Jeffrey Wheatman, Guest Blogger
Last week, after a grueling but exciting five days at Gartner Symposium in Orlando, I found myself sitting on my return flight back to the home office. I cracked open my brand-new copy of Freakonomics, a book I have long had on my list and never quite got around to reading. I enjoyed the book very much, but this is not a book review. While reading it, I stumbled across a very interesting concept that the authors referenced and that I think may be highly valuable.
We’re all familiar with the commonly utilized equation for risk –
risk = impact * probability
Very simply, the likelihood of something bad happening multiplied by how much damage it would do tells us what our risks are. Seems to make sense, yet many of our clients struggle with using this type of information to justify expenditures in hard dollars and work effort in order to remediate these risks.
The authors reference work by Peter Sandman, a self-described risk communication consultant located in Princeton, NJ. Mr. Sandman has built a successful consulting business around a very different equation for communicating risk –
risk = hazard + outrage
Mr. Sandman’s work is predicated on the fact that people don’t really understand the components that make up risk. Instead, they are much more influenced by the perceived hazard, i.e. how much harm it is likely to do, and the level of outrage, i.e. how upset people are likely to be, than by the realities of the risks. There are many examples of how terrible humans are at estimating probability and impact, e.g. you are 12 times more likely to die in a car accident than a motorcycle accident, and yet every time I talk to my wife about buying a motorcycle she tells me how dangerous they are, but she thinks nothing of sending me to pick up the kids in the car.
It seemed to me as I flew through the air at 750 miles an hour in a huge hunk of metal (BTW it is safer per hour of travel to fly than it is to drive) that maybe our traditional approach of expressing risk was doomed to failure because of two factors –
- Impact is incredibly difficult to quantify. We’ve seen many attempts to quantify and/or qualify risk, with various levels of success. But the reality is that, even with the hundreds of clients that we work with every year, at the end of the day we are asking our managers to accept our estimation of what the impact would be. These assessments of the impact are based on our experience, knowledge and ability to ferret out real from perceived issues, so they are really just best-guess estimations.
- Probability is a variable that is very difficult to quantify with any great level of success or defensibility. We have seen numerous attempts to communicate probabilities, i.e. there is a 20% likelihood that this will occur this year, it is extremely likely that this will occur this year, or it is highly likely that this risk will occur once over the next five years. All of these are different ways of expressing probability but frankly none of them are all that accurate or defensible.
I began to think that, as much as we tell clients not to use FUD (fear, uncertainty and doubt) to sell security, maybe Mr. Sandman actually has the right idea. Throughout the chapter we see various discussions that revolve around the “interpretation” of the impact of risk that motivate people to change behavior or our legislators to enact laws to protect us from ourselves but are not tied to any reality.
Maybe we ought to start thinking of risk in more than one way before we go ask for money, or process changes or whatever we think we need to do to protect our companies from themselves – for good or for bad.
Hey, I am just thinking here.