In what sometimes feels like a previous lifetime, I spent a number of years working in management for a large manufacturing company. As a part of our safety program, we would perform assessments of job tasks to understand the strain placed on the body. There were two categories we would measure: repetition and impact. We would then use a matrix-style grid to define the level of physical risk the tasks would have.
When we compared how often something was done against how demanding it was, we were able to understand the potential harm of a specific set of tasks. The goal was then to find ways to reduce either the impact or repetition in order to make it a safer and/or less physically demanding task for the employee.
Measuring Risk
Flash forward a few years as I moved into my current role as a security advisor. I found that my experience in measuring health risks in manufacturing overlapped perfectly with my new responsibilities in managing risk more broadly. I now use a very similar measurement system to analyze security risk.
The best way to measure potential risk is to look at both probability and consequence. Compared with the manufacturing example above, probability takes the place of repetition and consequence takes the place of impact. Understood another way, this is the likelihood that a threat will happen measured against the impact of that incident.
“The most accurate way to measure risk is to analyze BOTH probability and consequence.”
The intersection of probability and consequence is where we need to look in order to understand true risk. It will also help us best prepare for that risk through proper mitigation and response.
For example, a hurricane hitting my house would have a devastating consequence. Therefore it might seem like a big risk that I should prepare for. However, a hurricane is highly improbable because I live over ten hours from the ocean. When comparing the high consequence against the very low probability, I can now see that my risk is not as high as first thought. Alternatively, something may have a relatively low impact and seem unimportant, but a very high likelihood of happening. This results in a similar risk level.
Controlling Risk
Once we have an accurate way of measuring, we can plot levels of risk on a matrix. This allows us to focus our energy on controlling the risks that actually need to be managed. Below is an example. You can add additional levels according to your preference (e.g., Medium High, Medium Low, etc.).

Measuring risk this way allows us to avoid determining it based on our own fear or the opinions of others. We can take an intentional and thoughtful approach to managing and controlling the risks we face.
There are then two ways to control these risks. We can either reduce the probability of a threat or minimize the consequence. If a threat is either less likely or less impactful, the overall risk level reduces.
As an example: I own a motorcycle. The unmitigated risk level of an accident is probably “High.” I put it there due to the high consequence and a medium probability (because of the frequency of time spent on the bike). However, I reduce my risk level in two primary ways. First, I reduce the consequences of an accident by always wearing a helmet. Second, I reduce the probability of an accident by not driving the motorcycle if I am tired or under stress (also reduces frequency). Putting these practices in place allows me to reduce the risk level of getting into a motorcycle accident from “High” to “Medium.”
Conclusion
We will all face a variety of risks in our lives. The best response is to accurately understand both the probability and consequences. This allows us to respond from an informed perspective, with wisdom. Fear and worry are the wrong way to approach life. So too is ignoring potential problems. Instead, try taking a practical approach to understanding risk so you can improve your quality of life – and that of those around you.