Generic consequence scale: how I understand it

What to read first: Risk impact scale vs. achievement of objectives

Seen it all: This page assumes you know risk terms and concepts. It includes references to standards.

Here’s an example based on Sobel & Reding (2012), Figure 5.5 (for a commercial organisation).

Impact category

Impact level

Insignificant

Minor

Moderate

Major

Catastrophic

Financial

< $1m

$1m-$10m

$10m-$50m

> $50m

> $1b

Reputation

No noticeable impact.

Modest damage that requires some expenditure of resources to remediate.

Damage that makes it challenging to achieve at least one objective in the short term.

Significant damage that makes it difficult to achieve one or more business objectives.

Irreparable damage that threatens the organisation’s viability.

Safety

Minor injuries that result in no lost time.

Physical harm that may cause short-term absence from the workplace.

Physical harm that may cause extended absence from the workplace.

Life threatening injuries to employees, visitors, or innocent people in the community.

Fatality(ies) of employees, visitors, or innocent people in the community.

The words in this example are taken verbatim from Sobel & Reding. Please be kind to Sobel & Reding by understanding that this table is an example, which does not claim to be fit for real-world application. I know you can see problems in the detail, such as vague adjectives without objective measures, but they are not relevant to the core question in this post. It is more relevant that the three impact categories in the example are meant to be extended, but do not include anything that represents directly the core mission of the enterprise. Sobel & Reding do a commendably deep dive into objectives in Chapter 2, but I don’t see the link with the impact table.

There is at least one issue within this table that is directly relevant to the core question in this post. Within the Reputation row (Minor column) there is a suggestion of damage remediation. If the damage is fixed, does it have any real consequence at all? Is not the real consequence just the remediation cost? Similarly, if business objectives are ultimately achieved, but with difficulty (Reputation row, Major column), what is the real consequence? These questions show that the ‘impacts’ are just that, short term or incremental knocks, and not the ultimate effect on organisation objectives.

In the conventional approach, there is a matrix of impact types and impact levels. Each potential impact has an effect on your objectives. The impacts fall within generic types of ‘impact’, such as financial, reputation, safety, etc. The impact types and levels are not stated in terms of the objectives. The ‘impact’ metaphor implies that the consequence is reached when the risk event has run its course. Risks are typically understood as uncontrollable events that will interrupt an otherwise pre-determined path to achieving the objective. Choosing the wrong strategy is generally not recognised as a risk. (These details can be changed without replacing the generic consequence scale approach.)

Impacts at the same level are considered to be equally good or bad, even if they are of very different types (e.g. financial and safety).

You will see some sort of generic consequence scale in almost every ‘example’ and ‘illustration’ of risk assessment. Along with the example of a scale, you will usually see a lookup table for levels of likelihood and impact that produce a level of risk. That one will catch your eye, because of its lurid colour coding. Here’s a typical example (not from Sobel & Reding). [Like Alexei Sidorenko (LinkedIn), along with Thomas, Bradvold and Bickel (2013), I’m not a fan of this type of matrix. That conversation can wait for a later post, after we’ve finished the deep dive into consequence measures.]

Consequence
1. In-
significant
2.
Minor
3.
Moderate
4.
Major
5. Cata-
strophic
A (almost certain) High High Extreme Extreme Extreme
B (likely) Medium High High Extreme Extreme
C (moderate) Low Medium High Extreme Extreme
D (unlikely) Low Low Medium High Extreme
E (rare) Low Low Medium High High

The generic scale method is detailed in credible sources such as Sobel & Reding (2012). Other authoritative sources are less committed to it, and do not explain it with such clarity and authority. ISO 31000 itself does not mention this kind of scale at all.

References

Sobel, Paul and Reding, Kurt (2012) Enterprise risk management: achieving and sustaining success. Altamonte Springs, Florida: Institute of Internal Auditors Research Foundation (IIARF). This book is a major source for the CRMA Study Guide, available from the same IIARF bookstore.

Thomas, Bradvold and Bickel (2013) The Risk of using Risk Matrices SPE Economics and Management 6. Reference supplied by Alexei Sidorenko by comment on LinkedIn (thanks Alexei). There is one important detail in the article with which I disagree: it gives the impression that ‘risk matrices’ (lookup on likelihood and consequence) are part of ISO 31000. In fact ‘risk matrices’ are not mentioned in ISO 31000 and, in my opinion, represent an unhelpful hangover from risk management practices before ISO 31000:2009.

Parent articles

Risk impact scale vs. achievement of objectives

Seen it all: This post assumes you know risk terms and concepts. It includes references to standards.

Leave a Reply

Your email address will not be published. Required fields are marked *