ABSTRACT
Every risk event has both probability and impact. In most organizations, those values are established qualitatively rather than quantitatively. That creates problems because perceptions frequently differ as to what constitutes a “high” probability or a “moderate” impact. Driving those differences in perception is, in part, the lack of organizational standards or schemes to determine those values.
