# How likely, how bad (risk assessment)
Duration: 60-90 minutes
Materials: Asset and vulnerability cards, 2x2 grid (drawn on whiteboard or large paper), markers
## The exercise
Assess each vulnerability-asset combination for likelihood and impact. Create a simple risk matrix to prioritise.
### Step 1: Create your assessment grid (10 minutes)

Draw a 2x2 or 3x3 grid:

|                   | Low impact | Medium impact | High impact |
|---|---|---|---|
| High likelihood   | Medium | High | Critical |
| Medium likelihood | Low | Medium | High |
| Low likelihood    | Low | Low | Medium |
### Step 2: Define your scales (15 minutes)

Make it concrete for your organisation.

Likelihood (How often could this happen?):

- High: Could happen multiple times per year, easy to exploit, we've seen it before
- Medium: Could happen once per year, requires some effort or conditions
- Low: Unlikely in normal operations, requires significant effort or rare conditions

Impact (What happens if it does?):

- High: Service outage > 1 day, major financial loss, regulatory penalties, safety risk, reputational damage
- Medium: Service degradation, moderate financial impact, customer complaints, recovery effort required
- Low: Minor inconvenience, minimal financial impact, quick recovery, limited scope
Adapt these to your context. Healthcare, finance, and manufacturing have different impact definitions.
### Step 3: Assess each risk (30-40 minutes)

For each vulnerability-asset combination:

1. Discuss likelihood: How often could this realistically happen?
2. Discuss impact: What breaks if it does? Who's affected? How long to recover?
3. Place the card on the grid
4. Note your reasoning (write on the card)
Work through systematically. Don’t overthink: gut feel informed by experience is fine.
### Step 4: Validate the results (15 minutes)

Look at your grid:

- Do the "Critical" and "High" risks make sense?
- Are you surprised by anything in "Low"?
- Missing any obvious risks?
- Any grouped risks that should be separated?
Adjust positions based on discussion.
### Step 5: Draw the line (10 minutes)

Decide your risk appetite:

- Critical and High → Must address
- Medium → Should address (prioritise based on resources)
- Low → Accept or monitor
Mark this clearly on your grid.
## Output

- Risk matrix with all vulnerabilities positioned
- Clear priority groupings (Critical, High, Medium, Low)
- Reasoning documented for key assessments
- Risk appetite line defined
## Common pitfalls

- "Everything's high risk" → Force differentiation. Can't address everything equally.
- "Too optimistic about likelihood" → Check: has this happened in your sector?
- "Underestimating impact" → Think cascading effects: what else breaks when this breaks?
- "Ignoring low-likelihood, high-impact" → Rare but catastrophic risks need attention.
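As an added worked example (not part of the exercise materials), the Step 1 grid, the Step 5 appetite line and the Step 4 validation questions encoded in a short Python script: `rate` places a card on the 3x3 grid, `prioritise` orders the cards and attaches the appetite decision, and `validate` flags the patterns listed under common pitfalls. The cards in `SAMPLE_CARDS` are constructed for a fictional organisation.

```python
from collections import Counter
from dataclasses import dataclass
LEVELS = ("Low", "Medium", "High")
# The 3x3 grid from Step 1: RISK_MATRIX[likelihood][impact] -> rating
RISK_MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}
# The Step 5 risk appetite line, as written in the exercise
APPETITE = {"Critical": "Must address", "High": "Must address",
            "Medium": "Should address", "Low": "Accept or monitor"}
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass
class Card:
    asset: str
    vulnerability: str
    likelihood: str
    impact: str
    reasoning: str  # the note written on the card in Step 3

def rate(card):
    # Place one card on the grid; reject values not defined on the Step 2 scales
    if card.likelihood not in LEVELS or card.impact not in LEVELS:
        raise ValueError(f"{card.asset}/{card.vulnerability}: value not on the Step 2 scales")
    return RISK_MATRIX[card.likelihood][card.impact]

def prioritise(cards):
    rated = [(rate(c), APPETITE[rate(c)], c) for c in cards]
    return sorted(rated, key=lambda r: RANK[r[0]])

def validate(cards):
    # Step 4 checks that mirror the 'Common pitfalls' list
    warnings, counts = [], Counter(rate(c) for c in cards)
    if cards and counts["Critical"] + counts["High"] == len(cards):
        warnings.append("everything is Critical/High: force differentiation")
    for c in cards:
        name = f"{c.asset}/{c.vulnerability}"
        if c.likelihood == "Low" and c.impact == "High":
            warnings.append(f"{name}: rare but catastrophic (rated {rate(c)}), review before accepting")
        if not c.reasoning.strip():
            warnings.append(f"{name}: no reasoning noted on the card")
    return warnings

SAMPLE_CARDS = [  # constructed cards for a fictional organisation, not from the page
    Card("Customer database", "Unpatched web app", "High", "High", "Seen twice in our sector"),
    Card("Office printers", "Default admin password", "Medium", "Low", "Internal network only"),
    Card("Backup tapes", "Single offsite copy", "Low", "High", "Needs a fire at the depot"),
    Card("Intranet wiki", "Outdated CMS", "Medium", "Medium", ""),
]
```

`prioritise(SAMPLE_CARDS)` returns the register ordered Critical first, and `validate(SAMPLE_CARDS)` raises the backup-tape card for review and notes the wiki card has no reasoning.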