How likely, how bad: risk assessment
Duration: 60 to 90 minutes
Materials: asset and vulnerability cards from previous exercises, a 2x2 or 3x3 grid drawn on a whiteboard or large paper, markers
The exercise
Assess each vulnerability-asset combination for likelihood and impact. The goal is a prioritised picture of where the organisation’s exposure is most serious.
This is where the political layer becomes most visible. Likelihood and impact ratings are not objective measurements. They are judgements made by people in a room, and those judgements are shaped by the political dynamics of the room: whose assessments carry more weight, who is reluctant to name a high-impact finding that would implicate their area, who has an interest in a risk being rated lower than it is because they would be responsible for addressing it.
A facilitator who is not attending to these dynamics will produce a risk matrix that reflects the room’s political landscape as much as the organisation’s actual exposure. Naming this openly, without blame, is part of running the exercise well.
Step 1: Create the assessment grid (10 minutes)
Draw a grid with likelihood on one axis and impact on the other. A 3x3 grid (high/medium/low on each axis) is usually sufficient. The resulting risk levels:
| | Low impact | Medium impact | High impact |
|---|---|---|---|
| High likelihood | Medium | High | Critical |
| Medium likelihood | Low | Medium | High |
| Low likelihood | Low | Low | Medium |
Step 2: Define the scales concretely (15 minutes)
Generic definitions produce inconsistent ratings. Define likelihood and impact in terms specific to your organisation.
Likelihood: high means this could happen multiple times per year, requires limited effort or access, and is consistent with what comparable organisations have experienced. Medium means it could happen once per year and requires some effort or particular conditions. Low means it is unlikely in normal circumstances and requires significant effort or rare conditions.
Impact: high means service outage exceeding one day, significant financial loss, regulatory exposure, safety implications, or serious reputational damage. Medium means service degradation, moderate financial impact, customer complaints, and a meaningful recovery effort. Low means minor inconvenience with quick recovery and limited scope.
Adapt these to your context. The right definitions for a healthcare provider are different from those for a software company.
Step 3: Assess each risk (30 to 40 minutes)
For each vulnerability-asset combination, discuss likelihood and impact and place the card on the grid. Write the reasoning on the card: not just the rating but why the group placed it there. The reasoning is what makes the assessment credible and what allows it to be revisited intelligently later.
When the group disagrees on a rating, explore the disagreement rather than averaging. Disagreement often indicates either different information about the actual situation or different assumptions about what is realistic. Both are worth surfacing.
Step 4: Validate and draw the line (25 minutes)
Look at the completed grid. Do the critical and high ratings make sense collectively? Are there findings in the low category that feel underrated on reflection? Are any obvious risks missing?
Decide on the risk appetite line: which levels require action and which will be accepted or monitored. This is a decision with political content. Make it explicitly, with the people who have the authority to make it, rather than leaving it implicit.
What the exercise is testing
A group that rates everything as high risk is avoiding the discomfort of prioritisation. A group that rates everything as low risk is managing the discomfort of acknowledging serious exposure. Neither produces a useful output.
The rating conversation is also a test of whether the group’s models of likelihood are calibrated against reality. Likelihood ratings that consistently diverge from what is actually observed in the threat landscape and in comparable organisations are model failures. The facilitator can bring external reference points into the conversation: what is the actual frequency of this class of attack in your sector?
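As an added example that is not part of this guide, the following Python encodes Steps 1 to 4 together with the calibration point above: the 3x3 grid from Step 1, cards that cannot be placed without the Step 3 reasoning, the Step 4 appetite line, and a check that flags a grid where every card landed on the same level. The `Card` fields, function names and sample cards are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Step 1 grid: (likelihood, impact) -> risk level, exactly as in the table above.
RISK_GRID = {
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "critical",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
}
RISK_ORDER = ("low", "medium", "high", "critical")

@dataclass
class Card:
    asset: str
    vulnerability: str
    likelihood: str
    impact: str
    reasoning: str  # Step 3: why the group placed it here, not just the rating

    def risk(self) -> str:
        if not self.reasoning.strip():
            raise ValueError("a card without reasoning cannot be revisited later")
        return RISK_GRID[(self.likelihood, self.impact)]  # KeyError on an unknown rating

def place_on_grid(cards):
    """Group the cards by risk level, most serious first."""
    grid = {level: [] for level in reversed(RISK_ORDER)}
    for card in cards:
        grid[card.risk()].append(card)
    return grid

def action_list(cards, appetite="high"):
    """Step 4: draw the appetite line; everything at or above it needs action."""
    threshold = RISK_ORDER.index(appetite)
    return [c for c in cards if RISK_ORDER.index(c.risk()) >= threshold]

def sanity_check(cards):
    """Flag a grid where every card landed on one level: prioritisation is being avoided."""
    counts = Counter(card.risk() for card in cards)
    if len(cards) >= 3 and len(counts) == 1:
        return f"all {len(cards)} cards rated {next(iter(counts))}; revisit the scales"
    return None

# Constructed sample cards, not from any real organisation.
SAMPLE = [
    Card("customer database", "unpatched DBMS", "high", "high", "hit peers in our sector this year"),
    Card("public website", "outdated CMS plugin", "high", "medium", "defacement; recovery under a day"),
    Card("office printers", "default admin password", "medium", "low", "internal network only"),
    Card("backup tapes", "unencrypted offsite storage", "low", "high", "courier loss rare, exposes all records"),
]
```

Running `action_list(SAMPLE)` with the default appetite of "high" returns the database and website cards; the printers and tapes fall below the line and would be accepted or monitored.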