Each risk should be analyzed and classified into categories that reflect the risks to the business by type.
A sample list is below:
Product Development and Safety
Product Quality and Availability
IT Systems
Information Management
Safeguarding Key Assets, Resources & Processes
Sales & Marketing Practices
Integrity of Directors & Employees
Non-Discrimination in Employment
Pensions
Financial Controls
Competition Law
Environmental Management
Employee Health & Safety
Litigation
A standard approach to risk quantification is shown below. This standard is based on two considerations:
The expected value or financial impact ($ impact) if the risk were to occur. This is always viewed from a business perspective, not a technology perspective.
The probability (P) or likelihood that a risk will occur.
Formula for Calculating Risk: Risk ($) = P x ($ Impact)
Risk quantification requires knowledge of the expected value of the business impact if the event occurs. The business units affected should determine the financial impact.
The target is the acceptable value of the measurement for this risk. Quantifying this target (the norm) provides a measure of how well the risk has been managed or mitigated at later stages within the risk management framework.
When considering the target level of risk, consider the risk/reward trade-off (i.e., the level of risk a company is willing to accept in pursuit of the associated reward). This is the potential target level. If the current level of risk equals this target, then perhaps no mitigation is required and the company will accept this risk.
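The quantification and target comparison described above, as an added example that is not part of the original page. It applies Risk ($) = P x ($ Impact) to a small risk register, compares each quantified risk against its target to decide whether mitigation is required, ranks the items that exceed their target by the size of the gap, and totals exposure per business category. The register entries, their probabilities, dollar impacts and targets are constructed sample values; the category names are taken from the list earlier on the page. The validation of probability and dollar ranges is an added check, not something the page specifies.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # one of the business risk categories from the page's list
    probability: float  # P: likelihood the event occurs in the assessment period (0..1)
    impact: float       # $ impact: expected business loss if the event occurs
    target: float       # $ target: acceptable quantified risk for this item

    def __post_init__(self):
        # Added sanity checks (an assumption, not from the page): a probability outside
        # [0, 1] or a negative dollar figure would silently produce a meaningless risk value.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if self.impact < 0 or self.target < 0:
            raise ValueError(f"{self.name}: impact and target must be non-negative")


def risk_value(risk: Risk) -> float:
    """Risk ($) = P x ($ Impact), the page's quantification formula."""
    return risk.probability * risk.impact


def mitigation_required(risk: Risk) -> bool:
    """Mitigation is needed when the quantified risk exceeds the acceptable target.

    A risk at or below its target is accepted, matching the page's statement that
    a current level equal to the target may need no mitigation."""
    return risk_value(risk) > risk.target


def gap(risk: Risk) -> float:
    """Dollar amount by which the quantified risk exceeds its target (0 if accepted)."""
    return max(0.0, risk_value(risk) - risk.target)


def prioritise(risks):
    """Risks that require mitigation, largest gap to target first."""
    return sorted((r for r in risks if mitigation_required(r)), key=gap, reverse=True)


def exposure_by_category(risks):
    """Total quantified risk per business category, for reporting to the business units."""
    totals = {}
    for r in risks:
        totals[r.category] = totals.get(r.category, 0.0) + risk_value(r)
    return totals


# Constructed sample register; all figures are illustrative, not from the page.
SAMPLE_RISKS = [
    Risk("Customer database breach", "IT Systems", 0.10, 2_000_000, 150_000),
    Risk("ERP outage during quarter close", "IT Systems", 0.25, 400_000, 120_000),
    Risk("Backup tapes lost in transit", "Information Management", 0.05, 300_000, 20_000),
    Risk("Forklift injury", "Employee Health & Safety", 0.60, 50_000, 25_000),
]


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        status = "MITIGATE" if mitigation_required(r) else "accept"
        print(f"{r.name:35s} risk=${risk_value(r):>12,.0f} target=${r.target:>10,.0f} {status}")
    print("Priority order:", [r.name for r in prioritise(SAMPLE_RISKS)])
    print("Exposure by category:", exposure_by_category(SAMPLE_RISKS))
```

The impact figures are meant to come from the affected business units, as the page says; the code only makes the comparison and ranking repeatable so the register can be re-run as probabilities or targets change.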