Managing Inconsistency | RiskAnalys.is

Subscribe To Our Site

subscribe (rss)

subscribe (comments)

subscribe via email
Risk Analysis Resources

FAIR Lite Online

Basic Risk Assessment Guide (BRAG)
Pages
Archives
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- August 2009
- July 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
September 2010

M T W T F S S

« Aug

1 2 3 4 5

6 7 8 9 10 11 12

13 14 15 16 17 18 19

20 21 22 23 24 25 26

27 28 29 30
Search
Network Affiliations

Managing Inconsistency
Filed by JonesJ | 3 comments

In the LinkedIn discussion mentioned earlier, some very legitimate concerns were raised regarding the inconsistency (variance) that can exist between risk analyses performed by different individuals. Because not everyone is watching that discussion (and probably many who were got tired of it and moved on) I thought I’d post my thoughts on the consistency problem here.

For the sake of clarity, “consistency” as discussed within this post equates to “the likelihood that two independent analyses of a specific risk scenario will result in similar outcomes”. In other words, analyst A’s results will look very much like analyst B’s.

In order to frame the problem, we should ask ourselves where inconsistency tends to come from. In my experience, there are four key sources of inconsistency within risk analyses:

1) The scenario is scoped differently — i.e., analyst A is operating from a different set of assumptions than analyst B (e.g., is including different threats, different assets, etc.). This, BTW, is a huge contributor to variance — in many cases it’s the single most significant contributor.

2) The analysts are operating from different analytic models — i.e., one analyst is using a model consisting of variables X, Y, and Z, while the other is using a model consisting of variables X, Y, and W. The models also may have different underlying formulas. The opportunity for inconsistency is especially problematic when analysts are using their own “mental models” for analysis, versus a structured model that can be explicitly referenced.

3) The analysts may have different experience levels and data sources — thus analyst A may estimate variable C to be between “5 and 10″, and analyst B’s estimate for the same variable may be between “40 and 100″.

4) Some people are lousy at estimating.

The first and second sources of inconsistency can be dramatically improved by ensuring that the analysts are singing from the same sheet of music — i.e., using the same model/method for analysis.

The third source of inconsistency can be significantly reduced (but not eliminated) by getting the right subject matter experts involved in the analysis. For example, as a security/risk geek I shouldn’t be estimating reputation damage. That’s the domain of business personnel. It also helps to have more than one person involved in the analysis to increase the experience and perspective the estimates are based on.

The fourth source of inconsistency can be significantly reduced (but not eliminated) through calibration training similar to what Douglas Hubbard presents in his book “How to Measure Anything”. You’d be surprised at how much improvement can be realized.

Bottom line — inconsistency in analyses is manageable to where the degree of variance is not significant relative to the decisions being made and the inherent uncertainty in the data.

Posted on June 1

3 comments

NeilHB Jun 1

Jack - Excellent content!

Firstly, I really like point 4 above - Fire them all!

Secondly, I think in the following paragraph you really hit the nail on the head when you note that analysts need to use the same model/method for analysis. I would like to add that using the same reference model is a proven human and scientific way of improvement. I am currently using reference models as a way of helping Social Workers avoid the extremely time consuming and oft wildly qualitative quagmire when assessing risk as a key action in safeguarding children.

Reference models (which themselves must be subject to regular scrutiny) can have two key components provided by Exposure Analysis (which stays relatively static) and Cover Analysis which involves the treatment of risk. By using these models it enables assessors to simply see how their findings from visits and expert reports, affect the levels of risk to which the child may be exposed.

This is simply a variation on all that you have previously worked on in FAIR and many others in the few worthwhile methodologies available. Regardless to say, if you get the components right then the models will adapt well!

Neil HB
Jack Jun 7

Thanks Neil.

You make an excellent point about the need for models to constantly undergo scrutiny. New thinking, new data, and our (hopefully continually improving) understanding of the evolving risk landscape all need to be leveraged to validate (or not) our models.

Cheers,
Jack

It’s Your Methods, Not Your Madness — Security Bloggers Network

Leave a reply