• Riskope International


Two blasts have rocked saw mills in B.C. in recent times. One in January leveled the Babine Mill (Burns Lake), the other in April destroyed Lakeland Mills (Prince George).

In both cases, unfortunately, there were casualties.

In both cases, the blasts were apparently due to sawdust.

In both cases official inquiries are still ongoing, but the media have been filled with hypotheses and discussions. Reportedly (Globe and Mail, April 27th) “the B.C. Government waited until the second catastrophe this week to issue province-wide guidelines, inspection regimes, deadlines and, possibly, new regulations”. Reportedly (same source) “when an explosion and fire tore through the Burns Lake mill, owners of other mills across the B.C. Interior -including Lakeland- looked at housekeeping and upgrades to address the potential risk (NB: improper technical language: should read potential hazard, the difference is important, see below!) of sawdust explosions at mills working with dry wood killed by pine beetles”; “safety experts noted the potential risk (NB: improper technical language: should read potential hazard, the difference is important, see below!) of sawdust after the January explosion at the Burns Lake sawmill”; “the industry has already been struggling with a massive shift since the mountain pine beetle began the widespread destruction of B.C. Forests”.

Also, the Globe and Mail (April 28th) quotes Margaret MacDiarmid, the province's Labour Minister, saying that “Burns Lake fire had appeared to be unique, pointing to the cold snap in January that had forced the mill to close its windows, increasing the hazard of a dust explosion”.

Out of respect for all parties involved, and for scientific rigour, we will not discuss the general foreseeability of such an event (Globe and Mail, April 26th reports for example: “in 2009 an inspection report found that Lakeland had not been monitoring worker exposure to wood dust…”), possible explosion triggers, possible preventative actions, post-catastrophe measures, or possible responsibilities.

Instead we will focus our attention on some Risk Management points.

  1. Many industries, regulatory bodies, organizations keep confusing “risks” and “hazards”. As far as we know, no risks were formally evaluated for the mills, but hazard inspections, at best, were performed. To use a very simple language, “hazard is something that has potential to go wrong”, whereas “risk is the combination of a hazard with its potential consequences”. The confusion can lead to opposite “equally inappropriate” results:

    a) If the environment is overly optimistic, looking at hazards is conducive to rejecting any preventative action on the basis of “it’s just a hazard like any other… we live with them every day”… and things will remain as they are until an accident happens.
    b) If the environment is overly pessimistic then excessive preventative actions will be taken, with potential loss of competitiveness.

  2. If risks had been evaluated (properly) instead of just looking at hazards, it would have emerged that a sawdust-triggered explosion (due to any reason), and the resulting fire, had the potential to generate casualties and destroy the plant. Most likely anyone would have considered that event intolerable, and things would have been corrected long ago.

    a) Well balanced regulations are risk based rather than hazard based.
    b) Risk Based Decision Making (RBDM) is a discipline that warrants proper scientific approaches. It is not “improvised”; it requires skills. Methods should be “enforced” rather than resorting to knee-jerk reactions.

  3. When performing Risk Analyses for industries around the world Riskope is often confronted with “long chain” domino effects. From what we have read to date, the explosions’ root causes could both be “climate change” based:

    - the size and severity of the pine beetle outbreak and
    - the cold snap

    can indeed be considered somehow linked to global climate change.

    We do not believe any serious professional would ever claim that such a scenario (starting with climate change… down to sawdust explosions) could have been foreseen. However, if during a Risk Assessment site visit significant volumes of sawdust had been seen, a fire or explosion scenario would have been generated (it is not important to define the cause of the dust), potential consequences evaluated, etc. (see points 1 and 2 above).

    It is time industries start looking at their risks in proper rational ways. Risk Assessment techniques will pave the way to safety, security, competitiveness and long term sustainability.

    A sustainable industry is an industry that can keep working without a break. Avoiding catastrophic accidents is the first step toward sustainability.

Evolution of Risk Management and Risk Managers

Twenty years ago positions like “Risk Manager” were often considered “glorified secretarial” positions. We remember some senior corporate officers calling Risk Managers: “the insurance guy”!

Twenty years later, lots of pain and effort have brought the Risk Manager position to be acknowledged as a V.P. position in many companies around the world. Many Risk Management Societies and non-profit organizations in the domain of risk management claim, we believe rightly so, that Risk Managers are the officers that best know their company, and should therefore be embraced, cherished and promised to the shiniest corporate future.

As we have followed and coached/advised some very successful Corporate Risk Managers for two decades now, we might as well tell you another side of the story.

It cost us a lot of effort and convincing to bring our clients to accept that the Corporate Risk Manager (and her/his advisers) should be called in before inception of a project, at early pre-feasibility stages, to avoid the nefarious effects of poor understanding of future risks.

Project teams, often simply too busy to stop and ask the right questions, or simply not skilled in the art of predictive risk management, are oftentimes entangled in conflicts of interest (if the project is aborted, they will lose their job, their bonus, after all). They have indeed quite a record of projects turned nightmares for their owners, because of “pain in the neck” type risks, sometimes bigger accidents and series of quite foreseeable mishaps.

I guess that that battle has now been won, at least with our most clairvoyant clients!

Unfortunately, there is the next one, right here on the table, right now, and it’s a big one!

That new battle is called “cyber risks”.

They are unfortunately considered to be, most of the time, a technical (IT) issue and are kept away from the reach of the Risk Manager.

If on one hand this “exclusion” can be the result of corporate turf wars, where the IT guys hate to see Risk Managers stick their noses into their very own private technological castle, on the other there is a critical reality: IT has become so pervasive, and SCADA and computers (dedicated or not) so ubiquitous, that systems can be linked to the internet even if they have been “forgotten” somewhere in the plant, because of maintenance activities, etc. The look of the Corporate Risk Manager, a person who asks “silly non-tech questions” and possibly has some adviser who asks even more and nastier ones, will help limit the chances of a successful attack, and thus profit the corporation enormously.

If furthermore a program like the one Riskope has designed for a European Ministry of Defence anxious to put in place a holistic country-wide cyber risk management approach is deployed, the least we can say is that corporations will have very seriously increased their resilience, sustainability (in terms of being able to sustain operations in the longer term), and, of course, their competitiveness.

Protecting Critical Infrastructure Against Cyber-Attacks

Riskope was invited to give a talk in Switzerland at the Geneva Dialogue 16th-17th of April 2012. That conference was geared toward Critical Infrastructure Protection, Resilience Enhancement, Strategies for the Future with participants from Canada, China, various European countries, Mexico and the USA.

Riskope presented “Risk Management: steering your organization through difficult times” (presentation available for free to registered blog users on demand) where we showed how standard heat maps, probability impact graphs (PIGs) and other indexed approaches fail to fulfil the needs of governments and corporations willing to properly evaluate and keep up to date holistic (enterprise-wide) risk assessments (ERM), optimize their risk exposures to gain a critical competitive edge, and steer away from downturns or crises.

A real-life case study was presented where it was shown how predictive knowledge about the depth and duration of the economic recession, originally published by Riskope in the fall of 2008, can be integrated into an ERM approach. In the same approach various cyber risks can be integrated as well, allowing a process of rational mitigative decision making to take place.

PIGs, as stated earlier in this blog and in other publications simply do not allow the depth, transparency, rationality and repeatability offered by Riskope’s Optimum Risk Estimates (ORE) approach.

Resilience: A new buzzword? Discussing the differences between risk and resilience improvement studies.

Let’s start by asking ourselves if our book “Improving Sustainability through Reasonable Risk and Crisis Management” (Oboni F., C. Oboni, ISBN 978-0-9784462-0-8, 2007, www.oboni.net) could have been entitled instead “Improving Resilience through Reasonable Risk and Crisis Management”?

First of all let’s note that some authors rightly consider and explicitly state that Risk Assessment/ Risk Management are the first step towards a resilience improvement study, and remain at the heart of any attempt to increase the resiliency of a system. We also note that Riskope’s approach has always covered risks as well as crises, and we have always encouraged our clients to establish Crises Plans/ Business Resumption and Continuity Plans, Disaster Recovery Plans, based on scenarios developed during Riskope’s studies.

After a wide spectrum literature search, it appears that a first major difference between a “classical” (meaning “current”)  risk mitigation study and a “pure” (meaning “extreme”) resilience improvement study lies in the fact that the second does not examine in detail the causes of negative outcomes against which the system has to be protected.

That approach sounds however rather simplistic, as shown in the following example: assume that the subject under scrutiny is a ship-loader and that the metric for risk is business/ service interruption (BI). In a risk assessment we will seek to assess the probability of occurrence of certain BIs and formulate scenarios capable of producing them aiming then to define appropriate risk mitigation measures. A resilience improvement study would instead define what should be done to reduce the impacts of a BI of more than, say, 1,000 hours, regardless of the cause. Of course, without knowing what caused the arbitrarily selected 1,000 hours BI, it would be difficult to imagine how to protect the system! Undoubtedly, if the cause was for example a local fire, which would leave the entire adjacent civilian infrastructure intact, we would be in a very different situation than in the aftermath of a major earthquake or a nuclear accident “Fukushima-style”!

The only “excuse” to justify the use of “extreme” resilience improvement studies rather than a risk mitigation study seems to be the ability to prepare protective plans for events with a very low estimated probability; as a matter of fact, the slogan used by promoters of this approach is “let’s think about the unthinkable”. So, we could say that “extreme” resilience improvement studies would protect users against the “Human universal optimism” trend in the estimation of probabilities. Unfortunately, we Humans also have very short memories, and bad habits such as considering rather common events as Black Swans would push users of “extreme” resilience improvement studies to unsustainable mitigative investments. Let’s not forget that a proper, logical risk assessment process defines scenarios and pushes the reasoning to “think about the unthinkable” as well, where “unthinkable events” have a probability -p- set at the limit of human credibility (10⁻⁵ (one in a hundred thousand) to 10⁻⁶ (one in a million)), a range that is “universally agreed” across many industries. No need to invent “new unthinkable” stuff!

“Extreme” resilience improvement studies bypass the risk scenario definition and look at possible extreme damages (Consequences -C-) caused by unspecified “catastrophes”, placing themselves systematically at -Max C-, with -p- as low as an unspecified “unthinkable” can be, regardless of the scenario that could have led to this point… asteroid, terrorist attack, etc. Resilience improvement studies thus avoid relying on probability estimates, which, if presented improperly or ill-conceived, might give a false impression of precision. Instead they look at major-consequence scenarios, and discuss how to mitigate them.

If this seems to constitute a very conservative approach, it is very likely that it would lead to higher “unjustified” mitigative costs, and almost certainly to a biased allocation of funds, compared to what would result from a proper risk assessment taking into account estimates of the probabilities of occurrence.

Some resilience improvement studies seem to follow a more balanced process: they analyze the hazards, develop a list of possible scenarios, and define p, C for each scenario; however, they generally end up biasing towards unspecified small p / large C scenarios.

It can be concluded on this basis that resilience improvement studies and risk mitigation studies are virtually identical except for the phase of risk prioritization and decision making / action plan. Naturally, as already in proper day-to-day practice, risk mitigation studies will address extant mitigative measures and controls (NB: in fact, these controls and mitigations are already part of the system’s resilience).

Resilience is generally defined as the:

“Capacity to maintain the continuity of activities even in the face of threats, disaster, and adversity…”

 So a resilience improvement study has to formally include actions that are already part of good management practices such as Business Continuity and Resumption Plans, Recovery Plans, Disaster Recovery, etc. …

 These points having been clarified, the first question still remains open: what distinguishes a risk mitigation study from a resilience improvement study?

 In Riskope’s (www.riskope.com) daily practice studies, for example on logistic nodes (critical infrastructure) such as mineral ore ports, risk studies consistently turn in the direction of resilience because, if a disaster strikes the node, it is essential to ensure operations continuity with alternative solutions/routes. We would even say that a good Risk Management approach must necessarily lead to solutions aimed at increasing resilience to avoid massive and too costly insurance contracts. Incidentally, if an industry is hit by disaster, and is unable to react, thus displaying insufficient resilience, it will have its image severely tarnished, perhaps forever!

 This view is also supported by other professional groups / researchers, such as, for example, http://www.cmcc.it/research/research-projects/concluded-projects/freeman , T. Mitchell and K. Harris, Resilience: A risk management approach, ODI Background Notes, January 2012; S. McManus et Al., Resilience Management, A Framework for Assessing and Improving the Resilience of Organisations, Resilient Organizations, New Zealand, Research Report 2007/01.

 At this point let us note that none of the elements listed above (Business Resumption/Continuity Plans, Recovery Plans, Disaster Management, etc.) has the power to change the cost of the immediate consequences of an event, but they may strongly influence the time to recovery, which causes a reduction of -C-. Note also that none of the above alters the value of -p-, whatever it might be.

 So ultimately it is not really necessary to invent new buzzwords to solve problems that we have known how to solve for a long time!

Resilience: A new buzzword? A discussion of the differences between Risk studies and Resilience studies.

Let us begin by asking whether our book Improving Sustainability through Reasonable Risk and Crisis Management, F. Oboni, C. Oboni, ISBN 978-0-9784462-0-8, 2007, could have been called “Improving Resiliency through Reasonable Risk and Crisis Management”. Let us note from the outset that some authors consider Risk Assessment/Risk Management to be the first step towards a Resilience study, and that they remain at the heart of any attempt to increase the Resilience of a system. Let us also note that the methods Riskope has been deploying for years with our clients cover both risks and crises, and that we always encourage our clients to put in place crisis and post-disaster restart studies, following the results of the risk studies.

After reading abundant literature on the subject, it appears that a first major difference between a “classical” (in the sense of current) risk mitigation study and a “pure” (in the sense of “extreme”) resilience improvement study lies in the fact that the second does not look in detail for the causes of the negative outcomes against which one wishes to be protected.

That seems rather simplistic, however, as the following example demonstrates: suppose that the object of analysis is an ore ship-loader and that the risk metric is service interruption (BI). In a risk study one will seek to evaluate the probabilities of occurrence of certain BIs and will formulate scenarios capable of producing them, in order to manage them as well as possible with risk reduction measures. In a resilience improvement study one will define what should be done to reduce the impacts of a BI of a certain magnitude (for example of more than 1000 hours), without regard to the cause. Of course, without knowing what caused those 1000 hours of BI, it is difficult to imagine how to protect oneself! If the cause were, for example, a fire, hence a localized effect that left all the adjacent civil infrastructure intact, the case would be very different from that of a major earthquake or a nuclear accident!

The only “excuse” to justify resorting to a resilience improvement study instead of a risk mitigation study would be that of having a studied and implementable alternative in case an event whose probability of occurrence was considered negligible from the outset were to strike the ship-loader. This would shelter the user from the “universal tendency to optimism” in the estimation of probabilities. The logical path followed by a risk mitigation study is to define scenarios and to push the reasoning as far as “think about the unthinkable”, where unthinkable means events that have a probability -p- at the limit of credibility (10⁻⁵ (one in a hundred thousand) to 10⁻⁶ (one in a million)).

“Pure” resilience improvement studies, on the other hand, bypass this step of formulating scenarios and look only at the possible damages (Consequences -C-) due to an unspecified “catastrophe”; they therefore place themselves at MaxC, with p at the limit of credibility (10⁻⁵ to 10⁻⁶), without regard to the scenario that could have led to this point… asteroid, terrorist attack, etc. In doing so, resilience improvement studies avoid relying on inaccurate probability estimates, which could give a false impression of precision. They will look at the major consequences and discuss how to avoid them, rather than let themselves be guided by scenarios.

If on the one hand such an approach seems very prudent, on the other it is possible that it would eventually lead to higher “unjustified” management costs, and almost certainly to a biased allocation of funds, compared with a risk mitigation study that takes the probabilities of occurrence into account.

The resilience improvement studies that thus seem to follow a more balanced path analyze the hazards, develop a list of possible scenarios, define p, C for each scenario, then apparently bias themselves towards dealing with small p/large C only.

On this basis one can conclude that a resilience improvement study and a risk mitigation study are almost identical, except for the phase of risk prioritization and decision making/action plan. Naturally, as is already the case in everyday practice, the risk mitigation study will take into account controls and mitigative measures that are already in place in the system (NB: indeed, these controls and mitigations already constitute part of the resilience).

But complete resilience is defined as:

“…the capacity to maintain continuity of activities even in the face of threats, disaster, and adversity…”

…so a resilience improvement study must formally include elements that are already part of good management, such as Business Continuity Plans, Business Resumption Plans, Disaster Recovery Plans, etc.

These points having been clarified, the first question still remains open: what distinguishes a risk mitigation study from a resilience improvement study?

In Riskope’s (www.riskope.com) daily practice, in studies bearing for example on logistic nodes (critical infrastructure) such as ore ports, risk studies systematically turn towards the resilience study because, in case of a catastrophe striking the node, it is fundamental to guarantee the continuity of operations with alternative solutions. One would even dare say that a good Risk Management study must necessarily lead to solutions aimed at increasing resilience, in order to avoid massive and overly costly recourse to insurance contracts. Let us note in passing that an industry struck by a catastrophe and unable to react, hence with little resilience, will see its image tarnished, perhaps forever!

This point of view is also supported by other groups of professionals/researchers, such as, for example, http://www.cmcc.it/research/research-projects/concluded-projects/freeman , T. Mitchell and K. Harris, Resilience: A risk management approach, ODI Background notes, Jan 2012; S. McManus et Al., A Framework for Assessing and Improving the Resilience of Organisations, Resilient Organisations, New Zealand, Research Report 2007/01.

At this point let us further note that none of the elements cited above (Business Resumption Plans, Disaster Recovery Plans, etc.) will change the cost of the immediate consequences of an event, but that its duration can be strongly influenced by well-made plans, which leads to a reduction of -C-. Let us also note that none of the above elements changes -p-.

So, in the end, it is not really necessary to invent new buzzwords to solve problems that we have known how to solve for a long time!

Avoid liabilities by using Optimum Risk Estimates

In one of our recent posts we published a series of embarrassing questions that could arise in Court if you had used PIGs… here is how you would reply if you had used ORE instead.

1) So, on which basis did you decide that the probability of the event was “medium” , and more importantly, how did you evaluate the probability of the events? By using ORE we did not define classes, rather we ranked risks by looking at their possible intolerable part for the specific case. Probabilities were defined by methods which are applicable to available data sets, by selecting the most appropriate methodology for each scenario. Inevitable uncertainties were given due consideration as ranges of probabilities were considered and the ranking was based on maximum intolerable risk.


2) Which is the basis for defining the consequence (loss) classes? How did you end up considering that 20M$ loss was worse than 5 casualties and had to be used as the driving parameter for the selection of the consequence class? By using ORE we did not need to define consequence classes. We did not need to arbitrarily select “the worst” between a physical loss or human losses, or environmental losses. Rather we used well established methodologies to define multi-parameter functions (or, as an alternative style of application: we kept physical/environmental losses separated from human losses).


3) Which studies did you develop to define the various classes limits? On which basis did you select the limits? See above.


4) Why did you limit the highest class to -x- casualties and -y- millions? What about any scenario that would overcome that value? Did you imply it does not exist? We did not do any of the above; we avoided those pitfalls by using ORE, which does not set an arbitrary upper limit to losses.


5) …is the method you used “State of the Art”? Is it compliant with Risk Management Standard (ISO, COSO, ONR)? ORE takes into account the latest literature on the subject, avoids all PIGs pitfalls, and is compliant with international standards insofar as it uses a well defined glossary and definitions, and is a logical development based on sound mathematics and logic.


6) What led you to use ORE? We decided to use ORE because we understand the limitations and gross conceptual mistakes linked to using PIGs, and we refuse to do what everyone does as we recognize that common practice is not an excuse for negligent approaches.


7) Commercial PIGs software generally bear a disclaimer saying: “beware users”…this software is just a way to display an information treatment that is common use….That’s logical, and ORE applications are not different. However, the ORE designers know that those notes are not written to cover a fundamental pitfall of ORE, but rather to protect from abusive assumptions on data made by the end-user.


8) Which criteria did you use to select the colours of your cells, which correspond to various levels of criticality? If we understand well, your criticality criteria is used as a pseudo tolerability criteria, whereby red color means highest risk, that should be dealt with, mitigated immediately, yellow means attention and green means “they are ok”, right? We did not do any of that by using ORE. Our tolerability criteria was established using repeatable methods specifically for the client’s operation under consideration.


9) There are numerous tolerability criteria published since the mid ’60s. How come your color threshold does not match any known tolerability criteria, and how come that cells overcome or straddle those tolerability criteria? There are no cells in our ORE, no colors, and our tolerability criteria either matches well-known societal thresholds, or uses specifically developed threshold (for physical losses) which suits client’s organization needs and requirements.


10) Using “credible scenario” is a censoring decision. How come you felt entitled to censor your analysis? We did not censor our scenarios using ORE.


11) Using “average p, C” is a biasing decision. How come you felt entitled to bias your analysis towards the center for each single scenario? We did not do any of that. It was not necessary to do that with ORE.


12) In your opening statement you say that scenarios entering in your PIG have to be credible scenarios. What threshold to credibility did you use? How does it match with your PIGs cells limits? By using ORE we considered a threshold of 10⁻⁵ to 10⁻⁶ as the credibility threshold for scenarios, which is compliant with best practices in highly regulated industries, like, for example, chemical processing. We did not run into the conundrum you describe, which arises when using PIGs.

At the end of this drill, we can say that the user/you will be feeling in a strong position to further argue the case because you have used State of the Art methodologies and referred to well-known published rules.

Should the rules change, it will be easy to assess the changes, if you use ORE.

Using ORE is a winning strategy.

Do not wait any further. It’s most likely easier than you think to upgrade from PIGs to ORE!

Contact us.

Is it true that PIGS can fly?

Despite their notoriety, “Risk Matrices”, Probability-Impact Graphs (PIGs), “Heat Maps”, have critical and potentially damaging intrinsic problems. That’s what Oboni Riskope Associates Inc. have learned thanks to two decades of Risk Assessments for extremely interesting and unusual projects awarded by a number of forward thinking clients.

When looking at Risk Assessments of operations, plants, networks, we can affirm that PIGs (we will use the acronym generically, to also include risk matrices and heat maps) do not fly. They are misleading and could get you/your company straight in front of a Judge.

Oboni Riskope Associates Inc. is not the only entity to recognize this. Academia and other consultants around the world are indeed starting to publish, or have already published, papers going in the same direction.

The presentation (or the PDF) Oboni Riskope Associates Inc. has prepared first reviews experience gathered in the last twenty years, and then shows point by point the fallacies of PIGs, “Risk Matrices”, Probability-Impact Graphs (PIGs), “Heat Maps”.

Fortunately, Riskope has developed a viable, proven, transparent alternative to PIGs which is explained using a real life Risk Assessment. Happily, ORA’s alternative can reuse most of the work you have already developed to establish your PIGs.

With ORA’s Optimum Risk Estimates you will be able to upgrade the existing corporate risk register and to steer your company towards a rational, defensible and transparent stance.

You cannot allow yourself/your company to use a delusive tool, carrying potentially damaging legal liabilities.

Arbitrary selections in Risk Management are a liability.

We can see a day when a case will be challenged in court against a company that used Probability Impact Graphs (PIGs) for their risk assessment. The questions that could be asked will be horribly embarrassing and very damaging to the PIGs’ user, as they will tend to prove that the approach constituted a professional negligence, due to the breach of Duty of Care.

Here is a preliminary list of questions that could be asked:

  1. So, on which basis did you decide that the probability of the event was “medium” (or “pink”) or whatever your PIG shows, and more importantly, why did you neglect to use any of the methods, published from the ’80s on about (subjective, expert driven) approximations of probabilities?
  2. Which is the basis for defining the consequence (loss) classes in your PIG? How did you end up considering that 20M$ loss was worse than 5 casualties and had to be used as the driving parameter for the selection of the consequence class? Methodologies to define multi-parameter functions have been published at least since the ’80s, why didn’t you use them?
  3. Which studies did you develop to define the various classes limits of likelihood, losses? On which basis did you select those limits?
  4. Why did you limit the highest class to -x- casualties and -y- millions? What about any scenario that would overcome that value? Did you imply it does not exist?
  5. …in your statements you mentioned that PIGs correspond to State of the Art, yet we do not know any Risk Management Standard (ISO, COSO, ONR) that would formally advise to use PIGs, neither we know of any standard formal definition of PIGs, class limits, methods to define class limits.
  6. So, did you use PIGs just because every one uses them? Are you saying that PIGs are State of the Art? (NB: SoA is the highest level of development at a particular time (especially the present time); NOT what is done by the most!). PIGs are not SoA, they might be assimilated to “common practice”, or “standard practice”, BUT there is ample evidence that appeals to Common Practice constitute a fallacy: using PIGs because every body seems to do so is not a justification!
  7. Commercial PIGs software generally bear a disclaimer saying: “beware users”…this software is just a way to display an information treatment that the user produces…the software house does not bear any liability…
  8. Which criteria did you use to select the colours of your cells, which correspond to various levels of criticality? If we understand well, your criticality criteria is used as a pseudo tolerability criteria, whereby red color means highest risk, risks that should be dealt with, mitigated immediately, yellow means attention and green means “they are ok”, right? What criteria did you use to define those levels of criticality?
  9. There are tolerability criteria published since the mid ’60s. How come your color threshold does not match any known tolerability criteria, and how come that cells straddle those tolerability criteria?
  10. Using “credible scenario” is a censoring decision. How come you felt entitled to censor your analysis?
  11. Using “average p, C (loss)” is a biasing decision. How come you felt entitled to bias your analysis towards the center for each single scenario?
  12. In your opening statement you say that scenarios entering your PIG have to be credible scenarios. What credibility threshold did you use? How does that threshold match your PIG’s cell limits?
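
The straddling and capping problems raised in questions 4 and 9 can be shown on a constructed 5x5 matrix. This is an added example, not Riskope's or ORA's method; the class limits, the constant expected-loss tolerability line and the four scenarios are all assumptions made for illustration.

```python
from bisect import bisect_right

# Constructed class limits: upper bounds of classes 1-4; class 5 is open-ended.
P_LIMITS = [1e-4, 1e-3, 1e-2, 1e-1]   # annual probability
C_LIMITS = [0.1, 1.0, 5.0, 20.0]      # loss, M$
# Assumed tolerability line: constant expected loss p*C, in M$/year.
# Published criteria have other shapes; this is the simplest stand-in.
TOLERABLE = 0.03

def pig_cell(p, c):
    """Map a scenario to its (probability class, consequence class), each 1-5."""
    return bisect_right(P_LIMITS, p) + 1, bisect_right(C_LIMITS, c) + 1

def tolerable(p, c):
    return p * c <= TOLERABLE

def straddling_cells():
    """Cells whose lowest and highest corners lie on opposite sides of the line."""
    p_edges = [0.0] + P_LIMITS + [1.0]
    c_edges = [0.0] + C_LIMITS + [float("inf")]
    cells = []
    for i in range(5):
        for j in range(5):
            lowest = p_edges[i] * c_edges[j]
            highest = p_edges[i + 1] * c_edges[j + 1]
            if lowest < TOLERABLE < highest:
                cells.append((i + 1, j + 1))
    return cells

# Constructed scenarios: (name, annual probability, loss in M$).
SCENARIOS = [
    ("A", 2e-3, 2.0),      # same cell as B, tolerable
    ("B", 9e-3, 4.5),      # same cell as A, intolerable
    ("C", 5e-5, 25.0),     # top consequence class, tolerable
    ("D", 5e-5, 2500.0),   # same top class, 100x the loss, intolerable
]

def report():
    return [(n, pig_cell(p, c), tolerable(p, c)) for n, p, c in SCENARIOS]

if __name__ == "__main__":
    for name, cell, ok in report():
        print(name, cell, "tolerable" if ok else "intolerable")
    print("straddling cells:", len(straddling_cells()), "of 25")
```

With these assumed limits, nine of the 25 cells contain both tolerable and intolerable scenarios, so a single cell colour cannot stand in for a tolerability decision.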

At the end of this drill, we doubt the user/you will be feeling in a strong position to further argue the case. We believe the user would be facing unpleasant consequences because his behavior has been negligent.

Remember, State of the Art is not what everybody does…and common practice is not an excuse; appealing to it constitutes a fallacy.

Do not set yourself up to be the loser by confusing “what everybody does” with State of the Art.

We will soon publish a post explaining how you can avoid these pitfalls.

Our judgements are clouded by prejudices and misconceptions.

We humans often assess the probability of an event by asking ourselves if there are “cognitively available” examples (i.e. readily available through memory), as Kahneman (Nobel Prize in Economics) and Tversky demonstrated in a series of papers published between 1971 and 1984, among which the most popular is likely the one entitled “Prospect Theory” (1979, quoted at page 212 in our book).

The phenomenon highlighted by Kahneman and Tversky is called the “availability heuristic” and is one of the well-known cognitive biases that plague us humans when we are confronted with decisions under uncertainty.

That’s most likely why the 2008 recession was considered unheard of, a Black Swan: just because most people did not remember (were not even born) in 1929! The Black Swan “fad”, as we have demonstrated in earlier blog posts is indeed based on Humans having “short memory” and considering the last events as “unique”.

Sometimes we are forced to use availability heuristics because available data are indeed very scarce and only recently gathered, but reliable statistical evidence will systematically outperform “intuition” when “looking backwards” in time to past events to draw conclusions.

Looking backwards, however, is not enough. It is actually critically limiting and incomplete when we are confronted with managing the risks of corporations and projects. A good risk assessment has to be “looking forward”, examining “classic” scenarios and hypothetical ones that have not yet occurred, or not yet occurred with larger magnitudes, to make management decisions.

Over the last five decades or so the risk management community has settled on representing the results of Risk Assessments with Probability Impact Graphs (PIGs), risk matrices and “Heat Maps”, which have a number of staggering intrinsic conceptual errors, with potentially dramatic consequences for their users. Voices are being raised in various parts of the world to discuss these fallacies, but they remain for the most part unheard.

The continued “main stream” reliance on inappropriate techniques like PIGs, and being satisfied with their results or using intuition to correct PIGs’ evident fallacies, is simply another manifestation of the ways, explored by Kahneman and Tversky, in which we humans introduce irrelevant criteria into decision-making.

As a matter of fact, Kahneman and Tversky have explored in detail how human judgement can be distorted when making decisions under uncertainty: humans tend to be risk-averse when facing the prospect of a gain, and paradoxically risk-prone when facing the prospect of a loss (even if the loss is almost certain to occur)! So, using improper methods like PIGs, which almost surely will lead to confusion, losses and poor planning, sits well with “main stream” human nature.

So, “now that we know that we do not know how to know better”, the whole idea of building a rational prioritization on top of existing PIGs, as they stand in most industries, or after enhancing them, comes out as a clear winner: by deploying rational prioritization we give a rest to our scientifically proven fallacious intuition, allowing our rational ego to make better informed solutions! Do not be “main stream”: belong to the small elite that adheres to stricter cognitive standards and make your industry thrive and prosper.

We will soon publish a post explaining how you can do that.

Systemic Organizational Constellations (SOC) Strengthen Your Organization/Project From Within

Riskope has teamed up with an international expert in the systemic organizations’ approach and offers a new format of educational seminars aiming at making you and your organization/project reach new heights toward organizing a serene, well-balanced, sustainable and profitable future.

What about your team being able to simultaneously acquire the basis for a rational and scientific approach to risk prioritization and management, while becoming aware of any systemic obstacles that would render implementation difficult, how to solve them and how to develop new dynamics within the organization?

Riskope can indeed strengthen your organization/project from within through a new kind of seminar.

As a man/woman of great experience you know from history, compelling studies (Harvard School of Business, etc.) and recent events (stock market, financial crashes, BP gulf oil spill, various political debacles) that lack of preparation in terms of risk and crisis management can lead to critical, sometimes intolerable situations. Those events and studies have also shown that prepared organizations survive more successfully and maintain leadership and control.

Being prepared means having a clear(er) idea of your risk priorities and having in place the right impact prevention and reduction plans. Prioritization on a sound scientific basis and the resulting robust planning cost a fraction of the insurance premiums you pay year after year without blinking an eye, and certainly less than the biased, intuitive prioritization based on approximate concepts that we encounter among clients entrusting their future to commercial software, or following advice from “past oriented specialists”.

However, the path to rational, prioritized risk and crisis management is often complicated, precisely “from within”, by systemic obstacles, by somewhat erroneous perceptions of the complexity of the endeavor, or by any of the recognized biases (19 social, 8 memory, 42 decision-making and 36 probability/belief).

Your team will be able to simultaneously acquire the basis for a rational and scientific approach to risk prioritization and management, while becoming aware of any systemic obstacles that would render implementation difficult, how to solve them and how to develop new dynamics within the organization. Look at the course brochure.
