BACK TO BASICS
Balancing the cost of risk and uncertainty
by Peter J. Sherman
After reading Jeffrey A. Robinson’s insightful QP article, "Keep Moving,"[1] I thought of other ways decision makers can effectively manage risk and uncertainty. Risk and uncertainty are what management is all about. If there were no risks, there would be no need for managers. In other words, if everything were certain and predictable, there would be nothing to manage.
Risk is something you can put a price on; uncertainty is risk that’s difficult to measure. Organizations tend to either be risk-tolerant or risk-averse. An organization’s tolerance of risk plays a role in how it responds to it.
Risk-tolerant organizations (that is, those offering commodity products or services) see the benefits of accepting risks as outweighing the potential harm. Organizations willing to accept higher risks may have a higher potential for return on investments. Risk-averse organizations (such as pharmaceutical organizations) are more cautious about accepting risks because risk events can cause lawsuits, negative publicity and even death.
The combination of risk (magnitude of loss) with uncertainty (probability of occurrence) creates four basic categories of risk levels that are shown in Figure 1. As the figure illustrates, organizations have four basic responses for any identified risk:
1. Risk acceptance (bottom-left quadrant). Accepting risk often is the best strategy for organizations facing issues characterized by low magnitude of loss and low probability of occurrence. For example, an organization seeking to grow its market share by distributing its software online generally accepts the inherent risks of piracy by protecting itself through secure access, limited licenses and encryption.
2. Risk transfer or avoidance (top-right quadrant). Organizations can avoid risk entirely. For example, some pharmaceutical organizations choose not to develop vaccines to avoid lawsuits spurred by claims of harmful side effects. Alternatively, organizations can transfer risk to a third-party insurance provider or supplier. This requires purchasing insurance or contractually transferring risk to an outsourced supplier.
3. Risk mitigation (bottom-right quadrant). Organizations facing circumstances of high magnitude of loss and low probability of occurrence can mitigate the probability and severity of identified risks by applying preventive measures. These include: properly designed products, facilities and processes; employee training; compliance management; preventive maintenance; business diversification; and the creation of redundant systems. Organizations also may use contingency plans to minimize the monetary, physical or reputation damage from risk events.
4. Risk mitigation (top-left quadrant). Organizations facing circumstances with low magnitude of loss and high probability of occurrence also may mitigate risk by implementing the preventive measures outlined in No. 3.
Before deciding on a response to the identified risk, an organization must balance the cost of the risk response against the risk level. The resources expended to mitigate risk should be less than the consequence of inaction.
Risk level is commonly described using the following cost justification formula:
Risk level = probability of occurrence x magnitude of loss.
For example, a 5-year-old piece of equipment valued at $100,000 has a 10% probability of breaking down in the next 12 months. The risk level can be quantified at $10,000 ($100,000 x 0.10). The response should cost no more than $10,000.
Quality professionals can use this formula when presenting plans and budgets for approval. Keep in mind that cost justifications are not always as simple as doing math. Understanding the context is critical. For example, product liability insurance often costs more than the expected value, but the insurance is justified because the potential loss is so great. The bottom line is that managers who understand risk and uncertainty will better manage the organization.
[1] Jeffrey A. Robinson, "Keep Moving," Quality Progress, November 2012, p. 71.
Peter J. Sherman is the director of Process Excellence with Cbeyond Communications in Atlanta. He earned a master’s degree in civil engineering from the Massachusetts Institute of Technology in Cambridge and an MBA from Georgia State University in Atlanta. A senior member of ASQ, Sherman is a certified Lean Six Sigma Master Black Belt, an ASQ-certified quality engineer and an Association for Operations Management-certified supply chain professional.