# Understanding your risks: Probability, vulnerability, and impact

Risk combines three things: the probability that a potential hazard will occur, the effects it may have (its impact), and your specific vulnerability to it. For profiling your risks, it helps to think in mathematical terms, but do not fret over detail.

Rate the probability of a hazard, your vulnerability to it, and its potential impact simply as high, medium, or low. I suggest assigning a number of 5 to high, 3 to medium, and 1 to low. Let us look at hazard, impact and vulnerability.

Hazards come in three main categories:

1. Natural Hazards: Extreme weather, earthquakes, volcanic eruptions and, yes, diseases.
2. Technological Hazards: Fire, chemical spills, power outages, cyber attacks.
3. Man-Made Hazards: War, terrorism, violence.

People have a tendency to start a laundry list of potential hazards when they think of emergency preparation. I would start thinking about just a few hazards.  You will see that getting some knowledge and perspective on the basics will stand you in good stead if you feel the need to indulge your paranoia and fret about all potential hazards.

Vulnerability is different for different people.  A family in a desert area may consider themselves more vulnerable than others in the area due to distance from fire-fighters, or closer proximity to dry woodlands.  A health care services firm may consider themselves more vulnerable to a cyber attack than does a construction firm.

Impact also varies. An ice storm may have more impact on a community with exposed power lines than on one with fewer trees or with buried cables. A power outage will have a grave impact on a region, but it will not affect every business to the same degree.

You want to profile your risks by the level of threat to either your business or your family. That will give you a valid target to lower those risks.

Let us look at three risks that a small local distribution business in, for example, suburban Connecticut may face. Again, for simplicity we can look at just three hazards: a major snowstorm, a cyber attack, and violence against its employees. Here is how they may quantify these risks and so prioritize how they will plan for and mitigate them. We will use high/5, medium/3, and low/1.

Snow storm: This has a high probability of happening; each year has major snows, so the hazard is high. Their business is vulnerable to weather events, but their drivers are experienced in dealing with weather events, so they think their vulnerability is low. The area is used to dealing with snow, but the past few years have shown the roads are not cleared as quickly as they once were, so the impact of major snow is perceived as medium. Hazard = 5, vulnerability = 1, impact = 3.

Cyber Attack: The business has been subject to hackers in the past, and denial of service attacks are common, so the probability here is high.  They are vulnerable, as all their driver assignments and reporting are handled electronically, so they rate vulnerability as high. Impact will be substantial, but they have been able to handle past attacks, so they rate this medium.  Hazard = 5,  vulnerability = 5, impact = 3.

Violence: Safety of their people is paramount, and if they lose the trust of their people the business will suffer.  The impact to the business is high, but they work in a very safe area with great police protection, and they have trained their people to avoid such situations.  They rate both the vulnerability and probability of this to be low.  Hazard = 1,  vulnerability = 1, impact = 5.

## Risk Profile

For each risk, multiply the three factors: hazard × vulnerability × impact. Here are the scores for this company, in priority order:

1. Cyber Attack: 5 × 5 × 3 = 75
2. Snow Storm: 5 × 1 × 3 = 15
3. Violence: 1 × 1 × 5 = 5

This process, done objectively, delivers a priority of risks to address.

Actuaries spend their entire careers making these calculations more refined, but for businesses and families looking to prepare effectively, such detail seems more than needed.

Families that do this type of profile usually have a pretty mundane list.  Weather events, fires, and illness usually are top priorities.

Care should be taken to avoid what happened after 9/11. Then, people keyed on low-probability but emotionally charged risks like terrorist attacks. Natural hazards like hurricanes and diseases did not capture attention or funding, and it is those mundane risks that have hurt us the most.

## Next Steps

The distribution business example illustrates a process for identification and prioritization of risk. I would recommend more risks be profiled, but not more than six to eight. We will show that if you are working on a good prioritization of a few risks, what you do will be directly applicable to the hundreds of risks you may be able to list. It is not worth the emotional energy to address an exhaustive list of risks individually.

With your risks prioritized, now you can start to address them.  Before you go out and start buying things and hoarding supplies, realize that prevention and mitigation can be both cheaper and more effective.

Next posts will give you some basics on prevention and mitigation.