
Subjective ranking

• With no historical data, setting priorities can’t
be done objectively – use rankings
• Order the risks by the likelihood that the risk
will become reality and number the risks using
“1” for the least likely risk and work up to the
most likely risk
• Also order the risks by the impact should the
risk become a reality and number the smallest
impact with “1” and work up
Simple ranking does not work
• Ranking probabilities and impacts this way can
be done rather easily and accurately
• Figuring out how to compute the exposure is
something else – when you don’t know the
actual underlying values, it is hard to see how
to compute the product (exposure)
• Using the probability and impact rankings to
compute a kind of “exposure” does not work in
all cases
Ranking-based counterexample
Risk  Probability  Impact  Exposure  Rank_p  Rank_i  Rank_prod
1     0.90          60      54.0     6       3       18
2     0.85          20      17.0     5       1        5
3     0.80         160     128.0     4       4       16
4     0.20         200      40.0     3       6       18
5     0.15         180      27.0     2       5       10
6     0.10          40       4.0     1       2        2

The highest exposure is not first or even second place when using the
product of this simple ranking method – an exposure computed from simple
rankings does not always work

Non-linear data-1
• In this example, the problem was the lack of a
linear distribution of the probabilities
– The top three were clustered around 0.85 and the
lower three around 0.15
– There was a big gap between 0.80 and 0.20
• There was a similar issue with the impacts
– The top three were clustered around 180 and the
lower three clustered around 40
– There was a big gap between 60 and 160
Non-linear data-2
Probability  Data    Impact  Data
0.90         x       200     x
0.85         x       180     x
0.80         x       160     x
0.75                 140
0.70                 120
0.65                 100
0.60                  80
0.55                  60     x
0.50                  40     x
0.45                  20     x
0.40
0.35
0.30
0.25
0.20         x
0.15         x
0.10         x

Non-linear data-3
• Is our insight into these risks enough to
recognize the gaps, even if we do not know
the actual values?
• If we can spread out the data to be close to
linear, even if we are not able to give an
accurate numeric value, we are in a position to
compute a better exposure for prioritization
purposes

Non-linear data-2
Probability  Rank_p  Data    Impact  Rank_i  Data
0.90         17      x       200     10      x
0.85         16      x       180      9      x
0.80         15      x       160      8      x
0.75         14              140      7
0.70         13              120      6
0.65         12              100      5
0.60         11               80      4
0.55         10               60      3      x
0.50          9               40      2      x
0.45          8               20      1      x
0.40          7
0.35          6
0.30          5
0.25          4
0.20          3      x
0.15          2      x
0.10          1      x

Improved ranking
Risk  Probability  Impact  Exposure  Rank_p  Rank_i  Rank_prod
1     0.90          60      54.0     17       3       51
2     0.85          20      17.0     16       1       16
3     0.80         160     128.0     15       8      120
4     0.20         200      40.0      3      10       30
5     0.15         180      27.0      2       9       18
6     0.10          40       4.0      1       2        2

Now the prioritization based on true exposure is the same as the
prioritization based on product of the ranking values

Establishing priorities
• The best case is where the team has a great
deal of carefully gathered historical data on
which to base estimates of probability and
impact
• Without historical data, try to use rankings,
but be sure to try to linearise the rankings
• Compute the product of the probability and
the impact, producing an “exposure” and use
it to prioritize the risks
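
The two ranking tables can be checked mechanically. The Python below is an added example, not part of the original slides: it uses the six probability and impact values from the slides and assumes the evenly spaced scales shown on the "Non-linear data" slides (probability in steps of 0.05 starting at 0.10, impact in steps of 20 starting at 20). The function names are illustrative.

```python
# Added example: reproduces the simple and the linearised ranking tables.
# RISKS holds the (probability, impact) pairs from the slides; the scale
# origins and steps passed to linear_ranks() are read off the slides too.
RISKS = {1: (0.90, 60), 2: (0.85, 20), 3: (0.80, 160),
         4: (0.20, 200), 5: (0.15, 180), 6: (0.10, 40)}


def simple_ranks(values):
    """Rank 1 = smallest value, counting only the risks present (gaps ignored)."""
    order = sorted(values, key=values.get)
    return {risk: pos for pos, risk in enumerate(order, start=1)}


def linear_ranks(values, lowest, step):
    """Rank = slot on an evenly spaced scale, so gaps between clusters count."""
    return {risk: round((v - lowest) / step) + 1 for risk, v in values.items()}


def priority(scores):
    """Risk ids from highest score to lowest; ties are broken by risk id."""
    return sorted(scores, key=lambda r: (-scores[r], r))


def compare():
    """Return (true exposure, simple rank product, linearised rank product)."""
    prob = {r: p for r, (p, _) in RISKS.items()}
    imp = {r: i for r, (_, i) in RISKS.items()}
    exposure = {r: prob[r] * imp[r] for r in RISKS}
    sp, si = simple_ranks(prob), simple_ranks(imp)
    lp, li = linear_ranks(prob, 0.10, 0.05), linear_ranks(imp, 20, 20)
    simple = {r: sp[r] * si[r] for r in RISKS}
    linear = {r: lp[r] * li[r] for r in RISKS}
    return exposure, simple, linear


if __name__ == "__main__":
    exposure, simple, linear = compare()
    print("by true exposure      :", priority(exposure))
    print("by simple rank product:", priority(simple))
    print("by linearised product :", priority(linear))
```

With the simple ranks, risk 3 (the highest true exposure) falls behind risks 1 and 4; with the linearised ranks the order matches the true exposure order.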