How to mitigate biases during risk identification, evaluation, and prioritisation

MetricStream’s Yo McDonald discusses how businesses can identify biases when evaluating risks, how it affects processes, and the steps businesses should take to mitigate bias.

Evidently, risk evaluation is fundamental in business to protect the organisation, its workers and to guarantee long-term success. To ensure an organisation’s risk evaluation is accurate, the presence of biases that may affect the outcomes needs to be acknowledged. Several biases may arise within a business, and this is either from personal, institutional, or global experiences throughout one’s lifetime. These biases can affect the risk identification, evaluation, and prioritisation process in the five following ways:

1. Cognitive Bias – Everyone has ideas about reality that may stem from one’s own fears or desires, yet these ideas are not necessarily the objective truth or reality. Bias can often occur as these ideas differ from person to person based on individual life experiences.  
2. Confirmation Bias –There is often a tendency among humans to gain approval from others that will then help corroborate our position. This means one may more readily accept information that is in line with their beliefs than information that contradicts prior beliefs. This can cause risk identification to be inaccurate due to a lack of range in alternative risks within the business.
3. Groupthink Bias – Teamwork may make the dream work but putting together a group of like-minded people means risk conclusions are more likely to be reached by the majority of the group who will all agree with each other, and the opinions of the minority in the group may be overlooked. This could lead to outliers within the group being ignored when raising an important risk due to the false consensus effect.
4. Availability Bias – We tend to rely on immediate examples for context of future possibilities rather than looking for an accurate representation of the future, which hampers the validity of the risk identification. For example, one might recognise ransomware as a major risk if there have been several reports in the news about it, even if it were an unlikely risk in their organisation.
5. Hindsight Bias – Sometimes referred to as the ‘knew-it-all-along bias’, hindsight bias occurs when people assume events are more predictable than they actually are, and so will continue to think that they can accurately predict future events. Risks that have already occurred may not be applicable in the future, so solely identifying these risks would be inaccurate and incomplete.

For businesses to be able to establish an effective risk identification process, recognising bias is essential. Biases can be identified through two methods – open communication and by conducting risk surveys and interviews among employees.

Through open communication, businesses will be able to achieve complete insight and determine what is needed to produce an accurate risk identification and prioritisation process.

Surveys are also an effective method to gain a broad range of perspectives, and for an even greater range of opinions, one-on-one interviews can be conducted with key stakeholders. Once these steps have been taken, conclusions can then be presented to the C-suite and risk committee to ensure a more meticulous and final decision-making process to combat risk.

After having removed biases, both qualitative and quantitative risk evaluations should be used to prioritise and evaluate risks.

Qualitative Risk Evaluation

When evaluating risks, it is common for risk managers to use qualitative methods, but this can lead to subjectivity. To reduce subjectivity within smaller projects, the ‘impact likelihood’ scale can be used where the scale rates the impact and likelihood of a risk from very low to very high to determine the overall risk rating:  Very Low, Low, Medium, High, Very High

The impact and likelihood can be separately rated from 1-5 with 1 as very low and 5 as very high, as seen in the table below:

Type               Scale            Percent

Very Low           1                 1 – 20%

Low                   2                  21 – 40%

Medium             3                 41 – 60%

High                   4                61 – 80%

Very High           5                81% – 100%

Final risk rating is the product of the individual ratings given for the impact and likelihood. The rating is likely to change due to rapidly changing variables so it is essential to look further into contributing factors.

Rating                     Range

Very Low                  1 – 5

Low                          6 – 10

Medium                   11 – 15

High                         16 – 20

Very High                 21 – 25

Quantitative Risk Evaluation

This is an objective method which uses large amounts of data, specialised software and vigorous risk models to reach a justified risk evaluation.

Though the results from quantitative risk evaluation cannot be disputed easily and this method can appear to be more reliable, qualitative evaluation should not be overlooked as both methods can be of great benefit to the business. Qualitative risk has the advantage of analysing risks that an organisation can easily adopt, and the quantitative method is also critical, especially in more risk-prone environments such as mines or factories, where incidentally, it’s also the law.

Where qualitative risk evaluation methods are quick and easy to perform, quantitative methods are more complex and will take more time. The former should always be performed, but are especially needed for smaller projects, whereas quantitative methods can be optional – except in industries with serious and highly likely threats to safety.

The methods laid out for identifying biases and evaluating risks can reduce risks of unforeseeable events, but they will not account for all potential risks, as we have indeed experienced this year.

The world was not prepared for the COVID-19 pandemic, but the future of a post-COVID organisation should learn from past mistakes and seek to become even more diligent in the risk evaluation process. Yet, it is likely that businesses will still encounter various biases while identifying future risks. Hence, the methods outlined above aiming to reduce biases will be essential and although we won’t be able to control similar events from arising, the impact of such events will certainly be reasonably minimised by following the appropriate strategies.