Let’s Talk Risk (Without Sending You to Sleep) - de.iterate

Written by sallydeiteratecom | Jun 25, 2025 4:26:21 PM

Risk management. The phrase alone is enough to make some people’s eyes glaze over. But here’s the truth: if you don’t understand your risks, you’re gambling with your business—and the odds aren’t in your favour.

We get it. ISO 27001 risk assessments aren’t exactly edge-of-your-seat stuff. But they are essential. Especially if you want to stay compliant, stay in business, and sleep soundly at night.

The trick? Breaking it down in a way that actually makes sense.

So let’s unpack the three key ingredients of risk in plain language (and with just enough personality to make sure you keep your eyes open).

1. Consequences: What’s the Worst that Could Happen?

Before you can assess a risk, you need to understand what it could actually do to your organisation. That’s what we mean by ‘consequences’.

Think of it like this: if the risk became reality, what kind of damage are we talking about?

In ISO 27001 terms, consequences can include:

  • Financial: Fines, legal bills, cleanup costs. Think money going out the door.
  • Operational: Systems down. Work halted. Deadlines missed.
  • Reputational: Your name in the headlines for all the wrong reasons.
  • Legal and Regulatory: Breaches of law, contracts, or industry codes.
  • Health and Safety: Yes, even in digital risk, people’s safety can be impacted.

We usually sort these into levels like Low, Medium, High, and Extreme. If a risk could make your boardroom break into a cold sweat, it’s probably not ‘Low’.

Pro tip: Always rate based on the worst plausible outcome, not the most convenient one. A phishing click that ‘only’ exposes one mailbox can plausibly end in a full tenant compromise; rate the latter.

2. Likelihood: How Likely is the Nightmare Scenario?

So, the consequence is ugly. But what are the chances it’ll actually happen?

That’s where likelihood comes in. You need to consider how exposed you are: technically, organisationally, and even culturally.

Here’s a typical scale. ISO 27001 requires you to define your own likelihood criteria, but it doesn’t prescribe the scale, so yours may use different labels or a different number of levels:

  • Low: Possible, but not expected. Once in a blue moon kind of thing.
  • Medium: Could happen. Maybe once this year.
  • High: Likely. Probably more than once a year.
  • Extreme: Expected to happen, if it isn’t already happening. A ticking time bomb.

This is where historical data, industry benchmarks, and some plain old common sense come in handy. For example, if phishing emails hit your team weekly, you’re not in ‘Low’ territory.

Pro tip: If the risk has happened before, assume it’ll happen again unless something has changed.

3. Risk Level: The Love Child of Consequence + Likelihood

Once you’ve figured out the consequence and the likelihood, you combine them to get the inherent risk level.

This is the risk before you’ve applied any controls. Think of it as your raw exposure. Once controls are in place, you reassess and what’s left is the residual risk, which is what you actually decide to accept, treat, transfer or avoid.

A simple matrix helps you figure it out:

                   Consequence
Likelihood     Low      Medium   High     Extreme
Low            Low      Low      Medium   High
Medium         Low      Medium   High     Extreme
High           Medium   High     Extreme  Extreme
Extreme        High     Extreme  Extreme  Extreme

So if you’re facing a highly likely event with high consequences, guess what? You’ve got yourself an Extreme Risk. And no, you shouldn’t sit on it.

Pro tip: Don’t let the matrix flatten a nasty outlier. A rare event with Extreme consequences lands in the ‘High’ box, and an Extreme-likelihood event with Low consequences lands there too; they deserve very different treatment. Read the two inputs, not just the box, and don’t let a ‘Medium’ sneak under the radar if it could still break the business.

Why This All Matters

Risk management isn’t just a checkbox for audits. Done right, it helps you:

  • Focus your time, energy and budget where it actually matters.
  • Avoid fines, lawsuits, and reputational damage.
  • Make smarter, faster decisions under pressure.
  • Keep your business moving, even when things go sideways.

And most importantly: it helps you move from reacting to predicting.

Bottom Line?

Risk doesn’t need to be boring. But it does need to be understood.

So next time someone throws around terms like ‘inherent likelihood’ or ‘impact categories’, don’t panic. Just remember:

  • Consequence = how bad
  • Likelihood = how often
  • Risk level = how worried you should be

And if you need help turning your risk assessments into action? That’s exactly what we built de.iterate for.