Assessments without metrics

“Without data, you’re just another person with an opinion.”

W. Edwards Deming, US academic and father of the continuous quality improvement movement in the US.

A big part of the risk assessment process is the risk assessment, and a large part of that is usually the risk analysis. The problems is that this involves metrics and math which people often find challenging for two reasons.

Firstly, the math can be fuzzy and complicated to follow.

Secondly, there aren’t any apparent metrics to use, especially for non-technical risk.

I won’t dwell on the first point as this is usually a symptom of a system that’s too complicated. You can quickly solve this by keeping things simple, which I’ve talked about here and here. A robust risk assessment doesn’t need advanced, theoretical math. (And beware any system where the math seems inconsistent, or no-one really understands it. That’s an unreliable system waiting to implode.)

However, what do you do when it seems that you don’t have the metrics you need to complete an assessment?

Over the years, many people have said something to me along the lines of ‘we don’t have metrics to use for our assessment. We aren’t technical‘.

That may seem true, but every organization will have objectives. So the trick is to work backwards from your objectives and think about the data you track to measure progress and success.

Metrics, metrics everywhere

Although you might not have failure rates or LTI (loss time incident) statistics, that doesn’t mean that you don’t have things you can measure. Moreover, you’re probably already measuring lots of things. After all, how else do you measure success?

  • Sales?
  • Graduations
  • Customer satisfaction?
  • Workplace accidents?
  • Uptime?
  • The number of refund requests?

These are all metrics that an organization might track. So even if you started off thinking ‘we don’t have metrics’, you probably do.

How do you use these in a risk assessment?

The first thing is to remember that you don’t measure risk as an absolute value: it’s not a percentage or a unit of measure. Rather, you’re conducting a comparative process to put risks into order and prioritize these for action – it’s a thermometer. As long as you are using the same scale to assess each factor, you’ll be able to complete an assessment.

Once you have your factors, you can drop these into your methodology to get your risk ratings and subsequently put these into order.

But what kind of factors? Here are a few examples showing where you put these in the risk = threat * vulnerability * impact formula.

  • Delays shipping a product (impact)
  • Time a factory might be closed (impact)
  • Sales performance increase / decrease (impact)
  • Number of recorded accidents (threat)
  • Number of refunds/product returns (impact)
  • Number of days with inclement weather (threat)
  • Days interrupted due to inclement weather (impact)
  • Number of firewall attacks identified (threat)
  • Number of firewall breaches identified (vulnerability)
  • Downtime/data lost through breaches (impact)

Correlate these with the appropriate values, descriptions, and color codes to complete the assessment. Remember, this doesn’t need to be complicated to give you some useable data, it’s imperative that you avoid complexity.

Remember, even though your data is relevant and applicable to your business, it’s still a small data set and vulnerable to subjectivity. If you try to make the process too complicated, you are building on top of a relatively weak platform. Even large, comprehensive data sets, such as market history, don’t guarantee accurate results.

So please keep it simple. Avoid giving the impression of absolute certainty by getting into single dollar amounts where, in reality, the nearest $100 or even $1000 might be more realistic.

Finally, avoid weighting factors. Weighting – where you attribute more value to certain factors automatically – is very subjective and puts the cart before the horse by prejudging your assessment.

Think about it. You need to determine the most significant risk to apply a weighting for the risk assessment. But to determine the most significant risk, you have to conduct a risk assessment…

You see where this gets messy.



As always, KISS

Instead, KISS – keep it stupid simple. Use a standard set of descriptions, values, and colors, whatever works for you. Then apply it evenly to get the most objective results possible.

That way, you can overcome the perceived lack of metrics, conduct your risk assessment, and support your organization’s objectives.

Don’t just have opinions: have data.

Photo by Nick Hillier on Unsplash

What do you think? Leave a Reply