Catherine Boerner (cboerner@boernerconsultingllc.com) is President of Boerner Consulting, LLC, in New Berlin, WI.
If you have gone through the exercise of trying to determine the likelihood and impact of a risk, you know how subjective and frustrating it can be. To be honest, if too much time is spent on it, I think those involved tend to miss the whole point of the exercise. When you look at different resources, explanations, and definitions, you may just get more confused. In order to simplify the process, I like to focus on the following concepts.
The likelihood scoring is determined primarily based upon the number and robustness of existing controls in place to mitigate a threat. Generally, the higher the degree of awareness and the more controls in place, the lower the likelihood for the threat to occur or the impact to be felt.
The likelihood of impact addresses the probability (or possibility) that the threat event will result in an adverse impact, regardless of the magnitude of harm that can be expected.[1] In the context of the HIPAA Security Rule, this requires consideration of the “criticality,” or impact, of potential risks to the confidentiality, integrity, and availability of e-PHI.[2]
An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. The likelihood of that impact is the key.
So basically, the impact may be high if the building is destroyed by fire, but the likelihood of impact, that is, the likelihood that the fire will actually result in a high adverse impact (regardless of the magnitude of harm that can be expected), may be lower because of the number and robustness of controls in place (e.g., back-ups of data, a strong disaster recovery plan).
The tables below demonstrate one example of a way to define and score likelihood and impact within a risk assessment. Regardless, this is a difficult exercise and, in my opinion, the only way to make it valuable is to simplify it and really focus on improving controls so that they make a difference in preventing the obvious risks to the organization.
| Likelihood | Description |
|---|---|
| 0 | No interruption in business would occur |
| 1 | Limited interruption in business, significant controls in place to prevent harm |
| 2 | Moderate interruption in business, many controls in place to prevent harm |
| 3 | Significant interruption in business, few controls in place to prevent harm |
| 4 | Catastrophic interruption in business, no controls in place to prevent harm |

| Impact | Description |
|---|---|
| 0 | Not applicable |
| 1 | Limited event, focused level |
| 2 | Moderate event, department level |
| 3 | Significant event, network level |
| 4 | Catastrophic event, corporate level |
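As an added illustration of how these two scales are used together in a risk register (this is example code written for this page, not the author's own tool), the script below encodes the 0–4 likelihood and impact scales exactly as defined in the tables, validates analyst-entered scores against them, ranks a small constructed register of threats, and shows how re-scoring likelihood after a new control is added changes the result. Two things are assumptions rather than content from the column: the combined risk score is computed as likelihood multiplied by impact (a common convention the page itself does not state), and the sample threats, scores and control names are constructed for the example.

```python
"""Score and rank risks using the likelihood and impact scales from the column.

Assumption (not stated on the page): the combined risk score is
likelihood * impact. The sample register below is constructed for this example.
"""
from dataclasses import dataclass, replace

# Likelihood scale, verbatim from the column's first table.
LIKELIHOOD_SCALE = {
    0: "No interruption in business would occur",
    1: "Limited interruption in business, significant controls in place to prevent harm",
    2: "Moderate interruption in business, many controls in place to prevent harm",
    3: "Significant interruption in business, few controls in place to prevent harm",
    4: "Catastrophic interruption in business, no controls in place to prevent harm",
}

# Impact scale, verbatim from the column's second table.
IMPACT_SCALE = {
    0: "Not applicable",
    1: "Limited event, focused level",
    2: "Moderate event, department level",
    3: "Significant event, network level",
    4: "Catastrophic event, corporate level",
}


def risk_score(likelihood: int, impact: int) -> int:
    """Return the combined score; rejects values outside the 0-4 scales."""
    if likelihood not in LIKELIHOOD_SCALE:
        raise ValueError(f"likelihood {likelihood!r} is not on the 0-4 scale")
    if impact not in IMPACT_SCALE:
        raise ValueError(f"impact {impact!r} is not on the 0-4 scale")
    return likelihood * impact  # assumed multiplicative combination


@dataclass(frozen=True)
class Risk:
    threat: str
    likelihood: int          # analyst score, driven by the controls in place
    impact: int              # magnitude if the threat is realised
    controls: tuple = ()     # existing controls that justify the likelihood score

    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    def describe(self) -> str:
        return (f"{self.threat}: score {self.score()} "
                f"(likelihood {self.likelihood}: {LIKELIHOOD_SCALE[self.likelihood]}; "
                f"impact {self.impact}: {IMPACT_SCALE[self.impact]})")


def with_added_control(risk: Risk, control: str, new_likelihood: int) -> Risk:
    """Record a new control and the analyst's re-scored likelihood.

    The column ties likelihood to the number and robustness of controls, so the
    analyst supplies the new likelihood explicitly; no automatic decrement is assumed.
    """
    risk_score(new_likelihood, risk.impact)  # validate before storing
    return replace(risk, controls=risk.controls + (control,), likelihood=new_likelihood)


def rank_risks(register):
    """Highest combined score first; ties broken by impact, then by name."""
    return sorted(register, key=lambda r: (-r.score(), -r.impact, r.threat))


def report(register):
    """Return (threat, score) pairs in ranked order."""
    return [(r.threat, r.score()) for r in rank_risks(register)]


# Constructed sample register (not from the page). The fire entry mirrors the
# column's own example: high impact, lower likelihood of impact because of
# back-ups and a disaster recovery plan.
SAMPLE_REGISTER = (
    Risk("Fire destroys the building", likelihood=1, impact=4,
         controls=("off-site data back-ups", "tested disaster recovery plan")),
    Risk("Unencrypted laptop holding e-PHI is lost", likelihood=4, impact=2),
    Risk("Ransomware encrypts the department file server", likelihood=3, impact=3,
         controls=("nightly back-ups",)),
)

if __name__ == "__main__":
    for risk in rank_risks(SAMPLE_REGISTER):
        print(risk.describe())
    laptop = SAMPLE_REGISTER[1]
    improved = with_added_control(laptop, "full-disk encryption", new_likelihood=1)
    print("after adding a control:", improved.describe())
```

The point the code makes is the one the column makes: impact on its own does not decide the ranking. The fire scenario carries the highest impact in the register but, because its controls pull the likelihood of impact down to 1, it ranks last, while the uncontrolled laptop loss ranks above it until an encryption control is recorded and its likelihood re-scored.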