Scientifically Optimized Risk Control Selections

As can be seen in the ‘bow-tie’ diagram of a risk event above, controls to reduce risk can be applied at three points: (1) to reduce the likelihoods of risk sources, (2) to reduce the likelihood of a risk event given specific sources, and (3) to reduce or mitigate the consequence of a risk event on one or more objectives. After obtaining scientifically valid ratio-scale measures of the risk components (as discussed in the measurement methods for ratio-scale likelihoods and the measurement methods for objective importance), we can make scientifically valid estimates of the reduction in risk from the application of specific controls, as follows.
Effective risk management involves deciding which controls, or which sets (portfolios) of controls, to apply, subject to resource limitations. Only if we know the amount of risk reduction for any single control or combination of controls can we make intelligent decisions about which controls to implement and at what cost. In addition to ratio-scale estimates of the likelihoods of sources, the likelihoods of risk events given sources, and the importance of objectives, we also need estimates of the effectiveness of each control. Finally, computing the risk remaining under any set of controls must take into account the many-to-many relationships between sources, events, objectives and controls, as well as the non-linearities in risk reduction that those many-to-many relationships produce: when several controls act on the same source or event, their reductions do not simply add.
Given the above, the selection of controls is straightforward, although certainly not trivial, because of the many-to-many relationships and interrelationships among risk events, sources, objectives and controls.
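The computation described above, as an added worked example that is not part of the original article: every source, event, objective, control, likelihood, effectiveness and cost value below is constructed for illustration, and the rule that independent controls acting on the same component combine multiplicatively is an assumption, not something the article specifies.

```python
from itertools import combinations

# Constructed sample data for illustration (not from the article).
SOURCES = {"phishing": 0.30, "unpatched_server": 0.20}         # ratio-scale P(source)
EVENT_GIVEN_SOURCE = {("credential_theft", "phishing"): 0.50,            # P(event | source)
                      ("credential_theft", "unpatched_server"): 0.10,    # many-to-many
                      ("data_breach", "unpatched_server"): 0.40}
IMPORTANCE = {"confidentiality": 0.6, "availability": 0.4}     # ratio-scale objective importance
CONSEQUENCE = {("credential_theft", "confidentiality"): 0.8,   # fraction of objective lost
               ("data_breach", "confidentiality"): 1.0,        # per event (many-to-many)
               ("data_breach", "availability"): 0.5}
CONTROLS = {  # name: (bow-tie layer it acts on, target, effectiveness = fraction removed, cost)
    "awareness_training": ("source", "phishing", 0.5, 2),
    "patching": ("source", "unpatched_server", 0.7, 3),
    "mfa": ("event", "credential_theft", 0.9, 2),
    "backups": ("consequence", ("data_breach", "availability"), 0.8, 1)}

def factor(layer, target, selected):
    """Residual multiplier on one component. Assumption: independent controls combine
    multiplicatively (two 50% controls leave 25%, not 0%), which is the non-linearity."""
    f = 1.0
    for name in selected:
        where, what, eff, _ = CONTROLS[name]
        if (where, what) == (layer, target):
            f *= 1.0 - eff
    return f

def total_risk(selected=()):
    """Importance-weighted expected loss summed over every source->event->objective path."""
    risk = 0.0
    for (event, source), p_event in EVENT_GIVEN_SOURCE.items():
        likelihood = (SOURCES[source] * factor("source", source, selected)
                      * p_event * factor("event", event, selected))
        for (ev, objective), loss in CONSEQUENCE.items():
            if ev == event:
                risk += (likelihood * IMPORTANCE[objective] * loss
                         * factor("consequence", (event, objective), selected))
    return risk

def best_portfolio(budget):
    """Exhaustive search of control subsets within budget; returns (subset, residual risk)."""
    best = ((), total_risk())
    for k in range(1, len(CONTROLS) + 1):
        for subset in combinations(CONTROLS, k):
            if sum(CONTROLS[n][3] for n in subset) <= budget and total_risk(subset) < best[1]:
                best = (subset, total_risk(subset))
    return best
```

With these numbers the reduction from applying "mfa" and "awareness_training" together (about 0.077) is less than the sum of their separate reductions (about 0.073 + 0.036), because both act on the same phishing-to-credential-theft path.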
