Most organizations don't have any process to collect data and use it to verify their risk measurement results. Maybe the H/M/L stuff could work if there were an ongoing process in place to make it reflect the business's expectations in terms of risk, and to tune the likelihood and impact values and bands according to what is observed in reality.
I've never heard of any organization doing that. I'd really love to see the results if anyone out there is doing it.