Why prioritize risks
The financial, human, and technological capacities of every organization are limited, so it is appropriate to focus only on risks that reach a certain priority. For this reason, it is important to conduct a risk assessment and prioritize the risks it identifies.
How to prioritize risks
There are many ways to assess the importance and priority of individual risks. In the vast majority of cases, the importance of a risk is determined from several sub-factors, combined either by multiplying them or by using a risk matrix. To assess and prioritize risks, consider first and foremost the severity of the risk for your organization:
- How critical would the immediate impact be to organizational operations, mission, functions, image, reputation, assets or employees?
- How critical would the future impact be to organizational operations, mission, functions, image, reputation, assets or employees?
Prioritization using a matrix with 2 axes
- The risk matrix combines two factors that together create zones; each zone is then assigned an importance (priority).
- The most common way of prioritization is using two factors - impact and probability.
- Priority is not a simple multiplication of these two factors because, for example, a risk with a critical impact and a low probability may be critical for the business, while a risk with a moderate impact, although with a high probability, may not be critical.
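The last point above, as an added example that is not part of the original page: one constructed risk register ranked by the product of impact and probability and by a two-axis matrix. The scales, zone assignments and sample risks are assumptions chosen for illustration.

```python
# Added illustration: scales, zones and sample risks are assumptions,
# not values taken from the page.
IMPACT = {"low": 1, "moderate": 2, "high": 3, "critical": 4}
PROBABILITY = {"low": 1, "medium": 2, "high": 3}
ZONE_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Rows = impact, columns = probability (low, medium, high).
# A critical impact stays in the critical zone even at low probability.
ZONES = {
    "low":      ("low", "low", "medium"),
    "moderate": ("low", "medium", "medium"),
    "high":     ("medium", "high", "critical"),
    "critical": ("critical", "critical", "critical"),
}

def product_score(impact, probability):
    """Simple multiplication of the two factors."""
    return IMPACT[impact] * PROBABILITY[probability]

def matrix_zone(impact, probability):
    """Zone read from the two-axis matrix."""
    return ZONES[impact][PROBABILITY[probability] - 1]

def rank_by_product(register):
    ordered = sorted(register, key=lambda r: -product_score(r["impact"], r["prob"]))
    return [r["name"] for r in ordered]

def rank_by_matrix(register):
    # Zone decides the order; the product only breaks ties inside a zone.
    def key(r):
        zone = matrix_zone(r["impact"], r["prob"])
        return (-ZONE_RANK[zone], -product_score(r["impact"], r["prob"]))
    return [r["name"] for r in sorted(register, key=key)]

# Constructed sample register.
REGISTER = [
    {"name": "data centre flood", "impact": "critical", "prob": "low"},
    {"name": "staff phishing", "impact": "moderate", "prob": "high"},
    {"name": "unpatched wiki", "impact": "high", "prob": "medium"},
    {"name": "printer outage", "impact": "low", "prob": "high"},
]

if __name__ == "__main__":
    print("by product:", rank_by_product(REGISTER))
    print("by matrix: ", rank_by_matrix(REGISTER))
```

Ranked by product, the critical-impact, low-probability risk falls to third place; the matrix puts it first.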
Prioritization using vulnerability and threat assessment
- This is a method typically used in security.
- Risk is the product of: vulnerability * threat * asset
The levels of risk
Usually, there are three to five categories used to rank the risks and express their consequences. These are based on the potential severity of the damage caused. The following are examples of various levels of risks.
3 levels of risk
4 levels of risk
5 levels of risk