One of the errors that many make is thinking that the level of risk from an event (such as an earthquake, fire, supply chain disruption, interest rate change, currency fluctuation, etc.) is a single point. A single effect or consequence with a single likelihood.
Nope.
There is a range of potential effects and each point in the range has its own likelihood.
A fire might have a long-lasting effect on the availability of your data center, but it also could have minimal effect – and there are many points in between.
The chart below might represent the range of effects and their likelihoods.
I always suggest that decision-makers should see the range rather than trying to quantify the level of risk as a single value.
But practitioners may choose to do so, calculating the “value” as the area under the curve. (I am not going to go into the math involved – there are instructions on that on the web.)
I have issues with that, including:
- Some points in the range might be acceptable even though the calculated overall value is acceptable.
- Any action taken in response to the risk (to mitigate or take more of it) may have a different effect on different points in the range.
- Different “curves” may come out to the same value.
- What does the calculated value mean?
Now I freely admit that I don’t have an advanced…