Proposed Residual Risk
Can you calculate residual risk? The discussion quickly turned into a conversation about how to calculate risk and whether the calculated result makes sense. The typical way to assess risks in BWise is on two scales, impact and likelihood. We assumed that preventive controls reduce the likelihood and that detective controls can only reduce the impact, since by the time they act the event has already occurred. I think that depends on the definition of the risk.
If we can calculate residual risk, then what formula do we use? The customer proposed putting a weight on each control that represents the maximum percentage of the inherent risk that control can reduce. Whatever the number of controls, they would in that case not be allowed to reduce more than 100 percent of the impact or likelihood. Next, the control weight is rated: the control design and performance are rated, and this results in a percentage of the maximum reduction percentage. As you can see, this starts to get complicated, and it is all still very subjective.
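As an added illustration of the customer's proposal (not code from the original post or from BWise), the calculation worked through in Python. The 1..5 scales, the multiplicative score, the sample controls and the proportional scaling of weights that add up to more than 100 percent are assumptions made here.

```python
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    kind: str             # "preventive" lowers likelihood, "detective" lowers impact
    max_reduction: float  # weight: the most of the inherent score this control may remove (0..1)
    effectiveness: float  # rating of design and performance, as a share of that maximum (0..1)


def combined_reduction(controls, kind):
    """Total reduction applied to one scale by all controls of the given kind.

    If the weights of these controls add up to more than 100%, they are scaled
    down proportionally (an assumption here) so the set can never remove more
    than the whole inherent score; each is then discounted by how well it was rated.
    """
    selected = [c for c in controls if c.kind == kind]
    total_weight = sum(c.max_reduction for c in selected)
    scale = 1.0 if total_weight <= 1.0 else 1.0 / total_weight
    return sum(c.max_reduction * scale * c.effectiveness for c in selected)


def residual_risk(likelihood, impact, controls):
    """Return (residual likelihood, residual impact, residual score).

    Assumes 1..5 scales and score = likelihood x impact.
    """
    res_l = likelihood * (1.0 - combined_reduction(controls, "preventive"))
    res_i = impact * (1.0 - combined_reduction(controls, "detective"))
    return res_l, res_i, res_l * res_i


# Constructed sample: an inherent risk rated likelihood 4, impact 5 (score 20).
SAMPLE_CONTROLS = [
    Control("quarterly access review", "preventive", 0.5, 0.8),
    Control("segregation of duties", "preventive", 0.7, 0.5),  # preventive weights now sum to 120%
    Control("transaction monitoring", "detective", 0.4, 0.75),
]

if __name__ == "__main__":
    lik, imp, score = residual_risk(4, 5, SAMPLE_CONTROLS)
    print(f"residual likelihood {lik:.2f}, impact {imp:.2f}, score {score:.2f}")
```

With the sample controls the preventive weights exceed 100 percent and are scaled back, giving a residual likelihood of 1.5, a residual impact of 3.5 and a residual score of 5.25 against an inherent 20; the number is only as good as the weights and ratings fed into it.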
When we put the end results up for discussion, we argued that the calculated residual value is really just an indication of what it could possibly be, and could help the risk assessor to direct his qualitative opinion. The most important question is whether we would want the assessor to have this information, knowing that it influences his opinion and that the calculation itself is very, well, subjective.