12 hours 25 minutes
so it just kind of introduced you to the ideas of
different types of risk assessments. Now, I just wanted to give you a few examples of how these will look.
So when we look at this qualitative risk assessment, now I know it has numbers, 1, 2, 3, 4, 5 on each axis, so you could really make the argument that this is semi-qualitative or semi-quantitative.
But really, what we're getting at is these ideas of very low, low, medium, high.
So if I look at the way, you know, I personally call this a probability and impact matrix. You may see likelihood and severity, so likelihood and probability mean the same thing. Severity and impact or even consequence would be the same thing.
So ultimately, what we're getting here is this idea of prioritization of risk. We're getting a risk
So, for instance, if we were to look at these risks in red, for instance, those would be risks that have a very high probability, very high impact.
These are risks we can't leave alone, right? We've gotta actively mitigate, so, you know, for those types of risks, I'm thinking we need risk reduction.
All right, when we get into the orange area, we may continue to reduce those risks.
We may transfer the risks in yellow. We may accept the risks in green. You know, these are just sort of ways of prioritizing; we're starting to think about our risk responses. We don't have anything written in stone yet,
but we're starting to think about what these types of assessments are going to meet.
Now, when we want the numeric value, give me the facts, give me the dollar value. And that's really helpful, because if you tell me my potential for loss is $10,000, well, maybe I won't hedge so much at spending $500 to mitigate that loss, right? So really, when you're talking to senior management, and the buck stops here, talk about the book
and tell them, you know, in dollar value, here's the return on investment.
You can't do that with everything,
but when you can get a quantitative analysis, that's bad.
All right, so some terms: asset value.
That's where we always start.
And then we talk about ideas like probability and impact.
Impact is usually expressed as exposure.
That's the percentage of loss to the asset should this risk event materialize,
and that's hard to come up with, right? This goes back to that idea that there's always gonna be a little bit of a subjective aspect, even to quantitative analysis, right? We usually associate subjective with qualitative.
But you know, when you're trying to say, in the event of a fire, I'm gonna lose 73% of my warehouse, you can get the best you can, but you can't be 100% sure of that.
All right. And then, if you jump down to annual rate of occurrence, that's probability.
How many times per year does this risk event happen?
So if you take the value of the asset times the exposure, okay, $300,000 building, I'm gonna lose 20%,
well, ultimately, that's gonna give me the single loss expectancy.
Now, I don't want you to worry about these formulas. If you've got a background in risk management,
if you have studied for the CISSP exam, you'll know these.
But the idea is probability times impact gives me loss.
Right? So, um, when we're talking about these ideas, these are the formulas we're looking to come up with.
And ultimately what we'd like to do is to get an annual loss expectancy and figure out, well, how much potential for loss per year? What am I spending per year on these risk events that materialize? And that way we're going to take it and compare it to the cost of the countermeasure.
Now, in the cost of the countermeasure, we always have to realize that, with many controls, you're not just paying up front, right? They often have recurring expenses, like antivirus software, you have to pay for yearly updates. So I think about total cost of ownership, and then you want a positive return on our investment.
Here's how much
come on safe.
And then here's just a little example of a semi-quantitative risk analysis.
So again, they're kind of assigning numeric values, but we're still
right? So we say high.
Um, you know, again, we're addressing probability and impact,
and one of the things your firm
way come down. We assess a risk is having a very
semi quantitative value probability comes in,
um, those tend to be
talk about was accepted to medication risks,
You know, if it costs too much.
Now the problem with that:
what if we underestimated the risk?
What if we didn't identify a risk event? What if our mitigation strategies don't work?
What if we underestimate that
we have one of those risks that we accepted
very big impact on my company.
What I'm asking
what happens when
with our mitigation
whether we can qualitative, quantitative or semi-quantitative,
that's gonna justify our risk response.
A better way, maybe, of wording that question is:
what keeps your company going?
What keeps your company going when risk management fails?
For the next set.
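The arithmetic the lecture walks through (asset value times exposure factor for single loss expectancy, times annual rate of occurrence for annual loss expectancy, then compared against the total cost of ownership of a countermeasure), as an added worked example that is not part of the course material. The $300,000 building losing 20% is the lecture's figure; the annual rate of occurrence, the sprinkler control's costs, the residual exposure and the matrix thresholds are constructed assumptions.

```python
"""Quantitative risk arithmetic from the lecture: SLE, ALE and countermeasure value."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost per event (0..1)
    aro: float              # annual rate of occurrence, events per year

    def sle(self) -> float:
        """Single loss expectancy: AV x EF (impact of one event)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: SLE x ARO (probability x impact, per year)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    upfront_cost: float   # one-time purchase / install
    annual_cost: float    # recurring: subscriptions, yearly updates, staff time
    years: int            # planning horizon used to annualize the up-front cost
    residual: Risk        # the same risk as it looks once the control is in place

    def annualized_tco(self) -> float:
        """Total cost of ownership spread over the horizon, per year."""
        return self.upfront_cost / self.years + self.annual_cost


def control_value(before: Risk, ctl: Control) -> float:
    """Annual value of a control: loss avoided minus what the control costs per year.
    Positive means the countermeasure pays for itself (positive return on investment)."""
    return before.ale() - ctl.residual.ale() - ctl.annualized_tco()


def response_for(probability: int, impact: int) -> str:
    """Qualitative 1-5 probability x 1-5 impact matrix mapped to a response bucket.
    Thresholds are an assumption for illustration, not the course's own cut-offs."""
    score = probability * impact
    if score >= 15:
        return "reduce"     # red: can't be left alone, actively mitigate
    if score >= 8:
        return "transfer"   # orange/yellow: insure or shift the cost
    return "accept"         # green: live with it


if __name__ == "__main__":
    # constructed: warehouse fire, $300k building, lose 20%, once per ten years
    fire = Risk(asset_value=300_000, exposure_factor=0.20, aro=0.1)
    sprinklers = Control(20_000, 1_000, 10, Risk(300_000, 0.05, 0.1))
    print(fire.sle(), fire.ale(), control_value(fire, sprinklers))
```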