Do you have the risk tools you need? I am not talking about software.

As a practitioner, you may feel you have the tools, techniques, and processes to identify, analyze, and assess risks.

But are you analyzing them as a single point of effect/impact and its likelihood, or do you have the tools to identify and evaluate a range/distribution of possible impacts/consequences, each of which has its own likelihood?

Let’s say that you do, in fact, have the tools and can identify the range and assess whether it is desirable (a better word than acceptable) given other options and the potential for reward.

But are you putting a value on the level of risk that makes sense to the decision-maker? Can they compare it to the possible reward for taking the risk? Can they compare it to the cost of changing the level of risk?

If they have to decide whether to invest in cyber defenses, trade compliance, or marketing, do you have the tools to make that a meaningful decision? In other words, are all of these sources of risk expressed in the same terms?

Let’s say you have all that.

But…

How often do decisions have to be made that only have one source of risk or opportunity? How often are investment decisions made based on a…