How is risk prioritization carried out?

A classic risk prioritization methodology includes five steps:

1. Defining the scope: defining the scope & collecting recent and historical risk information to inform the analysis.
2. Threat identification: identifying the main threats that have significantly affected that sector in the past and/or are likely to occur in the future.
3. Likelihood assessment: determining the period & frequency at which each major threat is likely to occur.
4. Impact assessment: estimating the likely impact of each threat on several areas.
5. Threat risk ranking: bringing together the information collected in steps 3 & 4 and quantifying the seriousness of the selected identified risk(s).

In the field of security, risk analysis is structured as a three-stage process:

1. Risk identification – investigating “source of risk, areas of impacts, events and their causes and potential consequences” (NATO, 2019: 143).
2. Risk analysis – develops an understanding of risk considering “the causes and sources of risk, their consequences and the likelihood that those consequences can occur” as well as “factors that affect consequences” (NATO, 2019: 144).
3. Risk evaluation – “comparing the level of risk found during the analysis process with risk criteria established when the context was considered” (NATO, 2019: 144).

Therefore, risk prioritization would occur in the second and third stage of the process. Once this process is completed, security risks are assessed using a combination of tools, the most frequent being:

• a color-coded risk matrix or heat map (x axis = likelihood, y axis = impact), where likelihood and impact are both graded on a 5-point scale from Very High to Very Low; and
• a probability impact graph, which plots each risk “in terms of its impact and likelihood, within environmental or thematic areas […] allow[ing] the most severe risks to be highlighted and trends forecasted” (NATO, 2019:145–146).

However, depending on the methods and data employed, there are multiple techniques which can be used for risk prioritization. Most of these, fall into one of three categories: qualitative, semi-quantitative, and quantitative methods (Ji et all, 2024), and include risk ratio method, scoring method, decision trees, multi criteria decision analysis, expert judgement, etc.

Risk prioritisation methodologies have also a number of shortcomings, such as:

• Difficult to assess impact of various variables. Numerous factors (e.g., financial loss, organisational/state reputation, public opinion, effects on humans) influence priority and should be included in the organisational risk strategy. A risk that directly impacts the mission is likely to be of high priority, but many other considerations – such as organisational/state reputation – might move a particular type of risk to the top of the list or at least change the order of risk prioritization.
• Risk prioritization often fails to consider the wider consequences. A good practice in this respect is the World Economic Forum global risks report which highlights the potential for systemic dependencies to result in cascading failures between interconnected infrastructures increasing the potential consequences of damage to one system (World Economic Forum, 2021).