Choosing A Risk Model

One of the methods to understand and manage risks is to develop models of them. Models are a useful tool in science and engineering because they allow us to describe the physical world and to create predictions. Some models are more accurate than others. In other words, some models are a more accurate representation of observations than others and make better (more accurate) predictions. We will examine two models of risk which are the Standard Risk Model and the Simple Risk Model. We will identify a risk using the Standard Risk Model and show how and why the Simple Risk Model is insufficient for modeling it.

risk1a
Figure 1. The standard risk model and the simple risk model.

Standard Risk Model
The Standard Risk Model is illustrated in Figure 1. Note how it has separate probability of risk, Pe, and probability of impact, Pi. This ability to separate out these probabilities can be important for some risk modeling. Also, the risk event drivers and impact drivers are separately considered. The major feature of the Standard Risk Model is that the probabilities of risk event and impact and their associated drivers are separately considered.

Simple Risk Model
The simple risk model is also illustrated in Figure 1. Note how the probability of the risk event and the probability of impact are combined. The risk event and impact drivers are also combined. This is certainly a simpler model to be sure, but it comes at the price of less flexibility in modeling risks. Although this model may seem too simple to be useful, the Software Engineering Institute’s Risk Taxonomy is based on this model. [1]

Using The Standard Risk Model
Now, let’s turn to the task of illustrating a risk that can be modeled on the Standard Risk Model but not on the Simple Risk Model using a postage machine example. For that product, an important risk is obtaining approval for the machine from the appropriate government agencies. The probability that the risk will occur is low (say, 0.05) since there is a history of the government granting such licenses. However, the probability of impact to the product is very high (say 0.95) since a rejection of approval will mean re-application and delays in product release. Also, the risk event drivers are separated for the risk event and the impact. For these reasons, the Standard Risk Model is able to accurately capture and model this particular risk.

Issues With The Simple Risk Model
How does the Simple Risk Model fair for modeling risk? One of the issues with combining the probability of the risk event and the probability of impact into one parameter is that it is difficult to know to combine them. This is especially important when the probability of the event is very low, but the probability of its impact is very high. Should they be combined as a simple average or as a weighted average? The point is, knowing how the probabilities should be combined is not straight forward. Another issue with using the Simple Risk Model in this case is that risk resolution planning is difficult because “you cannot distinguish drivers contributing to the risk event from those contributing to its impact[2].” In other words, while the Simple Risk Model can be a useful tool, it lacks some fidelity which is needed when developing proactive prevention plans.

This example shows that it important to understand the features of the available models and their limitations.

References
[1] P.G. Smith, G.M. Merritt, Proactive Risk Management (Boca Raton, FL: CRC Press, 2002), p. 21.
[2] Smith, Merritt, Proactive Risk Management, p. 22.

Leave a Reply

Your email address will not be published. Required fields are marked *