Oboni Riskope Associates Inc.

www.riskope.com
500-1045 Howe Street
Vancouver, B.C., V6Z 2A9
Dn tIme, on budget, In controI, showIng your IeadershIp wIth sustaInabIe
capItaI expendIture, even durIng recessIons and economIc, fInancIaI
crIses.
PIskope can aIso heIp you soIve Insurance denIaI sItuatIons addIng vaIue to you
exIstIng rIsk assessments, rIsk regIsters, EPh In an IngenIous way.
y Franco Cesar DbonI, DbonI PIskope AssocIates Inc. Vancouver, www.rIskope.com
We will use Ior this discussion Operation Ten (OT) belonging to our client AAA Inc. (AAA)
(names, locations and risk names have been altered to respect client's conIidentiality), let's say a
large production Iacility which oI course uses external transportation networks, commercial
wharves, and receives energy, supplies and chemical Irom the 'world to work in its processing
plant. What this industry actually produces, its geographic location etc. does not matter, Ior this
discussion. Whether OT is a project (Project Risk Assessment), possibly at Pre-Ieasibility or
Feasibility stage, or a thriving Operation (Operational Risk Assessment), the approach will be
conceptually the same.
OT/AAA Management Iormulated an explicit request to Riskope's (www.riskope.com) to deliver a
risk based decision making (RBDM) support study: 'The assessment will consider the particular
environment, specific location and activities of OTs facilities to mitigate risks to the environment to
a tolerable level and to establish a conceptual framework to support decisions regarding the
remediation of ***** sites. In particular, the Action Plans will be mainlv targeted to OTs decision
makers and should answer practical questions...
Riskope started by studying the Status Quo, including the level oI awareness, understanding and
sophistication oI OT/AAA and concluded that they were at par with the international consensus and
standard operating practices (SOPs) in the area oI risk assessment and prioritization. It was
however, obvious that those SOPs were not giving Management the guidance they were seeking.
A stepped approach, tested and proven over the years by Riskope, was deployed. The result oI
Riskope's study brought the Iollowing beIits and results:
The prevalent critical risks were brought Iorward in a clear, rational and deIensible way.
The number oI critical issues was shown to be smaller than originally evaluated at Status
Quo.
The insurance portIolio was shown to be poorly balanced and adjustments were proposed.
The new priority list let Management make better decisions in mitigative investments
(c)Oboni Riskope Associates Inc. Page 1 oI 8
allotment and Ireed moneys that could be better allocated elsewhere.
The methodology allows rational updating oI the probabilities when new data are gathered.
In the Iollowing sections we will go point by point through the stepped approach.
Status uo AnaIysIs: PIsk Assessmentlhanagement Approach before
PIskope's 0epIoyment
In accordance to widespread, common practices, Operation Ten (OT) uses an indexed matrix
approach (some people call this a 'heat map, others 'risk landscape/Paysage risque) to
prioritize risks compiled in a risk register (prepared with a commercial soItware) in view oI their
management. As there are no standardized versions (ISO 31000, COSO (ERM), ONR 490000
1

guidelines do not enIorce a method) oI this empirical approach, and indexes are oIten evaluated
using verbal approximations, qualitative concepts, it is necessary to brieIly summarize AAA's own
'rules beIore going into any Iurther discussion.
AAA's system uses a 5x5 classes (Irequency x severity) matrix deIined as Iollows.
As a side note, the idea oI using Irequencies instead oI probabilities (or annual probabilities) can
lead to some conIusion and misleading results. For example, a risk might not have any Irequency
(typically isolated terrorist attack, change in legislation), yet a non negligible probability to hit in
the next Iuture. A severe rainIall might have a low Irequency, but a high probability oI occurrence
with the current climate change.
As it can be seen below, stepped thresholds have been selected by AAA to deIine Iour levels oI
attention (criticality) oI risks in the matrix: Severe, High, Medium, Low.
1)http://Ioboni.wordpress.com/2010/02/17/a-discussion-oI-the-latest-coso-paper-on-the-
development-oI-organizations-resiliency-to-risk/ , http://Ioboni.wordpress.com/2010/11/10/new-iso-
31000-risk-management-principles-and-guidelines/
(c)Oboni Riskope Associates Inc. Page 2 oI 8
CIassification LeveI Characterization
Frequency 1 1 failure in over 100 years
2 1 failure in 10 to 100 years
3 1 failure in 5 to 10 years
4 1 failure in 1 to 5 years
5 more than 1 failure per year
Severity 1 $0 to $1,000,000 in costs
2 $1,000,000 to $5,000,000 in costs
3 $5,000,000 to $15,000,000 in costs
4 $15,000,000 to $50,000,000 in costs
5 more than $50,000,000 in costs
Frequency
1 2 3 4 5
1 L L L M M
2 L M M M H
Severity 3 L M M H H
4 M M H H S
5 M H H S S
A rule based on the value oI the multiplication between the Irequency and the severity indexes has
indeed been established by AAA as displayed in the Iollowing scheme.
Interestingly, OT's Risk registers delivered to Riskope (www.riskope.com) had risk ratings oI the
H,M,L categories, but none in the Severe class. For example:
Quake has severity x Irequency (2 x 2)4 which give Medium, ranked in the same class as
TraIIic Accidents (5 x 1), Acid or Diesel Oil spills (3 x 3).
Supplier's acid delivery is rated as High (3 x 412), together with Iire at Powerhouse (2 x 5),
Explosion at Boiler (2x 5), HLP leak (2 x 5).
AAA's original rating oI OT's 50 risks scenario split them into 0 Severe, 14 High, 25 Medium and
11 Low risks. Do you remember the old saying about 'crying Ior wolI? Well, with 14 High, 25
Medium, the usual reaction oI Management is to say: 'too many to cope, let's wait, or any one oI
the sixteen excuses we have discussed elsewhere
2
.
The indexed matrix approach usually gives useIul snapshots oI the operation 'risk panorama, but it
doesn't have the ability to deliver clear guidance in the selection oI risks priorities, to deIine iI
mitigation plans are suIIicient or not
3
. As a matter oI Iact, the problem oI expenditure on saIety
measures is indeed one oI allocation oI resources and cost-eIIectiveness which has to be based on
the whole spectrum oI possible events, instead oI the Maximum Credible Event, ALE (Annual Loss
Expected) or some other deterministic parameter only. (Lees loss prevention in the process
industries. ha:ard identification, assessment, and control, Volume 1, Frank P. Lees).
PIskope's Approach. STEP 1: 0efInIng PIsk ToIerabIIIty
As it has been discussed and demonstrated in various occasions
4
, the Management objectives can
only be reached iI a clear deIinition oI the tolerability thresholds oI an organization is carried out.
A series oI Iour proprietary questions designed to allow the deIinition oI tolerability was used in a
Iacilitated workshop with key personnel, including the CFO. Riskope also undertook the task oI
matching the replies to those questions with AAA's empirical stepped matrix thresholds, so as to
deIine a tolerability threshold that could be used Ior rational and transparent prioritization.
2)http://Ioboni.wordpress.com/2009/11/12/one-world-16-common-human-traits-2/
3)http://Ioboni.wordpress.com/2010/06/08/bp-crisis-rational-analysis-what-bp-did-not-perIorm/
4)http://www.slideshare.net/Foboni/generalized-tolerability-and-risk-based-decision-making-
examples-19-oct-5554686
(c)Oboni Riskope Associates Inc. Page 3 oI 8
min max
Risk Rating
Freq * Sev
Severe S 20 25
S = Severe
> 19
High H 10 19
H = High
10 TO 19
Medium M 4 9
M = Medium
4 TO 9
Low L 0 3
L = Low
< 4
PIskope's Approach. STEP 2: ConvertIng PIsk PegIster 0ata Into UsabIe
0ata
In order to move Iorward Riskope had to convert OT's matrix Irequencies into probabilities, and
eliminated the useless and conIusing indexes. Once the indexes were eliminated it became possible
to evaluate 'real risks, as the product oI probability and consequences, expressed in monetary
terms, and plot them in a probability-Consequences (Losses) diagram.
That diagram (Probability (vertical axis, a number between nil and one)- Consequences (horizontal
axis, dollars)) is displayed in Figure 1, with all OT's Risk Register scenarios, the newly deIined
tolerability curve plugged in. As it can be noted, the curve Iollows the steps oI the matrix threshold
(yellow-red limit) classes displayed here in log-log scale (reason Ior which the width and thickness
oI the boxes decreases Irom bottom leIt to top right).
Figure 1. The originaI matrix ceIIs are shown on a Iog-Iog probabiIity-consequences pIot, together
with the newIy deveIoped OT's toIerabiIity curve.
The 'total risk Ior each scenario can be calculated, and when applicable, it is possible to evaluate
which portion oI that risk lies above the tolerability as depicted in Figure 2.
Figure 2. When probabiIity and consequences of a scenario are evaIuated, the totaI risk is equaI (p*C)
to the surface of the rectangIe (sum of orange and bIue areas). The bIue area is the toIerabIe part of
that scenario, the orange part is the intoIerabIe portion. NB: the Iog-Iog scaIe requires some attention
when interpreting the reIative size of surfaces, as shown in the bar diagram at the right, in decimaI
scaIe.
(c)Oboni Riskope Associates Inc. Page 4 oI 8
The bar graph below, in Figure 3 shows, as an example, a small portion oI the risks Irom OT's
original Risk Register, with in blue the tolerable part, the intolerable part in orange, and the total
risk equal to the sum oI the blue and orange bar.
Figure 3. A smaII part of OT's originaI Risk Register, with, for each scenario, toIerabIe and intoIerabIe
risk partition.
II we plot risks Irom highest down to the lowest, the chart in the next page represents the Iirst 20
risks (Figure 4).
We can easily see Irom Figure 4 that even though some risks scenarios are overall higher (blue and
orange bar), the size oI the intolerable part (orange bar) may lead to a completely diIIerent
prioritization and respective allocation oI mitigative resources.
(c)Oboni Riskope Associates Inc. Page 5 oI 8
Figure 4. OT's Iargest totaI risks, in decreasing order from Ieft to right.
PIskope's Approach. STEP 3: PatIonaI PrIorItIzatIon of PIsks
Rational and transparent prioritization is indeed achieved when risks (above tolerability) are ranked
in decreasing order oI intolerable portion (only the orange bars), even iI the overall risk is higher,
leading to the graph displayed in Figure 5, next page.
(c)Oboni Riskope Associates Inc. Page 6 oI 8
Figure 5. OT's Risk Register risks are now ranked in decreasing order (from Ieft to right) of their
intoIerabIe part.
At this point it becomes interesting to compare the relative value oI the risks' intolerable part Ior the
allocation oI resources regarding mitigations measures.
Figure 6. ReIative vaIues of the intoIerabIe part of OT's risks.
(c)Oboni Riskope Associates Inc. Page 7 oI 8
We can see Irom Figure 6 that Iive OT's scenarios count Ior 83 oI the total intolerable risks.
We could thereIore state, at Iirst sight, that Ior every dollar spend Ior mitigation measure around 80
cents should be spent equally (or in relative proportions) Ior the 5 'Iirst risks, then the remaining
20 cents should be split equally amongst the next 16 risks. 30 scenarios should not even be
considered at this time.
In other words, among the 50 risks scenario present in OT's Risk Register, 5 should be allotted 80
oI the resources and 15 others should employ 20 while the remaining 30 should not even be
considered beIore the Iirst 20 are not brought below the tolerability curve.
When the implementation oI mitigative measures will change the risks panorama, the prioritization
will change and it will be very easy to update the rankings with the new rational allotments.
ConcIusIons
By using a newly developed OT's tolerability curve, which complies with AAA matrix classes
thresholds, and using the intolerable part oI risks as a rating parameter, we determined a new rating
which allows Ior more rational capital and eIIorts allotment.
Following the new rating it can be seen that among those 50 risks, 5 should be allotted 80 oI the
resources and 15 others should employ 20 while the remaining 30 should not even be considered
beIore the Iirst 20 are not brought below the tolerability curve. This is way more Iocused and
rational than OT/AAA's original rating oI the same 50 risks which split into 0 Severe, 14 High, 25
Medium and 11 Low risks,
II we look at a comparison, that's 5 risks sharing 80 oI the available resources, against 14 risks
sharing an unspeciIied percentage oI the available resources. Or 15 risks sharing 20 oI the
available resources, instead than 25 risks sharing an unspeciIied percentage oI the same. One other
way oI seeing it? Well, iI OT's Management have to mitigate 5 risks instead oI 14, they will be
keener to do so, and it will be done Iaster, as they do not Ieel overwhelmed.
In this paper, we have shown how your ~standard risk approach (risk assessments, risk
register, ERM) that your peers and superiors already understand and 'own can be turned into a
cutting edge competitive advantage, freeing capitals for business and production development,
leading to more easily defensible, justifiable decisions. In other words, the mantra is: stop
wasting moneys and efforts in security measures that do not pay oII, over-investing in some
mitigations and, may be, under invest in others, with, in both cases, potentially devastating
unjustified consequences. Our metric is consistent, unambiguous, and provides context Ior better
understanding your organization's risks.
Here you have a summary of the benefits yielded by the approach :
The prevalent critical risks were brought Iorward in a clear, rational and deIensible way.
The number oI critical issues was shown to be smaller than originally evaluated at Status
Quo.
The insurance portIolio was shown to be poorly balanced and adjustments were proposed.
The new priority list let Management make better decisions in mitigative investments'
allotment and Ireed moneys that could be better allocated elsewhere.
The methodology allows rational updating oI the probabilities when new data are gathered.
(c)Oboni Riskope Associates Inc. Page 8 oI 8