Case: Application of the Parametrized Risk Analysis Methodology 2.0Parametrized Risk Analysis 2.0
Parametrized Risk Analysis 2.0
A Parametrized Risk Analysis 2.0 2.0 is a methodology developed initially for the practice of consulting with the purpose of maintaining uniformity in the work to be developed and, therefore, maintaining the quality standards desired, but with the passage of time was adopted as a practice to support the implementation and maintenance of Enterprise Risk Management (ERM) practice in organizations. Such acceptability occurs due to the alignment of this methodology with established practices, such as: ISO 31.000, COSO, COSO ERM etc…
The main feature of this methodology is to focus not only on risk measurement tools in terms of impact and probability, but mainly on identifying and measuring (through on-site risk audits) the effectiveness of existing protection systems to mitigate these scratchs.
The methodology basically consists of the direct application of parameter lists in the field works by the crash numbers. numbers . The main difference consists in the fact that the list of parameters is used in 5 classification levels where five refers to the lowest level and one refers to best practice in the market instead of Go / No Go or of Go / No Go or Yes questionnaires / No. Moreover, for each question there is a numerical rational behind similar to an FMEA that defines specific “weights” for each parameter. In this way the degree of accuracy of the evaluation is much more realistic.
Another feature of Parametrized Risk Analysis 2.0 is its ease of application due to the degree of detail of the parameters in question, as can be seen in the following table:
It is noted how easy it is to apply it by those who will develop the fieldwork. This simplicity in its reading allows a uniform application and reduces the need for professionals with a higher level of experience such as numbersto perform fieldwork, thus reducing the cost of consulting or auditing.
The application of the parameters generates theProtection Systems Vulnerability Index (IV)), allowing the consultant (or the risk manager) to assess if their protection systems are adequate to the risks of the evaluated organization.
A Parametrized Risk Analysis 2.0 can be applied to the most varied fields of activity, requiring only a process of “Knowledge Elicitation” by specialists in the area for the definition of Parameterized Risk Analysis Tables that will be used later in the works of field.
This process consists of successive “brainstorming sessions” with specialists in the field and consultation of existing manuals, standards and good practices for setting parameters and preparing your field worksheets (as shown above).
The main advantage of this methodology is to allow a correct balance between the effectiveness level of the existing protection systems (defined byVulnerability Index – IV found in risk audits) in contrast to the measurement of risks in terms of impact and probability (defined in the Risks Matrix). This innovative approach allows the risk manager to obtain a more comprehensive perception, seeing that the main problem is not the existence of a certain risk perse, but rather the inadequacy of a certain protection system to mitigate this risk in itself, the existence of an imbalance between the level of risk and the level of effectiveness of the protection system to mitigate it.
The Parametrized Risk Analysis Methodology 2.0 thas as main characteristic to allow a correct balance between the level of risk and the level of vulnerability of the protection systems. In other words, it allows you to define adequate protection systems for the inherent risks of the business or the operation on screen, generating the maximum of rationality and optimization of investments in protection systems.
In order to have a correct idea of the main tool and characteristic of this methodology, we will demonstrate its application very briefly in a practical and real case Another purpose of this case is to provide an overview of the methodology before describing it step by step throughout the book. In this way, the reader can get a sense of its scope and applicability.
Case:Definition of the optimal level of investments in protection systems according to the critical business risks (in a Logistics Distribution Center project)
The purpose of this case is to demonstrate the use of the Parametrized Risk Analysis 2.0 methodology to define risk scenarios according to the business risk and the degree of investments in the protection system used to reduce the level of vulnerability and mitigation of critical risks , that is, to help define an ideal point between level of risk, level of vulnerability and investment in protection systems.
Introduction of the caseof the Logistics Distribution Center project
The demand in question arose from the need for an investment fund to calculate the ideal costs to be spent on the design of a Logistics Distribution Center. Part of some of the most significant costs was related to investments in protection systems. There were 2 clear concerns on the part of investors: to have adequate and adequate protection mechanisms to mitigate the key critical business risks and to invest in protection systems in the most optimal way possible, thus avoiding unnecessary costs for the project.
The Distribution Center has an area of 80,000 square meters, with no compartmentalization in the layout, with a 12m right foot, docks with external levelers, 8 ton / m² resistance flooring and a sprinkler system covering the whole complex, according to the layout below:
The general premises for the implementation of this project include:
1. Ordinance with individual accesses
2. Fully segregated conference area
3. Paved patios
4. Comfort area for drivers with bathroom and locker rooms
5. Pit stop area and forklift maintenance area (large and small) with oil separation and containment box
6. Common area with cafeteria, outpatient and games room
8. Office area
In this case we will check the need to survey the best risk management solution for this Green Field project (project starting from scratch). We will look at a cost-benefit analysis between costs in protection systems and the degree of business risk For this, we need a balance between the level of vulnerability (Level of Effectiveness of Protection Systems) and the level of risk of the business.
The first step was to get the correct understanding of the business or operation. For this purpose, interviews were conducted with the main managers and investors Based on this understanding, a list was prepared and validated with the main critical risks that would affect the business / operation. This Critical Risk List served as the basis for defining which protection systems should be installed to mitigate and control each of these risks.
After understanding the business and its critical success factors, its critical risks are defined. Critical risks are those risks that affect some critical success factor, the mission of the company or its strategic objectives In this case the following Critical Risks were defined for the plant in question:
· Work accident
· Damage to the environment
Critical risks guide the protection systems that will be evaluated at the time of the risk analysis, is if the critical fire hazard has been identifisd, it is necessary for the fire-fighting system to be audited by a Parametrized Protection Systems Vulnerability. Check list Protection Systems Vulnerability Analysis System.
For each of these critical risks, there are one or more dedicated or shared protection systems for their mitigation and / or control, as well as one or more standards that define the best practices in the market, as shown in the table below:
Once the critical risk and its protection system have been defined, the adequacy of the risk must be assessed. In other words, assess the level of vulnerabilities in the protection system in question.
For the definition of vulnerabilities, an audit is performed based on a list of parameters that allows the identification of vulnerabilities in the protection systems related to:
- Material resources
- Intellectual capital
- Rules and Procedures
- Organizational culture
- Management Capacity
These 5 pillars are evaluated in the form of risk audits using Parametric Check Lists. Check lists Parametric are Check lists based on solid standards or good practices, consolidated in the market, as previously described. In this way it is possible to evaluate the protection systems and obtain the Vulnerability Index (IV), allowing the evaluator to have an idea of the level of effectiveness of the evaluated system in relation to the best practice in the market, as exemplified below:
In this case, since the site does not exist physically, because it is a project that will still be deployed ( Green Field ), it is necessary to assume a value of Vulnerability Index (IV) based on the protection systems that will be used in the project. For this, a scenario simulation was conducted for the future project, where the Parameterized Vulnerability Analysis Checklists (as described above) were used to calculate the Vulnerability Index (IV) considering the level of basic protection (level 5 of the IV), intermediate level (IV level 3) and best practice in the market (IV level 1). Because the project was not implemented, the checklists were used based on hypothetical scenarios. Thus, three hypothetical scenarios were generated: less effectiveness of protection systems (greater level of vulnerability possible), moderate effectiveness of protection systems (level of intermediate vulnerability) and greater effectiveness of protection systems (lower level of vulnerability possible), implying different protection systems with different costs. In this case, we will present 2 of the 3 scenarios calculated for 2 specific protection systems (patrimonial safety system and fire system) linked to 2 risks (risk of invasion and fire risk, respectively).
The comparison of scenarios, in which the scenario of greater vulnerability, the intermediate scenario of vulnerability and the scenario of lower vulnerability were verified Vulnerability Indices (IV), allowing to generate three risk matrices, have a clear idea of the cause and effect relationship between the level of installed protection systems and the estimation of the probability of such risks materializing as a result of the efficiency of these protection systems.
Based on expert opinion, we can soon simulate scenarios by changing the Vulnerability Index (IV) of the formula. It should be remembered that the only variable that depends exclusively on the manager is the effectiveness level of the Protection Systems, which is materialized by the Vulnerability Index (IV). Only management can define how much it is willing to invest in protection systems and what level of risk is aligned with its risk appetite. In other words, if we assume that a particular project will apply the Vulnerability Index (IV) = “3”, we will have to apply the level 3 protection systems found in the parameter tables hypothetically, as shown in the table below:
For didactic purposes, we chose only the invasion risk and the protection systems used to mitigate this risk and performed a step-by-step analysis. It should be remembered that it is necessary to repeat the same analysis for all other risks raised.
For the level of vulnerability adopted in the parameter table we will have a protection system with characteristics correlated to what was defined in this table.
In the case of a project not yet implemented, without the existence of the building and its protection systems, it is necessary to simulate the probable risk scenarios and the protection systems to be used In this way, we can have an idea of the level of vulnerability to be adopted and its respective project cost.
Basically, we will follow the normal steps of the methodology. However, the physical non-existence of protection systems will oblige us to define scenarios to define the levels of risk and vulnerability. In other words, we will make a simulation using the audit questionnaires, where we will adopt markings according to the desired level of vulnerability.
For this project, the experts were asked to choose three Parameters check boxes, as described below:
Check which were the systems needed to have a basic level of effectiveness, but according to the minimum legal parameters. (High Vulnerability Index)
Identify the systems needed to have a moderate level of effectiveness. (Moderate Vulnerability Index)
Identify the systems needed to have a high level of effectiveness, in line with best market practices. (Low Vulnerability Index)
As exemplified below:
In this example, we have the choice of the hypothetical scenario with the highest level of vulnerability: IV = 5 (lower effectiveness level of protection systems), which implies only installing the most basic mitigation systems and adopting the most basic norms. A similar procedure was used to calculate other scenarios by investing more in protection systems and therefore obtaining other IV results (IV between 1.0 and 2.0).
NOTE: In order to define the best relationship between level of vulnerability, level of risk and investment required in the systems of protection in the execution of the Case, 3 scenarios of IV were chosen according to the opinion of the specialists who generated 3 risk scenarios. As a matter of practicality in the preparation of this work, only 2 of these 3 were chosen, generating 2 scenarios of possible risks. The methodology allows generating “N” scenarios of risks linked to “N” IV simulations.
The easiest way to define the best option for protection systems to be adopted in the project is to define several risk scenarios based on the simulated Vulnerability Indexes (IV). In reality, the risk manager will seek the best balance between the acceptable level of risk and the level of vulnerability of the protection systems, seeking an adequate balance between both and within budgetary constraints.
Assuming that the critical risks will be the same for the project, regardless of the level of efficiency of the protection systems adopted. Therefore, the only variable that depends exclusively on the risk manager is the variable Vulnerability Index (which defines the level of effectiveness of protection systems). The other variables of the formula that estimate the probability will not undergo any change, as shown in the formula below:
For the calculation of Probability Estimation, we have the possibility to simulate different levels of effectiveness of protection systems, based on the opinion of the specialists who generated different Vulnerability Indices (IV). For example, taking into account that the manager decides to adopt the most basic level possible: protection systems that generate Vulnerability Index (IV) between 4.0 and 5.0, this will generate a IV from the case of adopting systems that have lower Vulnerability Index (IV). This results from the substitution of these IVs in the Probability Estimates (EP) formula, generating different EPs, as shown below: EP = HO x Ep x AS x At x (or Pp or AG) x IV x 100 5 N
For this case, the following results are obtained for Impact Quantification (calculations of both formulas will be detailed throughout the work):
It is easy to see how the investment in the level of effectiveness of the protection systems allows to reduce the estimation of probability of occurrence of a certain risk. Thus, the methodology provides managers with a robust tool for decision making as it compares how the effectiveness level of protection systems affect the probability estimate and therefore influence the degree of expected loss / loss.
Normally, the risk shift within the matrix is due to the improvement in the level of effectiveness of the protection systems through specific projects directed to the mitigation of a certain risk or by the implementation of diverse actions to mitigate these risks.
The methodology described in this work provides a consistent Road Map so that the manager can seek a better balance between the level of risk and the level of effectiveness of the protection systems in a logical, practical and effective way, taking into account the costs of each scenario.
It is one of the few methodologies in the market that makes it possible to establish a clear cause and effect relationship between the effectiveness of protection systems and the consequences of risks in terms of impact and probability estimation. it is possible to have a vision of how much to invest. Such reasoning can serve as a basis for insurance premium negotiations with insurers as it provides the risk manager with a very robust tool for risk analysis and management.
It also serves for the risk manager to be able to have parameters of comparison between the level of risk and vulnerability of the various sites of your company. This overview of the conditions of the various sites allows a more pragmatic approach to investing in the protection systems for each business unit and in a robust rationale.