Risk professionals know that the fundamentals of risk management involve measuring the likelihood and impact of individual risks. The information is then used to create heat maps allowing organizations to determine the high priority risks to control. In addition, for each individual risk, the sources/causes and consequences are used to create bow tie analysis. Add control measures and residual risk, and you can easily be overwhelmed by all the information required to include in your corporate Risk Register and to track Key Risk Indicators (KRIs). But is there another variable that some risk professionals may have overlooked?
Introducing Risk Velocity
Some risk experts are strong advocates of the need to track “risk velocity” as a matter of principle. To understand risk velocity, let’s take a little lesson in physics. The definition of velocity is:
“A measure of the rate of motion of a body expressed as the rate of change of its position in a particular direction with time.”
To simplify further, velocity means how fast something is going over a particular distance and in a particular direction. In the realm of Risk Management, risk velocity indicates how fast a risk may affect an organization. As part of risk assessment, velocity can be measured using a qualitative analysis (High, Medium, Low, etc.), or a quantitative analysis (Hours, Days, Months, Years, etc.). Here are a couple of examples at both ends of the spectrum, to help you understand the concept:
Very High Risk Velocity: Chemicals are not stored in adequate conditions at a facility, resulting in an adverse chemical reaction. The consequences are almost immediate: 1) Explosion, 2) Fire, 3) Worker injury or fatality if any workers are on site, and 4) Immediate interruption of operations at that particular facility.
Very Low Risk Velocity: An ageing workforce with critical subject matter expertise is expected to retire over the next 2-3 years. The consequences would be experienced in the long-term: 1) Loss of knowledge, 2) Loss of productivity, and 3) Potential product quality issues.
Other types of risks with low velocity include risks that can lead to loss of market share to competitors over time, and long-term reputational risks. However, in the case of reputational risks, social media and the 24-hour news cycle have changed their risk velocity.
Evaluating Risk Velocity
Now that we have explained risk velocity, let’s look at various ways in which it can be evaluated. The easiest way would be to simply factor risk velocity into the impact score. The quicker the consequences or impacts are felt, the higher the score, and vice-versa. Other risk experts suggest including risk velocity in a well-defined formula used to evaluate risk scores. Here are two that we came across and found interesting:
- (Likelihood + Velocity) x Impact. This is from a post by Harry Hall published on the PM South blog. Under this formula, the qualitative rating of risk velocity is given equal weight as the likelihood, and both are multiplied by the impact to produce the overall score.
- (Likelihood x Impact) + Velocity. This is mentioned in a guest post by Karel Simpson, Corporate Risk Manager at GardaWorld, on the Capable People blog. To understand this formula, let’s assume your heat map is a 5 x 5 matrix. If the likelihood and severity (or impact) of a risk are 4, your initial score would be 16. Rating velocity as, for example, Hours to Days = 3, Days to Weeks = 2, and Weeks to Months = 1, you then add in velocity to the calculation giving respective scores of 17, 18 and 19.
To Measure or Not to Measure?
Should you measure risk velocity as part of your Enterprise Risk Management? The opinions of experts vary. Some are adamant that risk velocity must be included. Others adopt a more pragmatic approach and stress that the size and complexity of the organization must be factored in before deciding. Those who are in the latter camp emphasize the importance of keeping risk management as simple as possible.
Ultimately, regardless of the position you adopt, it is important to somehow take into account how fast the impacts of risks will be felt by the organization. This will give you a better assessment of risks, and help you prioritize risk mitigation efforts by determining the time you have to react.