Risk-Based Thinking Resource Center

Risk-Based Thinking Step 3

Evaluate and Prioritize Risks

Use the Likelihood and Impact ratings in the Evaluate and Prioritize phase.  Categorize risks into broad High, Moderate and Low threat or opportunity categories.

  • All High-Risk Indexes should be slated for an action plan.
  • Low Risk Index scenarios don’t warrant action; the potential threat represents an acceptable risk, or the opportunity does not have an adequate return for the time and effort required.

Generally, additional factors should be explored to determine if Moderate Risk Index scenarios should be acted upon.

Moderate Threat Risks:

While the disposition of “High” and “Low” Risk Indexes is fairly straight-forward, dealing with Moderate Risks is not. To determine if moderate downside risks should be mitigated, consider the impact level.

  • If the Impact of the risk receives a rating of “5,” that risk should probably be considered for action even if the Likelihood is low.
  • However, if the impact rating is less than 5 for a threat potential and strong detection controls are in place, mitigation of that specific risk is often not needed. But if detection controls do not exist, it is probably worth considering mitigation solutions as long as they are practical and feasible.
  • Before spending time developing a comprehensive action plan, assess whether the potential threat mitigation solution is practical and feasible. It is practical if it “makes sense” and feasible if it fits within the skill-set and resources of the organization.
  • If a potential solution is not both practical and feasible, it doesn’t make sense to invest time and resources on it.

Moderate Opportunity Risks:

  • Conduct a form of cost-benefit analysis to help determine if the potential opportunity is “worth” the time and resources to take action.
  • If the cost to tackle an opportunity is high and the consequence of not acting on the opportunity is low, it makes sense to pass up that opportunity