Almost everybody makes a fundamental error when it comes to assessing a risk (what might happen).
It doesn’t matter whether they are using a heat map, a risk register, or a risk profile.
They show the level of risk as a point: the likelihood of a potential impact or consequence.
But 99% of the time this is wrong.
99% of the time, there is a range of potential consequences, each with its own likelihood.
Even if you ignore the fact that there are more often than not multiple consequences from an event, situation, or decision, anybody trying to understand risk and its effect on objectives needs to stop presenting the level of risk as a point.

This was brilliantly illustrated in the Ponemon Institute’s latest report on cyber. Their 13th Cost of a Data Breach Study (sponsored by IBM) is an excellent read. It has a number of interesting findings that I will discuss in a separate blog.
The content that is relevant to this discussion is a graphic that shows the range of potential consequences from a cyber breach. Their graphic shows the likelihoods of having anywhere from 10,000 to 100,000 records stolen. (They separately discuss the cost of what they call a ‘mega breach’, when more than a million records are stolen.)
Using their number for the average cost to the business (across all sectors and geographies)…
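To make the point-versus-range argument concrete, here is an added example (not from the original post or the Ponemon report) that models a breach as a set of consequences, each with its own likelihood. The record-count buckets, their likelihoods, and the per-record cost are constructed placeholder values, not the study's figures.

```python
"""Range-of-consequences view of a data-breach risk versus a single-point view."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    records: int        # records stolen in this scenario
    likelihood: float   # probability of this scenario, given that a breach occurs


# Constructed illustrative buckets (not Ponemon figures): records stolen and
# the likelihood of each bucket, conditional on a breach happening.
SCENARIOS = [
    Outcome(10_000, 0.40),
    Outcome(25_000, 0.30),
    Outcome(50_000, 0.20),
    Outcome(100_000, 0.10),
]
COST_PER_RECORD = 150.0  # assumed average cost per record; placeholder, not the study's number


def loss_distribution(scenarios, cost_per_record):
    """Return (loss, likelihood) pairs: every consequence keeps its own likelihood."""
    total = sum(s.likelihood for s in scenarios)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"likelihoods must sum to 1, got {total}")
    return [(s.records * cost_per_record, s.likelihood) for s in scenarios]


def point_estimate(dist):
    """The single point a heat map would plot: the most likely loss and its likelihood."""
    return max(dist, key=lambda lp: lp[1])


def expected_loss(dist):
    """Probability-weighted loss across the whole range of consequences."""
    return sum(loss * p for loss, p in dist)


def probability_loss_at_least(dist, threshold):
    """Tail view a point estimate hides: likelihood of a loss of at least `threshold`."""
    return sum(p for loss, p in dist if loss >= threshold)


if __name__ == "__main__":
    dist = loss_distribution(SCENARIOS, COST_PER_RECORD)
    mode_loss, mode_p = point_estimate(dist)
    print(f"Point view:     ${mode_loss:,.0f} with likelihood {mode_p:.0%}")
    print(f"Expected loss:  ${expected_loss(dist):,.0f}")
    for loss, _ in dist:
        print(f"  P(loss >= ${loss:>12,.0f}) = {probability_loss_at_least(dist, loss):.0%}")
```

The point view reports the most likely bucket only, while the tail probabilities show how much exposure sits above it; that difference is what a single point on a heat map conceals.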