers in the market to replace them
- The internet service provider on which we host our website goes out of business due to financial problems
- Customer demand for our product shifts because of a general economic downturn and subscription volume materially declines
None of these risks are related. A business interruption from a hurricane will not result in a copyright violation nor will an employee stealing customer subscription payments affect columnists being bid away from us by competitors. So, to “add up” all of these risks would be misleading as there is no covariance between the risks.
The next question always is, but we have multiple objectives, products, business processes, and operating units and each of these have multiple risks assigned to them. How can we tell which one has the greatest overall risk if we can’t aggregate the individual risks?
This example is a Business Unit record titled “Alberta”.
The risk scale is depicted as follows:
There are 14 risks associated with Alberta. From the Risk Scorecard portion of the record you can see that 6 of the risks have a High Inherent Risk, 6 a Medium Inherent Risk, 1 a Medium Inherent Risk, and 1 a Medium Low Inherent Risk. There are 3 basic ways of depicting overall risk for the business unit: (1) Scorecard sum; (2) Average; and (3) Maximum.
The calculations are as follows:
Scorecard sum of Inherent Risk = (6*5)+(6*4)+(1*3)+(1*2)+(0*1) = 59
Average Inherent Risk = Scorecard sum of Inherent Risk/14 = 4.21 or Orange
Maximum Inherent Risk = 5 or Red. Which means there is at least 1 risk associated with the Alberta business unit that has an inherent risk score of 5.
The Maximum scoring method provides the most useful information for risk management. Because it tells you the highest values of risk that are associated with the business unit, you are able to immediately determine whether the business unit’s risk exceeds your operating tolerance. If your organization does not accept any risk over “Medium”, you know that you must respond to every risk above that level.
The Scorecard sum and Average methods produce much less meaningful information and may in fact obfuscate critical risks that should be addressed. If there is 1 High risk and 9 low risks associated with Alberta, then the sum is only 14 and the average is 1.4! Not very helpful from a risk practitioner’s perspective.
Finally, if the purpose behind your desire to aggregate risk is to determine which business units you should focus on the most, you should consider adding up the count of those risks that exceed your risk tolerance. In this example, there are 6 High Inherent Risks + 6 Medium High Inherent Risks. This business unit’s risk should be addressed before business units with 11 or fewer High and Medium High risks.
Now for the caveats. The examples above utilize qualitative scales. Qualitative scales are themselves inherently flawed when it comes to conversations about aggregate risk. When using qualitative scales, it is very difficult to say how much are 2 High risks? How high is a High risk? Or, do 2 Mediums make a High? This is a primary motivation for trying to monetize rating scales. The other caveat is that some risks ARE related to one another and do have a covariance. We will save these topics for a later day.