Upper Rating Probability ThresholdsBecause risk to business objectives comes from unexpected events outside of“business as usual”, we may desire more granularity in differentiating betweenPossible, Unlikely and Rare events than for Likely and Frequent.
31 Definition of consequence §Consequence refers to the extent to which a risk event might affect the enterprise. §Consequence assessment criteria may include financial, reputational, regulatory, health, safety, security, environmental, employee, customer, and operational impacts. §Organizations typically define consequence using a combination of these types of impact considerations to aid consistent application of risk assessment across different risk types.
32 Factors to consider in the design of the consequence scale §The scales used to represent the extent of consequences must be designed carefully. If not, then either the level of risk is not assessed properly or incorrect choices are made to accept or treat the risks. §For each outcome decide a meaningful measure (quantitative or qualitative) that reflects the degree of success in achieving the underlying objective. §Express the measure on a scale. These are then used to express consequences. –The graduation of the scales should reflect the nature of the objective and the tolerance for variation in that outcome. §To accommodate uncertainties in the measurement of consequence, consider expressing impacts as a range rather than a single value.
33 Necessary attributes of a consequence scale 1.The range of the scale includes the upper values that could possibly occur. It should at least represent a level considered extreme for the organization defined as an outcome where radical action would be taken that would involve closure or substantial change to the organization. 2.The lower end corresponds to the limit of materiality. 3.The granularity (i.e. the number of steps and the interval between steps) of the scale is: –finest at the point where the consequences from most events are expected to occur –precise enough to discriminate between acceptable and unacceptable levels of risk –useful in determining which treatments should be implemented. §Consequently ratings may not be evenly interpolated
34 Illustration of consequence scale Impactsconsidered bydifferentmeasures:•Financial loss•Reputationdamage•Regulatoryreporting•Safety•EmployeeEngagement
35 Choice of scale type affects ability to combine likelihood and severity Nominalis purely descriptive.Limited use as no mathematical orranking operation can be performed.Ordinal(eg. High, Medium, Low)permits ranking but adding risks isarbitrary and importantly, cannotquantitatively combine ordinal scalesof likelihood and consequence.Qualitative judgment needed.Ratiois a fixed interval scale with azero end point. Most useful becausemathematical operations (summing)and cross multiplying of likelihoodand consequence can occur.
36 Use of ordinal scales §Ordinal scales are used when quantitative measurement is unavailable or inaccurate and/or qualitative judgment is used to assess risk.