Impact

The “Risk = Threat × Vulnerability” equation sometimes uses an added variable called impact: “Risk = Threat × Vulnerability × Impact.” Impact is the severity of the damage, sometimes expressed in dollars. Risk = Threat × Vulnerability × Cost is sometimes used for that reason. A synonym for impact is consequences.

Let’s apply the “impact” formula to the same earthquake risk example for buildings in Boston. A company has two buildings in the same office park that are virtually identical. One building is full of people and equipment; the other is empty (awaiting future growth). Using “Risk = Threat × Vulnerability,” the risk of earthquake damage to each building is 8. The impact of a large earthquake is 2 for the empty building (potential loss of the building) and 5 for the full building (potential loss of human life). Here is the risk calculated using “Risk = Threat × Vulnerability × Impact”:

  • Empty Building Risk: 2 (threat) × 4 (vulnerability) × 2 (impact) = 16
  • Full Building Risk: 2 (threat) × 4 (vulnerability) × 5 (impact) = 40

Exam Warning

Loss of human life has near-infinite impact on the exam. When calculating risk using the “Risk = Threat × Vulnerability × Impact” formula, any risk involving loss of human life is extremely high, and must be mitigated.

Risk Analysis Matrix

The Risk Analysis Matrix uses a quadrant to map the likelihood of a risk occurring against the consequences (or impact) that risk would have. Australia/New Zealand ISO 31000:2009 Risk Management—Principles and Guidelines (AS/NZS ISO 31000: 2009, see https://infostore.saiglobal.com/store/Details.aspx?ProductID=1378670) describes the Risk Analysis Matrix, shown in Table 2.4.

Table 2.4 Risk Analysis Matrix.

The Risk Analysis Matrix allows you to perform Qualitative Risk Analysis (see section “Quantitative and Qualitative Risk Analysis”) based on likelihood (from “rare” to “almost certain”) and consequences (or impact), from “insignificant” to “catastrophic.” The resulting scores are Low (L), Medium (M), High (H), and Extreme Risk (E). Low risks are handled via normal processes; medium risks require management notification; high risks require senior management notification, and extreme risks require immediate action including a detailed mitigation plan (and senior management notification).

The goal of the matrix is to identify high likelihood/high consequence risks (upper right quadrant of Table 2.4) and drive them down to low likelihood/low consequence risks (lower left quadrant of Table 2.4).
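The following Python is an added example, not code from the book, that puts both ideas above into one small risk-register calculator: the quantitative “Risk = Threat × Vulnerability × Impact” product with the loss-of-life override from the Exam Warning, and the qualitative likelihood/consequence lookup with the escalation rule (normal processes, management, senior management, immediate action). Table 2.4 itself is not reproduced on the page, so the grid of L/M/H/E cells in `RATING_MATRIX` is an assumed, constructed stand-in that only follows the general shape of such matrices; the `Asset` class, scale enums and function names are likewise the example's own.

```python
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    """Likelihood scale from the matrix, rarest first."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    """Consequence (impact) scale from the matrix, least severe first."""
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CATASTROPHIC = 5


# ASSUMED cell values: Table 2.4 is not reproduced on the page, so this grid is a
# constructed stand-in laid out the way such matrices usually are (the rating rises
# toward the almost-certain/catastrophic corner). Substitute the real table.
# Each string is indexed by Consequence - 1, i.e. insignificant .. catastrophic.
RATING_MATRIX = {
    Likelihood.ALMOST_CERTAIN: "HHEEE",
    Likelihood.LIKELY:         "MHHEE",
    Likelihood.POSSIBLE:       "LMHEE",
    Likelihood.UNLIKELY:       "LLMHE",
    Likelihood.RARE:           "LLMHH",
}

# Escalation rules exactly as the text states them for each rating.
REQUIRED_ACTION = {
    "L": "handle via normal processes",
    "M": "notify management",
    "H": "notify senior management",
    "E": "immediate action: detailed mitigation plan plus senior management notification",
}


@dataclass(frozen=True)
class Asset:
    name: str
    threat: int
    vulnerability: int
    impact: int
    loss_of_life: bool = False  # any risk to human life must be mitigated


def quantitative_risk(asset: Asset) -> int:
    """Risk = Threat x Vulnerability x Impact."""
    return asset.threat * asset.vulnerability * asset.impact


def must_mitigate(asset: Asset) -> bool:
    """Loss of human life is treated as near-infinite impact: always mitigate."""
    return asset.loss_of_life


def rank_by_risk(assets):
    """Order assets for treatment: life-safety risks first, then by numeric risk."""
    return sorted(assets, key=lambda a: (a.loss_of_life, quantitative_risk(a)), reverse=True)


def qualitative_rating(likelihood: Likelihood, consequence: Consequence) -> str:
    """Look up L/M/H/E for a likelihood/consequence pair in the (assumed) matrix."""
    return RATING_MATRIX[likelihood][consequence - 1]


def required_action(likelihood: Likelihood, consequence: Consequence) -> str:
    """Map a matrix rating to the escalation the text requires."""
    return REQUIRED_ACTION[qualitative_rating(likelihood, consequence)]


if __name__ == "__main__":
    # Constructed inputs taken from the Boston earthquake example above.
    buildings = [
        Asset("empty building", threat=2, vulnerability=4, impact=2),
        Asset("full building", threat=2, vulnerability=4, impact=5, loss_of_life=True),
    ]
    for b in rank_by_risk(buildings):
        flag = " (MUST mitigate: loss of life)" if must_mitigate(b) else ""
        print(f"{b.name}: risk = {quantitative_risk(b)}{flag}")
    # Constructed qualitative pair: a rare event with catastrophic consequences.
    print("rare/catastrophic ->", qualitative_rating(Likelihood.RARE, Consequence.CATASTROPHIC),
          ":", required_action(Likelihood.RARE, Consequence.CATASTROPHIC))
```

Running it lists the full building first (16 for the empty building, 40 for the full one) with the life-safety flag set, which is the ordering a risk register should drive regardless of the raw numbers; swap in the real Table 2.4 cells to get the book's own qualitative ratings.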