A critical step in creating any risk management framework is risk analysis. Risk analysis includes risk measurement.
Discovering organizational risks has never been too problematic in my experience. The challenge tends to be around the risk quantification where we try to understand how big the risk is and when the risky event is likely to occur.
Here we tend to admit defeat. We feel that we have little clue as to the likelihood of risks. We throw our hands up in despair trying to predict the nature of the risk’s impact.
It doesn’t help that we read books like Nassim Taleb’s 2007 “Black Swan,” whose underpinning idea is that humans should not attempt to predict outlier events, known as Black Swans, because human thinking is limited.
Humans only make predictions based on what they have already seen and experienced.
But with all due respect, I tend to disagree. After 18 years in this field, I have successfully used tactics with some pretty remarkable results when it comes to risk measurement.
For me, the key is to never do risk measurement alone. I always get a collective opinion from a group rather than one single expert. Let the wisdom of a crowd prevail. Feed off their collective intelligence.
The notion traces back to the well-known finding of Francis Galton, a cousin to Charles Darwin, who in 1907 attended a country fair where about 800 people estimated the weight of an ox as part of a contest.
The average estimate was shockingly accurate. It was within 1 percent of the true weight — better than any individual guess of the cattle experts. The event is recounted in James Surowiecki’s “The Wisdom of Crowds.”
It appears that the average approximation of a group tends to converge towards a good result, often better than the response given by any one individual. But be aware. Group dynamics are tricky. I rely on two rules of thumb when facilitating a group: ensure diversity and independence.
First, know the make-up of your group. Make sure you have legitimate subject matter “experts” in the crowd. Also, ensure representation from multiple areas within your organization.
If your risk measurement session is to discuss, for example, cyber security risks, ensure that the room has participants not only from the IT department but also from other divisions such as operations, legal, human resources and communications. All these groups see cyber risk from their unique vantage points and estimate risk using their own lens.
Also, don’t forget to invite a few organizational curmudgeons. To gain further accuracy, having those who may strongly disagree with your group is critical. In essence, you don’t want the group to start herding and copycatting towards a consensus. The wisest groups are the most diverse, made up of diverse opinions and ideologies.
Secondly, try to eliminate social influence and bias in a crowd. Group members should feel comfortable contributing. Individuals need to feel their initial judgments are independent and are not influenced by others’ responses.
It may be a good idea not to have key contributors’ bosses in the room, where they may sway their subordinates. In addition, do know that the more information participants get about each other’s responses, the higher the likelihood you degrade the collective answer — best to use secret ballots or electronic voting mechanisms.
So it appears the many are wiser than the few. Have a party and measure your risk.