The Math of Risk: Using the Composite Risk Management Approach
One of the greatest challenges of risk management is staying on top of the various threats that plague your organization, while also keeping a lookout for new challenges and using resources strategically. It all seems very subjective and hypothetical—that is, unless you take a mathematical approach to risk using composite risk management, or CRM.
CRM is the primary decision-making process used by the U.S. Army to manage risk. And this is an agency that knows quite a bit about risk in all forms, ranging from recruitment shortages to enemy threat, physical obstacles, soldier fatigue, and mission complexity. CRM is a well-structured technique that enables the Army to identify and manage hazards to its personnel, equipment, and overall mission effectiveness. The approach is simple enough to be easily referenced by thousands of people, in locations around the globe, and it is streamlined enough to be applied to both tactical risk and accident risk.
The CRM process involves assigning a risk “score” to each threat in order to accurately prioritize threats and track them over time, while also helping stakeholders focus their efforts and save time and resources.
While your organization faces much different risks than the U.S. Army, the agency’s CRM approach offers businesses valuable lessons that can be applied to their own risk management programs. Indeed, understanding the “math of risk” could help your team strengthen and streamline its risk management efforts in unprecedented ways.
Assessing Your Risk
The Army follows a five-step composite risk management process, which you can readily replicate in the corporate world:
1. Identify all potential hazards to the organization.
2. Assess hazards to determine their risk score, using the formula below.
3. Develop controls to mitigate the possibility or the impact of each risk.
4. Implement the control measures.
5. Supervise and evaluate over time.
One of the most important elements of the CRM approach is Step 2, assigning a risk score to each potential threat. Quantifying your risk enables you to better prioritize hazards and more readily evaluate them after you implement control measures.
To calculate your risk, use the following formula for each hazard:
Probability + Severity = Level of Risk
Start by assigning each threat a probability score from the following options:
- Frequent: 5
These are threats that happen regularly, even if they are minor. Depending on your business, highly probable risks might include unplanned network downtime, shipping delays, employee illness, PR challenges, and the like.
- Likely: 4
If you’re like most modern businesses, you probably have to combat phishing and hacking attacks fairly regularly. For example, this year, we saw a big increase in ransomware attacks, such as the WannaCry ransomware attack, which indicates that this type of threat will become more frequent in the coming years.
- Occasional: 3
These are risks that might happen only occasionally, such as icy weather preventing employees from making it in to work.
- Seldom: 2
Examples here might include utility outages or, depending on your geographic region, severe weather events, like this year’s disastrous hurricane season.
- Unlikely: 1
Unlikely threats include those that will probably never happen in your area—such as widespread flooding in a state with very little rain—and those that are very rare, including active shooter events and acts of terrorism.
Then, assign the hazard a severity score from the following options:
- Catastrophic: 4
A prime example of a catastrophic threat is a large-scale data breach, which recent research shows can cost an organization more than $3 million and can hurt a business for years to come. In coastal areas, catastrophic threats might also include severe hurricanes and flooding.
- Critical: 3
These are threats that can impact the business but won’t necessarily close its doors. Examples might include supply chain problems, local or national economic downturns, or difficulty retaining or finding high-quality employees.
- Marginal: 2
These are smaller, less impactful threats that don’t require as much planning or preparation effort; however, they still need to be dealt with so they don’t grow more serious. Marginal threats may include changes to regulations that govern your industry.
- Negligible: 1
A threat with a negligible impact is likely one that you are already well prepared for, such as a fire in your warehouse facility. If you already have a well-established protocol for handling a threat, it’s unlikely to have much of an impact.
After ranking each threat’s probability and severity, add the numbers together to get its level of risk. Then, reference this number as you move through the rest of the composite risk management steps. It will help you monitor each threat over time.
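As an added example (not from the article or the Army's own materials), the scoring step and the follow-up tracking can be turned into a small risk register in Python that uses the article's probability and severity scales; the hazard names, ratings and control are constructed for illustration:

```python
from dataclasses import dataclass, field

# Rating scales exactly as the article gives them (label -> score).
PROBABILITY = {"unlikely": 1, "seldom": 2, "occasional": 3, "likely": 4, "frequent": 5}
SEVERITY = {"negligible": 1, "marginal": 2, "critical": 3, "catastrophic": 4}

@dataclass
class Hazard:
    name: str
    probability: str
    severity: str
    history: list = field(default_factory=list)  # (note, level of risk) per assessment

def level_of_risk(probability: str, severity: str) -> int:
    """Step 2 of CRM: Probability + Severity = Level of Risk (range 2..9)."""
    try:
        return PROBABILITY[probability.lower()] + SEVERITY[severity.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc.args[0]!r}") from None

def assess(hazard: Hazard, note: str = "initial") -> int:
    """Score the hazard and record the result so it can be tracked over time (step 5)."""
    level = level_of_risk(hazard.probability, hazard.severity)
    hazard.history.append((note, level))
    return level

def prioritize(hazards: list) -> list:
    """Highest level of risk first; ties go to the more severe hazard."""
    return sorted(hazards, reverse=True,
                  key=lambda h: (level_of_risk(h.probability, h.severity), SEVERITY[h.severity.lower()]))

def apply_control(hazard: Hazard, note: str, probability: str = None, severity: str = None) -> int:
    """Steps 3-4: a control lowers probability and/or severity; re-score and keep the history."""
    if probability is not None:
        hazard.probability = probability
    if severity is not None:
        hazard.severity = severity
    return assess(hazard, note)

def build_register() -> list:
    """Constructed sample register built from the article's example hazards."""
    register = [Hazard("phishing campaigns", "likely", "critical"),
                Hazard("large-scale data breach", "occasional", "catastrophic"),
                Hazard("icy weather keeps staff home", "occasional", "marginal"),
                Hazard("warehouse fire (protocol in place)", "seldom", "negligible")]
    for h in register:
        assess(h)
    return register
```

Calling `prioritize(build_register())` orders the breach (3+4) ahead of phishing (4+3) because the tie-break favours impact, and `apply_control(reg[0], "MFA + awareness training", severity="marginal")` records the drop from 7 to 6 in the hazard's history.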
As you can see, by quantifying your risk with the CRM approach, you’ll be better equipped to prioritize the most serious threats facing your business. And, just like the U.S. Army, you’ll have greater insight into every angle of risk, which improves your chances of success against every type of threat.