To manage risk, we have to understand the risk we carry. In this video, you’ll learn about risk assessments, risk appetite, risk tolerance, and risk registers.
Determining levels of risk can vary widely depending on how many different variables are involved. One way to evaluate risk is to create a qualitative risk assessment. This type of evaluation looks at individual risk factors and the different criteria for each one of those factors. You can often display a qualitative risk assessment in very broad terms. In our particular case, we’re going to use a traffic light grid to show a low, medium, or high risk in each of these categories.
We’ll start with legacy Windows clients. We may perform an assessment in our organization and find that we have a medium-level impact for that particular risk factor. Our annualized rate of occurrence we’ll mark in red to signify a high value. In this case, we may have a large number of legacy Windows clients that need to be updated. The cost of these controls would be marked as a medium and overall risk we can then set to be in the high level with the red marker.
We can perform additional qualitative analysis on these other risk factors, such as untrained staff. Maybe this has a very low impact, has a medium-level annualized rate of occurrence, a low cost of controls, which puts our overall risk somewhere in the medium level. And in our organization, we might have cases where we have devices that have no antivirus software running.
This may have a medium impact, a large annualized rate of occurrence, a medium cost of controls, and we might set the overall risk value to be very high. This process of qualitative analysis can be applied to any risk factor, across many different categories, and it’s designed to give us a high-level view of where we might focus our efforts to resolve these problems. There may be certain risks where we can calculate a specific value; we refer to this as a quantitative risk assessment.
This might start with an ARO. That stands for an Annualized Rate of Occurrence. This allows us to determine how often this risk will occur in a single year. So for example, an annualized rate of occurrence that a hurricane will hit will probably be lower in Montana than it is in Florida.
We might also want to assign an Asset Value to that risk, or AV. The asset value is the value of that asset to the organization. That doesn’t necessarily mean it’s the replacement cost, because that asset value could include the effect on company sales, any fines that you might receive when that particular risk is realized, and any other costs.
And another important value is the exposure factor. The Exposure Factor is abbreviated with EF. This is the percentage of the value that was lost due to that particular risk. So if we lose a quarter of that particular asset the exposure factor is 0.25. If we lose the entire asset, then the exposure factor is 1.0.
Now, we can start calculating a quantitative risk assessment based on some of those variables. We’ll start with the SLE, or Single-Loss Expectancy, which is the monetary loss we receive if one single event occurs. You can calculate this by taking the Asset Value, or AV, and multiplying it by the Exposure Factor, or EF.
Let’s take the example of laptops that are stolen. If we have a laptop stolen, the rough asset value is around $1,000, and since the entire asset is now missing, the exposure factor is a full 1.0. If we multiply that $1,000 value times the 1.0 exposure factor, we have a single loss expectancy of $1,000.
In our organization, we can estimate that a number of laptops will be stolen in a single year. So to calculate the ALE, or Annualized Loss Expectancy, we would multiply the Annualized Rate of Occurrence, ARO, times the SLE, or Single-Loss Expectancy. So if we expect there will be seven laptops stolen in a year, that annualized rate of occurrence is 7, and we multiply that times the single-loss expectancy of $1,000, which gives a total annualized loss expectancy of $7,000.
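The SLE and ALE calculations above, as an added worked example that is not part of the original video. It uses the stolen-laptop figures from the text ($1,000 asset value, exposure factor 1.0, ARO of 7) and goes slightly beyond the single case by ranking a small list of constructed risks by their annualized loss expectancy; the other two risks and their values are made up for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset to the organization, in dollars
    exposure_factor: float  # EF: fraction of the asset value lost per event, 0.0 to 1.0
    aro: float              # ARO: expected number of occurrences in one year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the monetary loss if the event occurs once."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 (no loss) and 1.0 (total loss)")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO x SLE: the expected monetary loss over one year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return aro * sle


def rank_by_ale(risks):
    """Return (name, SLE, ALE) for each risk, highest ALE first, to show where to focus."""
    rows = []
    for r in risks:
        sle = single_loss_expectancy(r.asset_value, r.exposure_factor)
        ale = annualized_loss_expectancy(r.aro, sle)
        rows.append((r.name, sle, ale))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register: the laptop entry matches the text, the others are invented.
SAMPLE_RISKS = [
    Risk("Stolen laptop", asset_value=1000.0, exposure_factor=1.0, aro=7),
    Risk("Web server outage", asset_value=40000.0, exposure_factor=0.25, aro=2),
    Risk("Lost phone", asset_value=800.0, exposure_factor=1.0, aro=3),
]

if __name__ == "__main__":
    for name, sle, ale in rank_by_ale(SAMPLE_RISKS):
        print(f"{name:<20} SLE=${sle:>10,.2f}  ALE=${ale:>10,.2f}")
```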
Obviously, this calculation takes into account the financial cost of this particular risk, but there may be other risks associated with this. For example, the data that’s on those laptops may be more valuable than the laptop itself. That’s why we have both a quantitative risk assessment and a qualitative risk assessment that we can evaluate.
We take into account a number of different impacts of events that may occur in our risk calculations. The most important of these would be life. We want to be sure that everyone in the organization is safe. We can replace assets, but we can’t replace people, so we usually put life at the very top of our concerns.
We then also have to consider the impact to the property. This would be the buildings and the resources that we would commonly use in our organization. We should also consider the impact of safety. If there’s a risky event, what type of safety impact is this to the individuals and the company itself?
There’s also, of course, a financial impact. We discussed some of that with our quantitative analysis. You’ve probably seen already that our risk calculations tend to take into account likelihood and probability. The likelihood of a risk is a qualitative value. So we might consider a risk to be rare, possible, almost certain, or some other type of qualitative measurement.
Risk probability tends to be a quantitative number. So we can associate a statistic or a measurement to that specific risk. We can often base this on historical performance and, in some cases, the performance that we might expect into the future. We will often use these two terms interchangeably, and sometimes, we might even calculate a risk probability and then associate a likelihood based on that value.
Not all risk requires an organization to act. There may be a certain amount of risk that the organization is willing to take. We refer to that value as a risk appetite.
Some organizations will set a qualitative value on this appetite. We refer to this as a risk appetite posture. So they might look at a particular risk and say that they are conservative or neutral or expansionary to that particular risk type.
Another important value to consider is the risk tolerance. This is often a larger variance than the risk appetite. So we might have a risk appetite that is relatively low, and our risk tolerance might be just above that particular appetite value.
Here’s a practical example that differentiates between a risk appetite and a risk tolerance. If you’re driving on the roads, there is a speed limit for the highway. Your speed limit might be 55 miles an hour. That value has been set by the government, and they know that is the acceptable balance between safety and convenience. That means that you are not allowed to go over 55 miles an hour, and if you do, you’re violating the law.
So if we’re driving on the highway, and we exceed the speed limit, we could be ticketed. In practical terms, however, we don’t tend to be ticketed until we go well above the speed limit values. This means, if we’re not being ticketed, and we’re going over the speed limit, that our law enforcement has a higher risk tolerance than they have a risk appetite. This risk tolerance might also change depending on the situation. If there’s very bad weather, there may be a need to keep the speeds lower on the highway, and the risk tolerance of law enforcement may have a much lower speed limit in mind.
It’s not unusual for a project in an organization to have a list of the risks associated with implementing that particular project. This is usually documented in a risk register, and each individual risk is detailed so that everyone understands the risks associated with that project. The goal of the risk register is to document each of those individual risks, and if possible, provide some options or solutions to avoid that risk.
Each line in the risk register will contain a key risk indicator that details what those risks could be. For example, in this project, the project purpose and need is not well defined, the project design and deliverable definition is incomplete, and the project schedule is not clearly defined or understood. Each one of those would be a key risk indicator. For each of those key risk indicators we need to assign an owner who will manage or be responsible for that particular risk, and then we need to determine what the risk threshold will be for this project. We need to spend time and money to be able to resolve that particular risk, and we need to make sure that there is a balance between how much money we’ll spend on the risk and how much that risk would end up costing the company.