2.3 Likelihood and consequence scales

Risk assessment relies heavily on likelihood and consequence scales to evaluate potential threats. These tools help organizations quantify and prioritize risks, enabling more informed decision-making.

Likelihood scales measure the probability of an event occurring, while consequence scales gauge its potential impact. By combining these assessments, risk managers can determine which risks pose the greatest threats and allocate resources accordingly.

Likelihood scales

• Likelihood scales are used to assess the probability or frequency of a risk event occurring
• Selecting the appropriate likelihood scale is critical for accurately characterizing risks in a given context
• Likelihood scales can be qualitative, semi-quantitative, or fully quantitative depending on the level of precision required

Defining likelihood

Top images from around the web for Defining likelihood

• 

  Probability-impact assessment - Praxis Framework View original

  Is this image relevant?

• 

  Probability-impact assessment - Praxis Framework View original

  Is this image relevant?

• 

  Risk-storming View original

  Is this image relevant?

• 

  Probability-impact assessment - Praxis Framework View original

  Is this image relevant?

• 

  Probability-impact assessment - Praxis Framework View original

  Is this image relevant?

1 of 3

Top images from around the web for Defining likelihood

• 

  Probability-impact assessment - Praxis Framework View original

  Is this image relevant?

• 

  Probability-impact assessment - Praxis Framework View original

  Is this image relevant?

• 

  Risk-storming View original

  Is this image relevant?

• 

  Probability-impact assessment - Praxis Framework View original

  Is this image relevant?

• 

  Probability-impact assessment - Praxis Framework View original

  Is this image relevant?

1 of 3

• Likelihood refers to the chance that a risk event will occur within a specified timeframe
• Involves considering both the probability of the event happening and the frequency with which it may occur
• Likelihood assessments are based on historical data, expert judgment, or statistical modeling

Qualitative likelihood scales

• Use descriptive words or phrases to characterize the chance of a risk event occurring (very unlikely, unlikely, possible, likely, very likely)
• Provide a quick and simple way to prioritize risks without requiring precise numerical estimates
• Work well for screening level risk assessments or when data is limited

Semi-quantitative likelihood scales

• Assign numerical values or ranges to each likelihood level (1-3 low, 4-6 medium, 7-9 high)
• Enable comparisons between risks and can be used to calculate risk scores when combined with consequence scales
• Offer a balance between the simplicity of qualitative scales and the precision of fully quantitative scales

Fully quantitative likelihood scales

• Express likelihood as a specific probability or frequency (10% chance per year, 1 in 100 year event)
• Require significant data and statistical analysis to develop robust estimates of event likelihood
• Appropriate for high-stakes decisions or when very precise risk characterization is needed

Selecting appropriate likelihood scales

• Consider the quality and quantity of available data on risk event probability or frequency
• Evaluate the level of precision required for effective risk-based decision making in the given context
• Ensure the scale aligns with organizational risk appetite and regulatory requirements

Consequence scales

• Consequence scales characterize the severity of impacts if a risk event were to occur
• Developing clear consequence scales is essential for understanding risk significance and prioritizing risk management efforts
• Like likelihood scales, consequence scales can be qualitative, semi-quantitative, or fully quantitative

Defining consequence

• Consequence refers to the outcome or impact of a risk event across various dimensions (financial, safety, reputational, environmental, etc.)
• Evaluating consequence involves considering the magnitude of impacts as well as the sensitivity and adaptability of affected systems
• Consequence can be measured in absolute terms (dollars lost, injuries suffered) or in relative terms (% of budget, % of population affected)

Qualitative consequence scales

• Use descriptive categories to characterize the severity of risk event impacts (low, moderate, high, extreme)
• Enable rapid risk ranking and prioritization without extensive quantitative analysis
• Most appropriate when consequences are difficult to quantify or when a high-level assessment is sufficient

Semi-quantitative consequence scales

• Define numerical ranges for each level of consequence severity (1-3 minor impacts, 4-6 moderate impacts, 7-9 major impacts)
• Support more granular differentiation of risks than qualitative scales while still allowing for expert judgment
• Can be used to generate risk scores and enable comparison across different types of impacts

Fully quantitative consequence scales

• Quantify the specific impacts of a risk event in metrics relevant to each consequence dimension ($1M in financial losses, 10 days of lost production, 50 customers affected)
• Provide the highest level of precision in risk assessment but require robust data and analysis to generate defensible impact estimates
• Used for risks that could significantly impact organizational performance or when detailed cost-benefit analysis is needed to inform risk treatment options

Selecting appropriate consequence scales

• Determine which consequence dimensions are most relevant to the organization's objectives and stakeholders
• Identify available data sources and analytic capabilities to support quantification of impacts
• Ensure the scale provides sufficient granularity to differentiate between risks while still being practical to implement

Combining likelihood and consequence

• The level of risk is determined by considering both the likelihood and consequence of a risk event
• Combining likelihood and consequence assessments enables evaluation of risk significance and prioritization of risk management efforts
• Several methods exist for integrating likelihood and consequence, each with strengths and limitations

Risk matrices

• A risk matrix plots likelihood and consequence on perpendicular axes, with the intersection indicating the overall risk level
• Risks in the upper right (high likelihood, high consequence) are the highest priority, while risks in the lower left (low likelihood, low consequence) are the lowest priority
• Provides a simple visual representation of risk but can obscure nuances in likelihood and consequence assessments

Calculating risk scores

• Risk scores are calculated by multiplying the likelihood and consequence values assigned to each risk
• Enables cardinal ranking of risks based on their relative significance
• Care must be taken to ensure the likelihood and consequence scales are compatible and that the risk scores adequately differentiate between risks

Risk score interpretation

• The meaning of a risk score depends on the scales used and the organizational context
• Thresholds can be set to indicate which scores require active risk management, which require monitoring, and which are acceptable
• Comparing risk scores across different types of risk requires normalizing the scales to a common denominator

Limitations of risk matrices

• Risk matrices can oversimplify complex risks and create artificial boundaries between risk levels
• They may not adequately account for low likelihood, high consequence events or risks with multiple consequence dimensions
• Focusing solely on the highest scoring risks may lead to overlooking lower scoring risks that still require attention

Customizing scales

• Likelihood and consequence scales can be tailored to the specific needs and context of an organization
• Customization enables the scales to better align with organizational objectives, capabilities, and stakeholder perspectives
• Developing customized scales requires careful consideration of several key factors

Tailoring to specific contexts

• Identify the key risk drivers and impact areas that are most relevant to the organization's industry, size, and strategic priorities
• Align the scales with the organization's risk appetite and tolerance statements
• Consider the temporal and geographic scope of the risks being assessed and adjust the scales accordingly

Stakeholder input in scale development

• Engage stakeholders from across the organization to understand their perspectives on likelihood and consequence
• Seek input from subject matter experts to ensure the scales reflect the best available knowledge and data
• Communicate the rationale behind the scales and seek feedback to refine the approach

Validating customized scales

• Test the scales using a range of scenarios to ensure they generate meaningful and consistent results
• Compare the results of the customized scales to other risk assessment approaches to validate their utility
• Solicit independent review of the scales by external experts or benchmarking against industry peers

Evolving scales over time

• Regularly review and update the scales as new information becomes available or as organizational priorities shift
• Incorporate lessons learned from applying the scales in practice to identify areas for improvement
• Maintain version control and documentation of changes to the scales over time

Communicating scale meaning

• Effectively communicating the meaning and proper application of likelihood and consequence scales is critical for their successful use
• Clear communication ensures that all stakeholders have a shared understanding of risk and can effectively contribute to risk management efforts
• Several strategies can be employed to enhance scale communication

Defining scale terminology

• Provide clear definitions for each level of likelihood and consequence, using language that is accessible to all stakeholders
• Use examples to illustrate the types of events or impacts that would fall into each category
• Develop a glossary of risk assessment terms and make it readily available to all scale users

Linking scales to objectives

• Demonstrate how the scales align with and support the achievement of organizational objectives
• Use the scales to facilitate discussions about risk appetite and tolerance in relation to key performance indicators
• Highlight how the scales enable risk-informed decision making and resource allocation

Visualizing scale information

• Use visual aids such as risk matrices, heat maps, and risk dashboards to convey scale information in an intuitive format
• Employ color coding, icons, and other visual cues to highlight key risk thresholds and priorities
• Tailor visualizations to the needs and preferences of different stakeholder groups

Training on scale application

• Provide training to all staff involved in risk assessment on the proper use and interpretation of the scales
• Use case studies and hands-on exercises to build competency in applying the scales to real-world scenarios
• Offer refresher training and support resources to reinforce scale understanding over time

Integrating with other risk tools

• Likelihood and consequence scales are most effective when integrated with other risk assessment and management tools
• Integration enables a more comprehensive and coordinated approach to risk management across the organization
• Several common risk tools can be enhanced through the use of well-designed likelihood and consequence scales

Feeding scales into risk registers

• Use likelihood and consequence assessments to prioritize risks for inclusion in the risk register
• Regularly update risk register entries based on changes in likelihood or consequence as indicated by the scales
• Align risk treatment strategies and resource allocation with the risk levels determined by the scales

Scales in bow-tie analysis

• Apply likelihood scales to the threat side of the bow-tie to characterize the probability of risk events
• Use consequence scales on the impact side of the bow-tie to assess the severity of risk outcomes
• Employ the scales to evaluate the effectiveness of existing controls and identify areas requiring additional treatment

Using scales in decision trees

• Incorporate likelihood assessments into decision tree probabilities to characterize the chance of different risk scenarios occurring
• Apply consequence scales to the outcomes of each decision tree branch to quantify the impacts of alternative actions
• Calculate the expected value of each decision option based on the likelihood and consequence values

Scales and Monte Carlo simulation

• Use likelihood scales to define the probability distributions for key risk variables in Monte Carlo models
• Assign consequence values to the potential outcomes of each simulation run based on the relevant consequence scales
• Analyze the distribution of simulation results to identify the likelihood and consequence of different risk scenarios and inform decision making under uncertainty