Risk is a measure of the impact on your mission (or on your lifestyle) of a particular bad thing that could happen. There are two components that determine the severity of a risk:
- Likelihood or frequency of this bad thing occurring.
- Cost or other measure of stress caused when it does occur.
Based on the relative intensity of these two factors, risks are classified as High, Medium or Low.
Controls are things and actions that we add to our processes that reduce the likelihood that the potential bad thing will actually occur and/or reduce the resulting cost or other stress resulting when it does occur.
Some commonly used controls are:
- Having someone else check your work (like a proof reader);
- Getting a supervisor to watch what you do (like a beach or pool life guard);
- Wearing protective clothing (like safety shoes or a helmet);
- Attaching a safety rope or harness (when rock climbing or washing windows on a building).
Vulnerability is the residual level of risk that remains after a control is put in place.
To see how Risk, Controls, and Vulnerability interplay, take a levee on a river that floods 15’ every year. The Risk is your house being flooded. Since the river floods frequently, it is a High Risk. The Control is the levee. High vulnerability would be a 10’ levee and yearly floods of 15’. Low vulnerability would be a 20’ levee and yearly floods of 15’. You can’t change the risk – the river is going to flood - but you can heighten the levee. Thus, by strengthening the control you can lower the vulnerability.
