You may think “impact” and “consequence” are the same thing, and you would not be alone: we often hear people using the words interchangeably. While both impact and consequence are the result of a security event, they're not the same thing.
So what’s the difference? The short answer is that “impact” describes an incident’s effect on your organization, while “consequence” describes an incident's effects on the outside world.
For the longer, more nuanced answer, read on.
Calculating risk: a quick review
Before we get into impact and consequence, we need to review probability and severity.
Security professionals are often tasked with assessing the risk of clients’ enterprises. One of the tools we use to do this is an equation:
Risk = Probability × Severity
In other words, a risk can be calculated by multiplying the likelihood of an incident by how bad that incident would be. Determining the probability of something happening can be complex, and some incidents are easier to estimate than others. Weather-related incidents, for example, are easy to calculate because they’re common in certain areas of the country, while calculating the probability of an active shooter at one of your buildings is more complicated.
As security professionals, we’re generally most concerned with the low probability and high severity incidents. Probability is just one variable, however — you must also know how an incident like a tornado will affect a business.
While we might not be able to exactly predict what one tornado will do to a business, security professionals can perform an impact and consequence assessment. These assessments can help determine the severity of an event and help to calculate risk.
So why do impact and consequence matter in calculating severity?
What is impact?
Impact is mostly about how an incident will affect your organization internally. When we assess impact, we look at the things that would be disrupted within your business, like:
Your company’s finances
The key aspect is to understand the overall impact to your own organization. An assessor will want to answer the question: “If an event were to happen at this location, how bad could it be?” For example, supply chain issues will slow down production within your organization. That’s impact.
This is one part of understanding severity. But what about the external world?
What is consequence?
While impact mostly describes how an incident would affect you internally, consequence describes the effects your company’s misfortune would have on others who depend on your company, or on the surrounding community.
This naturally includes your employees and your customers, but might also include the community near your facilities — if there’s an incident that causes pollution, or if you’re the only employer in the area — or any other group who is dependent on you. This group may also include the other companies in your supply chain, your vendors, your partners, and your distributors.
Anyone whose business is disrupted by the incident would be included in the consequences. For example, the supply chain slowdown means that everyone who is dependent on your product will be experiencing a shortage. If you’re the only steel producer in the country, a slowdown at your plant will have consequences for the whole market.
A key question to answer is: “Who is dependent upon my company's assets or services?”
Why do you need to understand both impact and consequence?
People who are new to security risk often speak about impact and consequence interchangeably. To really understand severity, and risk overall, it’s important to understand what impact and consequence are, what they mean, and how they’re measured.
When you understand them, you can make better decisions about your own appetite for risk. Since we generally are concerned with the low probability and high severity incidents, really calculating the effect of an incident will be critical to understanding risk and helping your organization make appropriate decisions to avoid, assume, or mitigate those risks.
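The following is an added worked example of the Risk = Probability × Severity calculation described above, scoring impact and consequence separately and then ranking scenarios; it is not code from this article or its authors. It assumes a 1–5 scale for both impact and consequence, takes severity as the worse of the two so that a mild internal impact cannot hide a serious external consequence, and uses constructed scenario scores and treatment thresholds that any real assessment would replace with its own.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    probability: float  # estimated annual likelihood, 0.0 to 1.0 (constructed)
    impact: int         # effect inside the organization, 1 (negligible) to 5 (catastrophic)
    consequence: int    # effect on dependents and the community, same 1 to 5 scale


def severity(s: Scenario) -> int:
    """Assumption: severity is the worse of impact and consequence."""
    return max(s.impact, s.consequence)


def risk(s: Scenario) -> float:
    """Risk = Probability x Severity, as in the article."""
    return s.probability * severity(s)


def is_low_probability_high_severity(s: Scenario,
                                     prob_ceiling: float = 0.1,
                                     sev_floor: int = 4) -> bool:
    """Flag the rare-but-serious scenarios that a pure risk ranking pushes down.
    The two thresholds are assumptions, not values from the article."""
    return s.probability <= prob_ceiling and severity(s) >= sev_floor


def treatment(s: Scenario) -> str:
    """Map a scenario to the avoid / mitigate / assume decisions the article names.
    Thresholds are assumptions chosen for illustration."""
    if severity(s) == 5 and s.probability >= 0.25:
        return "avoid"
    if risk(s) >= 0.5 or is_low_probability_high_severity(s):
        return "mitigate"
    return "assume"


def rank(scenarios: list) -> list:
    """Return scenario names ordered from highest to lowest risk."""
    return [s.name for s in sorted(scenarios, key=risk, reverse=True)]


# Constructed sample scenarios for a single facility; all scores are illustrative.
SCENARIOS = [
    Scenario("tornado", probability=0.05, impact=4, consequence=3),
    Scenario("supply chain slowdown", probability=0.4, impact=3, consequence=5),
    Scenario("power outage", probability=0.6, impact=2, consequence=1),
    Scenario("chemical release", probability=0.02, impact=5, consequence=5),
]


def report(scenarios: list) -> list:
    """Build one row per scenario: (name, severity, risk, flagged, treatment)."""
    return [
        (s.name, severity(s), round(risk(s), 3),
         is_low_probability_high_severity(s), treatment(s))
        for s in sorted(scenarios, key=risk, reverse=True)
    ]


if __name__ == "__main__":
    for row in report(SCENARIOS):
        print("%-22s severity=%d risk=%.3f flagged=%s -> %s" % row)
```

Ranking by risk alone places the frequent but modest power outage above the tornado and the chemical release; the separate low-probability, high-severity flag is what keeps those two in view, which is the point the article makes about where security professionals focus their attention.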
Ready to talk to an expert about your security? Tell us what your security needs are.