Organizations often put great effort into Enterprise Risk Management (ERM). Risk register, risk governance, risk reporting … it is all there.

Occasionally, though, one very important aspect of effective ERM, appropriate risk quantification, doesn’t quite get the attention it needs.

A risk register needs numbers!

In one of the most popular blog posts that I have written, I outlined the key ingredients of a good risk register.

A risk register without quantifying risks is like a thermometer without a scale.

Dr Risk, August 2021

In other words, using a thermometer without a scale can tell you whether it’s getting warmer or colder, but not much more!

a thermometer without a scale is of not much use…

Quantifying risks is hard, even for risk-mature organizations. It really is a challenge. IMHO a very exciting challenge, though!


  • Once a number is “out”, it is very easy for any audience to challenge it. Actually, it is much easier to challenge a statement like “the severity is expected to be 100k” than a much less precise statement like “significant”. Hence, every armchair risk expert can have a view on a certain number. Challenges and different viewpoints are very welcome, but challenging just for the sake of it, just because there is a number, doesn’t really add much to the conversation.
  • Some risks, let’s pick CYBER as an example, are very difficult to quantify. What is the likelihood that your organization will be attacked? And if there is an attack, what are the financial consequences of such an attack?
  • Furthermore, a number is a “discrete” statement. In reality, though, the actual outcome is likely to differ from that single value. Hence, this opens the door to ‘told you that the 100k wasn’t accurate’ ex-post arguments.

All of the above arguments have some validity. However, a thermometer fulfills its function only if a proper scale is attached to it.

So, no matter how hard it is, I appeal to all risk professionals:

QUANTIFY your risks: likelihood and expected severity


Many ways lead to Rome: you can start with historical numbers, use scenarios, market benchmarks, simple or sophisticated models, and/or even expert opinions.

Everything is better than relying on soft statements like “severe”. The term “severe” means different things to different stakeholders. A risk that might be severe for one stakeholder might be “benign” or “trivial” to another interested party. A number, benchmarked against the organization’s risk appetite, is a much clearer and more tangible statement!
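The “discrete number” objection above and the benchmark against risk appetite can both be handled by carrying a likelihood and a loss range in the register rather than a single figure. The Monte Carlo sketch below is an added example, not part of the original post; the scenario values (30% annual likelihood, median loss 100k, 90th-percentile loss 500k, risk appetite 250k) are constructed for illustration.

```python
"""Quantifying one risk-register entry as a distribution, not a point.

Added example with constructed inputs: likelihood of an incident per year,
plus an expert estimate of the loss given an incident (median and 90th
percentile). Monte Carlo turns these into an expected loss, a loss range and
the chance of breaching the risk appetite.
"""
import math
import random
from statistics import mean

Z90 = 1.2816  # standard normal 90th-percentile z-score


def lognormal_params(median: float, p90: float) -> tuple[float, float]:
    """Map a (median, 90th percentile) loss estimate to log-normal mu/sigma."""
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def simulate_annual_loss(likelihood: float, median_loss: float, p90_loss: float,
                         years: int = 20000, seed: int = 42) -> list[float]:
    """Simulate the loss in each of `years` years: with probability
    `likelihood` an incident happens and a log-normal severity is drawn,
    otherwise the year costs nothing. A fixed seed keeps results reproducible."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(median_loss, p90_loss)
    return [rng.lognormvariate(mu, sigma) if rng.random() < likelihood else 0.0
            for _ in range(years)]


def summarize(losses: list[float], appetite: float) -> dict[str, float]:
    """Register-ready figures: expected loss, median, 90th percentile and the
    probability that a single year's loss exceeds the risk appetite."""
    ranked = sorted(losses)
    n = len(ranked)

    def pct(q: float) -> float:
        return ranked[min(n - 1, int(q * n))]

    return {
        "expected_loss": mean(losses),
        "p50": pct(0.5),
        "p90": pct(0.9),
        "p_exceed_appetite": sum(1 for x in losses if x > appetite) / n,
    }


if __name__ == "__main__":
    # constructed cyber scenario: 30% chance per year, median 100k, p90 500k
    losses = simulate_annual_loss(0.30, 100_000, 500_000)
    for name, value in summarize(losses, appetite=250_000).items():
        print(f"{name:>18}: {value:,.2f}")
```

The median annual loss comes out as zero (most years see no incident) while the expected loss and the exceedance probability are clearly non-zero, which is exactly the kind of spread a single “100k” figure hides.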

a proper thermometer has a scale


Quantification of risks is hard. Yet it is a key ingredient to efficient and effective ERM. A risk register needs numbers!

Go out and quantify, then quantify some more, then validate and improve it!

In the meantime, enjoy what you are doing and stay safe!