1- Risk Velocity: It refers to the time from the event occurrence until receiving the impact. For instance, if you are assessing the risk for nonconformance to a tax reporting regulation, a “high” risk velocity would be a situation in which you receive a prompt penalty.
2- Internal Control: It refers to how effective is the underlying process controlled by the organization. For instance, having a proper control environment for tax reporting would decrease the risk to receive a tax fine. Some companies may vary this element by including the number and severity of previous audit issues.
3- Process Documentation: It refers to having a policies and procedures in place. For instance, having proper policies to report taxes on time would decrease the risk of receiving tax penalties.
4- Preparedness: It refers to how effective be the company to react once the event occurs (eg. contingency plans). I have seen cases about this variable; however, it seems to be already included into the impact assessment.
5- Aggregation: it refers to how insolated a risk may occur. Some risks may aggregate to have a greater impact than their individual impacts. For instance, receiving a tax fine may increase the risk of having a tax inspection.
6- Volatility: it refers to the stability of a risk in time (to occur or to be measured). For instance, a volatile tax regulations would increase the risk of receiving a tax penalty. Some risks cannot be properly measured, and then their volatility variables are also high.
The internal control environment, the process documentation and the preparedness are only related to a particular company. Other variables can be shared by several companies or an industry.
Clarifications:
A- I summarized my statement that impact is related to financial losses. It is usually the case, but not always. In a way, other impacts (eg. reputational, HSE, etc) could be translated into a financial loss after they have been measured.
B- In theory, some of those variables (especially the internal controls) are related to both impact and frequency. However, a third dimension including those variables could be added as long as the same factor is not taken twice. For instance, you can display the conventional risk map in 2 variables and coloring a third variable to emphasize an increased risk. The following example would clarify this point:
