In our last blog we learned that there are two classifications of of risk:  

the risks you take, where you have control and the risks you face which are caused by involuntary events. (Read "What does risk mean to you?")

Here we will discuss the risks you face.2 types of risk

Even as we are faced with risks from involuntary events in the environment or past strategic decisions, we do not have to roll over and play dead. We are NOT completely out of control. Let’s take a closer look at ‘the risks we face’ to understand how we can mitigate these risks by adopting smart controls (or treatments) that reduce the likelihood they influence us, or reduce the impact when they do influence us. In order to control risks we face we have to be able to do two things: identify risk and measure risk.

To evaluate any risk you need to be able to answer two questions which look at risk from two different viewpoints:

If the risk event occurs what losses will we face? and
How likely is that risk event hits or impacts my business?

In other words, the risk of an event is defined the likelihood that the event will occur times impact of the event.

Risk Event Examples
  • New government regulations
  • Mandatory company relocation
  • Country wide mandated retirement policy age change
  • Earthquake; Hurricane
  • Cyberattack

Like an artist painting a landscape, risk event(s) must be approached from each business’ perspective. What works or is good for one organization may not be good for another. Losses we face if a risk event occurs are a function of how much and how likely our organization’s objectives might be impacted. 

For example, let’s say we face the risk event of “new government regulations for privacy.” We need to estimate how likely and by how much key business objectives would be impacted to cause a loss to the organization for adoption of these new government regulations. Examples include – increased legal compliance, increased personnel costs, loss of revenue as customers balk at privacy disclosures, increased employee dissatisfaction, adoption of new sales requirements and increased IT engineering compliance costs. For each of these examples, we would measure the impact (how much) and the likelihood (probability of occurrence) for each instance.

For any objective, risk equals likelihood times impact!

In the next blog we will discuss how to assess loss across our total range of objectives.