3.3 Risk aggregation
Now consider a simple example to explore what the term risk aggregation means. Take a look at the video below and see how the experts assess risk.
Transcript: Video 3 Risk aggregation
[Music playing]
Case 1: Business A, B and C all use the same IT system. The IT function believe there is a 50% chance that the IT system will fall over for one month next year and it will cost £100k to repair it if it breaks. What is the impact of the risk?
Answer: Based on the information provided, we have no way of knowing! What we need to understand is what the impact on each of the businesses is.
So we go and ask them and they say a one month outage would cost Business A £10m, Business B £5m, Business C £8m.
Answer: It depends where you sit. For IT it is £100k, for Business A it is £10m. But for the business as a whole it is £23.1m (10+5+8+0.1).
Because all of the impacts result from the same root causes (the failure of a common IT system) this is the total impact to the organisation. It is therefore very important to understand all of the impacts that flow from the same root cause to allow the impacts to be added up (aggregated).
Case 2: In some instances we may have several risks that lead to the same consequence. To avoid double counting (counting the risk twice) we bring the risks together by combining their likelihoods. Let’s look at a worked example.
Andrews Aerospace has three risks that could prevent them selling products to a major customer, Customer X.
Risk 1: An outage at the European factory would prevent products being made for Customer X. This has a probability of 5% and an impact of £20m.
Risk 2: Export licenses cannot be obtained for the Andrews products preventing them being sold to Customer X. This has a probability of 10% and an impact of £20m.
Risk 3: Customer X buys the product from one of Andrews’ competitors. This has a probability of 15% and an impact of £20m. Note: The impact of the risk is £20m (the expected sales value to Customer X) for each of the risks.
Because the impact of each risk relates to the same portion of revenue we need to aggregate the probabilities. This is because once one risk has happened the impact of the other two risks is zero (as the sales to Customer X have already been lost). We do this as follows:
The probability that an individual risk doesn’t happen = 100% − the probability that it does happen. So the probabilities that the risks don’t happen are:
Risk 1: 100% − 5% = 95%
Risk 2: 100% − 10% = 90%
Risk 3: 100% − 15% = 85%
Therefore the likelihood that none of the risks will happen is: 95% * 90% * 85% = 72.6%
Therefore the aggregated likelihood of the risk is 100% − 72.6% = 27.3%
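The two aggregation rules from the video, written out as a small Python example (added here; it is not part of the course material or the video). The figures are the ones quoted in the transcript, and the likelihood rule assumes the three risks are independent of one another, which the video does not state explicitly.

```python
from math import prod

# Case 1 inputs from the transcript: impacts (in £m) that all flow from
# one root cause, the shared IT system failing for a month.
CASE1_IMPACTS_GBP_M = {
    "IT repair": 0.1,
    "Business A": 10.0,
    "Business B": 5.0,
    "Business C": 8.0,
}

# Case 2 inputs from the transcript: three risks that each lead to the
# same consequence (losing the £20m of sales to Customer X).
CASE2_PROBABILITIES = {
    "Risk 1: European factory outage": 0.05,
    "Risk 2: export licence refused": 0.10,
    "Risk 3: Customer X buys from a competitor": 0.15,
}


def aggregate_impacts(impacts):
    """Case 1: impacts that share a root cause are simply added up,
    giving the total impact to the organisation as a whole."""
    return sum(impacts.values())


def aggregate_likelihood(probabilities):
    """Case 2: risks that share a consequence are combined as
    1 - (product of the chances that each one does NOT happen).
    This is the chance that at least one of them happens, and it
    assumes the risks are independent (an assumption of this example)."""
    for name, p in probabilities.items():
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name}: probability {p} is not between 0 and 1")
    none_happen = prod(1.0 - p for p in probabilities.values())
    return 1.0 - none_happen


def naive_sum_likelihood(probabilities):
    """What double counting gives: adding the probabilities as if the
    same lost revenue could be lost three separate times."""
    return sum(probabilities.values())


if __name__ == "__main__":
    print(f"Case 1 total impact: £{aggregate_impacts(CASE1_IMPACTS_GBP_M):.1f}m")
    print(f"Case 2 aggregated likelihood: {aggregate_likelihood(CASE2_PROBABILITIES):.1%}")
    print(f"Case 2 naive sum (overstated): {naive_sum_likelihood(CASE2_PROBABILITIES):.0%}")
```

The naive sum (30%) overstates the chance of losing the Customer X revenue compared with the aggregated 27.3%, which is the double counting the video warns against.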