Risk affects virtually every aspect of our lives and, in turn, virtually every aspect of business. Managing risk is therefore a key activity for us all.
Organisations are about creating value, and the way they respond to risks affects their strategies, structure and operating activities. If we recall the definition 'risk is the effect of uncertainty on objectives', then we know probability plays a large part in the effort required by organisations to respond to risks.
In theory, the probability of a risk is assigned a score from 0 to 1 - with, for example, 0.5 representing an equal chance of the risk occurring or not occurring. Just for clarity, a score of zero means there is no risk - the risk will not occur. Likewise, a score of 1 is not a risk - it is certain to happen.
Most organisations score this probability or uncertainty as the likelihood on a risk matrix (more on risk matrices in a later post). So terms like 'very unlikely', 'unlikely', 'possible', 'likely' and 'almost certain' frequently appear as a proxy for the theoretical score for likelihood.
There are pros and cons to using either numbers or descriptors to describe the probability of a risk. Using numbers implies a precision that is probably not realistic, whilst the use of words opens the likelihood to interpretation by the individual user. It is therefore important to clarify the limitations with users and to encourage thorough analysis to determine an appropriate likelihood rating.
The importance of getting this right is clear - a risk with a low likelihood rating will get little, if any, management attention in terms of mitigation effort. On the other hand, a high likelihood rating will attract significant scrutiny, not only from management but typically from the Board as well.
Whilst it's not an exact science, ensuring an appropriate level of due diligence in evaluating and rating the likelihood of identified risks is key to the way an organisation responds and, ultimately, creates value.