What is the level of a single source of risk?
Let's start with what might appear at first glance to be a simple situation: You are about to drive 30 miles from your home to the airport.
You might have an accident.
The consequences of a car accident range from a tap on the bumpers to death — and many points in between. In other words, the level of risk is a range or distribution of multiple potential effects.
Each point, each effect in the range, has its own likelihood. You could plot all the possibilities on a chart to show the curve of effects and likelihoods.
How Do You Establish the Level of Risk?
Some people will take the worst possible outcome and its likelihood, quantify it, and call that the level of risk. Others will try to find an average outcome and quantify that as the level of risk. A few will put all of the above into a Monte Carlo simulation and come up with a single quantification of the range.
None of those reflect the level of risk.
As you look at the range of effects and their likelihoods, you might decide that the likelihood of death is so tiny that you will accept it. But you don’t like the likelihood of ending up in jail or facing a massive lawsuit, let alone the possibility of a months-long coma.
In other words, some of the points in the range might be acceptable while others are not.
You want to change the shape of the curve.
Some experts get around the problem by splitting the various effects into different sources of risk. The possibility of death might be one, while missing your flight could be another.
But is that practical when there are so many possibilities?
Now consider the fact that the likelihoods of most if not all of these effects are changing pretty much all the time.
- They change as you get closer to your destination or pass known trouble spots.
- They change as weather conditions change.
- They change as traffic patterns change.
- They change if there are accidents ahead of you.
- They change if you see reckless drivers or several cars racing each other.
- They change as you get tired or feel an urgent need to find a restroom!
So the level of risk is also not static and is not well represented by a point-in-time heat map or risk register.
Let’s take another, more business-oriented example.
Your closest competitor has announced a new generation of its product, saying that it is now "fully integrated with AI."
It is still early days, but you recognize that your own new generation product is at least three months away.
The possibilities include:
- Their product could prove to be such a leap forward that you will lose 80% of your market share. Twenty percent will be patient and loyal to your brand, waiting to see how your product will compare.
- Their product is good but not great. Maybe 15% of your customers will switch.
- Their product proves to be far less than spectacular, especially as your customers realize (with your help) that freely available AI products can be readily integrated with yours — and that the added functionality is not sufficient to justify switching vendors.
- Their product fails to launch properly, and the vendor has to delay until bugs are fixed. The vendor clearly didn’t do sufficient analysis of the risks the AI adds.
- The competitor launches the new product aggressively but loses market share when it fails.
- … and the many points in between.
The level of risk is a range again, and it is again changing with time.
Does it make sense to try to treat either of these sources of risk as something you can quantify and get a meaningful single value result? Does a single number or qualitative expression tell you what you need to know?
I am going to fly in the face of traditional wisdom and say “no.”
Present Risk Level as a Range
What would I do?
If management or the board want to discuss the level of a risk, I would share the full distribution. That way management can see all the points and assess which, if any, need to be addressed.
They can then make an informed and intelligent decision on what to do. If a decision-maker needs to consider a risk in the context of their decision, we would look at the whole distribution, but focus on those points that the decision-maker is most concerned with.
I would focus on the effect on enterprise objectives when talking to the board and top management, and on the decision-maker's own objectives when talking to that decision-maker, but with full knowledge of the potential effect on enterprise objectives.
If I had to help management develop a list of significant risks, maybe for the regulators or SEC reporting, I would suggest they focus on the points in the range that represent a serious threat to the achievement of enterprise objectives. It is possible that we would aggregate those points that are unacceptable.