Current risk management practice relies on several popular tools, including risk matrices, which let managers set priorities based on “high”, “medium” and “low” ratings of loss likelihoods and severities; risk scoring formulas, widely used in applications from information security to credit scoring; and risk rankings, now being used to help defend our nation’s critical infrastructures against potential terrorist attacks. These methods are increasingly required by national and international risk management standards and guidance. Yet, they perform poorly in many practical settings, prescribing priorities and resource allocations that are less effective than purely random decision-making, or that inadvertently increase risks. This talk discusses limitations of these widely used methods, and how to achieve greater risk reductions at lower cost by replacing rating, scoring, and ranking methods with more quantitative optimization models. Examples from information security, enterprise risk management, and terrorism risk analyses illustrate the large benefits from changing risk comparison and decision methods.
SIRA Meeting, 2012-11-08
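The abstract's central claim, that coarse ratings can order risks differently from their expected loss and that a quantitative optimization allocates a fixed budget better than a rating-driven priority list, can be shown with a small constructed portfolio. The following is an added example, not material from the talk or from SIRA; every risk, probability, loss figure, mitigation cost, budget and category cut-off in it is a constructed sample value, and the assumption that a funded mitigation removes its risk entirely is a simplification made here for clarity.

```python
"""Added illustration (constructed data, not from the talk): a 3x3 risk
matrix ranks three risks B > C > A, while expected loss ranks them
C > A > B, and an exact budget optimization removes more expected loss
than funding mitigations in matrix-score order."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float      # annual likelihood of the loss event (constructed)
    loss: float             # severity in currency units if it occurs (constructed)
    mitigation_cost: float  # assumption: paying this removes the risk entirely

    @property
    def expected_loss(self) -> float:
        return self.probability * self.loss


def rate(value: float, cutoffs: tuple) -> int:
    """Map a number onto 1 (low), 2 (medium), 3 (high) using category cut-offs."""
    for level, cutoff in enumerate(cutoffs, start=1):
        if value < cutoff:
            return level
    return len(cutoffs) + 1


# Constructed cut-offs: likelihood <0.1 low, <0.5 medium, else high;
# severity <10,000 low, <100,000 medium, else high.
LIKELIHOOD_CUTOFFS = (0.1, 0.5)
SEVERITY_CUTOFFS = (10_000.0, 100_000.0)


def matrix_score(r: Risk) -> int:
    """Classic risk-matrix cell value: likelihood rating times severity rating."""
    return rate(r.probability, LIKELIHOOD_CUTOFFS) * rate(r.loss, SEVERITY_CUTOFFS)


# Constructed portfolio. Note how the matrix collapses very different
# probability/loss combinations into the same or inverted cells.
RISKS = (
    Risk("A", probability=0.09, loss=99_000.0, mitigation_cost=4_000.0),   # score 2, EL 8,910
    Risk("B", probability=0.50, loss=10_000.0, mitigation_cost=3_000.0),   # score 6, EL 5,000
    Risk("C", probability=0.02, loss=1_000_000.0, mitigation_cost=6_000.0),  # score 3, EL 20,000
)
BUDGET = 7_000.0  # constructed mitigation budget


def matrix_priority_plan(risks, budget: float):
    """Fund mitigations in descending matrix-score order, skipping any that no
    longer fit the remaining budget (the usual way matrix ratings drive spend)."""
    chosen, spent = [], 0.0
    for r in sorted(risks, key=matrix_score, reverse=True):
        if spent + r.mitigation_cost <= budget:
            chosen.append(r)
            spent += r.mitigation_cost
    return chosen


def optimal_plan(risks, budget: float):
    """Exact 0/1 knapsack by exhaustive search: choose the subset of mitigations
    within budget that removes the most expected loss (fine for small portfolios)."""
    best, best_value = [], 0.0
    for k in range(len(risks) + 1):
        for subset in combinations(risks, k):
            cost = sum(r.mitigation_cost for r in subset)
            value = sum(r.expected_loss for r in subset)
            if cost <= budget and value > best_value:
                best, best_value = list(subset), value
    return best


def expected_loss_removed(plan) -> float:
    return sum(r.expected_loss for r in plan)


if __name__ == "__main__":
    by_matrix = sorted(RISKS, key=matrix_score, reverse=True)
    by_el = sorted(RISKS, key=lambda r: r.expected_loss, reverse=True)
    print("matrix order:       ", [r.name for r in by_matrix])
    print("expected-loss order:", [r.name for r in by_el])
    m, o = matrix_priority_plan(RISKS, BUDGET), optimal_plan(RISKS, BUDGET)
    print("matrix-driven plan:", [r.name for r in m], "removes", expected_loss_removed(m))
    print("optimized plan:    ", [r.name for r in o], "removes", expected_loss_removed(o))
```

With these figures the matrix funds B and then A (7,000 spent, 13,910 of expected loss removed) while the optimization funds C alone (6,000 spent, 20,000 removed); the gap comes entirely from the matrix's inability to distinguish a 2% chance of a one-million loss from a 50% chance of a ten-thousand loss. Exhaustive search is used only because the portfolio is tiny; a real allocation would use a knapsack or linear-programming solver over the same objective.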