
Identifying Security Threats

19 Replies Last post: Nov 14, 2009 10:27 AM by MikeBailey
Ralph DeFrangesco   54 posts since
Oct 3, 2008
Reply

Dec 16, 2009 1:32 PM

Identifying Security Threats

"Is it worth going through the exercise to identify every threat in an organization? Why or why not?"

JeffGoldman   10 posts since
Nov 3, 2009
1. Nov 10, 2009 9:13 PM in response to: Ralph DeFrangesco
Re: Identifying Security Threats

When assessing risk there is an unlimited amount of possible threats that could jeopardize a successful initiative or mission. It is worth compiling an extensive list, within reason, to identify all possible threats. This does not mean you should mention ridiculous ideas like key personnel being abducted by aliens, but it may be worth mentioning a key individual quitting or disappearing if that is what is deemed critical to the mission. This process will be handled in cooperation with business and resource owners, and by engaging others as to what their concerns are and looking at all possibilities, a threat specific to a business that may have otherwise been overlooked can be found.

 

Different threats and requirements may need to be identified that are related to environmental factors or specific business processes, and by creating an extensive list solutions can be addressed. The result is really twofold: On one hand, by identifying all risks you can confidently select those risks that need to be addressed individually from those that can be dealt with together and from those that can be excluded altogether. Those grouped together will fall somewhere in the High, Medium, Low categories where they can be considered and addressed methodically; and on the other hand, at the very least, identifying all the threats demonstrates due diligence on behalf of the business.

 

Identifying threats can be a lengthy task depending on the client or requirements, and determining which are pertinent may be an arduous task, but even though many will fall below the line of concern and not be targeted directly, many will automatically fall within the boundaries of the business's overall continuity plan.

WarrickStJean   28 posts since
May 11, 2009
2. Nov 10, 2009 10:27 PM in response to: Ralph DeFrangesco
Re: Identifying Security Threats

The question being posed is both utilitarian and philosophical. From a philosophical perspective the answer is NO, simply because organizations "don't know what they don't know" and thus only known threats could ever be considered. From a utilitarian perspective the answer is also a resounding NO, because it is simply not economically feasible to attempt to quantify ALL risks. The exercise becomes exponentially more complex and expensive as more and more factors are considered.

 

Businesses are in the business of taking calculated risks in order to make prudent/informed decisions that materialize as profits. Business leaders are faced with the challenge of perpetual decision making and ultimate responsibility for outcomes both known and unknown. All efforts to quantify threats/risk serve only the purpose of reducing the potential for lo$$ and are not conducted for the purpose of achieving mathematical precision.

 

One of the key challenges facing leaders is the prioritization of tasks & resources; this is difficult to do without having a complete list. At best, any single exercise to identify and perform threat/risk analysis is a point-in-time snapshot. Since resources are limited, analysis should be performed only up to the break-even point, beyond which exists the point of diminishing returns. This is the point at which further analysis will yield information of diminishing value and ultimately lead to the escalation of opportunity costs. In order for business organizations to obtain maximum value from any threat/risk analysis, a clear scope must be outlined along with reasonable parameters.

 

Businesses, industries, technology, processes and practices are constantly evolving. As organizations adapt to keep pace with clients, competitors and regulations, so do the threats and risks. The organization will derive greater value from generating a clear, focused list of well defined and relevant threats assessed and weighed over time. Ultimately, just like with physical exercise, threat/risk analysis is a process NOT an event!

JeffGoldman   10 posts since
Nov 3, 2009
3. Nov 11, 2009 8:29 AM in response to: WarrickStJean
Re: Identifying Security Threats

Mr. StJean, once again I am impressed at your selection of words and aptitude for the subject; however, the question posed was should we "identify" all risks not necessarily "quantify". If I misunderstood then please forgive my banter.

 

You are correct, businesses are challenged with identifying and calculating risk, but I am speaking from the view that this is the first assessment being performed and the list of threats is being established for the first time, along with the obvious threats being templated and submitted by the Risk Assessment professional (me).

 

Not being privy to an environment's particular processes and/or business would lead me to be required to interview those that are familiar. Their concerns, once listed, can then be included or excluded. Again, I reiterate, this is all to be performed within reason. The possibility of a Tsunami happening in Nebraska should not even be considered. This, to me, does not entail quantifying risk on every possible threat, for it would be a complete waste of time and not be required in this scenario, but the result will be a focused outline of pertinent threats that can be recycled for the next assessment, even though the next assessment should be given the same critical evaluation so as not to overlook a specific risk.

 

Either way, I see where you are coming from and agree with you on many points.

Dawit   8 posts since
Nov 5, 2009
4. Nov 11, 2009 9:44 PM in response to: Ralph DeFrangesco
Re: Identifying Security Threats

Identifying risk at an early stage will benefit the overall cost effectiveness and success of the risk management. Identifying risk also helps to determine the boundaries in which the risk assessment will be done or particularly concerned with.

If we don't carefully identify the risk at the beginning of the risk assessment, the result that we have later won't have a complete set of documentation of the due diligence of the organization. Moreover, risks that we identify in the process might not be as bad as the risk we thought, and the risk we left out without notice might jeopardize the entire accomplishment of the project. Finally, the whole point of identifying the risk is to be cost effective on our risk management project.

Dawit   8 posts since
Nov 5, 2009
5. Nov 11, 2009 9:55 PM in response to: WarrickStJean
Re: Identifying Security Threats

I really like what you wrote and, once again, your selection of words (Jeff is right).

But I was wondering; the question was posed on why. But to get back to your points:

You are 100% right that the organization "doesn't know what they don't know".

That is where we come into play, identifying all the existing threats by performing some process or function, because the business owner could know all the threats. To be exact on my point, every level of the organization can help us identify the threats that exist within the organization, which the senior people might not even know exist. So I will say it's good to take time and use the available tools to identify all risks before jumping to cost and controls.

John.Kimmel   8 posts since
Nov 5, 2009
6. Nov 12, 2009 12:57 PM in response to: Ralph DeFrangesco
Re: Identifying Security Threats

Risk Assessment is defined as analyzing all risk pertaining to the company. When analyzing risk we can go to one of two extremes. Another more practical solution is to analyze the validity of the risk and determine if it should be reported on.

 

One extreme would be to analyze every risk. We could document and attempt to mitigate all risks. These would include not only risks with potential, but those with little probability of occurring. An example of such risk would be a typhoon in Kansas. While anything is possible, this has little to no chance of occurring. With this method we risk inundating the reader with information which may not need to be addressed and mitigated.

 

The other extreme would be to only categorize those risks that have a high probability of occurring. This may seem like a good idea because we leave the reader with only the risk that needs to be addressed and how to mitigate the threat. However, leaving such pertinent information out may make our superiors think we were lax in our risk assessment and lead to a lawsuit for lack of due diligence.

 

A balance between the two would be the best way to report risk. Discretion needs to be used when deciding what to report. We should list all risks and rank their probability of occurring. With this list we can choose a cutoff line, then report and attempt to mitigate only those risks we deem worthy. The risks we choose not to report on can be listed in a separate section with their listed probability. The person constructing the risk analysis needs to judge what risk is probable and ensure that risk is brought to the attention of management.

 

We can see the danger of being too far in one direction or the other. As in the case of most issues, a balance between the two is the best solution. It provides the reader only with pertinent information, but also demonstrates due diligence, because we listed all risks in a separate section with probability.

MaribelLeon   8 posts since
Nov 4, 2009
7. Nov 12, 2009 5:09 PM in response to: Ralph DeFrangesco
Re: Identifying Security Threats

Yes, during risk assessment it is important to identify every threat to an organization, regardless of the likelihood of it happening or not. Any circumstance or event that can harm a company asset or business objective should be examined. Most importantly, the source of the threat must be examined before it is dismissed to determine if it presents a risk to the organization. Circumstances where the possibility of human threats exists, whether deliberate or unintentional, should be thoroughly investigated and identified. Subsequently, during the risk level process, threats that have little or no possibility of occurring can be eliminated.

Royce"The-Go-to-Guy"Richards   9 posts since
Nov 5, 2009
8. Nov 12, 2009 5:10 PM in response to: Ralph DeFrangesco
Re: Identifying Security Threats

It is important to go through the exercise of attempting to identify every reasonable risk that may affect an organization. Given that risk assessments are subjective by nature, it is impossible to identify "EVERY" threat. Also, whether or not something is truly a threat is up for interpretation by the parties involved.

One could theoretically come up with an infinite number of threats, but most organizations can't afford to waste time thinking up an endless list of "what if's". Instead, it makes sense for stakeholders and other members involved in the assessment process to do their due diligence and generate an exhaustive list of possible threats that not only may have a real impact on the organization, but a list of threats that could be realized in the foreseeable future based on historical events or prophetic insight.

MaribelLeon   8 posts since
Nov 4, 2009
9. Nov 12, 2009 5:24 PM in response to: Dawit
Re: Identifying Security Threats

Dawit, I completely agree with you. If all threats are not considered, then due diligence fails and the process cannot be documented accurately or properly. It is best to consider all possible scenarios and then weed out those that have no likelihood of occurring. And as you said, it is more cost effective than realizing it after the fact, when the process would have to be revisited and the wheel would have to be reinvented. It's also important to remember that the scope statement may include assumptions that a risk assessment has been performed on the supporting infrastructure and the proper controls have been implemented.

Royce"The-Go-to-Guy"Richards   9 posts since
Nov 5, 2009
10. Nov 12, 2009 5:31 PM in response to: MaribelLeon
Re: Identifying Security Threats

You made a great point when you said, "Circumstances where the possibility of human threats exist, whether deliberate or unintentional, should be thoroughly investigated and identified." I don't think some people realize how big a threat the people in the organization really are.

Maybe hasty decision making and selfish acts should be on the list of threats to identify. Failing to invest the necessary amount of time and money into a complete and thorough risk assessment might be another risk to consider. The human factor in my humble opinion probably generates the largest window of risk possibilities that could have a real and regular impact on the company's public image and bottom line. Someone has probably already written a book on the pitfalls of having humans manage an organization. Don't get me wrong though. The human factor isn't all bad... is it?

Millie   8 posts since
Nov 3, 2009
11. Nov 12, 2009 7:27 PM in response to: Ralph DeFrangesco
Re: Identifying Security Threats

The rewards for identifying threats in an organization are worth the time and effort. The success of a business depends on everyone's cooperation and input. Observation and patience are attributes that can be valuable to any business because natural, human and environmental threats are carefully being considered prior to incidents occurring. The process of identifying threats allows individuals to express various points of view and a sense of team effort which is recognizable.

WarrickStJean   28 posts since
May 11, 2009
12. Nov 12, 2009 7:34 PM in response to: JeffGoldman
Re: Identifying Security Threats

Jeff,

I believe that our points of view reflect more similarities than differences. For example I agree that "...This does not mean you should mention ridiculous ideas like key personnel being abducted by aliens".

 

From my perspective, there would be little business value in spending an inordinate amount of time listing risks only to end up complicating the process of prioritizing and quantifying. The process of determining value cannot be considered in a vacuum. I choose to focus on the feasibility of compiling a "complete" list and determining the value that such a list would bring to the process. In thinking through the overall risk assessment project, one phase affects the other. I believe that although risk identification and risk quantification can be mutually exclusive, one is a prerequisite to the other. In order to prioritize and choose which risks to consider, a fairly comprehensive list of relevant threats must be compiled. Fairly comprehensive is a long way from "complete", and the key word would be "relevant".

 

Risks and Threats are circumstantial and relational; the eventual list could be exponentially large due to permutations and combinations applied in "what if" scenarios. In order to avoid having to hire or retain an actuary, businesses should keep it simple. I honestly do not believe that a truly complete list can ever be compiled, so I arrived at the conclusion that it was best to narrow the focus to the most obvious and relevant threats in order to cover as much ground as possible.

JeffGoldman   10 posts since
Nov 3, 2009
13. Nov 12, 2009 7:42 PM in response to: WarrickStJean
Re: Identifying Security Threats

Sounds good.

Millie   8 posts since
Nov 3, 2009
14. Nov 12, 2009 8:07 PM in response to: Dawit
Re: Identifying Security Threats

The idea of being cost effective is definitely a major reason for identifying threats. The assets of any business should be protected in order to accomplish the expected goals and tasks. For this reason it is important to take the time to identify threats to avoid unnecessary spending.
