Security professionals are often tasked with assessing the risk of clients’ enterprises. One of the tools we use to do this is an equation:
Risk = Probability X Severity
In other words, a risk can be calculated by multiplying the likelihood of an incident by how bad that incident would be. Determining the probability of something happening can be complex. Some incidents may be easier than others. Weather-related incidents, for example, are easy to calculate because they’re common in certain areas of the country, while calculating the probability of an active shooter at one of your buildings is more complicated. As security professionals, we’re generally most concerned with the low probability and high severity incidents. Probability is just one variable, however — you also must know how an incident like a tornado will affect a business.
While we might not be able to exactly predict what one tornado will do to a business, security professionals can perform an impact and consequence assessment. These assessments can help determine the severity of an event and help to calculate risk.
Ask the Expert: How Can I Plan for Continuity During the Coronavirus Shutdown?
What is Impact?
Impact is mostly about how an incident will affect your organization internally. When we assess impact, we look at the things that would be disrupted within your business, like:
- Your brand
- Your company’s finances
The key aspect is to understand the overall impact to your own organization. An assessor will want to answer the question: “if an event were to happen at this location, how bad could it be?”
This is one part of understanding severity. But what about the external world?
What is consequence?
While impact mostly describes how an incident would impact you internally, consequence describes the effects your company’s misfortune would have on others who are dependent on your company or affects a community.
This naturally includes your employees and your customers, but might also include the community near your facilities — if there’s an incident that causes pollution, or if you’re the only employer in the area — or any other group who is dependent on you. This group may also include the other companies in your supply chain, such as your vendors, your partners, and your distributors.
Anyone whose business is disrupted by the incident would be included in the consequences. For example, if you’re the only steel producer in the country, a tornado hitting your plant would have an impact on the country’s steel supply.
A key question to answer is: “Who is dependent upon my company's assets or services?”
Probability vs Foreseeability: Why Security Professionals Need to Know the Difference
Why do you need to understand both impact and consequence?
Many times, when people are new to security risk, they speak about impact and consequence interchangeably, but to really understand severity and risk overall, it’s important to understand what impact and consequence are, what they mean, and how they’re measured.
When you understand them, you can make better decisions about your own appetite for risk. Since we generally are concerned with the low probability and high severity incidents, really calculating the effect of an incident will be critical to understanding risk and helping your organization make appropriate decisions to avoid, assume, or mitigate those risks.
What other variables do you use to determine the severity of risk? Contact us and share your variables.