Douglas Hubbard, in his book "The Failure of Risk Management", claims that risk management failed us in the lead-up to the GFC because of flawed risk models, because of qualitative risk assessment via risk matrices, or both. He contends that anything can be measured and that we should be measuring.
The case for quantification
There is no doubt in my mind that quantification is better than using our best judgement because our minds are at the mercy of our psychological biases. A couple of examples:
Confirmation bias, e.g. if you are told a contractor is a poor performer, you will tend to pick up on bits of information about their poor performance and ignore the data about their good performance. This is because we all tend to hear, through all the noise, the "evidence" that confirms our initial feeling about a subject.
Biases from the "availability heuristic", e.g. shark attacks. We tend to overestimate the likelihood of a dramatic event if we have lived through it, seen it, or been exposed to it in the news recently, because the evidence for it has recently been available to us. Conversely, this is why we underestimate the likelihood of disasters after a long period of calm.
The case against quantification
Two points only here:
1. Business is extremely complex, and doing quantification justice can be very resource-intensive. The harder we make it for the business, the less likely they are to listen to us.
2. You can have the best risk models and risk modellers in an organisation; however, if you have a poor risk culture, calamities are not far away. By taking the less complex option, bulking up risk management efforts with subjective risk ratings and minimal quantification, you are more likely to lead more staff to consider risk properly in their decision-making.
The solution: Create data sets to provide yourself with the opportunity to quantify risks. I am always saying there is no "right way" to do risk management. ISO 31000 itself indicates it is a guidance standard providing principles and guidelines rather than the "right way". So I believe both quantification and qualification have their place; however, longer term I believe we need to increase our ability to quantify risk. If I were you I would be looking to create data sets from which success and failure rates can be derived. This would result in more informed analysis of risks as common as IT budget blowouts.
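As an added illustration of that last point (example code written for this edit, not from the original post or from Hubbard's book), the block below takes a small constructed data set of IT project budget outcomes, derives the budget blowout rate from it, and attaches a Wilson confidence interval so the small sample size is visible in the result rather than hidden behind a single rating. Project names, figures and the 10% tolerance are all constructed assumptions.

```python
from math import sqrt

# Constructed sample data set (hypothetical projects and figures):
# (project name, approved budget, actual spend)
PROJECTS = [
    ("ERP upgrade", 1_200_000, 1_450_000),
    ("Data centre move", 800_000, 790_000),
    ("CRM rollout", 500_000, 640_000),
    ("Network refresh", 300_000, 305_000),
    ("Identity platform", 650_000, 900_000),
    ("Backup replacement", 200_000, 195_000),
    ("Web portal", 400_000, 520_000),
    ("Endpoint refresh", 350_000, 360_000),
]


def is_blowout(budget, actual, tolerance=0.10):
    """A project 'blows out' when actual spend exceeds budget by more than the tolerance."""
    return actual > budget * (1 + tolerance)


def wilson_interval(failures, n, z=1.96):
    """Wilson score interval (95% for z=1.96) for a proportion of failures out of n.

    Unlike the naive p +/- z*sqrt(p(1-p)/n), it stays inside [0, 1] and does not
    collapse to zero width when a small data set happens to contain no failures.
    """
    if n == 0:
        return (0.0, 1.0)
    p = failures / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def blowout_summary(projects, tolerance=0.10):
    """Derive the observed blowout rate and its 95% interval from a project data set."""
    n = len(projects)
    failures = sum(is_blowout(b, a, tolerance) for _, b, a in projects)
    low, high = wilson_interval(failures, n)
    return {"n": n, "blowouts": failures, "rate": failures / n, "ci95": (low, high)}


if __name__ == "__main__":
    s = blowout_summary(PROJECTS)
    print(f"{s['blowouts']}/{s['n']} projects blew their budget: rate {s['rate']:.0%}, "
          f"95% interval {s['ci95'][0]:.0%} to {s['ci95'][1]:.0%}")
```

With only eight projects the interval runs from roughly 22% to 78%, which is the honest statement of what the data supports; as the data set grows the interval narrows, and that narrowing is what a qualitative "medium" rating can never show.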