Risk assessment [Part 2]: How to assess risks in practice?

In my previous blog post I talked about risk measurement system, which I will now present you in practice. I am sure this approach will make it easier to evaluate the risks in your every day work.

I often say to our clients that the system is merely a tool, which is why it cannot capture all aspects and anticipate all possible scenarios. Therefore, I always suggest to use common sense and also leave some room for maneuverer.

Now that we have discussed the good principles of setting up a risk measurement system, we are ready to give an example that works for most companies.

The system is an extension of the typical “Likelihood-Impact” matrix. The added dimensions make it possible to assess most of the risk characteristics in a coherent way. For instance, one cannot define likelihoods for many risks at all (foreign exchange rate risk, interest rate risk), and thus they cannot be estimated at all in the “Likelihood-Impact” manner.

All the losses are defined in terms of lost profit within 1-year period, and the frequency is defined in terms of years (once every x years).


This value tells you how many times you can expect that a certain risk will occur over a period. If a certain risk cannot realize repeatedly, one can substitute frequency with likelihood during a time period.

Typical loss

When there is a risk realization, a range of damage is possible from very small to very high losses. For example, a computer virus in most cases leads to only a few hours of work failure, which is a typical loss. This is a relatively common phenomenon and damage from such event falls under a typical loss.

Mathematically one should define this as the average loss per realization.

Worst case loss

Loss in the worst-case scenario is the damage that occurs when an extremely high and extremely rare realization. Linking, to the example typical loss example – in the worst-case scenario, the virus infects a computer that manages certain critical systems in the company. This can lead to the loss of the most important computer tools and systems, which in turn implies the shutdown of all activities and huge losses.

Mathematically the worst-case loss should be based on certain percentile of losses, similar to Value at risk.


Persistency can take values from “no persistence”, which means that the company feels the negative effects of the risk only in the year in which the risk is realized, to a completely persistent one, which means that after the realization of the risk the company feels negative effects in all subsequent years. Persistency is used to evaluate the net present value (NPV) of future losses which measures to total firm value loss in one year.

‘Social’ impact in the worst case

This aspect of the risk measurement system is meant account for impacts that cannot meaningfully be compared to financial damages. This impact scale is not quantitative in nature, but one should aim to set specific impact categories that are objective. For instance, this risk scale could be set to capture the potential impact on employee health, ranging from minor injuries to death or even death of multiple employees.


As there are multiple distinct dimensions of what makes a risk ‘serious’ we have numerous perspectives of how to rank risks. How much importance is given to each way of measuring depends on the organization, and the intended usage of risk estimates. 

Below are presented 4 ways to estimate the risk severity that are based on the above-mentioned risk dimensions.

Short term [Liquidity horizon]

Long term [Solvency horizon]

Average based measures

Expected profit loss due to risk

What does it mean: Indicates how much on average per year, specified risk reduces the profit?

How its calculated: Frequency X Typical loss

Why is it relevant: This is the starting point to benchmark running risk mitigation cost. If risk mitigation on annual bases costs less than it reduces the expected costs of risk, then it certainly makes sense to mitigate the risk.

Expected loss in company value due to risks

What does it mean: Adding the effect of persistency of risk effects allows us to estimated how much the value of the company is expected (on average) to decrease due to assessed risk.

How its calculated: Frequency X Typical loss X Present value factor based on the persistency

Why is it relevant: this is most meaningful way to benchmark does it makes sense to make certain capital investments to mitigate risk. If the investment value is lower than the expected loss in company value, then investment adds value to the company.

Worst case-based measures

Worst case profit loss 

What does it mean:

How its calculated:

Why is it relevant: This is important in evaluating whether the company can operate normally (service debt, etc.) even if the risk has the worst-case impact.

Worst case value loss

What does it mean: Estimates how much the economic value (not accounting) decreases in one year due to the risk?

How its calculated: Worst case loss X present value factor

Why is it relevant: This is important in determining whether the company has enough capital to withstand the effects of the risk realizing.


Find present value factor calculator on the following link.

Until next time, when we will examine how to combine and analyse the risk in order to get the best results, I invite you to check our latest posts:

– How to manage risks systematically?

– How to identify risks?

– How to define “a risk”?


Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.