Upper Rating Probability Thresholds
Because risk to business objectives comes from unexpected events outside of
“business as usual”, we may desire more granularity in differentiating between
Possible, Unlikely and Rare events than for Likely and Frequent.
31
Definition of consequence
§
Consequence refers to the extent to which a risk event
might affect the enterprise.
§
Consequence assessment criteria may include financial,
reputational, regulatory, health, safety, security,
environmental, employee, customer, and operational
impacts.
§
Organizations typically define consequence using a
combination of these types of impact considerations to
aid consistent application of risk assessment across
different risk types.
32
Factors to consider in the design of the consequence scale
§
The scales used to represent the extent of consequences
must be designed carefully
. If not, then either the level of
risk is not assessed properly or incorrect choices are
made to accept or treat the risks.
§
For each outcome decide a meaningful measure
(quantitative or qualitative) that reflects the degree of
success in achieving the underlying objective.
§
Express the measure on a scale. These are then used to
express consequences.
–
The graduation of the scales should reflect the nature of the
objective and the tolerance for variation in that outcome.
§
To accommodate uncertainties in the measurement of
consequence, consider expressing impacts as a range
rather than a single value.
33
Necessary attributes of a consequence scale
1.
The range of the scale includes the upper values that could
possibly occur. It should at least represent a level
considered extreme for the organization defined as an
outcome where radical action would be taken that would
involve closure or substantial change to the organization
.
2.
The lower end corresponds to the limit of materiality.
3.
The granularity (i.e. the number of steps and the interval
between steps) of the scale is:
–
finest at the point where the consequences from most events are
expected to occur
–
precise enough to discriminate between acceptable and
unacceptable levels of risk
–
useful in determining which treatments should be implemented.
§
Consequently ratings may not be evenly interpolated
34
Illustration of consequence scale
Impacts
considered by
different
measures:
•
Financial loss
•
Reputation
damage
•
Regulatory
reporting
•
Safety
•
Employee
Engagement
35
Choice of scale type affects ability to combine likelihood and severity
Nominal
is purely descriptive.
Limited use as no mathematical or
ranking operation can be performed.
Ordinal
(eg. High, Medium, Low)
permits ranking but adding risks is
arbitrary and importantly, cannot
quantitatively combine ordinal scales
of likelihood and consequence.
Qualitative judgment needed.
Ratio
is a fixed interval scale with a
zero end point. Most useful because
mathematical operations (summing)
and cross multiplying of likelihood
and consequence can occur.
36
Use of ordinal scales
§
Ordinal scales are used when quantitative measurement is
unavailable or inaccurate and/or qualitative judgment is used
to assess risk.
