Assessing the level of any business risk is not nearly as simple as most appear to make it.
Just look at any risk register or heat map (or “risk profile” in COSO language, which is the same thing) and you will see a single point for each source of risk’s potential effect and likelihood. That is simply wrong, as there is almost always a range of potential effects from an event (such as a decision), and each point in that range has its own likelihood.
One of the problems I have with most risk assessments is that they seek to evaluate each source of risk in a silo, rather than considering the big picture.
I tackle this at some length in my new book (coming soon), Understanding the Business Risk that is Cyber.
One of the sections in the book is on something called the “tipping point”. This is an extract:
In the robotics example [a project discussed earlier in the book], the cyber risk was seen as reducing the likelihood of achieving objectives by 3%.
On its own, this might be acceptable.
But the cyber risk might take the likelihood of achieving objectives beyond the tipping point[1]. It is defined in Merriam-Webster as:
The critical point in a situation, process, or system beyond which a significant and often unstoppable effect or change takes place
Perhaps the board is willing to accept a 10%…