In part 1 of this series, I briefly covered quantitative risk measuring – assigning a numeric value to risk, like “$3,500”, rather than a qualitative label like “medium” – only to quickly recommend against trying it. In this final sidebar, I want to come back to this topic. I’ll spend a bit more time explaining what I see as the pros and cons of quantitative risk measurement – why you might or might not want to use numeric values over more simple risk matrixes.| jacobian.org
When you look at a likelihood/impact risk matrix, you might notice that “medium” appears twice – once as high-likelihood/low-impact, and once as low-likelihood/high-impact. These two “mediums” aren’t at all the same!| jacobian.org
In the real world, accidents happen when a series of small missteps align to create severe consequences. This is something we call the “Swiss Cheese Model”: imagining a systems failure as a set of “holes” in our layers of defense that all line up to create a series accident.| jacobian.org
Risk is usually defined as the product of two factors: Likelihood and Impact. However, some disciplines include a third factor: Exposure. What’s that about, and when is it useful?| jacobian.org
So you’ve identified a risk — now what do you do about it? Here’s a simple framework to help frame discussions about risk mitigation. It’s intentionally very simple, a basic starting point. I’ll present a more complex framework later in this series, but I want to lay more of a foundation before I get there, so we’ll start here.| jacobian.org