
How to Spot (And Avoid) Biases when Identifying, Evaluating and Prioritizing Risk

Strategies for Long-term Success

by Yo McDonald
October 1, 2020
in Featured, Risk

Identifying, prioritizing and evaluating risks are crucial to any business’s long-term success. MetricStream’s Yo McDonald lays out how specific biases affect these processes and ways to find them.

We are all familiar with the risk/reward terminology. Risk is everywhere, and identifying risks is an art of applying scientific principles of knowns and unknowns. The knowns are a phenomenon of the past, and the unknowns are the transformation of the present into the future. The biases in risk identification evolve from individual, institutional or global experiences. The biases that affect risk identification, and through it the risk prioritization process, include the following:

Cognitive Bias – A collection of predispositions and perceptions – often influenced by incentives, wants and fears – that could affect the risk assessment process.

Confirmation Bias – As humans, we are always seeking approval from others who will confirm our position. During risk identification, this may lead to a failure to capture a range of alternative risks in an organization.

Groupthink Bias – Conducting risk identification in a group setting might capture only the views of people who think alike. In the process, an important risk raised by an outlier may be ignored due to a false consensus effect.

Availability Bias – Our minds remain focused on things we see and hear frequently. For example, if there is a series of cyberattacks in the news, a cyberattack may end up as a top risk even if its likelihood of occurrence is lower in your organization.

Hindsight Bias – When decisions are made based only on what went wrong, it could result in identifying risks and processes that may not be applicable in the future.

In order to establish an effective risk identification process, identification of all existing biases is key. Primary ways to identify such biases include:

Open Communication

Having open communication, listening and asking for the facts are all important steps – along with listing what may or may not be considered risks by digging deeper into your organization.

Conducting Risk Surveys, Interviews and Workshops

By sending broad surveys, various perspectives can be gathered. After reviewing the responses, one-on-one interviews can be conducted with key stakeholders to gain greater insights. Lastly, the findings from surveys and interviews can be presented to the C-suite and risk committee for final decision-making.

Once biases are successfully removed, risk prioritization and principles of risk evaluation involve the following methods:

Qualitative Risk Evaluation

Most risk managers apply qualitative methods to evaluate risks. This leads to subjectivity. One simple method to reduce subjectivity for smaller projects is to apply the “impact likelihood” scale. This involves measuring impact and likelihood on a scale of:

  • Very Low
  • Low
  • Medium
  • High
  • Very High

Each impact and likelihood can be assigned a number from 1 to 5 for Very Low to Very High respectively. See table below:

| Type | Scale | Percent |
|---|---|---|
| Very Low | 1 | 1 – 20% |
| Low | 2 | 21 – 40% |
| Medium | 3 | 41 – 60% |
| High | 4 | 61 – 80% |
| Very High | 5 | 81% – 100% |

The final risk rating, as the product of impact and likelihood, will fall in a range between 1 and 25. The product can be translated into a subjective rating as per the table below:

| Rating | Range |
|---|---|
| Very Low | 1 – 5 |
| Low | 6 – 10 |
| Medium | 11 – 15 |
| High | 16 – 20 |
| Very High | 21 – 25 |

A simple example can illustrate the qualitative method.

There have been four Category 5 hurricanes (with a wind speed of 157 miles per hour or more) hitting the U.S. in the last 100 years. This means there is a 4 percent chance of a Category 5 storm hitting the U.S. in a year. Applying the qualitative principles, the likelihood of the risk is Very Low. However, the impact of a Category 5 hurricane can be devastating (i.e., Very High). The below table determines the risk rating:

| Risk | Likelihood | Impact | Risk Rating = Impact x Likelihood |
|---|---|---|---|
| Category 5 Hurricane in United States | Very Low: 1 | Very High: 5 | Very Low: 5 |

Although we considered the likelihood based on historic data, we need to consider external factors that might increase or decrease the likelihood over time.

If we dig deeper into the hurricane example, eight out of 35 Category 5 hurricanes were initiated in the North Atlantic Ocean in the last decade (i.e., 25 percent of Category 5 hurricanes in the past 10 years), which is a significant number to ignore. In 2020, it is forecasted that there will be 18 named storms, nine hurricanes and four major hurricanes compared to a 30-year average of 13 named storms, seven hurricanes and three major hurricanes. Whether it eventually happens or not, the difference is too high to disregard. Moreover, the effect of climate change will make hurricane seasons worse over the years. As we ask more questions and are presented with clearer facts, our likelihood scale is bound to change, resulting in a shift in risk rating.

Quantitative Risk Evaluation

The quantitative risk evaluation method is objective. It uses verifiable data to determine multiple risk factors and requires a heavy volume of data, specialized software and rigorous risk models.

A simple example can illustrate quantitative evaluation: California is severely affected by wildfires every year. In order to perform a quantitative fire risk evaluation, we need to characterize and combine fire behavior probabilities and effects. These probabilities are different from likelihoods based on historic data, since they depend on spatial and temporal factors controlling fire growth. The likelihood of a wildfire in a specific location is dependent on various factors, such as weather conditions, topography, forest dryness and fire direction. The fire behavior distribution requires scientific computation of these factors. The impact or effect of wildfires needs to be appraised based on a common scale of infrastructure and human values susceptible to fire. Ultimately, this will determine the investment needed to evaluate the likelihood of wildfire in that location and to minimize the damage.

It might sound like the quantitative approach is the more reliable of the two. However, both methods have equal merit. Qualitative risk evaluation should always be performed. It is the ideal way to analyze and prioritize risks that can be broadly adopted across an organization. On the other hand, quantitative risk evaluation is vital, especially in high-risk industries, such as mining, oil and gas, construction and anything that presents a threat to the safety of workers on a day-to-day basis. Indeed, it’s a legal requirement.

The following table provides the difference between the qualitative and quantitative risk evaluation methods:

| Qualitative | Quantitative |
|---|---|
| Easily performed | Objective |
| Subjective | Detailed and complex |
| Quick | Takes more time |
| Needed for smaller projects | Needed for industries with threat to safety |
| Should always be performed | Can be optional |
| Degree of overall risk is undetermined | Degree of overall risk is determined |

The above methods of identifying biases and evaluating risks for strategic prioritization may result in reducing the impact of unforeseeable events, but they can never eliminate the possibilities of a failed risk prioritization, as we have experienced in 2020.

The Global Risks Report of 2020 by the World Economic Forum (WEF) prioritized climate change and related environmental issues as the top five risks in terms of likelihood. However, we have all experienced how the global pandemic has turned our worlds upside down.

Going back to the report, if one prioritizes risk based on the Global Risk Landscape 2020 (fig II), infectious disease would be unlikely to make it onto the prioritization list. In the short-term risk outlook (fig 1.1), the pandemic doesn’t appear anywhere.


Source: Global Risk Report of 2020 by World Economic Forum

Once the pandemic is over, we will run into various biases while identifying future risks; therefore, all the methods to mitigate such biases will be critical. They won’t eradicate similar occurrences but will reduce the impact of these risk factors through better mitigation strategies.

In 2015, in a now famous TED Talk, Bill Gates repeatedly warned how we were not prepared for the next epidemic. During the Obama administration, when we experienced the 2009 H1N1 (swine flu) and 2014 Ebola outbreaks, the former president emphasized building a public health infrastructure globally to combat the next pandemic. Unfortunately, the world was not prepared for the current COVID pandemic, and we now face the irreversible consequences of poor planning and poor risk prioritization. Let’s learn from the struggles following 9/11 and create a unified effort to prepare for the next pandemic.


Yo McDonald

Yo McDonald is Vice President of Customer Success and Engagement at MetricStream. Yo is a seasoned executive in governance, risk and compliance (GRC) consulting and product solutions. She drives customer engagement and community best practices in GRC programs, fostering a culture of customer success at MetricStream.