New Variables in Risk Measurement

It is widely accepted that risk is calculated by multiplying the impact of an event by its probability of occurrence. Impact is related to financial losses, and probability is estimated by the likelihood to occur. However, most companies have added new variables to that risk assessment. In this post, I will share some other alternatives to improve this formula.

1- Risk Velocity: It refers to the time from the event occurrence until receiving the impact. For instance, if you are assessing the risk for nonconformance to a tax reporting regulation, a “high” risk velocity would be a situation in which you receive a prompt penalty.

2- Internal Control: It refers to how effective is the underlying process controlled by the organization. For instance, having a proper control environment for tax reporting would decrease the risk to receive a tax fine. Some companies may vary this element by including the number and severity of previous audit issues.

3- Process Documentation: It refers to having a policies and procedures in place. For instance, having proper policies to report taxes on time would decrease the risk of receiving tax penalties.

4- Preparedness: It refers to how effective be the company to react once the event occurs (eg. contingency plans). I have seen cases about this variable; however, it seems to be already included into the impact assessment.

5- Aggregation: it refers to how insolated a risk may occur. Some risks may aggregate to have a greater impact than their individual impacts. For instance, receiving a tax fine may increase the risk of having a tax inspection.

6- Volatility: it refers to the stability of a risk in time (to occur or to be measured). For instance, a volatile tax regulations would increase the risk of receiving a tax penalty. Some risks cannot be properly measured, and then their volatility variables are also high.

The internal control environment, the process documentation and the preparedness are only related to a particular company. Other variables can be shared by several companies or an industry.

Clarifications:
A- I summarized my statement that impact is related to financial losses. It is usually the case, but not always. In a way, other impacts (eg. reputational, HSE, etc) could be translated into a financial loss after they have been measured.
B- In theory, some of those variables (especially the internal controls) are related to both impact and frequency. However, a third dimension including those variables could be added as long as the same factor is not taken twice. For instance, you can display the conventional risk map in 2 variables and coloring a third variable to emphasize an increased risk. The following example would clarify this point: