When we calculate risk, it’s important to define what risk actually is.
The formula for calculating risk is simple:
probability x severity = risk
For this reason, companies need to be able to assess both probability and severity. Unfortunately, organizations often focus on the events that are most likely to happen, leaving a hole in their preparedness. A company may expect shrinkage or internal threat, for example, but not an active shooter on site.
The problem there is that while shrinkage is more likely to happen, a shooter’s impact is much more severe, and if your security is unprepared to mitigate the threat posed by a shooter, your organization won’t be able to respond effectively to the event, or to easily get back to normal after the threat has passed.
To help organizations prepare for both likely and severe risks, we’ve added a Threat & Impact Assessment solution called the Dynamic Inherent Risk Assessment™.
Impact and Consequence: What is the difference?
How can the Threat & Impact Assessment feature help your business?
Our feature is based on scenario-based risk assessments — risk assessments directed toward a specific threat, concern, or hazard. Rather than assessing the vulnerabilities of an entire organization, a scenario-based assessment evaluates the risk of vulnerabilities related to a specific scenario happening.
Circadian Risk’s Dynamic Inherent Risk Assessment™ offers users a customizable list of currently 28 scenarios — including risks like theft, bombing, arson, civil disturbance, and vandalism — allowing organizations to rank each scenario by probability and severity for each site.
What is Scenario-based Assessment? Learn more.
An analyst can do this by ranking key variables on a scale of 1 to 5. An example of a key variable is “historical context.” If a threat has never happened before at a site, it would be ranked as a 1. If it happens often, it would be ranked as a 5. The higher the ranking of a scenario, the more likely, or severe, it will be for an organization, and the more priority it should receive.
By understanding the scenarios that are both likely and most impactful, your organization will be more proactive about preparing for every threat that might occur — even if some of those threats aren’t likely.
What other variable for probability and severity do you use to measure your own Inherent Risk? Post your comments on Linkedin