Risk Tip – how likely is likely?
Assessing the level of likelihood for risk is something I have been questioning for some considerable time. I have followed the conventional wisdom up until this point and used the ‘traditional’ criteria to express likelihood. You may have criteria similar to the following:
Likelihood score | Descriptor | FrequencyHow often might it/does it happen |
| 1 | Rare | This will probably never happen/recur |
| 2 | Unlikely | Do not expect it to happen/recur but it is possible it may do so |
| 3 | Possible | Might happen or recur occasionally |
| 4 | Likely | Will probably happen/recur, but is not a persisting issue/circumstances |
| 5 | Almost certain | Will undoubtedly happen/recur, possibly frequently |
Probability | Uncertainty Statement | Evaluation |
| > 80% | Almost certainly | 5 |
| 61-80% | Probable | 4 |
| 41-60% | Improbable | 3 |
| 21-40% | Unlikely | 2 |
| 1-20% | Highly unlikely | 1 |
Likelihood | Quantification | Probability | Description |
| Almost certain | 0 – 12 months | 95% – 100% | The event is expected to occur |
| Likely | 1 – 3 years | 65% – 95% | The event will probably occur |
| Possible | 3 – 6 years | 35% – 65% | The event might occur at some time |
| Unlikely | 6 – 10 years | 5% – 35% | The event could occur at some time but is improbable |
| Rare | Beyond 10 years | < 5% | The event may occur only in exceptional circumstances |
These descriptors, whilst standard across the industry, have not sat well with me for some time, but I was unsure why. That was until recently when it hit me like the proverbial ton of bricks. It makes absolutely no sense to assess the likelihood of events that are not time or frequency dependent using time or frequency as the measure.
I started to ask – is this an appropriate measure to determine the likelihood of risks such of these?
- Contaminated food served to restaurant patrons
- Worker exposed to unbonded/friable asbestos
- Wrong medication administered to a patient
- Explosion at fuel storage depot
- Legionnaires outbreak in the hospital
- Unauthorised release of, or alteration to client confidential information
The likelihood of these risks occurring is in no way going to be based on frequency or probability. The likelihood of these risks is going to be based on the effectiveness of the current control environment.
So, let’s take one of these – contaminated food served to restaurant patrons as a case study.
What would be the likelihood of this risk if we used this criteria?
Qualitative Rating | General Description |
| Almost Certain | Likely to occur more than once a year |
| Likely | Likely to occur approximately once a year |
| Possible | Likely to occur approximately once every 5 years |
| Unlikely | Likely to occur approximately once every 5 – 10 years |
| Rare | Likely to occur with less frequency than once every 10 years |
To my way of thinking, it is impossible to estimate the likelihood of this risk based on frequency. What will make this risk unlikely to rare is the effectiveness of the controls established within the restaurant.
So what if we were to use a likelihood matrix such as this?
Qualitative | General Description |
| Almost Certain | All of the controls associated with the risk are extremely weak and/or non-existent. Without control improvement there is almost no doubt whatsoever that the risk will eventuate |
| Likely | The majority of the controls associated with the risk are weak. Without control improvement it is more likely than not that the risk will eventuate. |
| Possible | There are some controls that need improvement, however, if there is no improvement there is no guarantee the risk will eventuate. |
| Unlikely | The majority of controls are strong with few control gaps. The strength of this control environment means that it is likely that the risk eventuating would be caused by external factors not known to the organisation. |
| Rare | All controls are strong with no control gaps. The strength of this control environment means that, if this risk eventuates, it is most likely as a result of external circumstances outside of our control. |
We then assess the likelihood based on the following observations of the effectiveness of the controls. So let’s apply this likelihood matrix to two different restaurants:
Restaurant 1
Current Controls and their Effectiveness | Food handling policy | Effective |
| Food handling training for staff | Effective | |
| Food storage policies and procedures | Effective | |
| Maintenance of refrigeration | Effective | |
| Strict purchase policies in relation to supplies | Effective | |
| Monitoring of cooking temperatures | Effective |
Restaurant 2
Current Controls and their Effectiveness | Food handling policy | Effective |
| Food handling training for staff | Partially Effective | |
| Food storage policies and procedures | Effective | |
| Maintenance of refrigeration | Ineffective | |
| Strict purchase policies in relation to supplies | Partially Effective | |
| Monitoring of cooking temperatures | Ineffective |
Based on the effectiveness of the controls the likelihood of contaminated food being served to restaurant patrons would be significantly higher at restaurant 2.
If we continue to try and estimate likelihood based on frequency for risks where the likelihood is actually dependent on the effectiveness of the controls, the decisions we take may be flawed.
So how likely is likely? Understand the effectiveness of your controls to truly understand how likely it is that the risk will materialise as an issue.
