Two governance situations are not equivalent if the range of outcome variability differs from one alternative to another. Governance decision alternatives typically have different expected values, but even when two alternatives have approximately the same expected value, one may have a wider range of possible outcomes than the other. Risk is inherent in the dispersion of possible outcomes about the mean of all such outcomes. To illustrate, suppose that governance decision alternatives A and B may each result in any of five possible outcomes, each with a known probability of occurrence. A common measure of the risk associated with a decision alternative is the standard deviation (sigma) of the alternative's possible outcomes,
$\sigma = \left[\sum_{j=1}^{k} (V_j - EV)^2\, p_j\right]^{1/2}$.
The justification for using the standard deviation as a measure of governance risk is the assumption that outcome probability distributions tend to be normally distributed about their means, which can be illustrated by introducing smooth probability distribution curves.
If the assumption is valid, then the interval from the mean of the distribution minus one, two, or three standard deviations to the mean plus the same number of standard deviations contains a known percentage of the outcomes in the distribution. The decision alternative with the wider range of outcome variability, i.e., the greater standard deviation, is said to be the riskier of the two. If the expected values are equal, most people would prefer the lower-risk decision alternative.
However, when the expected values of two decision alternatives differ substantially, their standard deviations will also differ in magnitude and therefore cannot serve as a reliable basis for comparing risks. In such cases, the SharePoint administrator may compute a coefficient of variation, v, for each decision alternative, where v is the ratio of the standard deviation to its respective expected value, $v = \sigma / EV$.
The governance alternative with the smaller coefficient of variation is the less-risky alternative. It is not uncommon for a decision alternative with a higher expected value of outcomes to also be riskier in the sense of having a wider range of outcome possibilities. In addition to assessing the riskiness of the decision alternatives, the SharePoint administrator must also be able to rationally make comparisons of the expected values of outcomes (or returns) in light of their comparative risks.
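As an added worked example (written for this article, not code from the original post), the following Python computes the expected value, standard deviation and coefficient of variation for three constructed alternatives: A and B share an expected value, while C is A with every outcome doubled, so it shows why sigma alone misleads when expected values differ and why the coefficient of variation is used instead.

```python
import math

# Constructed sample alternatives: (outcome value, probability) pairs.
# A and B share an expected value of 100; C is A with every outcome doubled,
# so its expected value and sigma differ from A's but its relative risk does not.
ALT_A = [(50, 0.1), (80, 0.2), (100, 0.4), (120, 0.2), (150, 0.1)]
ALT_B = [(10, 0.1), (60, 0.2), (100, 0.4), (140, 0.2), (190, 0.1)]
ALT_C = [(100, 0.1), (160, 0.2), (200, 0.4), (240, 0.2), (300, 0.1)]


def check_distribution(outcomes, tol=1e-9):
    """Reject malformed inputs: negative probabilities or a total that is not 1."""
    if any(p < 0 for _, p in outcomes):
        raise ValueError("probabilities must be non-negative")
    if abs(sum(p for _, p in outcomes) - 1.0) > tol:
        raise ValueError("probabilities must sum to 1")

def expected_value(outcomes):
    """EV = sum_j V_j * p_j."""
    check_distribution(outcomes)
    return sum(v * p for v, p in outcomes)

def std_dev(outcomes):
    """sigma = [ sum_j (V_j - EV)^2 * p_j ]^(1/2), the article's risk measure."""
    ev = expected_value(outcomes)
    return math.sqrt(sum((v - ev) ** 2 * p for v, p in outcomes))

def coeff_variation(outcomes):
    """v = sigma / EV: risk per unit of expected return."""
    return std_dev(outcomes) / expected_value(outcomes)

def less_risky(name_x, x, name_y, y, tol=1e-9):
    """Article's rule: compare sigma when expected values are (nearly) equal,
    otherwise compare v. Returns (less risky name or None on a tie, measure)."""
    if abs(expected_value(x) - expected_value(y)) <= tol:
        mx, my, measure = std_dev(x), std_dev(y), "sigma"
    else:
        mx, my, measure = coeff_variation(x), coeff_variation(y), "v"
    if abs(mx - my) <= tol:
        return None, measure
    return (name_x if mx < my else name_y), measure


if __name__ == "__main__":
    for name, alt in (("A", ALT_A), ("B", ALT_B), ("C", ALT_C)):
        print(f"{name}: EV={expected_value(alt):.1f} sigma={std_dev(alt):.2f} "
              f"v={coeff_variation(alt):.3f}")
    print(less_risky("A", ALT_A, "B", ALT_B))  # equal EV: A has the smaller sigma
    print(less_risky("A", ALT_A, "C", ALT_C))  # different EV: tie on v, not on sigma
```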
Since a SharePoint administrator might be willing to trade off risk for return (i.e., expected value), he must be able to decide whether the higher expected value of a decision alternative is adequate compensation for the additional risk that must be assumed. Theoretically, a preference function relating satisfaction (or utility) to any pair of desirable goods (or phenomena) may be constructed for a SharePoint administrator. Practically, the specification of such a preference function is difficult if not impossible to achieve. A functional notation representation of such a preference function might appear as
$U = f\big(V,\ (1-\sigma)/\ldots\big)$,
where U is the amount of utility realized by the SharePoint administrator, V is the value of the return from a decision alternative, and $\sigma$ indicates the risk associated with the opportunity. The argument $(1-\sigma)$ is the complement of the amount of risk incurred, or the degree of certainty that a particular outcome within the range of all such possible outcomes will occur. Risk (degree of uncertainty) and return occupy the floor axes of the three-dimensional graph; utility is measured in the vertical dimension. The right-hand side of the utility surface can be identified because the degree of certainty reaches a maximum, i.e., the degree of risk approaches zero. But the left-hand end of the risk-certainty axis cannot be specified since risk may increase without bound. The utility surface may be “sliced” parallel to the floor and at any altitude of utility. These projections constitute so-called “indifference curves” for the two phenomena represented on the floor axes, i.e., return and degree of certainty. Any number of such indifference curves may be constructed by slicing the utility surface at any chosen utility altitudes.
May be certain that there is only one possible outcome, and thus that risk is minimal (or zero). Risk therefore increases from right to left along the horizontal axis, but the left end of the axis may not be specified in the sense that risk may increase without bound. Any point in the coordinate space of the map represents some combination of risk and return, and each point lies on some indifference curve, such as I2, for a certain level of utility. Any movement along I2 would leave the SharePoint administrator in a state of indifference. For example, the movement from point A to point B would result in an increase of risk (a “decrease of certainty”), for which the SharePoint administrator would have to be compensated by an increase of return in order to remain at the same level of utility. Or, at the higher return associated with point B, the SharePoint administrator would tolerate more risk (less certainty). The indifference curves for a more risk-averse SharePoint administrator would be more steeply upward sloped (right to left) because such a SharePoint administrator would require even greater return for each level of risk.
Only rarely does a SharePoint administrator have perfect knowledge of a decision environment, the possible alternative courses of action that may be taken, or the range of outcomes that may result from each choice. Where multiple outcomes are possible, a risky situation is said to exist if the SharePoint administrator can both identify all of the possible outcomes and meaningfully assess the probabilities of occurrence of each of the possible outcomes. An uncertain situation occurs if the SharePoint administrator either cannot identify some of the outcomes, or cannot meaningfully estimate the probabilities of their occurrence. The SharePoint administrator may attempt to deal with uncertainty by seeking additional information about outcomes or their probabilities of occurrence. But after all available information is acquired and there is a persisting aura of uncertainty, the decision still has to be made.
Decision theorists have suggested a number of decision rules for situations involving uncertainty, i.e., where outcomes cannot be identified or their probabilities of occurrence cannot be meaningfully assessed. The two that seem to be most useful are the maximin and the minimax regret decision rules. In the former, the objective is to identify the worst-case outcomes of all of the decision strategies under consideration, and then choose the one that yields the least-negative effects, i.e., the best of the worst-case scenarios. This is an extremely conservative approach that is most appropriate to the need to avoid ultimate failure of the enterprise. Its prime deficiency is that it considers only failure states, and does not take into account the possibilities of success.
The minimax regret rule requires that the SharePoint administrator perceive the best possible outcome of the decision strategies, and then compute the regret associated with all other strategies as the difference between each and the best of the alternate strategies. The strategy of choice then is the one that minimizes the regret that follows from failure to select the best outcome.
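The two decision rules above, as an added worked example (not the article's own code): a constructed payoff table for three hypothetical governance strategies under three states whose probabilities cannot be assessed. The values are illustrative and chosen so that maximin and minimax regret select different strategies, which is the point the article makes about maximin looking only at failure states.

```python
# Constructed payoff table: return of each hypothetical governance strategy
# under each of three states the administrator cannot assign probabilities to.
# Strategy names, state names and values are illustrative, not from the article.
STATES = ["heavy regulation", "status quo", "rapid growth"]
PAYOFFS = {
    "keep current policy":  [40, 45, 50],
    "tighten permissions":  [30, 60, 90],
    "full migration":       [-20, 50, 140],
}


def _check(payoffs):
    """Every strategy must have exactly one payoff per state."""
    if len({len(row) for row in payoffs.values()}) != 1:
        raise ValueError("ragged payoff table")

def maximin(payoffs):
    """Best of the worst cases: the strategy whose minimum payoff is largest.
    Returns (chosen strategy, worst-case payoff per strategy)."""
    _check(payoffs)
    worst = {s: min(row) for s, row in payoffs.items()}
    return max(worst, key=worst.get), worst

def regret_table(payoffs):
    """Regret = (best payoff achievable in that state) - (this strategy's payoff)."""
    _check(payoffs)
    n = len(next(iter(payoffs.values())))
    best = [max(row[i] for row in payoffs.values()) for i in range(n)]
    return {s: [best[i] - row[i] for i in range(n)] for s, row in payoffs.items()}

def minimax_regret(payoffs):
    """The strategy whose largest regret across states is smallest.
    Returns (chosen strategy, maximum regret per strategy)."""
    regrets = regret_table(payoffs)
    worst_regret = {s: max(r) for s, r in regrets.items()}
    return min(worst_regret, key=worst_regret.get), worst_regret


if __name__ == "__main__":
    print("states:", STATES)
    choice, worst = maximin(PAYOFFS)
    print("maximin ->", choice, worst)
    choice, worst_regret = minimax_regret(PAYOFFS)
    print("minimax regret ->", choice, worst_regret)
```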
This series is a lot of parts that I am quasi-using pieces of for an academic research paper stance, so bear with me if it gets too esoteric. Or read the other governance articles available within the SharePoint Security category within the main site (available through the parent menu).