Risk Assessment: Likelihood & Impact

Risk Matrix: Likelihood and Impact

Every organization is unique, so the risks they each face are not the same. In order to make a plan of action to protect your business, you need to first understand where the threats against you are. Once you know those risks and gaps, you can start to identify the likelihood of them occurring and the impact they could have on your organization. 

Because of this, an information security risk assessment forms the cornerstone of any cybersecurity policy. Clear risk knowledge is crucial when making risk-based decisions for your company. Without full knowledge of where, how, and why a threat could occur, you won’t be able to stop it. That’s why understanding likelihood and impact for any given threat are both important factors in the risk assessment process. 

HBS’s consultants perform information security risk assessments using a clear four-step process based on a clear formula. Start thinking about your risks by reviewing the basic threat likelihood/impact formula below. 

Keep it Simple

You don’t need a complex system in order to improve or support your organization’s security environment. However, your organization’s leaders need tools that show them where to spend time and resources in order to reduce potential risks to the company. That’s how risk assessments can shed light on the key factors in this decision-making process. 

A better understanding of the system also helps out other members of your staff. Members of the IT department need to know what products and processes to put into place in order to limit potential risks. The more knowledge they have, the better they can work with leadership to determine and address security concerns. Sharing the risk assessment results with members of the IT team will help them understand where they’ll get the most from efforts to reduce risks. 

Formula to Determine Risk Likelihood and Impact 

The standard described in NIST SP 800-53 implies that a realistic assessment of risk requires an understanding of these areas: 

  • Threats to an organization 
  • Potential vulnerabilities within the organization 
  • Likelihood and impacts of successfully exploiting the vulnerabilities with those threats 

For handling the most basic level of risk assessment, risk managers can follow this simple formula: 

Risk = (Threat x Vulnerabilities) x Impact 

The first part of the formula (Threats x Vulnerabilities) identifies the likelihood of a risk. For example, if there’s a known security flaw in older versions of software you use, there’s the threat of hackers exploiting that particular vulnerability to compromise your system. But if you’ve applied the latest software patches that fix the problem, then the vulnerability cannot be exploited, and the threat has been eliminated. 

Impact measures how much disruption you’ll face if the threat actually occurs. Combining likelihood and impact produces a residual risk rating of Low, Medium or High. Each organization’s residual risk rating may differ based on the likelihood and impact that each control deficiency introduces. 

You could also represent this concept with a simple chart like this one: 

Risk Likelihood and Impact Matrix - HBS >> Heartland Business Systems

For example, let’s consider the risk of a hacker getting access to a folder containing all of your public-facing marketing materials. That event may have a medium likelihood, but it has a very low impact. Those materials are already publicly available on your website, etc., so unauthorized access to them does no harm. That risk gets a Low rating. 

But the formula changes if the risk is an employee in the Accounts Payable department clicking a phishing link. There’s at least a medium likelihood of one of those employees making this mistake. And the impact would be very high if a hacker got access to a user account that controls financial transactions. That risk gets a High rating. 

Keep in mind that a very High impact rating could make a risk a top priority, even if it has a low likelihood. If a breach could shut down a hospital’s life-support equipment, for example, that risk obviously deserves serious consideration on your priority list. 

If you’d like to read detailed guidelines on how to rate risks by various factors, consult NIST SP 800-30. 

Drilling Down on Specific Residual Risk 

Now that you know the formulas for determining likelihood and impact during a risk assessment, it’s time to focus on specific risks. 

  1. Inherent risk – This is the risk level and exposure your system faces without taking into account any mitigating measures or controls that are actively in place. Where is your system at its weakest when no other security measures are in place to protect them? Which risks deserve the highest rating based on their likelihood and potential impact?
  2. Residual risk – An area with a higher likelihood and impact of a threat on the organization, from an inherent risk level, may need additional controls to reduce the level of risk to an acceptable level. After you apply those controls, you are left with what we call “residual risk.” If the residual risk level after mitigating controls is still higher than you prefer, then additional risk management measures and techniques should be introduced.

Mitigating measures you may apply include:

  • Avoidance – Elimination of the cause of the risk. You could, for example, prevent employees from accessing certain parts of your system on mobile devices. 
  • Mitigation – Reduction of the probability of a risk’s occurrence or of its impact. Adding multifactor authentication, for example, greatly reduces the probability of a hacker getting into a user’s account. 
  • Transfer – Sharing of risk with partners, such as through insurance or other ventures. 
  • Acceptance – Formal acknowledgement of the presence of risk with a commitment to monitor it. 

Finding Help When You Need It 

Reading through how to determine likelihood and impact can help you understand first steps in your risk assessment process. But you’ll probably still need help from cybersecurity consultants to carry out a full assessment. These experts look over a number of key factors you may not have considered. 

Cybersecurity consultants analyze your organization’s structure, policies, standards, technology, architecture, controls, and more to determine the likelihood and impact of potential risks. They will also review your current controls and evaluate their effectiveness. 

For example, a financial management company turned to HBS when it realized that investors were choosing portfolio managers based, in part, on a company’s strength of cybersecurity. The management firm asked HBS consultants to take a deep dive into its administrative, physical and technical controls. HBS guided the company in developing a clear summary of its high and moderate risks along with recommendations for remediation. (You can read about the entire process in this case study.) 

Consultants also assess any gaps between your current security posture and where you want your organization to be. A core part of that process will be determining accountability and assigning risk ownership at the appropriate level and to the appropriate team. It’s important to have the right security measures in the right hands. 

End Goal: An Acceptable Level of Risk 

The end goal is to get to a level of risk that is satisfactory to your management team. It’s important to evaluate and be aware of the risk in your environment so you can implement appropriate controls to mitigate this risk and secure sensitive information. Evaluating risk means understanding the biggest factors of any security threat, likelihood and impact. 

If you’re looking for a security partner to address your risk assessment needs, please contact an HBS Consultant at any time for more details on ways you can secure your business.