By Jeremiah Ndhlovu, CERM
Resilient companies create their own luck. The systematic design and application of good risk management practices are the pillars upon which a sound company is built. (Willis Limited, Mining Risk Review, Spring 2014)
Any endeavour to effectively reduce the impact of a risk requires an analysis that indicates the threats that exist and their potential severity. Good risk management practices require risk analysis of the financial, operational, compliance and strategic components of the organisation to ensure that all pertinent enterprise-wide risks are considered.
Oftentimes, risk reports are presented to stakeholders with inherent or residual risk levels identified as high, medium or low. These risk levels are critical as they determine the level of mitigating effort required to contain the risks to levels that organisations are comfortable with. What is fundamental, though, is that the frameworks that define the risk levels as high, medium or low should be well developed and adequate to ensure accurate representation, in risk reports, of the actual risks on the ground. Any fundamental flaws in the risk assessment criteria may yield reports that misrepresent the actual risks on the ground, leading to incorrect decisions made by stakeholders relying on such reports.
Risk assessment techniques are very broad, especially when all the financial, operational, compliance and strategic components of the organisation are considered. In-depth discussion of risk assessment or measurement techniques of the different organisational components will be considered in future articles.
The scope of this article is limited to the general risk types that need to be considered when an organisation is formulating a risk assessment or measurement criteria. This is critical for risk management practitioners, who have a mandate of determining the inherent and residual levels of key risks in an organisation.
Key principles to be covered include absolute risk, relative risk and attributable risk. Understanding the differences between these risks is critical for stakeholders to discern why and where risk management may fail or succeed, and the limits of risk management in general. All the risk types can be considered in formulation of a comprehensive risk assessment framework. The principles are critical for the assessment of safety, health and environmental (SHE) risks, but can be effectively adopted for other risk areas in an organisation. These risk types are normally expressed in the same unit of measure, usually percentages or fractions, for easier comparison. Theoretical illustrative examples will be used in this article to articulate the differences between the risk types.
Absolute risk is the likelihood of an event occurring under specific conditions, e.g. the chance of a person developing pneumoconiosis based on factors such as extended exposure to a dusty environment. It is commonly expressed as a 1 in 10 chance or a 10% chance, e.g. of developing pneumoconiosis.
Relative risk is the likelihood of an event occurring under specific circumstances that are compared to other circumstances with different characteristics, e.g. incidence rate of the pneumoconiosis disease in a group exposed to dusty conditions as a proportion of the incidence rate of an unexposed group.
Attributable risk is the risk difference. In the example above, attributable risk is the difference of the incidence rates of the exposed group and the unexposed group.
A hypothetical illustration of the risk types is as shown below:
Absolute Risk for the exposed group is the incidence rate of 1% [5/500*100%], whereas that of the unexposed group is 0.5% [2/400*100%].
Relative Risk of the disease for an exposure is 200% [1%/0.5%].
Attributable Risk is 0.5% [1%-0.5%].
As can be deduced from the illustration above, coming up with a risk level for a sole absolute risk is a difficult task due to the absence of a reference point. The absolute risk for the unexposed group is, however, critical in assessing the impact of exposing people to the specific conditions, in this case a dusty environment. Having the relative risk of 200% on its own might be misleading as well. There is a need for a baseline level, i.e. the absolute risk, to effectively assess the impact of exposing people to the risky environment. Attributable risk represents a linear assessment of the change in risk from the baseline level to the upgraded relative risk level due to exposure to the risky environment.
Understanding the ideal interaction of absolute risk, relative risk and attributable risk is key in influencing how information at an organisation’s disposal can be optimally used to formulate an agile and incisive risk assessment or measurement criteria.
It is noteworthy that interpretation and use of absolute risk measures appear straightforward, but deriving meaningful risk levels such as these might require extensive studies over an extended period of time. Risk managers can, therefore, still be more successful if they limit themselves to relative and attributable risks, when possible, especially when there is ambiguity about how an absolute risk measure can be interpreted.
It is possible that a mix of the risk types is subconsciously applied in organisations when formulating risk benchmarks. Based on this background, I encourage risk practitioners to take stock of their current risk measures and categorise them into absolute, relative and attributable. The outcome of the categorisation should be assessed to determine whether an optimal mix is achieved in the context of available data or information.
For the users of risk reports, the mix of the risk types might be an area of interest depending on the maturity level of the risk management function. This is mainly critical for organisations with advanced risk management systems, with an interest in knowing the inputs and processes that yield the risk reports used for decision making.
About the Author
Jeremiah Ndhlovu is a Certified Expert in Risk Management (CERM). He has acquired extensive risk management insights in the mining sector through outsource projects including enterprise risk management, combined assurance, process and controls standardisation, internal auditing and external auditing.