Four Ways to Make Sure your Risk Metrics Work

Risk metrics seem to be getting a bad rap these days.

• Too subjective.
• Too easy to manipulate.
• Too simplistic.

And sometimes, all of these can be true, but using metrics and numeric scales can be highly effective. I’d argue that a sound evaluation system will eliminate these problems if used correctly.

How?

1 — Align values with clearly understandable terminology. E.G. 1 = very low, 5 = Critical.

2 — Have descriptions of what each rating might look like. For example, you could use bands based on the number of days your supply chain could be disrupted. In turn, you match these bands to how severe the effects would be on your operations. **The key here is that you’re using existing business metrics as the guide, not made-up numbers.**

3 — Build the model before you use it, not ‘on the day’. That way, you won’t be building something for that particular situation. Instead, you can have a standard method you’ve agreed on beforehand, making it less susceptible to manipulation to fit the current conditions.

4 — Finally, remember you’re not measuring risk empirically. Instead, you’re using the metrics to standardize the way you describe them and to give you a way to put them into priority order.

If we keep these concepts in mind, we can build simple, functional systems to help us evaluate our risks and to respond appropriately.

I’ve applied these concepts to my SITREPS model, and so far, the model is performing as it should, providing magnitude and directional insights into risk movements as threat conditions change.

But that’s just me. What’s your experience using these tools? Helpful? Misleading? Don’t use them?