Risk Tip – how likely is likely?

Assessing the level of likelihood for risk is something I have been questioning for some considerable time.  I have followed the conventional wisdom up until this point and used the ‘traditional’ criteria to express likelihood.  You may have criteria similar to the following:

Likelihood score
Descriptor
Frequency
How often might it/does it happen
1 Rare This will probably never happen/recur
2 Unlikely Do not expect it to happen/recur but it is possible it may do so
3 Possible Might happen or recur occasionally
4 Likely Will probably happen/recur, but is not a persisting issue/circumstances
5 Almost certain Will undoubtedly happen/recur, possibly frequently
Probability
Uncertainty Statement
Evaluation
> 80% Almost certainly 5
61-80% Probable 4
41-60% Improbable 3
21-40% Unlikely 2
1-20% Highly unlikely 1
Likelihood
Quantification
Probability
Description
Almost certain 0 – 12 months 95% – 100% The event is expected to occur
Likely 1 – 3 years 65% – 95% The event will probably occur
Possible 3 – 6 years 35% – 65% The event might occur at some time
Unlikely 6 – 10 years 5% – 35% The event could occur at some time but is improbable
Rare Beyond 10 years < 5% The event may occur only in exceptional circumstances

These descriptors, whilst standard across the industry, have not sat well with me for some time, but I was unsure why. That was until recently when it hit me like the proverbial ton of bricks. It makes absolutely no sense to assess the likelihood of events that are not time or frequency dependent using time or frequency as the measure.

I started to ask – is this an appropriate measure to determine the likelihood of risks such of these?

  • Contaminated food served to restaurant patrons
  • Worker exposed to unbonded/friable asbestos
  • Wrong medication administered to a patient
  • Explosion at fuel storage depot
  • Legionnaires outbreak in the hospital
  • Unauthorised release of, or alteration to client confidential information

The likelihood of these risks occurring is in no way going to be based on frequency or probability. The likelihood of these risks is going to be based on the effectiveness of the current control environment.

So, let’s take one of these – contaminated food served to restaurant patrons as a case study.

What would be the likelihood of this risk if we used this criteria?

Qualitative Rating
General Description
Almost Certain Likely to occur more than once a year
Likely Likely to occur approximately once a year
Possible Likely to occur approximately once every 5 years
Unlikely Likely to occur approximately once every 5 – 10 years
Rare  Likely to occur with less frequency than once every 10 years

To my way of thinking, it is impossible to estimate the likelihood of this risk based on frequency.  What will make this risk unlikely to rare is the effectiveness of the controls  established within the restaurant.

So what if we were to use a likelihood matrix such as this?

Qualitative
General Description
Almost Certain All of the controls associated with the risk are extremely weak and/or non-existent. Without control improvement there is almost no doubt whatsoever that the risk will eventuate
Likely The majority of the controls associated with the risk are weak. Without control improvement it is more likely than not that the risk will eventuate.
Possible There are some controls that need improvement, however, if there is no improvement there is no guarantee the risk will eventuate.
Unlikely The majority of controls are strong with few control gaps. The strength of this control environment means that it is likely that the risk eventuating would be caused by external factors not known to the organisation.
Rare All controls are strong with no control gaps. The strength of this control environment means that, if this risk eventuates, it is most likely as a result of external circumstances outside of our control.

We then assess the likelihood based on the following observations of the effectiveness of the controls. So let’s apply this likelihood matrix to two different restaurants:

Restaurant 1

Current Controls and their Effectiveness
Food handling policy Effective
Food handling training for staff Effective
Food storage policies and procedures Effective
Maintenance of refrigeration Effective
Strict purchase policies in relation to supplies Effective
Monitoring of cooking temperatures Effective

Restaurant 2

Current Controls and their Effectiveness
Food handling policy Effective
Food handling training for staff Partially Effective
Food storage policies and procedures Effective
Maintenance of refrigeration Ineffective
Strict purchase policies in relation to supplies Partially Effective
Monitoring of cooking temperatures Ineffective

Based on the effectiveness of the controls the likelihood of contaminated food being served to restaurant patrons would be significantly higher at restaurant 2.

If we continue to try and estimate likelihood based on frequency for risks where the likelihood is actually dependent on the effectiveness of the controls, the decisions we take may be flawed.

So how likely is likely? Understand the effectiveness of your controls to truly understand how likely it is that the risk will materialise as an issue.

SUBSCRIBE TO OUR NEWSLETTER
Unleash your inner risk gladiator! Join our mailing list for all the latest news, tips, and special offers.
FREE RISK MANAGEMENT E-BOOK
This free E-book dives into risk management, exploring the issues and concepts involved in effectively managing risks in an accessible and comprehensive manner applicable to organisations of all shapes and sizes.
{Download-submit}