Risk, Riskion (and Comparion)

Expert Choice Riskion addresses losses that can occur from the occurrence of risk events. While some definitions of risk include gains as well as losses, Expert Choice Riskion adopts the more traditional definition of risk as the expected value of losses.

Another Expert Choice product, called Comparion, focuses on the achievement of objectives (gains) from a decision to choose one or a combination of alternatives. 

Riskion and Comparion can be used independently of one another. Typically, Riskion is used by professionals responsible for identifying and analyzing losses that can occur in an organization, activity, or process, from the occurrence of one or more risk events. Comparion,  on the other hand, is typically used by professionals responsible for strategic or tactical decision-making activities involving the choice of one or a combination of alternatives.

Riskion and Comparion can also be used in conjunction with one another wherein Riskion provides a detailed analysis of the risks of the alternatives being considered in a Comparion decision. The phrase "Risk Informed Decision Making (RIDM) is sometimes used to refer to decision making (choosing alternatives) when the risks of alternatives are explicitly included in the process.  

In Comparion, risks of the alternatives being considered are treated as part of the decision making and resource allocation processes. These risks can be evaluated in a choice  decision in three ways as follows -- each with an increasing level of explicit  detail and greater accuracy:

1) An intuitive assessment of the overall risk of each of  the alternatives 

  • This involves an implicit (Intuitive assessment and mental synthesis) of 
    • impacts, 
    • likelihoods,  
    • events
    • threats, hazards, ..
  • The intuitive assessment is difficult to do in one person's head, much less synthesize over many people's judgments
    • Example: Including 'Risk' factors in an objectives hierarchy of the Risk Informed Decision Model and evaluating the relative              risks of the alternatives with respect to the risk factors

2) An analysis of risk factors,   such as Cost, Schedule, Scope, Environment

  • This involves an 
    • explicit assessment of the relative importance of the risk factors, along with an 
    • implicit evaluation (intuitive assessment and mental synthesis) of
      • likelihood,  
      • impacts,
      • risk events for each alternative 
    • The intuitive assessment can be difficult to do in one person's head, much less synthesize over many people's judgments
    • Example: Associated Risk Model in a Resource Allocation with Comparion
      • A risk factors hierarchy might include Cost, Schedule, Scope, and Environment
      • The alternatives are evaluated for their relative risks with respect to each of these factors
        • Events and the product of likelihood and impact of these events are not explicit
      • The anticipated benefit of each alternative is discounted by its resultant risk 

3) A detailed analysis: 

  • Explicitly addressing:
  • Sources/Threats/Hazards of risk events
  • Risk events
  • A hierarchy of objectives for which events result in loss
  • Ratio scale measures of
    • likelihood of sources/threats/hazards
    • the vulnerability of events to sources/threats/hazards
    • importance of objectives
    • impact of events to objectives

Example: A Riskion risk assessment of each alternatives' risks (events) resulting in a mathematically sound synthesis of the above. The resulting risks can then be included in the Risk Informed Decision Model.

The first two approaches above do not require Riskion. Riskion is appropriate for the third approach, which includes an explicit treatment of events.

Summary: 

  • While Expert Choice Comparion focuses on
    • prioritizing/deciding/allocating resources to 'alternatives', such as strategies, products, projects.
  • Expert Choice Riskion focuses on 
    • 'events' and sources of events that can cause loss, such as terrorist attacks, information technology vulnerabilities, fire, cost overruns, etc.

Organizational responsibility for strategic planning is often assigned to different personnel than those responsible for risk assessment and management, Comparion is typically more relevant to those responsible for strategy and decision making while Riskion is typically more relevant to those responsible for identifying, analyzing, and mitigating risks.   

Or course planning and management involve both; For example, Riskion can be used to provide a more detailed analysis of risks for projects being considered in a Comparion resource allocation.

Questions that need to be answered as part of a risk assessment are:

  1. What events might take place to result in losses to the organization?
  2. For each event, how likely is the event?
  3. If the event were to occur, what would the impact be on the organization's objectives?
  4. Given an event's likelihood and impact,  what is its risk?
  5. What can be done to reduce the risk?
  6. Considering all events and options to reduce their risk, what should the organization do to reduce the overall risk?

Without Riskion, risk analysis and management  processes are difficult to understand and implement, owing to the following  challenges:

  • RISK, defined to be the expected value of a loss or failure to achieve one or more OBJECTIVES due to an uncertain event can be computed as the product of the LIKELIHOOD of the event and its IMPACT. 
    • The likelihood of so many events can be difficult to estimate because: 
    • there may be no historical data;
    • history is not always a good indication of what will happen in the future; 
    • judgment by humans is often necessary/valuable to supplement historical data even when data is available; 
    • simulation may necessary/valuable to supplement historical data;
    • when risks DEPEND on CAUSES/THREATS, estimates of the likelihood of the CAUSES/THREATS occurring, as well as the likelihood of the EVENTS given the CAUSES (VULNERABILITIES) must be estimated 
    • likelihood estimates must be 'ratio level' measures in order for risk estimates to be mathematically meaningful (this is rarely the case using tools other than Riskion);
  • The impact of some/many events is difficult to estimate because:
    • the impact is the loss due to an organization's failure to achieve its objectives; 
    • organizations have multiple objectives which, unless structured in a manageable form, such as a hierarchy, can be difficult to understand and prioritize;
    • some objectives are quantitative while others are qualitative;
    • the relative importance of objectives differ and must be estimated/prioritized;
    • judgments about the relative importance of objectives differ among different individuals and constituencies;
    • estimates of the relative importance of objectives as well as the impact on the objectives by an event must be 'ratio level measures in order for the risk estimates to be mathematically meaningful.
  • Controls to reduce risk must be identified evaluated as to their anticipated effectiveness in reducing risk.  There are three types of treatments:
    • those that reduce the likelihoods of CAUSES/THREATS,
    • those that reduce the VULNERABILITY or the likelihood an event occurring given CAUSES/THREATS);
    • those that mitigate the impacts of one or more events on one or more objectives.

Estimates of the anticipated reduction in risk for each treatment under consideration must be proportional -- that is possessing the ratio level measurement property.

  • Decisions as to which CONTROLS to implement are complex and difficult to make due to:
    • constraints in budget and other resources as well as
      • dependencies
      • laws and regulations
      • ...
    • a large number of possible combinations of treatments that might be implemented; governance and politics
  • Failing any one or more of the above challenges is likely to produce misleading risk estimates and ineffective allocation of resources in reducing risk.

A major goal of Riskion is to present a coherent framework for the components of risk analysis and their relationships in a way that makes an extremely complex subject understandable and manageable.

  • This is achieved by carefully defining the components (or elements-- see below) and their relationships, and providing tools to identify, measure, and synthesize the component parts.