Considering risk is a major part of any organisation's work. The simplistic model of listing possible events, their likelihood of occurring, and their impact is an ‘oldie but a goodie’ framework.
Risk is all about discussions and perspective. Different perspectives. Searching for and debating what is right and wrong can often be a form of hiding from doing the work. Often it can be most effective to have a diverse group of people rank the likelihood and impact, and then consolidate by looking at the range of viewpoints, not individual viewpoints. The outliers make the discussion interesting. The outliers ‘see’ something the rest of us don’t, and therefore it is critical to listen to them.
Often the impact considered is the impact to the organisation. Usually the legal and information security teams want to protect the organisation. This is good and necessary.
However, in our responsible data and technology work the framework needs more columns. We still need to consider the risk and impact to our organisations, but we also need to move beyond that. We need to consider the risk and impact to those we seek to serve. For example, a certain type of data breach might be low likelihood and even low impact on our organisation. But it may be devastating to those we seek to serve, as it exposes them.
Adding the column can completely change the discussion. There is still unlikely to be a right and wrong. That is not the point. Awareness and thinking beyond ourselves is.
Do the work, look at its effects – both in the short and long term. Look beyond yourself and our organisation. Yes, it won’t be perfect, but it rarely needs to be.