Risk Assessment & Compliance

With few exceptions, and whether the resources at stake are financial, physical, or technological, the different types of risk can all be calculated with the same formula. Risk is defined by the following calculation:
Risk = asset value × threat × vulnerability


Elements of Risk
As the preceding equation shows, there are three elements of risk: asset value, threat, and vulnerability. Estimating each of these elements correctly is critical to assessing risk accurately.


An asset can be defined as anything of worth to an organization that can be damaged, compromised, or destroyed by an accidental or deliberate action, and its value is normally expressed in monetary terms. In reality, an asset's worth is rarely just its replacement cost; to get an accurate measure of risk, an asset should be valued according to the bottom-line cost of its compromise (lost revenue, recovery effort, regulatory penalties, and reputational damage included).


A threat can be defined as a potential event that, if realized, would cause an undesirable impact. The impact can take many forms, but it often results in a financial loss. Threats are usually expressed as a percentage (the likelihood that the event occurs), but two factors determine how severe a threat is: the degree of loss if it occurs and the likelihood of its occurrence.


Vulnerabilities can be defined as the absence or weakness of the cumulative controls protecting a particular asset. Vulnerabilities are estimated as percentages based on the level of control weakness. Control deficiency (CD) is calculated by subtracting the control's effectiveness from 1 (100 percent): CD = 1 − control effectiveness. A control that is 80 percent effective therefore leaves a 20 percent deficiency.
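The following script carries the formula above through a small asset inventory. It is an added example, not code from the original page. It assumes, beyond what the page states, that threat is expressed as a probability in the range 0 to 1, that vulnerability is the control deficiency CD = 1 − effectiveness, and that when several controls layer on one asset the residual deficiency is the product of their individual deficiencies (an independence assumption). The asset names and figures are constructed for illustration.

```python
"""Worked risk calculation: Risk = asset value x threat x vulnerability.

Added example, not part of the original page. Assumptions not from the page:
- threat is a likelihood in [0, 1] (e.g. chance of occurrence per year);
- vulnerability is the control deficiency, CD = 1 - control effectiveness;
- layered independent controls: residual CD is the product of each control's CD.
"""
from dataclasses import dataclass, field


def _check_fraction(name, value):
    """Threat likelihood and control effectiveness are percentages in [0, 1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be between 0 and 1, got {value}")
    return value


def control_deficiency(effectivenesses):
    """CD = 1 - effectiveness for a single control.

    For several controls on the same asset, the residual deficiency is the
    product of the individual deficiencies (assumes the controls fail
    independently); with no controls at all, CD is 1 (100 percent).
    """
    cd = 1.0
    for e in effectivenesses:
        cd *= 1.0 - _check_fraction("effectiveness", e)
    return cd


@dataclass
class Asset:
    name: str
    value: float      # bottom-line cost of compromise, not replacement cost
    threat: float     # likelihood the threat is realized, 0..1
    controls: list = field(default_factory=list)  # effectiveness of each control, 0..1

    def vulnerability(self):
        return control_deficiency(self.controls)

    def risk(self):
        """Risk = asset value x threat x vulnerability, as a monetary expected loss."""
        return self.value * _check_fraction("threat", self.threat) * self.vulnerability()


def rank_by_risk(assets):
    """Highest residual risk first: the order in which remediation budget should go."""
    return sorted(assets, key=lambda a: a.risk(), reverse=True)


def risk_reduction(asset, new_control_effectiveness):
    """Monetary risk removed by adding one more control to an asset."""
    before = asset.risk()
    after = Asset(asset.name, asset.value, asset.threat,
                  asset.controls + [new_control_effectiveness]).risk()
    return before - after


# Constructed sample inventory (illustrative figures, not from the page).
SAMPLE_ASSETS = [
    Asset("customer database", value=2_000_000, threat=0.30, controls=[0.90, 0.50]),
    Asset("public web server", value=400_000, threat=0.60, controls=[0.80]),
    Asset("internal wiki", value=50_000, threat=0.40, controls=[]),
]

if __name__ == "__main__":
    for a in rank_by_risk(SAMPLE_ASSETS):
        print(f"{a.name:20s} CD={a.vulnerability():.3f} risk=${a.risk():,.0f}")
    print("adding a 0.75-effective control to the web server removes "
          f"${risk_reduction(SAMPLE_ASSETS[1], 0.75):,.0f} of risk")
```

Note that the most valuable asset is not the riskiest one: the customer database is worth five times the web server, but its two layered controls leave only a 5 percent deficiency, so the web server (20 percent deficiency, higher threat likelihood) carries more residual risk and should be remediated first.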