Professional Documents
Culture Documents
net/publication/240258668
CITATIONS READS
27 4,073
2 authors:
Some of the authors of this publication are also working on these related projects:
The Computational Structure of Environmental Life Cycle Costing - Outline and Application (EN) View project
All content following this page was uploaded by Jan Emblemsvåg on 13 April 2015.
Qualitative risk
Qualitative risk analysis: analysis
some problems and remedies
Jan Emblemsvåg
Fora Form AS, Ørsta, Norway, and 395
Lars Endre Kjølstad
Virtual Park Consulting, Stabekk, Norway Received August 2005
Revised December 2005
Accepted December 2005
Abstract
Purpose – The article sets out to discuss and present a solution to the fact that various qualitative
risk analyses of the same problem can reach significantly different conclusions.
Design/methodology/approach – By reviewing a common risk analysis approach and identifying
where the possible problems arise, the authors propose ways to overcome the problems based on what
they have found in the literature in general.
Findings – There are ways to greatly reduce the problems, but this requires a risk analysis approach
in which information quality and consistency are the subject of greater focus.
Research limitations/implications – The definitions used, Monte Carlo methods and the
analytical hierarchy process are well tested in countless applications. Hence, the authors believe that
this work possesses no major limitations.
Practical implications – The approach has only been applied to theoretical situations; real-life
situations are needed to address possible practical limitations.
Originality/value – The paper illustrates the importance of distinguishing between “uncertainty”,
“risk” and “capabilities” and the associated implications. It also shows how this can be done in a
logically consistent way using the analytical hierarchy process so that the problem of inconsistency is
reduced, and how the analysis can be used to systematically improve itself. The proposed risk analysis
is a novel approach that has, to the authors’ knowledge, never been thought of before.
Keywords Risk management, Uncertainty management, Analytical hierarchy process,
Monte Carlo methods
Paper type Research paper
1. Frame of reference
Risk management is a hot topic for executives. In fact, the Turnbull Report, made at the
request of the London Stock Exchange (LSE), “is about the adoption of a risk-based
approach to establishing a system of internal control and reviewing its effectiveness”
(Jones and Sutherland, 1999), and it is a mandatory requirement for all companies at
the LSE. Moreover, by 2001, around 30 countries were looking at similar arrangements
on a voluntary basis (see Ward, 2001).
Risk management is also important due to the rapid changes in the business
environment. In fact, some of the major problems the Swedish-Swiss engineering giant
ABB was facing in 2002 were due to “poorly understood operational risks” according
to The Economist (2002). Clearly, growing uncertainty increase the need for better risk Management Decision
Vol. 44 No. 3, 2006
pp. 395-408
q Emerald Group Publishing Limited
The views presented in this paper are solely those of the authors and are not necessarily 0025-1747
associated with Fora Form AS or Virtual Park. DOI 10.1108/00251740610656278
MD management. However, we must acknowledge the dilemma that despite some risks
44,3 arising from unpredictable situations for which there is little remedy in traditional risk
management practices, the increasing reliance on risk management has in fact led
decision makers to embark on actions that involve such risks. Thus, risk management
has led decision-makers to take risks they normally would not take (see Bernstein,
1996). Arguably, decision makers face two major risks:
396 (1) the risk of ignoring risks; and
(2) the risk of being deceived by risk management.
Fuzziness occurs whenever definite, sharp, clear or crisp distinctions are not made,
whereas ambiguity is the result of unclear definitions of various alternatives
(outcomes). Uncertainty is therefore the result of lack of information or clarity, and has
nothing to do with choice.
We start by briefly identifying why qualitative risk analyses are flawed in the sense
that they can produce wildly different results. Then, in section 3 we discuss the four
types of analysis required to analyze risks properly. In sections 4 and 5 we present our
remedies. A conclusion is provided in section 6. We use simple, functional examples
where needed to illustrate the points we try to make.
These aspects are elaborated upon in the next two sections. However, we would first
like to clarify the various types of analyses that are crucial to understand risk and
uncertainty as alluded to above.
We propose four types of analyses that are integrated in the same model:
(1) a risk analysis;
(2) a sensitivity analysis of the risk analysis;
(3) an uncertainty analysis of the risk analysis; and
(4) a sensitivity analysis of the uncertainty analysis.
Figure 1.
The arbitrary assignment
of probability and impact
in a risk ranking matrix
MD The purpose of these analyses is not just to analyze risks but to also provide a context
44,3 for information management. Most approaches lack this capability and hence lack any
systematic way of improving themselves. One reason may be that many simply do not
distinguish between risk and uncertainty, for example Friedlob and Schleifer (1999)
claim that “risk is uncertainty” for auditors. Another reason is that simple risk
matrices like the ones shown in Figure 1 are basically too simplistic to provide any
398 guidance with respect to information or decision improvement.
The probability for receiving 10,000 units is an estimated 40 percent, while the
probability for receiving 30,000 units is an estimated 60 percent. If the decision maker
chooses to reuse the bottles but receives only 10,000 she faces a loss, whereas 30,000
will give her the highest profit of $40,000. The recycling action also produces $30,000.
To decide the decision maker designs a decision tree (see Figure 2) and uses the
expected monetary value (EMV) as a measure of risk. The EMV is calculated by
multiplying the outcome values by the associated probabilities, and then summing up
the outcomes of the events associated with an action. We see that recycling has the
highest EMV, and therefore the lowest expected risk because the risks in this example
are opportunity risks – that is, they are associated with loss of opportunity. Note that
risks are “not just bad things happening but also good things not happening”, as
quipped by Jones and Sutherland (1999) and others.
So far, we have only calculated the risk profile for the decision (as indicated by the
EMV) of the two possible actions, but we do not know anything about the uncertainty:
Figure 2.
Decision tree example
the numbers might be associated with major uncertainty, and hence the conclusion Qualitative risk
may be less clear-cut. To gain better understanding we consequently perform an analysis
uncertainty analysis.
In uncertainty analyses we try to understand how the uncertainty in source
variables generates uncertainty in response variables (the EMV). Important questions
to be answered include: “do we have sufficient information to provide decision support
with an acceptable level of uncertainty?” and “what information is most critical for the 399
uncertainty level in the risk analysis?”. In risk analyses, however, we try to understand
how risks are generated, their probability of occurrence and impact and so on. We also
rank the risks to focus.
In Figure 3 we have pictured the difference between modeling risk and modeling
uncertainty in the case shown above. To the left we have simply given a standard
variation around the expected impact of recycling 30,000 bottles, while to the right we
have tried to model the actual uncertainty. So far, there is little apparent difference, but if
we run a Monte Carlo simulation we will understand the point. For brevity we refer to
Emblemsvåg (2003) for more information about Monte Carlo simulations and how they
can be used in a variety of situations, including critical assumption planning (CAP).
The point is that the risk modeling does not provide any insight into the uncertainty
of the risk analysis but rather provides an excellent ranking of source variables.
Because the source variable in Figure 3 is symmetric and bounded (modeled as
triangular distribution with a 10 percent variation around the expected impact) we can
accurately trace the most important factors for the risk profile, as shown in Figure 4.
We see, for example, that it is the probability of receiving 30,000 bottles that is the
single most important factor for the risk profile.
Figure 3.
An example of risk
modeling (left) versus
uncertainty modeling
(right)
Figure 4.
The most important
factors for the risk profile
MD From an uncertainty perspective, however, we see from Figure 5 that it is the recycling
44,3 impact of receiving 30,000 bottles that introduces the most uncertainty into the risk
profile – not the probability estimate. Thus, if we are to spend more resources on
increasing the accuracy of the risk analysis – that is, to reduce the uncertainty – we
should put more work into assessing the recycling impact of receiving 30,000 bottles. If
we are to reduce the actual risk, however, we should try to reduce the probability.
400 In this example we must decide under the presence of both risk and uncertainty,
which is also the most common case in real life. In Figure 6 the two options are
presented, and we see that there is a slight possibility of “Reuse” actually having a
higher EMV than “Recycling”, but under most circumstances we can virtually
guarantee that the Recycling option will have the highest EMV. The sensitivity
analysis in Figure 5 is effective in identifying how to reduce the uncertainty in Figure 6.
We can also use Figure 6 to calculate how much the uncertainty must be reduced in
order to separate the two options, which is important to clarify the decision.
The sensitivity analyses in Figures 4 and 5 also illustrate a vital point that is
usually omitted in risk analyses, namely the importance of conducting sensitivity
analyses. We subscribe to statistical sensitivity analyses, and they can be easily
generated during a Monte Carlo simulation (see Emblemsvåg, 2003). Sensitivity
analyses enable us to identify the critical success factors, whether they are risk,
uncertainty or anything else. Thus, the sensitivity analyses increase our
understanding of both the risk analyses and the uncertainty analyses, which is of
Figure 5.
The most important
uncertainties for the risk
profile
Figure 6.
Comparison under the
presence of risk and
uncertainty
great importance for the improvement of the risk analysis process. A critical review Qualitative risk
will in this context revolve around finding answers for a variety of “why?” questions as analysis
well as judging to what extent the analyses provide useful input to the risk analysis
process and what must be done about significant gaps. Basically, we must understand
how the analyses work, why they work, to what extent they work as planned, and what
can be done to reduce deviations. With this in mind we now proceed to our next topic of
improvement – ensuring consistency in the risk analysis. 401
4. Ensuring consistent risk analyses
The great virtue of mathematics is its consistency – a trait no other system of thought
can match. Despite the inherent translation uncertainty between qualitative and
quantitative measures, the only way to ensure consistent qualitative risk analyses is to
translate the qualitative measures into numbers and then perform some sort of
consistency check. The only approach that can handle qualitative issues with
controlled consistency is the analytical hierarchy process (AHP) and variations thereof.
Thomas Lorie Saaty developed AHP in the late 1960s primarily to provide decision
support for multi-objective selection problems. Since then, Saaty and Forsman (1992)
have utilized AHP in a wide array of situations including resource allocation,
scheduling, project evaluation, military strategy, forecasting, conflict resolution,
political strategy, safety, financial risk and strategic planning. Others have also used
AHP in a variety of situations such as in supplier selection (Bhutta and Huq, 2002), to
determine measures of business performance (Cheng and Li, 2001), and in quantitative
construction risk management of a cross-country petroleum pipeline project in India
(Dey, 2001).
The greatest advantage of the AHP concept, for our purpose, is that it incorporates a
logic consistency check of the answers provided by the various participants in the
process. As Cheng and Li (2001) claim, “it [AHP] is able to prevent respondents from
responding arbitrarily, incorrectly, or non-professionally”. The arbitrariness of Figure 2
will consequently rarely occur. Furthermore, the underlying mathematical structure of
AHP makes sensitivity analyses both with respect to the risk and uncertainty analysis
meaningful, which in turn guides learning efforts. This is impossible in traditional
frameworks.
The relative rankings generated by the AHP matrix system can be used as so-called
subjective probabilities or possibilities (see Emblemsvåg and Kjølstad, 2002), as well as
relative impacts or relative capabilities. The estimates will be relative, but that is
sufficient since the objective of a risk analysis is to effectively direct attention towards
the critical risks so that they will be attended to. However, by including a known
absolute reference in the AHP matrices we can provide absolute ranking if desired.
The first step in applying the AHP matrix system is to first identify the risks we
want to rank, which is done in step 2. Second, due to the hierarchical nature of the AHP
approach, we must organize the items as a hierarchy. For example, all risks are divided
into commercial risks, technological risks, financial risks, operational risks, and so on.
These risk categories are then broken down into detailed risks. For example, financial
risks may consist of cash flow exposure risks, currency risks, interest risks and so
forth. It is important that the number of children below a parent in a hierarchy is not
more than nine, because human cognition has great problems handling more than nine
issues at the same time (see Miller, 1956). In our experience, it is wise to limit oneself to
MD seven or fewer children per parent. Third, we must perform the actual pair-wise
44,3 comparison.
To operationalize the pair-wise comparisons we used the ordinal scales and the
average Random Index (RI) values provided in Tables I and II. According to Peniwati
(2000), the RIs are defined to allow a 10 percent inconsistency in the answers because it
is better to be approximately right than precisely wrong. Note that the values in Table I
402 must be interpreted in its specific context. Thus, when we speak of probability of scale
1 it should linguistically be interpreted as “equally probable”.
To exemplify AHP, suppose we have identified four risks – R1, R2, R3 and R4 –
and want to estimate their subjective probability. We perform a pair-wise comparison
by comparing the probability of R1 to the probability of R2 as shown in Table III using
the scales in Table I. We see, for example, that we believe the probability of R1
occurring is “absolutely greater” than the probability of R2 occurring. Similarly, R4 has
1 0.00
2 0.00
3 0.58
4 0.90
5 1.12
6 1.24
7 1.32
8 1.41
9 1.45
Table II. 10 1.49
Average random index
values Source: Saaty (1990)
moderately higher probability than R3 and so forth. Based on these comparisons we Qualitative risk
calculate the subjective probabilities. R1 has a 57 percent probability of occurrence analysis
relative to the other risks. The relative nature of the matrix system is why there are
ones (1) on the matrix diagonal – the probability of R1 relative to R1 is of course equal.
We also note the consistency ratio (CR), which is 0.046. The corresponding RI is found
in Table II, and is 0.90. Since CR is less than RI we conclude that the matrix is
internally consistent, and the subjective probability estimates are therefore logically 403
consistent.
Ranking many risks in this fashion requires a large number of small matrices, like
the one in Table III, but each one of them is easy to fill in and hence the amount of time
spent is modest. We believe it is far less effective to make arbitrary “guesstimates” and
then wonder what went wrong. For an experienced practitioner, filling out a matrix like
the one in Table III will only take four or five minutes, which is quite efficient. Clearly,
AHP can increase the quality of the risk analyses substantially, and due to the rigorous
mathematics behind the consistency check and rank calculations, uncertainty analyses
can provide meaningful results. For decisions demanding a broader consensus,
uncertainty analysis is an excellent approach in which outcomes tend to be more
strongly rooted despite the existence of differences of opinion about singular pairs
because the approach invites meaningful discussions and not just guesses.
For example, an uncertainty analysis of the situation in Table III is shown in
Figure 7. We see, for example, that the probability estimate for R1 is the one that is
associated with the most uncertainty. From the sensitivity analysis in Figure 8 we see
why: the R1 probability relative to the R4 probability is the single most important
source of uncertainty to the R1 probability estimate. Furthermore, by increasing the
relative probability of R1 to R4, the R1 probability estimate will increase. Hence, if we
Figure 7.
Uncertainty analysis of
the risk estimates in
Table III
MD increase the R1 to R4 comparison from 3 to 4, the R1 probability estimate will increase
44,3 (to 59 percent).
The reason the R4 to R3 comparison impacts the R1 probability estimate is that any
pair-wise comparison influences the basis that the R1 probability estimate is derived
from. In any case, we can easily identify which pair-wise comparisons in Table III
impact the R1 probability estimate the most. Such information is useful in determining
404 how to reduce the uncertainty of the R1 probability estimate further, or at the very least
explain the R1 probability distribution in Figure 7.
In short, the AHP matrix structure can be used to effectively provide relative
rankings that are consistent, and it opens up for meaningful uncertainty and
sensitivity analyses, which in turn improve the risk analysis.
Figure 8.
Sensitivity analysis of the
uncertainty analysis in
Figure 9
– and associated with uncertainty as shown in Figure 9, but it provides a quite good Qualitative risk
indication of the risk profile of the organization relative to its capabilities. We therefore analysis
denote this number and its associated uncertainty distribution the relative risk profile
(RRP) of the organization.
Furthermore, by running a sensitivity analysis of the risk-capability matching we
can identify the critical managerial implications (Figure 10) and the greatest sources of
uncertainty (Figure 11), which in turn can be used to improve the analyses. In Figure 10, 405
Figure 9.
RRP probability
distribution
Figure 10.
Risk sensitivity analysis
MD
44,3
406
Figure 11.
Uncertainty sensitivity
analysis
we can easily identify what drives the RRP. The most important factor is the actual
risk level of R1, followed by the ability of C1 to counter R1 and the actual effectiveness
of C1. From an uncertainty perspective, however, we see that the situation is quite
different. The C4 effectiveness impacts the uncertainty level of RRP the most (see
Figure 11). To reduce the uncertainty of RRP we must consequently obtain better
information about C4. C3 and the uncertainty of R1 are also important.
In this way we have a powerful approach in devising consistent risk analyses for
which sound risk management strategies can be crafted. It should be noted, however,
that even though our approach produces 90 percent consistent risk analyses, mistakes
in the risk analysis will occur if the problem at hand is not well understood. What we
can guarantee, however, is that the risk analyses are internally consistent and hence
that we will always focus on the right risks compared to our capabilities first, albeit to
which degree the risks must be attended must receive further considerations when it
comes to the costs and benefits of attending them. Put differently, we will not be able to
identify the absolute magnitudes of risks, but we will be able to rank them correctly.
This is a step forward compared to the situation described by Backlund and Hannu
(2002) and often found in reality elsewhere as well.
6. Closing remarks
The presented approach is “self-adjusting” in that it can be used to reduce the
uncertainty in the risk analysis while also improving the quality of risk analyses in
general by providing consistency checks and decision support for improved
information management. The next steps in our quest to improve risk management
will be to perform such risk analyses of multiple organizations and then compute the
RRP. This will allow us to also better understand the relations between risk and
profitability over time, which is important for strategic risk management, which is the
topic of our main focus. We also believe that the overall risk management process must
be augmented in order to better facilitate information and knowledge management,
which is vital to further reduce the chance for the problems of self-fulfilling prophecies
in risk management.
As always, however, good results are struck by the combination of skilled
implementation and thorough knowledge about the approach and the actual situation
for the organization. We further believe that the risk analysis approach described here
stands a better chance of avoiding the problems described by Backlund and Hannu Qualitative risk
(2002) because the risk analysis is enhanced by: analysis
.
uncertainty analyses to show the extent of uncertainty in the risk analysis;
.
sensitivity analyses to provide learning on what drives risks and uncertainties;
.
AHP to provide logically consistent results; and
.
the risk-capability matching to allow effective identification of risk management 407
strategies.
Thus, as argued and illustrated in this paper, to distinguish between risk, uncertainty
and capabilities on the one hand and to handle the information in a consistent fashion
is crucial to prevent the risk management process from becoming either a self-fulfilling
prophecy or an arbitrary process, but as Hegel warns: “Theories conceal as much as
they reveal”.
References
Backlund, F. and Hannu, J. (2002), “Can we make maintenance decisions on risk analysis
results?”, Journal of Quality in Maintenance Engineering, Vol. 8 No. 1, pp. 77-91.
Bernstein, P.L. (1996), Against the Gods: The Remarkable Story of Risk, Wiley, New York, NY,
p. 383.
Bhutta, K.S. and Huq, F. (2002), “Supplier selection process: a comparison of the total cost of
ownership and the analytic hierarchy process approaches”, Supply Chain Management:
An International Journal, Vol. 7 No. 3, pp. 126-35.
Cheng, E.W.L. and Li, H. (2001), “Analytic hierarchy process: an approach to determine measures
for business performance”, Measuring Business Excellence, Vol. 5 No. 3, pp. 30-6.
Dey, P.K. (2001), “Decision support system for risk management: a case study”, Management
Decision, Vol. 39 No. 8, pp. 634-49.
(The) Economist (2002), “Barnevik’s bounty”, The Economist, Vol. 362 No. 8262, p. 62.
Emblemsvåg, J. (2003), Life-Cycle Costing: Using Activity-Based Costing and Monte Carlo
Methods to Manage Future Costs and Risks, Wiley, New York, NY, p. 320.
Emblemsvåg, J. and Kjølstad, L.E. (2002), “Strategic risk analysis – a field version”, Management
Decision, Vol. 40 No. 9, pp. 842-52.
Friedlob, G.T. and Schleifer, L.L.F. (1999), “Fuzzy logic: application for audit risk and
uncertainty”, Managerial Auditing Journal, Vol. 14 No. 3, pp. 127-35.
Jones, M.E. and Sutherland, G. (1999), Implementing Turnbull: A Boardroom Briefing, The Center
for Business Performance, The Institute of Chartered Accountants in England and Wales
(ICAEW), London, p. 34.
Miller, G.A. (1956), “The magical number seven, plus or minus two: some limits on our capacity
for processing information”, Psychological Review, Vol. 63, pp. 81-97.
Peniwati, K. (2000), The Analytical Hierarchy Process: Its Basics and Advancements, INSAHP,
Jakarta.
Saaty, T.L. (1990), The Analytic Hierarchy Process: Planning, Priority Setting, Resource
Allocation, RWS Publications, Pittsburgh, PA, p. 480.
Saaty, T.L. and Forsman, E. (1992), The Hierarchon: A Dictionary of Hierarchies, Expert Choice,
Inc., Arlington, VA.
MD Ward, G. (2001), “Corporate governance: why should companies care?”, speech given at INSEAD,
Fontainebleau, July 11.
44,3 Webster’s Encyclopedic Unabridged Dictionary of the English Language (1989), Gramercy Books,
New York, NY, p. 1854.
Further reading
408 Davenport, T.H., Delong, D.W. and Beers, M.D. (1998), “Successful knowledge management
projects”, Sloan Management Review, Vol. 39 No. 2, pp. 43-57.
Government Asset Management Committee (2001), Risk Management Guideline, New South
Wales Government Asset Management Committee, Sydney, p. 43.
Corresponding author
Lars Endre Kjløstad can be contacted at: lakjolst@online.no