Use GridRank to estimate the likelihood of risk factors
Challenge: The first step in devising a strategy to mitigate risks is to employ a company-wide process to identify and estimate the likelihood (i.e. the probability of occurrence) of a potential risk factor.
Traditional method: A core piece of the traditional risk management process is the development of a “risk register.” The risk register is the first step in identifying all of the potential risks. Then, companies must determine which risk factors are most important to manage. Calculating the likelihood of each risk factor is hard and time-consuming, so a qualitative process is typically employed, called qualitative risk analysis (QRA) technique. Performing the QRA in the traditional fashion has some drawbacks and must be carefully managed. First, when soliciting input for a QRA, it’s typically done in a workshop or meeting. Here, the very strong and vocal opinions of certain individuals will often sway the opinions and votes of other attendees, resulting in an artificial consensus. Second, the group will typically rank each risk using a rubric, such as high, medium, or low. However, rubrics are problematic for several reasons, including you must first define what is meant by high, medium, and low which can be tricky in itself. But more importantly, rubrics are difficult to apply to multiple risks in a consistent manner. The other problem with rubrics is their lack of granularity. For example, what if the desired answer lies somewhere between high and medium? You’d have to pick one or the other, which leads to inaccuracy and frustration. We can use GridRank to build a better risk register.
Let us show you a better way using GridRank!
Create a risk register game
As an example, let’s examine IT security and some most common cyber risks that companies are facing. We’re going to put them into a game in GridRank and build the risk register. First, log in into GridRank with Game Master permissions and select Create a new game. In the window that appears (see below), select Weight Criteria from the Select Game drop-down. This tells GridRank that our game is one where the results of the game will be weighted values for each option (i.e. risk) in the game. Next, enter the name of the game and skip the Evaluation Factor for now. Finally, enter “Risk” into the Options Label field, because we are going to rank risks. Click Save.
Enter your evaluation factor
Evaluation factor is the factor that each player will use to weight each risk. In this Risk game, we will have only one factor — Likelihood, which is the probability of the risk occurring. Enter “Likelihood” for the Evaluation Factor Name. Click Save.
Enter your Risk Factors
Enter each of the risk factors that will be ranked in the game. Weight Criteria games only require the name to be entered. You can also select a color and upload an image for each risk factor. Remember to enter in all of the risks you plan to rank. Click Save.
Click here to play this actual game now. This game is actually a list of the most common cyber risks that companies are facing today. After you play, come back here and we’ll discuss the calculations that GridRank creates and how you can use them to develop the risk register.
Why is GridRank better?
When playing a game in GridRank, people submit input independently without the influences of others. Swaying opinions and votes is virtually impossible because when a player submits their input its done from their own GR account. Also, the risks in GridRank are weighted on an infinitely granular scale. How? When a player positions an option on the game board, the %Weight is based upon the actual position of the risk on the screen; then GR computes the %Weight of the risk to 3 decimals of precision. Finally, during the game players place the risks relative to each other, not to a rubric. Since there is no rubric, there’s nothing that needs to defined ahead of time. Because players rank the whole set risks in one window, ranking consistency is never an issue.
Results are fast and discussions are limited to Players with outlying scores
After all the players on the team have played their games, the Game Master goes into his dashboard and clicks on Done to view the results. If a player hasn’t played, there will be a red light next to his name. GridRank computes the results from all the submitted plays. The pie chart below shows a graphic result form the game. Below the pie chart is a table that GridRank also produces to show the final %Weight for each risk. We’ll use the data from this table to create the risk register. Note: At any point, the Game Master can go back into the game and look at the plays looking for outliers. Outliers typically indicate someone is in disagreement with the team or they didn’t fully understand the risk factor that was being ranked. The Game Master, at his discretion, can contact the player with the outlying score to ask for an explanation. Thus, that long-winded back and forth discussions are minimized because they take place between Game Master and only the individuals that have outlying opinions. Often, we find that outliers exist because the player didn’t fully understand the risk factor, and as a result of the conversation, the player usually goes back into GridRank and replays the options.
Analyzing the results from GridRank
In very quick order, the team is able to prioritize the most likely risk factors from the output of the game. These risk factors can then undergo additional analysis to identify their impact. Impact can be estimated by a number of techniques including traditional analysis or using GridRank for cost estimating.