Home / more articles - The author - Contact

Upgraphs Graphic
An illustration of upside risk management

by Matthew Leitch, 14 July 2003

Here's a simple illustration of how different risk management rules have different impacts on a business venture.

The business venture I've used is not a real one, but it is realistic. (If you want to examine the spreadsheet model click here.) The estimated net present value (NPV) of the venture, if everything goes according to plan, is 100m.

However, there are also 50 events that might happen and have an impact on the out-turn. Each event has a probability below 0.5, and most have a probability less than 0.1. That's why they are not anticipated in the plan. Each has some positive impact and some negative impact, giving a net impact. There is a bias towards negative impact.

You can see the pattern of risk events in this scatter plot.

Risks Scatter Graph

The next graph shows the impact of those 50 events as a probability distribution for the out-turn under various risk management rules. The distributions were created using 100,000 trials of Monte Carlo simulation with Excel as the spreadsheet and XLsim 2.0 from Analycorp as the simulation add-in.

Out-turn distributions

The black curve shows the impact with no risk management. As you can see it is very likely that the out-turn will be well below the planned 100m and this is because of the bias towards negative impacts and the fact that, although all the risks are less likely to happen than not, there are lots of them, so some at least occur almost every time the venture is attempted. I hope you agree that his looks fairly realistic.

The red curve illustrates conventional risk management. Only events with a negative net impact before any mitigation have been "risk managed". In this illustration I've assumed that the result of the management is a 20% reduction in probability of occurrence and a 10% reduction in negative impact, for each event.

The green curve illustrates an attempt to reduce the spread of out-turns by suppressing all risks, whether their impact is positive or negative. This is the typical rule in financial risk management though, oddly, it involves deliberately reducing the likelihood and impact of favourable events. In this illustration I have assumed that the impact of risk management is to reduce the probability of all events by 20% and to make the absolute value of the net impact smaller by up to 10% of the greater impact. (There are alternative rules but this one gives a result broadly comparable to the other rules in magnitude.)

As you can see the impact is not as helpful as simple reduction of downside risk, but still better than no management, because of the assumed bias towards negative risks.

Finally, the blue curve illustrates sensible management of both upside and downside risks. This produces the best impact on the project. For the illustration I have assumed that positive impacts are increased by 10%, negative impacts decreased by 10%, events with a net impact after mitigation that is still negative are 20% less likely, and other events are 20% more likely.

The impact of different rules can be summarised in terms of the mean out-turns and standard deviations:


Mean out-turn

Standard deviation

No risk management



Traditional risk management



Spread reduction



Full risk management



For an illustration like this the exact differences are not important. What matters is that the different rules have different effects on the distribution of out-turn, according to the pattern shown above.

The costs incurred by risk management actions include some certain costs (as opposed to costs only triggered when an event occurs) and these would tend to drag the average out-turn back towards the out-turn without risk management. This effect has not been shown.

About the author: Matthew Leitch's interests include risk and uncertainty management, cognitive psychology, mathematics, internal control systems, design, the Internet, and human knowledge. He is a Chartered Accountant with a BSc in psychology from University College London. Until very recently he worked as a consultant in risk management and systems for a leading professional services firm. He pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. However, this web site is not connected in any way with his former employer nor are the views expressed here connected with the views of that organisation.

Contact the author at: matthew@dynamicmanagement.me.uk

Words © 2003 Matthew Leitch

Home / more articles - The author - Contact