Last year I wrote a blog called Classifying Risks on my LinkedIn blog, and over the last few days I found some notes that might add to what I said then.
How does one work out the importance of a risk, and how much to spend on mitigating it? Some of this article repeats what was said in the previous one.
To evaluate the annual loss expectancy of a risk, both its likelihood and its impact need to be estimated, for each risk in turn; the expectancy is the product of the two, the expected number of occurrences in a year multiplied by the loss each occurrence would cause.
A detrimental event may cause loss through a loss of current and future business, a reputational loss, a payment of fines, an increased cost of compliance due to regulatory intervention or the payment of compensation to wronged parties.
Some risk impacts may be hard to estimate or evaluate, and qualitative measures may need to be used as proxies for a true financial estimate. Such proxies can often still be converted back to a financial value so that they can be compared with the cost of mitigation.
Most practitioners group both probability and impact into classes. A trivial likelihood may be less than 5% per year, i.e. one would expect the event to happen about once in 20 years, whereas more likely events will have higher probability estimates. I have also seen likelihood expressed as a forecast of when the risk may occur, say less than six months, one to three months, etc. An important feature of risk probability is that you have a history and can review if your…
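The arithmetic described above, as an added illustration rather than code from the article: likelihood and impact classes are mapped to an annual rate and a single-loss figure, the annual loss expectancy (ALE) is their product, a register is ranked by ALE, and a proposed control is judged by whether the ALE it removes exceeds its yearly cost. The band boundaries (other than "trivial" at 5%, roughly once in 20 years, which follows the text), the register entries, the control costs and the conversions of "once every N years" and "expected within M months" into an annual rate are all constructed assumptions.

```python
"""Annual loss expectancy (ALE) from classed likelihood and impact.

Added illustration, not code from the article. The band boundaries, the
risk register and the mitigation figures are constructed assumptions chosen
to show the arithmetic; only the "trivial = under 5%/year, roughly once in
20 years" band follows the text.
"""
from dataclasses import dataclass
from math import exp
from typing import List

# Likelihood classes as an annualised rate of occurrence (events per year).
LIKELIHOOD_BANDS = {
    "trivial": 0.05,   # about once in 20 years (from the article)
    "low": 0.20,       # assumed: about once in 5 years
    "medium": 0.50,    # assumed: about once in 2 years
    "high": 0.90,      # assumed: most years
}

# Impact classes as a representative single-loss figure in currency units.
# A qualitative proxy ("reputational: major") is mapped back to money here so
# it can be compared with the cost of mitigation.
IMPACT_BANDS = {
    "minor": 10_000,
    "moderate": 100_000,
    "major": 1_000_000,
}


def aro_from_interval(years_between_events: float) -> float:
    """'Expected once every N years' -> annual rate of occurrence (1/N)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def aro_from_horizon(months: float) -> float:
    """'Expected within M months' -> annual rate, assuming a steady rate.

    Assumption: the forecast horizon is read as the mean time between
    events, so 'within 6 months' becomes 12/6 = 2 events per year.
    """
    if months <= 0:
        raise ValueError("horizon must be positive")
    return 12.0 / months


def probability_of_at_least_one(aro: float) -> float:
    """Annual probability that the event occurs at all, assuming events
    arrive independently at the given rate (Poisson): 1 - e^(-rate).
    For small rates this is close to the rate itself (0.05 -> 0.0488)."""
    return 1.0 - exp(-aro)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # key into LIKELIHOOD_BANDS
    impact: str      # key into IMPACT_BANDS


def ale(risk: Risk) -> float:
    """Annual loss expectancy = annual rate of occurrence x single-loss impact."""
    return LIKELIHOOD_BANDS[risk.likelihood] * IMPACT_BANDS[risk.impact]


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Order a register so the largest expected annual loss comes first."""
    return sorted(risks, key=ale, reverse=True)


def mitigation_net_benefit(before: Risk, after: Risk, annual_cost: float) -> float:
    """Expected annual saving from a control minus what it costs each year.

    A positive result means the control is worth paying for on ALE grounds;
    a negative one means you would spend more than the risk costs you.
    """
    return ale(before) - ale(after) - annual_cost


# Constructed register (assumed entries, not the article's).
REGISTER = [
    Risk("Ransomware on file servers", "high", "major"),
    Risk("Laptop lost on train", "medium", "minor"),
    Risk("Data centre flood", "trivial", "major"),
    Risk("Phishing leading to invoice fraud", "low", "moderate"),
]


if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.name:40s} ALE = {ale(r):>12,.0f}")
    # Offline backups (assumed 150,000/year) drop ransomware from 'high' to 'low':
    # 900,000 - 200,000 - 150,000 leaves a clear net benefit.
    print(mitigation_net_benefit(REGISTER[0],
                                 Risk(REGISTER[0].name, "low", "major"), 150_000))
    # Relocating the data centre (assumed 80,000/year) only cuts flood impact
    # to 'moderate': 50,000 - 5,000 - 80,000 is negative, so it is not worth it.
    print(mitigation_net_benefit(REGISTER[2],
                                 Risk(REGISTER[2].name, "trivial", "moderate"), 80_000))
```

The point of using a rate rather than a bare probability is that the ALE stays meaningful for events that can happen more than once a year; the Poisson conversion in `probability_of_at_least_one` is there only to show that, for the trivial band, the two views differ by a fraction of a percent, so the article's "5% means once in 20 years" shorthand is safe to use.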