Last week I wrote about how traditional risk “scoring” doesn’t translate easily to the way probability is best described, which is a probability density curve. Those are things like bell curves (maybe skewed) or other charts that describe a full range of possible outcomes.

I wanted to translate from one to the other because I want to make it easy for organisations that do traditional risk “scoring” to move to something more useful.

So if that’s not a promising course of action, what’s the next easiest thing we can do? Given that risk scoring involves simply estimating two numbers (and multiplying them together), the next easiest thing might be to use two other numbers instead.

And here’s the proposal:

There are just two numbers to assess our uncertainty against, and they’re both a percentage. Let’s consider our example from last time—the risk of a ransomware attack in the next 12 months. We just need to assess (i) the likelihood of up to £50,000 of damage and (ii) the likelihood of over £50,000 of damage. By using the figures 70% and 30% (for example) we’ve instantly created a real (if rough) probability density curve.

Already this is more specific than the typical “high likelihood, medium impact” kind of scoring, and no more complicated. In fact, it’s arguably a little bit simpler.

It also lends itself to a pretty chart, without the pseudoscience of a risk heat map:

There are reasons for concern, but they are easily fixed. The threshold of £50,000 is a bit arbitrary; no problem, we can choose another. Using just two impact bands is a little limiting; no problem, we can add more bands, such as £0 to £50k, then £50k to £200k, then over £200k. Or anything we like. Unlike traditional risk “scoring”, we’re never missing information; we can only reduce its roughness.
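As an added illustration (this is not code from the post), here is a small Python model of the band idea: it checks that a set of bands is a usable distribution, then reads off the probability of exceeding any loss threshold and a rough expected loss. It assumes loss is spread evenly inside a band and that an open “over” band is capped at £500k; the three-band percentages are made up.

```python
"""Impact bands with percentages read as a rough probability distribution.
The Band record and all functions are assumptions made for this example."""
from typing import NamedTuple, Optional, Sequence

class Band(NamedTuple):
    lower: float             # losses in this band are at least this much (GBP)
    upper: Optional[float]   # None marks an open-ended top band ("over £200k")
    probability: float       # share of outcomes landing here, 0.0 to 1.0

def problems(bands: Sequence[Band]) -> list[str]:
    """Return what stops the bands being a usable distribution: percentages
    must total 100% and bands must tile the loss axis with no gaps/overlaps."""
    issues = []
    total = sum(b.probability for b in bands)
    if abs(total - 1.0) > 1e-9:
        issues.append(f"percentages total {total:.0%}, not 100%")
    if bands and bands[0].lower != 0:
        issues.append("first band should start at £0 (no damage)")
    for cur, nxt in zip(bands, bands[1:]):
        if cur.upper != nxt.lower:
            issues.append(f"gap or overlap between {cur.upper} and {nxt.lower}")
    return issues

def exceedance(bands: Sequence[Band], threshold: float, cap: float) -> float:
    """P(loss > threshold). Assumes loss is spread uniformly inside a band and
    that the open top band runs up to `cap` (both modelling assumptions)."""
    p = 0.0
    for b in bands:
        hi = cap if b.upper is None else b.upper
        if threshold <= b.lower:
            p += b.probability                      # whole band lies above threshold
        elif threshold < hi:
            p += b.probability * (hi - threshold) / (hi - b.lower)
    return p

def expected_loss(bands: Sequence[Band], cap: float) -> float:
    """Probability-weighted loss using band midpoints (same assumptions)."""
    return sum(b.probability * (b.lower + (cap if b.upper is None else b.upper)) / 2
               for b in bands)

# Constructed inputs: the post's 70%/30% split, and a three-band refinement
# with made-up percentages. The £500k cap for "over" bands is also assumed.
TWO_BAND = [Band(0, 50_000, 0.70), Band(50_000, None, 0.30)]
THREE_BAND = [Band(0, 50_000, 0.60), Band(50_000, 200_000, 0.30), Band(200_000, None, 0.10)]
CAP = 500_000

if __name__ == "__main__":
    for model in (TWO_BAND, THREE_BAND):
        print(f"{len(model)} bands: P(loss > £100k) = {exceedance(model, 100_000, CAP):.0%}, "
              f"expected loss = £{expected_loss(model, CAP):,.0f}, problems = {problems(model)}")
```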

Or perhaps someone doesn’t like the idea that this doesn’t tell us what we should act on; after all, a risk heat map might tell us that we “must treat” any risk that scores above, say, 10. But that’s actually a failure of risk scoring, because not only is that threshold of 10 arbitrary, but the criterion doesn’t link risk with reward. In reality we have to look at our assessment of any uncertainty, put it in context, and use our intelligence.

I hope to be able to use this two-percentage approach in future. If you know whether it’s already being used, I’d love to hear about it.