The following matrix shows an example of how three different risks are plotted on a matrix to reflect those risks' uncertainty.
For example, Risk C was assessed as having a roughly 10% likelihood of eventuating. We might have created the probability distribution using historical data, expert judgement, or a Monte Carlo Simulation.
The main point, however, is that the illustration shows that risk with a 10% likelihood of eventuating is considered most likely to generate losses equivalent to 40% to 50% of organizational equity. But it also shows a slight chance that this risk might also create a 95% loss event.
Using the x-axis to show potential consequences as a percentage of organizational equity is one way to express total loss percentages. Losing 100% (or more) of total equity would be an existential threat to the organization.
Risks that generate losses more significant than 100% of equity have equal 'consequence' ranking to 100% risks. A 500% loss event is the same outcome as a 100% or 125% loss event.
You could replace the x-axis with actual dollar amounts or equally by any risk considered as being existential. The consequence criteria for catastrophic outcomes could involve multiple deaths, massive damage to reputation, etc.
You can find a copy of the book over at Amazon in Kindle or print version if you'd like a free PDF copy, head to SECTARA and sign up for the Free Plan.
A couple of times a year, I make the Kindle version free so if you'd like a free Kindle version, just subscribe to my mailing list at JulianTalbot.com.
I also consult on a range of topics including enterprise security risk assessments, business leadership, risk management and technology startups. If you'd like a free consultation and advice on any of those topics just book a time via this link. No strings attached. Just good old-fashioned advice and expertise. Crazy if you don't.
Comments