Forecasting sales isn’t just taught in the halls of academia — it’s a standard part of business plans and real-world management. And it isn’t done in the high/medium/low terms common in risk management, either. From simple formulas (unit sales x profit per unit = forecasted profit) to the most complex, sales forecasting is done using numbers.
If the business world is so comfortable quantitatively forecasting positive outcomes, why is the practice of quantitatively forecasting negative outcomes facing such headwinds to widespread adoption?
First, we’ve allowed the flawed “probability/likelihood x impact = risk” model to hold sway in our industry for too long.
Quantifying risk exposure involves understanding how many times a bad thing will happen over a given timeframe — frequency, not probability or likelihood — and how much money the organization will lose each time it does. This is analogous to the simple sales forecasting model stated above:
number of loss events x loss per event = forecasted loss
number of units sold x profit per unit = forecasted profit
Second, we’ve somehow convinced ourselves that it’s okay to talk about dollars of future loss, a quantity, in meaningless qualitative terms.
Imagine presenting a CEO with a report that says, “the number of units we think we’ll sell is rated as medium, the profit per unit is rated as high, therefore our forecasted profit is rated as high.” You would get laughed out of the building, and rightfully so! Talking about quantities using subjectively-interpreted qualitative labels hinders effective decision-making — should the company move forward with the launch of this product based on its high forecasted profit rating? It’s ludicrous to think that any organization makes resource allocation decisions this way, yet we’ve grown to accept it in risk management.
Instead, let’s use numbers to talk about things that are quantities — imagine that! Just like making an estimate of the number of units sold, you can make an estimate of the number of times a given loss event will occur. In both cases you’re going to refer to the best data you can find and talk to subject matter experts to inform your estimate.
While we may be working with less readily available data when forecasting loss than when we’re forecasting sales, the basic structure is the same. Your organization has to embrace quantitatively forecasting loss to the same extent as you quantitatively forecast sales, revenue, or profits if you want to most effectively use your limited resources to increase the organization’s value.
Fight your fear of forecasting losses by:
FAIR (Factor Analysis of Information Risk) is the only internationally recognized standard for operational and cyber risk quantification. Gartner, the influential technology consulting firm, has named “risk quantification and analytics” to its “list of "critical capabilities" for integrated risk management (IRM). To learn more about FAIR and risk quantification, join the 3,000 risk professionals who are members of the FAIR Institute.