What formula should I use to calculate inherent risk?
Circadian Risk Inc.
Circadian Risk provides a suite of tools aimed at assessing & improving physical security/risk for enterprise companies.
You’re online, searching for a formula to calculate physical risk, when you see an article titled “The Improved Formula for Calculated Risk.” It’s from a trusted source, and claims that this formula will determine your organization’s risk more precisely than the traditional equation.
But then you scroll through your results and see another trusted source advertising “The New Equation for Determining Risk.” Who do you believe?
Recently it seems like every organization in the physical risk industry has been trying to improve on the equation for calculating inherent risk. But is it possible to build a better mousetrap? Should you use the new equations, and if so, which one?
This post will dig into methods of calculating risk, explaining how risk should be calculated, how risk should not be calculated, and why this is important.
The ‘new, improved’ formulas for calculating risk
Risk = Probability x Severity
This formula is the very definition of risk. Your risk is determined by how probable an event is, and the severity of that event, should it happen.
We tend to run into trouble when security professionals deviate from this simple equation by adding to it. In many cases, the new equations aren’t really equations. Instead, they’re processes that are being expressed as an equation. This is confusing for everyone because a process and an equation aren’t the same thing, which means the equation doesn’t make sense or work.
The Department of Homeland Security’s risk formula
Let’s take a look at an example. Below is the formula used by the U.S. Department of Homeland Security (DHS):
Risk = Threat x Vulnerability x Consequences
According to this formula, risk involves three key factors: threat, vulnerability and consequence. But this isn’t truly a formula to calculate risk.
What DHS is trying to say in this formula is that, using their method, they go through a process of evaluating threats relative to an organization's vulnerabilities and existing capabilities, as well as how bad it would be if a threat were to occur. It’s essentially the same formula as the traditional risk formula, combined with the DHS process.
This is a problem because it’s confusing — especially for people who are not security experts.
The real issue is how these variables are calculated, and how useful the end result, “Risk,” will be when comparing one location to another.
The CARVER Matrix
The CARVER Matrix is another formula often used in security. CARVER ranks threats based on six factors: criticality, accessibility, recoverability, vulnerability, effect, and recognizability.
Developed for the military, CARVER is intended to provide a means to attack a target by conducting a quick assessment of inherent risk by one expert, rather than an in-depth assessment. For this reason, the CARVER matrix generates a very subjective risk score. Subjectivity is a problem when it comes to risk scores in general. Scores may seem like a good measuring stick for risk, but what are they based on?
But again, given that subjectivity, how useful will the end result “Risk” be when comparing one site to another, and will different people get the same results?
We don’t need new risk formulas, we need better solutions
More isn’t always better, especially when it comes to using an equation to determine risk.
Risk is risk. No matter which formula you choose to use, it all comes down to understanding the basic principle that risk is just a factor of probability and severity. You might use different processes to determine your risk, but the variables never change. Using a physical security assessment platform can help with this — as long as the platform isn’t using subjective metrics to determine risk.
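To make the point concrete, here is an added example (my own code, not Circadian Risk’s or DHS’s) that scores inherent risk strictly as Probability x Severity and then folds the DHS-style factors back into those two variables: it assumes that “threat” and “vulnerability” are the two pieces of probability (an attempt happens, and it succeeds against current controls), that “consequence” is the severity, and that a site’s inherent risk is the sum over its scenarios. All scenario names and values are constructed for illustration; the scales (0 to 1 for likelihoods, 1 to 5 for consequence) are assumptions of the example. The point it demonstrates is the one in the DHS section and in the paragraph above: whichever process produces the inputs, the arithmetic is the same, and comparing two locations only works when the inputs sit on one defined scale.

```python
"""Inherent risk as Probability x Severity, with DHS-style factors
(threat, vulnerability, consequence) folded into those two variables
so that several sites can be compared on one scale.
All scenario values in SITES are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat scenario at one site (assumed scales, not the article's)."""
    name: str
    threat: float         # likelihood an attempt occurs in the period, 0..1
    vulnerability: float  # likelihood the attempt succeeds against current controls, 0..1
    consequence: float    # severity if it succeeds, e.g. 1 (negligible) .. 5 (catastrophic)


def _check_unit(value: float, label: str) -> float:
    """Reject likelihoods outside [0, 1]; a score built on them is meaningless."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be between 0 and 1, got {value}")
    return value


def probability(threat: float, vulnerability: float) -> float:
    """Assumption of this example: threat and vulnerability are the two
    conditional pieces of probability (attempted, then successful), so P = T x V."""
    return _check_unit(threat, "threat") * _check_unit(vulnerability, "vulnerability")


def risk(p: float, severity: float) -> float:
    """The base definition from the article: Risk = Probability x Severity."""
    if severity < 0:
        raise ValueError(f"severity must be non-negative, got {severity}")
    return _check_unit(p, "probability") * severity


def scenario_risk(s: Scenario) -> float:
    """Threat x Vulnerability x Consequence is the same arithmetic as
    Probability x Severity once the factors are grouped this way."""
    return risk(probability(s.threat, s.vulnerability), s.consequence)


def site_risk(scenarios: list[Scenario]) -> float:
    """Aggregate a site's inherent risk as the sum over its scenarios
    (the aggregation rule is an assumption of this example)."""
    return sum(scenario_risk(s) for s in scenarios)


def rank_sites(sites: dict[str, list[Scenario]]) -> list[tuple[str, float]]:
    """Highest inherent risk first, so locations are compared on one scale."""
    scored = {name: site_risk(scenarios) for name, scenarios in sites.items()}
    return sorted(scored.items(), key=lambda item: item[1], reverse=True)


# Constructed sample input: two sites assessed against the same two scenarios.
SITES = {
    "warehouse": [
        Scenario("after-hours unauthorized entry", threat=0.6, vulnerability=0.5, consequence=3),
        Scenario("theft of equipment", threat=0.4, vulnerability=0.25, consequence=2),
    ],
    "head office": [
        Scenario("after-hours unauthorized entry", threat=0.6, vulnerability=0.2, consequence=3),
        Scenario("theft of equipment", threat=0.4, vulnerability=0.5, consequence=4),
    ],
}

if __name__ == "__main__":
    for site, score in rank_sites(SITES):
        print(f"{site:12s} inherent risk = {score:.2f}")
```

Because every input is checked against a declared scale and the aggregation rule is written down, two assessors who agree on the inputs get the same number, which is exactly what a subjective matrix score cannot promise.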
People need to stop focusing on trying to create a better equation, and concentrate on creating a better process.
If you want to understand Circadian Risk’s process for determining risk, contact us today to speak with an expert.
Trusted Advisor | Leader | Risk Consultant | ESRM Advocate | Security Management Professional | Physical Security Specialist | Quality Management Professional | Public Speaker | Author | Media Consultant
7 months
Well stated, Daniel Young, qualitative and quantitative are the only ways to go. A subjective methodology will always provide biased results based on the assessor's perspective.
ASIS North American Regional Board of Directors, University of Michigan, Division of Public Safety and Security, Infrastructure Protection & Security Risk Assessments
7 months
Well written and thoughtful!