Having identified risks, the next step is to consider how likely they are to happen and what the impact would be if they did. Risks should be considered under a range of scenarios: for example, losing a production machine for 1 hour may not have a big impact, but losing it for 3 days could be catastrophic.

The usual methodology for the assessment is an Impact/Likelihood matrix. The matrix can use a scoring system, with colours highlighting priorities based on the weighted scores. It could look like this, with the Likelihood of an event occurring expressed in terms of frequency:


Using this scoring methodology, the following illustrates the score applied to an event. In this example the event is not thought likely to occur (predicted to occur once in every 5-10 years) but would have a big impact if it did.


Risks that have both High Impact and High Likelihood should be priorities for action. Risk Treatment may reduce a risk's score, and this may change its colour. See Risk Treatment.
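As an added illustration of the scoring described above (this is not the page's own matrix; the likelihood bands, impact scale and colour thresholds are assumptions), a small Python model in which likelihood is entered as a frequency, the score is the weighted product of likelihood and impact, and Risk Treatment lowers the likelihood and/or the impact, which can move the risk into another colour:

```python
# Impact/Likelihood scoring with likelihood expressed as a frequency.
# Band boundaries and colour thresholds below are assumptions, not the
# page's matrix.
from dataclasses import dataclass

# Likelihood bands as expected events per year: (floor, score, label).
LIKELIHOOD_BANDS = [
    (1.0, 5, "Almost certain (at least yearly)"),
    (0.2, 4, "Likely (once in 1-5 years)"),
    (0.1, 3, "Possible (once in 5-10 years)"),
    (0.02, 2, "Unlikely (once in 10-50 years)"),
    (0.0, 1, "Rare (less than once in 50 years)"),
]
IMPACT_SCORES = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # e.g. once in 7 years -> 1/7
    impact: str              # a key of IMPACT_SCORES

def likelihood_score(events_per_year: float) -> int:
    """Map a frequency onto the 1-5 likelihood scale."""
    for floor, score, _ in LIKELIHOOD_BANDS:
        if events_per_year >= floor:
            return score
    return 1

def risk_score(s: Scenario) -> int:
    """Weighted score: likelihood x impact, range 1-25."""
    return likelihood_score(s.events_per_year) * IMPACT_SCORES[s.impact]

def colour(score: int) -> str:
    """Priority colour for a score (assumed thresholds)."""
    if score >= 15:
        return "red"
    if score >= 6:
        return "amber"
    return "green"

def assess(scenarios):
    """Score each scenario of one risk and return (name, score, colour), worst first."""
    rows = [(s.name, risk_score(s), colour(risk_score(s))) for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def treat(s: Scenario, events_per_year=None, impact=None) -> Scenario:
    """Risk Treatment: lower the likelihood and/or the impact of a scenario."""
    return Scenario(s.name,
                    s.events_per_year if events_per_year is None else events_per_year,
                    s.impact if impact is None else impact)

# Constructed sample: the "lose a production machine" risk under two
# durations, plus the rare-but-big event from the text (once in ~7 years).
outage_1h = Scenario("machine down 1 hour", 2.0, "Minor")
outage_3d = Scenario("machine down 3 days", 1 / 7, "Catastrophic")
rare_big = Scenario("rare but high-impact event", 1 / 7, "Major")
```

Running `assess([outage_1h, outage_3d])` ranks the 3-day outage red ahead of the amber 1-hour outage, and `treat(rare_big, events_per_year=1/20, impact="Minor")` drops that event from amber to green.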

The approach is known as Business Impact Analysis (BIA). BIA can be defined as the process of reviewing and defining the risk that a system or process presents to business operations when or if it fails. The BIA may define the potential cost of an event to allow it to be compared against the cost of mitigation. The costs are usually financial, but can also be measured in non-monetary terms.

So far we have looked at:

  • Methods to identify risks
  • A method to score the likelihood of an event occurring and the impact it would have on the business

Next we need to consider the response to the information generated.

This step involves Evaluation: establishing and documenting the business's risk tolerance and appetite. By doing so, a business can identify which risks to accept and engage with, which to transfer out of the business, and which risk exposures to stop or terminate. This activity is subjective and different businesses will make different choices.

For some accepted risks a business may nonetheless take action to reduce the likelihood of an event occurring, its impact should it occur, or both. This is called Risk Treatment and is looked at after Evaluation.

