How to Determine Risk Scores: Internal vs. External Risks
Gary Elens | October 13, 2018
As key indicators of any Enterprise Risk Management System, risk scores can help you identify and respond to the most pressing concerns affecting the health of your organization. In this blog post you'll learn what they are, how they're calculated, and how to use them most effectively.
When calibrated effectively, risk scores can help you identify and respond to risks in an appropriate fashion. Ultimately, they help support your company’s growth, reduce inefficiencies, and prevent reputational damage.
But how exactly are risk scores determined? Let’s take a closer look.
In this post we discuss:
1) Internal Risk Scores
2) External Risk Scores
3) How to Determine a Risk Score
4) Why It Is Important to Know Your Risk Score
5) How LogicGate Can Help
What Are Internal Risk Scores?
Just like it sounds, an internal risk score is an assessment of any risk factor that comes from within the company. Though they can be just as damaging as external risks, internal risks are often the most difficult to identify because they rely heavily upon the company's culture of risk.
As you may have experienced, mid-level management is often more aware of potential internal risks, but has trouble securing support from upper management to put adequate mitigation processes in place.
Common Internal Risks:
Human error, such as unintentional data leaks, union strikes, or ineffective management
Inadequate organizational structure and reporting responsibilities
Asset loss, including damage or destruction of company property or unforeseen costs of doing business
What are External Risk Scores?
External risk scores are assessments of anything and everything that could threaten your business from outside the company. These risks vary greatly and in some cases have few (if any) warning signs. It’s important to identify potential external risks so your organization has processes in place to react to and mitigate damage as soon as possible.
Common External Risks:
Natural Disasters—everything from hurricanes and flooding to droughts and earthquakes
Economic Change, including recessions and industry disruption
Political Factors: changes in governmental policies and regulations
Cyber Attacks, such as data theft by hackers, ransomware attacks, and the like
How Do You Determine a Risk Score?
In order to accurately calculate risk scores, two components must be taken into consideration: risk identification and risk analysis.
1) Risk Identification
Identifying potential risks is paramount to a successful project. Risk identification should not only be performed at the earliest stages of project development, it should also be reassessed throughout the project life cycle. In 2008, The Project Management Institute studied the Risk Management Process followed at Nokia Siemens Networks. Among other key findings, the report showed how “risk identification is one of the key topics in the regular project status and reporting meetings. Some risks may be readily apparent to the project team — known risks; others will take more rigor to uncover, but are still predictable.”
2) Risk Analysis
Once a risk has been identified, analysis helps you understand the threat it poses to your project or organization. This step explores the risk’s potential qualitative and quantitative impacts — which will help in creating processes to mitigate negative consequences. In other words, risk analysis is about calculating probability and likely outcomes.
The following are a few guidelines for calculating risk.
Risk = probability of event x magnitude of loss
Probability of Occurrence
High probability – (80% ≤ x ≤ 100%)
Medium-high probability – (60% ≤ x < 80%)
Medium-low probability – (30% ≤ x < 60%)
Low probability – (0% < x < 30%)
Risk Impact Rating (Magnitude of Loss)
High – Catastrophic (Rating A – 100)
Medium – Critical (Rating B – 50)
Low – Marginal (Rating C – 10)
The risk score is the result of your analysis, calculated by multiplying the Risk Impact Rating by Risk Probability. It’s the quantifiable number that allows key personnel to quickly and confidently make decisions regarding risks. The following chart can help assign risk scores and determine severity and time-sensitivity.
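The scoring scheme above, applied to a small risk register as an added example (not code from LogicGate or Risk Cloud): probabilities are mapped to the post's four bands, each risk is scored as probability x impact rating, and the register is ranked so the most pressing items surface first. The register entries and their probabilities are constructed for illustration.

```python
# Added example: Risk = probability of event x magnitude of loss, using the
# post's impact ratings (A=100, B=50, C=10) and probability bands.

# Rating letter -> magnitude of loss, as given in the post.
IMPACT_RATINGS = {"A": 100, "B": 50, "C": 10}  # Catastrophic / Critical / Marginal


def probability_band(probability_pct):
    """Map a probability in percent to the post's band; 0% is not a risk."""
    if not 0 < probability_pct <= 100:
        raise ValueError("probability must be in (0, 100]")
    if probability_pct >= 80:
        return "High"
    if probability_pct >= 60:
        return "Medium-high"
    if probability_pct >= 30:
        return "Medium-low"
    return "Low"


def risk_score(probability_pct, impact_rating):
    """Risk Impact Rating multiplied by Risk Probability (as a fraction)."""
    probability_band(probability_pct)  # validates the input range
    return probability_pct / 100 * IMPACT_RATINGS[impact_rating]


def rank_register(register):
    """Score every (name, probability %, rating) entry, highest score first."""
    scored = [
        (name, probability_band(p), rating, risk_score(p, rating))
        for name, p, rating in register
    ]
    return sorted(scored, key=lambda row: row[3], reverse=True)


# Constructed sample register mixing the post's internal and external risks.
SAMPLE_REGISTER = [
    ("Unintentional data leak", 65, "B"),   # internal, Critical
    ("Ransomware attack", 35, "A"),         # external, Catastrophic
    ("Reporting-line gap", 85, "C"),        # internal, Marginal
    ("Hurricane at primary site", 10, "A"), # external, Catastrophic
]

if __name__ == "__main__":
    for name, band, rating, score in rank_register(SAMPLE_REGISTER):
        print(f"{score:6.1f}  {band:12}  {rating}  {name}")
```

Note that a Marginal risk with a High probability (8.5) ranks below a Catastrophic one at Medium-low probability (35), which is exactly the prioritisation the multiplicative formula is meant to produce.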
Why Is Knowing Your Risk Score Important?
Accurate risk scores allow your organization to design an appropriate risk-response system, complete with processes and procedures to address any incident. Risk scores not only help to lower the probability of adverse incidents occurring, they can also help to limit the damage in the event something negative does occur. This leads to lower costs, greater likelihood of successful project outcomes, and increased customer satisfaction.
How LogicGate Can Help
LogicGate’s Enterprise Risk Management solution in Risk Cloud® is an agile and robust platform specifically tailored to your business. It’s designed to identify all risks that impact your organization, and uses dynamic models to automate risk scoring—a daunting task to perform manually. With LogicGate, stakeholders rate risk dimensions from impact to probability, and let the system’s customizable algorithm calculate weighted risk scores for use on dashboards and reports. Risk identification, analysis, and response is streamlined and automated with LogicGate’s ERM solution, which allows for confident and quick decision making concerning critical business issues. Suppose you are ready to start your risk quantification journey and want to learn more about how risk quantification can enhance your risk program. In that case, download our eBook, The Definitive Guide to Risk Quantification — also available as an audiobook — and request a demo of Risk Cloud Quantify™.
For more on Enterprise Risk Management, check out LogicGate's eBook below on How to Build Organizational Support for ERM.