In my many years of working in the field of risk management, I've come across a wide variety of ways that different organizations and people use to prioritize risks. These are commonly referred to as "Risk Scoring Methodologies". In SimpleRisk, we currently support six different risk scoring methodologies:
Anyone who has studied for the CISSP exam knows that the "textbook" definition of risk scoring is Risk = Likelihood x Impact. Typically, the Likelihood and Impact values are represented by ordinal numbers, which are mapped to some qualified value. We then use a matrix to represent the intersection of these values in order to obtain a final risk score. Some organizations will use a 3x3 matrix. Some may use a 10x10. Here at SimpleRisk, we've seen just about every combination you could imagine in between, but the most common scenario is a matrix with five Likelihood values and five Impact
Today I had a really interesting conversation with a guy from Japan via LinkedIn. It started with him trying to sell me some website design services, but when he realized their services weren't a good fit, he asked me a question. He said, "I checked a few websites - what is this risk management thing? If we have this web design studio, how do we calculate our risks?"
I've been avoiding sending out an e-mail about this since I know you all have already been inundated by e-mails from every other company, but I wanted to at least put something out there to let you know where SimpleRisk stands with respect to business continuity against this COVID-19 pandemic. As a security practitioner myself, our organization has been designed from the ground up with confidentiality, integrity, and availability in mind. All of our employees were already working remotely when this began, so we have a 0% risk of the effects of COVID-19 on our business due to employe