Risk Quantification 101: Communicate Risk in Dollars and Cents

LogicGate | November 11, 2021

In the most recent LogicGate webinar, our very own Mark Tattersall discussed risk quantification with a special guest, Protiviti's George Quinlan. This deep dive ran through key topics and points necessary for all GRC professionals who want to take the red pill and enter the risk quantification matrix. Here are some highlights!

The Words You Use When Describing Risk Matter

Back in the 70s, the CIA looked at how analysts wrote risk reports that had life or death consequences tied to them. One of the things they examined was how readers interpreted words like maybe, possibly, a chance that, etc. If the term maybe was used in a report, what percentage likelihood did readers think it implied? It turned out that people rated it anywhere between zero and 100%. That is a big range! In the same way, what one person labels a low risk, another may label a medium risk. Who is right? These examples show clearly that everybody uses and interprets subjective words very differently.

Disconnects and misunderstandings when communicating risk start with the language and terms that you're using. We see this type of non-quantified miscommunication today when GRC practitioners write risk reports or communicate to leadership. GRC teams must determine and thoroughly define the terms mentioned above, along with words like risk, threats, and assets, for their organization to help ensure understanding. When there's understanding and consensus, you're able to use risk as a strategic advantage.

And while historically risk quantification has been brought up in relation to cybersecurity, that's not the only space it benefits! You don't have to think about risk quantification and models like Open FAIR™ solely for IT and cybersecurity risks. These methods and processes can be applied to strategic, operational, and general business risks as well. Pretty incredible, huh?

The journey to risk quantification can be daunting at first, and organizations need to walk before they run. To gain access to more tips on how to start your risk quantification journey, listen to the full webinar available here.
