Step 3: Decide how much of a problem these are
To decide how much of a problem these are, you first need to work out a rating system (‘risk rating’) so you can compare different risks later. Ratings are normally based on the impact and likelihood of something happening.
For my impact rating scale I have used the face of the CEO if it happens.
😕 — downcast CEO, mildly annoying to customers
😠 — ruffled CEO, annoying enough for customers to complain about
😡 — angry CEO, bad enough to stop customers using my app
🤬 — fuming CEO, major disruption to customers or their financial well-being
For now I won’t base it on the number of customers impacted, but as I grow my customer base this is something I would want to add.
For rating how likely something is to happen I will use a scale based on my chances of seeing the following animals in the next 24 hours.
🦄 Unlikely <10% chance
🦉 Not very likely 10–50% chance
🐰 Fairly likely 50–90% chance
🐈 Highly likely >90% chance
(This scale is obviously 🇬🇧-specific; in other countries you may see 🦄 every day!)
Using this scale I can now rate my risks to decide how much of a problem they are. For simplicity I’ll just take the last example to look at, my unhappy employee 😤 stealing and selling customer data.
I think this would be a major issue for my customers as someone might use their data to access other accounts they have and cause them a lot of disruption. That’s a 🤬 or fuming CEO for impact.
Given I only have a couple of employees, I don’t think this is very likely. That said, they are only taking equity at the moment so may be desperate for money, and I have only known them for a short amount of time. That gets an 🦉 or not very likely.
Normally you would now combine these two together to get an overall rating (‘inherent risk’). I’m going to leave this for the time being to avoid getting too complicated.