Almost everybody makes a fundamental error when it comes to assessing a risk. It doesn’t matter whether they are using a heat map, a risk register or a risk profile. They show the level of risk as a point: the likelihood of a potential impact or consequence.

But 99 percent of the time, this is wrong. Because 99 percent of the time, there is a range of potential consequences, each with its own likelihood.

A Range of Potential Risks

Even if you ignore the fact that there are — more often than not — multiple consequences from an event, situation or decision, anybody trying to understand risk and its effect on objectives needs to stop presenting the level of risk as a single point.

This was brilliantly illustrated in the Ponemon Institute’s latest report on cyber. Its 2018 Cost of a Data Breach Study (sponsored by IBM) is an excellent read with a number of interesting findings.

The content relevant to this discussion is a graphic that shows the range of potential consequences from a cyber breach. The graphic shows the likelihoods of having anywhere from 10,000 to 100,000 records stolen. (The study separately discusses the cost of what they term a "mega breach," when more than a million records are stolen.)

Using their number for the average cost to the business (across all sectors and geographies) of the loss of a single data record, I created the graphic below. (The probabilities are for the next 24 month period.)

ponemon risk assessment graphic

As you can see, in their estimation a cyber breach can result in a loss anywhere from $1.5 million to $14.8 million. (The losses suffered by organizations in the medical sector are about triple that amount). These losses can extend to $350 million for the very few who have 50 million records stolen.

If the graphic above reflects reality, which point do you select to put on a heat map or risk profile?

If you want people to make intelligent and informed decisions relating to this risk, they have to understand the full picture. That picture starts with a chart that shows the range of potential consequences. Ideally, it shows how they might affect enterprise objectives.

Learning Opportunities

Webinar
Learn the implications of AI to your company though thought-provoking questions
May
30
ChatGPT and the Future of Conversational AI
This discussion explores various aspects of AI implementation, ethical considerations, and challenges for your organization.
Webinar
An inspirational future of Employee Voice
May
31
The Evolution of Employee Listening - 2023 Trends & Best Practices
Learn proven effective methods and solutions to supporting an inspirational future of Employee Voice
Webinar
Skills needed to design, build, and run generative AI-based CX solutions
Jun
1
How organizations can design, build and run Generative AI into the Customer Experience
Discover how to drive enhanced CX through Generative AI
Webinar
Learn how to optimize your digital customer journey
Jun
6
The Future of Social Media: Emerging Trends and How to Stay Ahead of the Curve
The impact of emerging technologies like AI on social media
Webinar
What it takes to do personalization well
Jun
7
The Building Blocks of Personalization
This webinar will explore how personalization can create powerful ecommerce shopping experience.
Webinar
Discover the challenges that contact centers, AX, and CX face and how CAI-assisted applications can help solve them
Jun
13
The Future of Contact Centers with AI at the Helm
Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX
Webinar
Learn the implications of AI to your company though thought-provoking questions
May
30
ChatGPT and the Future of Conversational AI
This discussion explores various aspects of AI implementation, ethical considerations, and challenges for your organization.
Webinar
An inspirational future of Employee Voice
May
31
The Evolution of Employee Listening - 2023 Trends & Best Practices
Learn proven effective methods and solutions to supporting an inspirational future of Employee Voice
Webinar
Learn the implications of AI to your company though thought-provoking questions
May
30
ChatGPT and the Future of Conversational AI
This discussion explores various aspects of AI implementation, ethical considerations, and challenges for your organization.
Webinar
An inspirational future of Employee Voice
May
31
The Evolution of Employee Listening - 2023 Trends & Best Practices
Learn proven effective methods and solutions to supporting an inspirational future of Employee Voice
Webinar
Skills needed to design, build, and run generative AI-based CX solutions
Jun
1
How organizations can design, build and run Generative AI into the Customer Experience
Discover how to drive enhanced CX through Generative AI
Webinar
Learn the implications of AI to your company though thought-provoking questions
May
30
ChatGPT and the Future of Conversational AI
This discussion explores various aspects of AI implementation, ethical considerations, and challenges for your organization.

What is an acceptable level of risk? It's definitely not an "amount," as preached by COSO. I prefer to talk about an acceptable likelihood of achieving your objectives.

Related Article: How Much Information Security Is Enough?

Where Do You Draw the Line?

But back to the graphic: Is the range of potential consequences and their likelihood acceptable? Are there any individual points in the range that are unacceptable?

Does it make sense to use techniques like Monte Carlo to replace a chart with a single number?

How do you provide actionable information that enables intelligent and informed business decisions?

I welcome your comments.

Related Article: Identifying, Assessing and Evaluating Risk Is the Easy Part

fa-solid fa-hand-paper Learn how you can join our contributor community.