CHAPTER 9:
RISK LEVEL

The risk level is a function of impact and likelihood (probability). The final step in the risk assessment exercise is to assess the risk level for each impact.

Three levels of risk assessment are usually adequate: low, medium and high. Where the likely impact is low and the probability is also low, then the risk level could be considered very low. Where the impact is at least high and the probability is also at least high, then the risk level might (depending on the design of the risk matrix) be either high or very high. These relationships are set out in the table below.

Figure 4: The risk scale

Every organization has to decide for itself where to set the thresholds for categorising each potential impact, and it may sometimes be helpful to have four or more risk levels (including one such as minimal) in order to prioritise actions better.

The table must have objective criteria applied to each band, which will enable different people in different parts of the organization to use it on a consistent basis.

The usual way of doing this is to allocate specific ranges to each band. For instance, the impact bands might be:

c From £1m to £5m (anything in excess of £5m is rejected)

b From £100,000 to £999,999

a From zero to £99,999

The likelihood bands might be:

i Less than once every year (very infrequent)

ii Between once a month and once a year (often)

iii More than once a month (very often)

These bands enable different people, in different parts of the organization, to assess risks in a similar way.
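As an added worked example (not from the book or its author), the impact and likelihood bands above can be turned into a small, repeatable assessment routine so that two assessors feeding in the same numbers get the same band and the same risk level. The band boundaries follow the text; the 3x3 matrix layout, the treatment of the exact boundary values, and the sample risk register are assumptions made for the example.

```python
"""Risk level as a function of impact band and likelihood band.

Added example. Band boundaries follow the chapter; the 3x3 matrix design,
inclusive boundaries and the sample register below are assumptions.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")  # ascending order of severity


def impact_band(loss_gbp: float) -> str:
    """Map an estimated loss in pounds to impact band 'a', 'b' or 'c'.

    a = zero to £99,999; b = £100,000 to £999,999; c = £1m to £5m.
    Anything above the £5m ceiling is rejected, as the text says.
    Assumption: a value in the gap between £999,999 and £1m goes to band b.
    """
    if loss_gbp < 0:
        raise ValueError("loss cannot be negative")
    if loss_gbp < 100_000:
        return "a"
    if loss_gbp < 1_000_000:
        return "b"
    if loss_gbp <= 5_000_000:
        return "c"
    raise ValueError("impact above the £5m ceiling is rejected")


def likelihood_band(events_per_year: float) -> str:
    """Map an expected event rate to likelihood band 'i', 'ii' or 'iii'.

    i   = less than once a year
    ii  = between once a year and once a month (1 to 12 per year, inclusive)
    iii = more than once a month (over 12 per year)
    """
    if events_per_year < 0:
        raise ValueError("rate cannot be negative")
    if events_per_year < 1:
        return "i"
    if events_per_year <= 12:
        return "ii"
    return "iii"


# Assumed matrix design: (impact band, likelihood band) -> risk level.
# Low impact with low likelihood sits at the bottom; high/high at the top.
RISK_MATRIX = {
    ("a", "i"): "low",    ("a", "ii"): "low",    ("a", "iii"): "medium",
    ("b", "i"): "low",    ("b", "ii"): "medium", ("b", "iii"): "high",
    ("c", "i"): "medium", ("c", "ii"): "high",   ("c", "iii"): "high",
}


@dataclass(frozen=True)
class Assessment:
    name: str
    impact: str
    likelihood: str
    level: str


def assess_risk(name: str, loss_gbp: float, events_per_year: float) -> Assessment:
    """Band both inputs and look the pair up in the matrix."""
    imp = impact_band(loss_gbp)
    lik = likelihood_band(events_per_year)
    return Assessment(name, imp, lik, RISK_MATRIX[(imp, lik)])


def is_rejected(loss_gbp: float) -> bool:
    """True when the impact falls outside the bands (over £5m or negative)."""
    try:
        impact_band(loss_gbp)
    except ValueError:
        return True
    return False


def prioritise(register):
    """Order (name, loss, rate) entries from highest to lowest risk level.

    Ties are broken by impact band, then likelihood band, so the ordering is
    deterministic whoever runs it.
    """
    assessed = [assess_risk(*entry) for entry in register]
    return sorted(
        assessed,
        key=lambda a: (LEVELS.index(a.level), a.impact, a.likelihood),
        reverse=True,
    )


# Constructed sample register: (scenario, estimated loss in £, events per year).
SAMPLE_REGISTER = [
    ("phishing-led credential theft", 250_000, 4),     # b, ii  -> medium
    ("ransomware on file servers", 2_000_000, 2),      # c, ii  -> high
    ("lost unencrypted laptop", 50_000, 24),           # a, iii -> medium
    ("misdirected customer email", 5_000, 0.5),        # a, i   -> low
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_REGISTER):
        print(f"{a.level:6} impact={a.impact} likelihood={a.likelihood:3} {a.name}")
```

The point of encoding the bands as code is the consistency the chapter asks for: the boundary values (£99,999 versus £100,000, exactly once a year) are decided once and applied the same way everywhere, and the rejection of anything above the £5m ceiling is explicit rather than left to whoever fills in the table.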

There may be challenges to resolve in terms of boundary estimates; these, together with a number of other subtleties, are discussed in Chapter 12 of Information Security Risk Management.
