IIA Doha Chapter holds virtual training on risk management
The Institute of Internal Auditors (IIA) Doha Chapter recently hosted a webinar on risk management with South Africa-based trainer Zach le Roux, who discussed the topic ‘Problems and Solutions to Measuring Likelihood’.
Le Roux, an internal audit practitioner who has dedicated decades to research on internal audit, is one of the regular trainers at IIA conventions globally. He said, “The risk management terminology, ‘likelihood’ or ‘how often’, means the probability of the risk occurring over a defined time frame.”
Sundaresan Rajeswar, IIA Chapter board member, said: “The key learnings were current day challenges, measuring likelihood and reliability, and solutions and alternatives. The talk explored the problems with measuring likelihood and suggested alternative avenues. It is a remarkable value add for day-to-day internal audit fieldwork.”
Le Roux believes that accurate risk measurements lie at the heart of good management decisions. Management should prioritise their energy and resources on areas based on their measured risk. But various problems with the current measuring approaches exist, le Roux also said.
“There are limitations, such as the agency problem (managers responsible for managing the likelihood of risk down are measuring their success). Uninformed managers also vote on risks, not on their own area of responsibility; high measures get averaged out on consolidation.
“There is a natural human tendency to overestimate the likelihood of fearful events and underestimate the likelihood of familiar events. Managers also confuse exposure to risk with knowledge of that risk,” le Roux stressed.
The traditional limitations to risk management also have an influence, le Roux said, adding that human judgment in decision-making “can be faulty.”
“Decisions on responding to risk and establishing controls must consider the relative costs and benefits. Breakdowns can occur because of human failures, such as simple errors or mistakes. Controls can be circumvented by the collusion of two or more people, and management can override enterprise risk management decisions.
“In addition to measurement limitations, the way likelihood is reported and represented also leads to diminished usefulness for management decisions,” said le Roux, who believes that “too many organisations plot impacts against the likelihood and then use the combined factor to measure exposure for risk prioritisation.”
He said the same effect is obtained using heat maps to depict priorities. But these approaches ignore the non-linear characteristic of harm and the danger of ‘black swan events’, he noted.
“A black swan event is a highly unexpected event for a given observer that carries significant consequences. Most catastrophes fall in this category, but due to the low perceived likelihood, these are not given the attention warranted and fall in the ‘yellow part of the heat map’. Exposure calculations do the same thing: 5 X 1 = 1 X 5, but falling 5 metres once does not cause the same damage as falling one metre five times,” he explained.