The impact is more important than the probability that the risk may happen. This is akin to probability versus harm done in a suicide attempt. In that case, the more lethal the means (for example, a gun versus taking pills), the more tragic the end result will be. Women in general have a higher probability of suicidal ideation (but the means are often less lethal) compared to men, whose suicidal ideation probability is lower but the means used are often more lethal (for example, a firearm).
Dear Mr. Sekulovic! This question is so essential that everyone should be concerned with it. In most cases I do listen to my instinct, but here I opted for looking for research (evidence) on the Internet. Please see the cases I found enclosed. Here are events of low probability with high disastrous impact. Based on the materials found, I argue that one must consider the combined outcome of probability and impact based on simulation models. Scenarios where items trigger or reinforce each other are the ones to look for:
Mark H. Warner (2020). "Visualizing Risk Impact and Probability" in The Project Management Blueprint. Available at: https://www.theprojectmanagementblueprint.com/blog/risk-management/risk-exposure-equals-probability-times-impact
MITRE (2020). "Risk Impact Assessment and Prioritization" Systems Engineering Guide, MITRE Corporation, Available at: https://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-impact-assessment-and-prioritization
Thank you for your answer! Yes, both of them are important, but one is more important than the other, and that's impact. When we come to risks with high impact, probability can be low, but when they materialize, those risks can literally shut down the organisation.
The issue is rather complicated. Both terms are essential to understand the consequences associated with an event. A possible combination rule is the expectation. This rule is suspect when probabilities (as likelihoods) are very small but the consequences are very large. So, for example, (1*10^6)*(1*10^6) = 1.0. If the million measures deaths and the likelihood is 1/1,000,000, the expectation is correct but not really useful when making choices. Bottom line: use the entire distribution function for the consequences. If you think that the consequences are more important, you should use a theoretical argument to explain why your selection is preferable. Risk matrices suffer from theoretical issues; see LA Cox Jr in Risk Analysis (200).
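The point about expectation versus the full distribution, as an added example that is not part of the original post: two constructed risks with the same expected loss are compared on their exceedance probability, a high quantile and the worst case. The loss values, thresholds and function names are assumptions chosen for illustration.

```python
from fractions import Fraction

# Constructed discrete loss distributions: {loss: probability}.
RARE_CATASTROPHE = {1_000_000: Fraction(1, 1_000_000), 0: Fraction(999_999, 1_000_000)}
FREQUENT_MINOR = {2: Fraction(1, 2), 0: Fraction(1, 2)}


def validate(dist):
    """Reject inputs that are not a probability distribution."""
    if any(p < 0 for p in dist.values()) or sum(dist.values()) != 1:
        raise ValueError("probabilities must be non-negative and sum to 1")


def expectation(dist):
    """Classical risk score: sum of loss times probability."""
    validate(dist)
    return sum(loss * p for loss, p in dist.items())


def exceedance(dist, threshold):
    """P(loss >= threshold), e.g. the chance of an organisation-ending loss."""
    validate(dist)
    return sum(p for loss, p in dist.items() if loss >= threshold)


def quantile(dist, q):
    """Smallest loss x such that P(loss <= x) >= q."""
    validate(dist)
    cumulative = Fraction(0)
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= q:
            return loss
    return max(dist)


def worst_case(dist):
    """Largest loss that has non-zero probability."""
    validate(dist)
    return max(loss for loss, p in dist.items() if p > 0)


if __name__ == "__main__":
    for name, dist in (("rare", RARE_CATASTROPHE), ("frequent", FREQUENT_MINOR)):
        print(name, expectation(dist), exceedance(dist, 1000),
              quantile(dist, Fraction(999, 1000)), worst_case(dist))
```

Both risks score 1 on expectation, and the 99.9% quantile of the rare risk is 0, so only the exceedance probability and the worst case separate them.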
I think we need to calculate the amount of information that is contained in some events (the values of various factors), about the occurrence of other events that are captured by these factors. There is a software system (my development, open source software) that provides this.
Article OPEN PERSONAL INTELLECTUAL TECHNOLOGY FOR DEVELOPMENT AND AP...
It is well known that prevention is better than rehabilitation; that's why prevention is the first line of defence. In risk management, our efforts must focus on preventing the risk from materialising. In that sense, reducing the Probability is of utmost importance. The second line of defence is to reduce the Impact of the materialised risk. Examples of that are:
We first take measures to prevent a landslide or a flood (reduce the probability). If this is impossible then we take measures to reduce impacts and losses.
We first take control measures to prevent a fraud. Measures to handle consequences follow.
In risk management as well as in health & safety management, according to international standards, prevention measures are those measures that are first taken to avoid the hazard source, that is to eliminate or reduce the probability. Measures to mitigate the impact are second, third etc lines of defence when eliminating the source of hazard is unavoidable.
However, in cases of low-probability, high-impact risks (emergent risks), when human lives or the existence of the company is in danger, then measures to reduce impact are of high priority.
Totally agree with you. What if probability is more than its severity? In this case the incident will occur frequently with lower impact, and this will also change the value of the overall risk (quantitative).
Risk analysis is more an art than a solid science. There is a lot of subjectivity in the process. The answer to your question is: it depends. The most important factor should be the acceptability of the risk. However, because the risk is a mix of two components, probability and consequence, you should consider the acceptability of each of them separately as well as the acceptability of both of them (the risk). That's what happens with nuclear energy. In terms of human lives and material damage, nuclear energy still has lower consequences in comparison with fossil energies (land and sea spills, refinery explosions, cargo explosions and so on), but for several reasons the consequences of a nuclear accident are unacceptable. If you calculate the risk for nuclear you will probably find low to medium; still, this is unacceptable. Mainly because the consequence is not socially acceptable.
If either factor would differ from the other then surely there would have been a weighting involved in the classical way of computing risk R = I*L (impact times likelihood). Perhaps a more relevant question in this context is whether controls exert an effect on impact over likelihood - or vice versa or not at all?
As Yaniel Torres outlined above, the risk appetite will influence the control selection to get from the inherent to the residual risk level. The question of importance, with respect to likelihood or impact, is decided by the type of controls that are ultimately implemented to protect the asset. These controls may reduce likelihood or impact or both. Note that, when likelihood is zero, the risk will be zero, irrespective of its assumed impact. Does that case not illustrate that likelihood can be more important than impact?