Measuring the ‘likelihood’ in risk management, training session for Internal Auditor

​Measuring the ‘likelihood’ in risk management, training session for Internal Auditor

Zach le Roux, a well-known trainer from South Africa, conducted a webinar for the Institute of Internal Auditors Doha Chapter. The training was on risk management with the topic titled "Problems and solutions to measuring likelihood." Zach is an Internal Audit practitioner who dedicated decades to research on internal audit. He is one of the regular trainers in the IIA conventions globally. 

"The risk management terminology 'Likelihood' or "how often" – means the probability of the risk occurring over a defined time frame. The key learnings were Current Day challenges, Measuring likelihood and reliability, and Solutions and alternatives. The talk explored the problems with measuring likelihood and suggested and alternative avenues. It is a remarkable value add for day-to-day internal audit fieldwork," stated Sundaresan Rajeswar, the IIA Chapter board member.

Zach believes that accurate risk measurements lie at the heart of good management decisions. Management should prioritize their energy and resources on areas based on their measured risk. But various problems with the current measuring approaches exist.

There are limitations such as the agency problem (managers responsible for managing the likelihood of risk down are measuring their success), uninformed managers also vote on risks, not in their own area of responsibility, high measures get averaged out on consolidation.

"There is a natural human tendency to overestimate the likelihood of fearful events and underestimate the likelihood of familiar events. Managers also confuse exposure to risk with knowledge of that risk," said  Zach le Roux.

The traditional limitations to risk management also have an influence. These include that human judgment in decision making can be faulty, decisions on responding to risk and establishing controls need to consider the relative costs and benefits, breakdowns can occur because of human failures such as simple errors or mistakes, controls can be circumvented by collusion of two or more people, and management can override enterprise risk management decisions. 

In addition to measurement limitations, the way likelihood is reported and represented also leads to diminished usefulness for management decisions. In Zach's opinion, too many organizations plot impacts against the likelihood and then use the combined factor to measure exposure for risk prioritization.

The same effect is obtained using heatmaps to depict priorities. But these approaches ignore the non-linear characteristic of harm and the danger of "the black swan events." A Black Swan Event is a highly unexpected event for a given observer that carries significant consequences. Most catastrophes fall in this category, but due to the low perceived likelihood, these are not given the attention warranted and fall in the "yellow part of the heatmap." Exposure calculations do the same thing: 5 X 1 = 1 X 5, but falling 5 meters once does not cause the same damage than falling 1 meter 5 times! 

IIA Chapter President Adel Al-Hashmi introduced the speaker. Board members Fahad al-Marri, Hassan al Mulla, Rajeswar, Chris Adonis, Girish Jain, Muralikrishna, Don Felix, were present in training attended by about 100 members.  Aisha Rafique coordinated the event for the chapter