Description
Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard). Quantitative risk assessment requires calculations of two components of risk
RISK ASSESSMENT AND IDENTIFICATIONS, THE PIVOT OF RISK MANAGEMENT IN AN ORGANIZATION.
TABLE OF CONTENT 1. 2. 2.1 2.2 3. 4. 4.1 4.2 4.3 5. 5.1 Introduction Risk Definition Type of Risks Characteristics of Risks Risk Assessment and Identification Management Risk Risk Management Structure Risk Management Tools Function of Risk Management Conclusion Reference Bibliographical 1 2-3 2 3 4 5 6 6 7 7 7 8
1. INTRODUCTION
The purpose of this write-up is to provide a brief, readable guide to risk assessment and risk identification. Risk is widely recognized as precisely what it implies—a possibility. Within the context of risk analysis, it refers to the possibility of injury, harm, or other adverse and unwanted effects. Risks are commonplace in all of our lives. Risk analysis, risk assessment, and risk management are relatively new terms in public debate; however, they are practices with lengthy histories. According to historians, the first professional risk assessors were from ancient Babylon (3200 B.C.); they were a special sect of people who served as consultants offering advice on risky, uncertain, or difficult decisions in life—such as marriage proposals or selecting building sites. For more than a century now, risk assessment and risk management have been everyday activities of banking, insurance, and business operations in the world’s industrialized economies. Serious applications in human health and safety emerged in the early decades of this century; research on natural hazard risks and disaster management followed. Presently, risk analysis is being used to evaluate and manage the potential of unwanted circumstances in a large array of areas: industrial explosions; machine part and other mechanical and process failures; workplace injuries; injury or death from diseases, natural causes, lifestyles, and voluntarily pursued activities; the impacts of economic
development on ecosystems; and financial market transactions—among others.
.
RISK ASSESSMENT AND IDENTIFICATIONS, THE PIVOT OF RISK MANAGEMENT IN AN ORGANISATION.
RISK DEFINITION The vocabulary of risk management is defined in ISO Guide 73, "Risk management. Vocabulary". In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled. Intangible risk management identifies a new type of a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient
knowledge is applied to a situation, a knowledge risk materialises. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity. Risk management also faces difficulties allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending while
maximizing the reduction of the negative effects of risks. TYPE OF RISKS 1. Technical Risks:- These are performance risk associated with the end items. From the perspective of the building organization the concern is that system will not perform as required 2. Supportability Risks: Is that an otherwise acceptable system will cost too much to operate and maintain over its like cycle in terms of time, personnel and material resources.
3.
Development Risk: A development effort always entails a measure of risk because such efforts always involve aspects that are new to the performing organization. The new aspects as a minimum are limited to “reach” aspect of the end item. For example, an experienced design and build team that is extending the performance range for a single parameter of a system probable has a minimal risk.
4.
Communications Risk: One of the first risk situations facing such a team is that it invariably requires additional staffing. When new people are hired some of the negative aspects are that the collective awareness of the nuances of the program is diluted, and people start making decisions with less than complete understanding of the nuance of the program, the company or the customer.
RISK MANAGEMENT RISK MANAGEMENT is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events. Risks can come from uncertainty in financial markets, project failures, legal
liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary. Several risk management standards have been developed including the Project Management Institute, the National Institute of Science and Technology, actuarial societies, and ISO standards. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety. The strategies to manage risk include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk even though the confidence in estimates and decisions increase.
RISK ASSESSMENT Risk assessments are conducted to estimate how much damage or injury can be expected from exposures to a given risk agent and to assist in judging whether these consequences are great enough to require increased management or regulation. Depending on the kind of hazard, the effects of primary concern might be workplace injuries; reproductive and genetic abnormalities; diseases such as cancer or other debilitating illnesses; or ecological effects such as species extinction, loss of habitat, and other kinds of ecosystem damage.
Risk assessments range widely in scope and complexity, depending on the application: from simple screening analyses to major analytical efforts that require years of effort and a substantial budget. Contemporary risk assessments ordinarily rely on many branches of science—on the methods and knowledge of disciplines such as toxicology, epidemiology, other health and environmental technical areas. The methods and sequence of steps involved in conducting a risk assessment vary with the kind of risk and its possible sciences, systems engineering, and related
consequences. A more specific discussion of these elements for several key risk assessment areas follows in a later section. In its most general form, however, the process consists of a source assessment, an exposure assessment, an effects assessment, and is normally concluded by an integrative risk characterization.
Source assessment seeks to identify and evaluate the sequences of events through which an exposure to a risk agent could arise. In risk assessments of engineering systems, for example, this can be a particularly extensive and detailed exercise—such as evaluating the possibility that a pump in a manufacturing operation might fail, leading through a series of steps to increased levels of toxic substances on the shop floor. Alternatively, this kind of analysis might be aimed at finished products, whose physical features along with typical use patterns could result in safety hazards.
Exposure assessment seeks to determine the number and kinds of people exposed to a risk agent, along with the magnitude, duration, and timing of their exposures. An example is estimating the fate and distribution of a toxic chemical released from a manufacturing facility and providing a description of the
characteristics of the exposure of human populations along the
path of the chemical. Depending on the needs of the analysis, the evaluation might focus on current, past, or future exposures.
Effects assessment determines the extent of adverse effects likely to result from given levels of exposure to a risk agent. For resource and efficiency reasons, this kind of analysis is usually conducted in stages. The initial analytical step is to determine if exposures to a risk agent at any level could cause adverse effects —for example, whether exposures to a particular industrial chemical could cause cancer or seriously impair nervous system function. Then, if such a conclusion is drawn, a more detailed study is conducted to determine what quantitative relationship (dose–response) exists between the level of exposure and the incidence of adverse effects.
Risk characterization is the concluding step of a risk assessment. This is an important integrative task, which involves assembling the prior analysis components into a bottom-line picture of the nature and extent of the risk. The principal topics include the kinds of health effects likely to arise, the risk’s potency (i.e., the severity of the adverse effects), the populations affected, the likelihood of exposure, and the risk’s ultimate magnitude (i.e., potency adjusted
for the likelihood of exposure). Risk characterizations are usually the principal means through which a risk assessment’s findings are communicated to risk managers, policy makers, journalists, and the public. In the past, risk characterizations have frequently consisted of brief descriptions of potential adverse effects and affected populations, along with a single numerical estimate of the level of risk that would summarize whether humans would experience any of the various forms of toxicity or other effects associated with the risk agent. (Often this figure has been in the form of a plausible upper bound on risk, deliberately prepared to provide a conservative estimate that minimizes the chance of underreporting the actual level of risk.) More recently, however, this “short form” approach to risk characterization has been criticized. It is now generally acknowledged that characterizations need to provide deeper insight into how risk estimates and findings are generated (including a discussion of the assumptions that underlie the calculations). In addition, characterizations should consider a range of plausible risk estimates (which could result from the use of plausible alternative assumptions or differing models of exposure and dose–response relationships) and should more clearly discuss
the uncertainties and limitations in the empirical data on which the risk assessment is based.
RISK IDENTIFICATION After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.
•
Source analysis. Risk sources may be internal or external to the system that is the target of risk management. Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.
•
Problem analysis. Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of privacy information or the threat of accidents and casualties. The threats may exist with various entities, most important with shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project
may endanger funding of the project; privacy information may be stolen by employees even within a closed network; lightning striking a Boeing 747 during takeoff may make all people onboard immediate casualties. The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:
•
Objectives-based risk identification. Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as risk.
•
Scenario-based risk identification. In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk
•
Taxonomy-based
risk
identification.
The
taxonomy
in
taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal
risks. Taxonomy-based risk identification in software industry can be found in CMU/SEI-93-TR-6.
•
Common-risk checking. In several industries lists with known risks are available. Each risk in the list can be checked for application to a particular situation. An example of known risks in the software industry is the Common Vulnerability and Exposures list found at http://cve.mitre.org.
•
Risk
charting.
{Crockford, Cambridge,
N., UK,
"An
Introduction
to
Risk 2nd
Management,
Woodhead-Faulkner
edition1986 p. 18} This method combines the above approaches by listing Resources at risk, Threats to those resources Modifying Factors which may increase or decrease the risk and
Consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.
RISK MANAGEMENT STRUCTURE The basic structure recommended for risk management consists of a risk manager who is responsible for the definition, structure, implementation and co-ordination of a risk management approach consistent with the program system engineering, test, manufacturing and verification plans. The risk manager works on the staff of the program manager. The risk management job is comparable to that of configuration manager, data manager, program management (PMS) and other staff level positions that do not have a direct object product development role RISK MANAGEMENT TOOLS The primary function for the risk management tools are to assist in the assessment or risks, to assure that assessment address all pertinent aspects of the program and to provide specific means of overcoming the underlying bases for risks. The key to assessing risks is to identify any and all aspect of the program with some degree of newness. Ownership Risk Ownership risk is a concept of many dimensions and interpretations. The most important aspect of ownership is a clear mutual understanding of the responsibilities among partied to a contract and/or the responsibilities among parties to a co-operation venture.
5. CONCLUSION Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan. The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. Nevertheless, risk assessment should produce such information for the management of the organization that the primary risks are easy to understand and that the risk management decisions may be prioritized. Thus, there have been several theories and attempts to quantify risks.
Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:
doc_611654606.doc
Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard). Quantitative risk assessment requires calculations of two components of risk
RISK ASSESSMENT AND IDENTIFICATIONS, THE PIVOT OF RISK MANAGEMENT IN AN ORGANIZATION.
TABLE OF CONTENT 1. 2. 2.1 2.2 3. 4. 4.1 4.2 4.3 5. 5.1 Introduction Risk Definition Type of Risks Characteristics of Risks Risk Assessment and Identification Management Risk Risk Management Structure Risk Management Tools Function of Risk Management Conclusion Reference Bibliographical 1 2-3 2 3 4 5 6 6 7 7 7 8
1. INTRODUCTION
The purpose of this write-up is to provide a brief, readable guide to risk assessment and risk identification. Risk is widely recognized as precisely what it implies—a possibility. Within the context of risk analysis, it refers to the possibility of injury, harm, or other adverse and unwanted effects. Risks are commonplace in all of our lives. Risk analysis, risk assessment, and risk management are relatively new terms in public debate; however, they are practices with lengthy histories. According to historians, the first professional risk assessors were from ancient Babylon (3200 B.C.); they were a special sect of people who served as consultants offering advice on risky, uncertain, or difficult decisions in life—such as marriage proposals or selecting building sites. For more than a century now, risk assessment and risk management have been everyday activities of banking, insurance, and business operations in the world’s industrialized economies. Serious applications in human health and safety emerged in the early decades of this century; research on natural hazard risks and disaster management followed. Presently, risk analysis is being used to evaluate and manage the potential of unwanted circumstances in a large array of areas: industrial explosions; machine part and other mechanical and process failures; workplace injuries; injury or death from diseases, natural causes, lifestyles, and voluntarily pursued activities; the impacts of economic
development on ecosystems; and financial market transactions—among others.
.
RISK ASSESSMENT AND IDENTIFICATIONS, THE PIVOT OF RISK MANAGEMENT IN AN ORGANISATION.
RISK DEFINITION The vocabulary of risk management is defined in ISO Guide 73, "Risk management. Vocabulary". In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled. Intangible risk management identifies a new type of a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient
knowledge is applied to a situation, a knowledge risk materialises. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity. Risk management also faces difficulties allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending while
maximizing the reduction of the negative effects of risks. TYPE OF RISKS 1. Technical Risks:- These are performance risk associated with the end items. From the perspective of the building organization the concern is that system will not perform as required 2. Supportability Risks: Is that an otherwise acceptable system will cost too much to operate and maintain over its like cycle in terms of time, personnel and material resources.
3.
Development Risk: A development effort always entails a measure of risk because such efforts always involve aspects that are new to the performing organization. The new aspects as a minimum are limited to “reach” aspect of the end item. For example, an experienced design and build team that is extending the performance range for a single parameter of a system probable has a minimal risk.
4.
Communications Risk: One of the first risk situations facing such a team is that it invariably requires additional staffing. When new people are hired some of the negative aspects are that the collective awareness of the nuances of the program is diluted, and people start making decisions with less than complete understanding of the nuance of the program, the company or the customer.
RISK MANAGEMENT RISK MANAGEMENT is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events. Risks can come from uncertainty in financial markets, project failures, legal
liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary. Several risk management standards have been developed including the Project Management Institute, the National Institute of Science and Technology, actuarial societies, and ISO standards. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety. The strategies to manage risk include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk even though the confidence in estimates and decisions increase.
RISK ASSESSMENT Risk assessments are conducted to estimate how much damage or injury can be expected from exposures to a given risk agent and to assist in judging whether these consequences are great enough to require increased management or regulation. Depending on the kind of hazard, the effects of primary concern might be workplace injuries; reproductive and genetic abnormalities; diseases such as cancer or other debilitating illnesses; or ecological effects such as species extinction, loss of habitat, and other kinds of ecosystem damage.
Risk assessments range widely in scope and complexity, depending on the application: from simple screening analyses to major analytical efforts that require years of effort and a substantial budget. Contemporary risk assessments ordinarily rely on many branches of science—on the methods and knowledge of disciplines such as toxicology, epidemiology, other health and environmental technical areas. The methods and sequence of steps involved in conducting a risk assessment vary with the kind of risk and its possible sciences, systems engineering, and related
consequences. A more specific discussion of these elements for several key risk assessment areas follows in a later section. In its most general form, however, the process consists of a source assessment, an exposure assessment, an effects assessment, and is normally concluded by an integrative risk characterization.
Source assessment seeks to identify and evaluate the sequences of events through which an exposure to a risk agent could arise. In risk assessments of engineering systems, for example, this can be a particularly extensive and detailed exercise—such as evaluating the possibility that a pump in a manufacturing operation might fail, leading through a series of steps to increased levels of toxic substances on the shop floor. Alternatively, this kind of analysis might be aimed at finished products, whose physical features along with typical use patterns could result in safety hazards.
Exposure assessment seeks to determine the number and kinds of people exposed to a risk agent, along with the magnitude, duration, and timing of their exposures. An example is estimating the fate and distribution of a toxic chemical released from a manufacturing facility and providing a description of the
characteristics of the exposure of human populations along the
path of the chemical. Depending on the needs of the analysis, the evaluation might focus on current, past, or future exposures.
Effects assessment determines the extent of adverse effects likely to result from given levels of exposure to a risk agent. For resource and efficiency reasons, this kind of analysis is usually conducted in stages. The initial analytical step is to determine if exposures to a risk agent at any level could cause adverse effects —for example, whether exposures to a particular industrial chemical could cause cancer or seriously impair nervous system function. Then, if such a conclusion is drawn, a more detailed study is conducted to determine what quantitative relationship (dose–response) exists between the level of exposure and the incidence of adverse effects.
Risk characterization is the concluding step of a risk assessment. This is an important integrative task, which involves assembling the prior analysis components into a bottom-line picture of the nature and extent of the risk. The principal topics include the kinds of health effects likely to arise, the risk’s potency (i.e., the severity of the adverse effects), the populations affected, the likelihood of exposure, and the risk’s ultimate magnitude (i.e., potency adjusted
for the likelihood of exposure). Risk characterizations are usually the principal means through which a risk assessment’s findings are communicated to risk managers, policy makers, journalists, and the public. In the past, risk characterizations have frequently consisted of brief descriptions of potential adverse effects and affected populations, along with a single numerical estimate of the level of risk that would summarize whether humans would experience any of the various forms of toxicity or other effects associated with the risk agent. (Often this figure has been in the form of a plausible upper bound on risk, deliberately prepared to provide a conservative estimate that minimizes the chance of underreporting the actual level of risk.) More recently, however, this “short form” approach to risk characterization has been criticized. It is now generally acknowledged that characterizations need to provide deeper insight into how risk estimates and findings are generated (including a discussion of the assumptions that underlie the calculations). In addition, characterizations should consider a range of plausible risk estimates (which could result from the use of plausible alternative assumptions or differing models of exposure and dose–response relationships) and should more clearly discuss
the uncertainties and limitations in the empirical data on which the risk assessment is based.
RISK IDENTIFICATION After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.
•
Source analysis. Risk sources may be internal or external to the system that is the target of risk management. Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.
•
Problem analysis. Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of privacy information or the threat of accidents and casualties. The threats may exist with various entities, most important with shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project
may endanger funding of the project; privacy information may be stolen by employees even within a closed network; lightning striking a Boeing 747 during takeoff may make all people onboard immediate casualties. The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:
•
Objectives-based risk identification. Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as risk.
•
Scenario-based risk identification. In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk
•
Taxonomy-based
risk
identification.
The
taxonomy
in
taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal
risks. Taxonomy-based risk identification in software industry can be found in CMU/SEI-93-TR-6.
•
Common-risk checking. In several industries lists with known risks are available. Each risk in the list can be checked for application to a particular situation. An example of known risks in the software industry is the Common Vulnerability and Exposures list found at http://cve.mitre.org.
•
Risk
charting.
{Crockford, Cambridge,
N., UK,
"An
Introduction
to
Risk 2nd
Management,
Woodhead-Faulkner
edition1986 p. 18} This method combines the above approaches by listing Resources at risk, Threats to those resources Modifying Factors which may increase or decrease the risk and
Consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.
RISK MANAGEMENT STRUCTURE The basic structure recommended for risk management consists of a risk manager who is responsible for the definition, structure, implementation and co-ordination of a risk management approach consistent with the program system engineering, test, manufacturing and verification plans. The risk manager works on the staff of the program manager. The risk management job is comparable to that of configuration manager, data manager, program management (PMS) and other staff level positions that do not have a direct object product development role RISK MANAGEMENT TOOLS The primary function for the risk management tools are to assist in the assessment or risks, to assure that assessment address all pertinent aspects of the program and to provide specific means of overcoming the underlying bases for risks. The key to assessing risks is to identify any and all aspect of the program with some degree of newness. Ownership Risk Ownership risk is a concept of many dimensions and interpretations. The most important aspect of ownership is a clear mutual understanding of the responsibilities among partied to a contract and/or the responsibilities among parties to a co-operation venture.
5. CONCLUSION Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan. The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. Nevertheless, risk assessment should produce such information for the management of the organization that the primary risks are easy to understand and that the risk management decisions may be prioritized. Thus, there have been several theories and attempts to quantify risks.
Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:
doc_611654606.doc