It's like Al Rosen says, but you can "make" it a calculation.
Depending on the techniques you use (I use
FMEA) you can ascribe a value to the different risk elements.
To facilitate the (FMEA) risk assessment an estimate is needed of the
• Severity of the Effect (S) of a failure mode
• Likeliness of Occurrence (O) of a failure Cause
• Chance that the Effect or Failure mode is not Detected by means of current controls in place (Df)
These estimates are translated into a numerical value by means of a standardized approach. (I use a 1 to 5 rating for each)
The Risk (RPN) is subsequently quantified as follows:
RPN = SEVERITY x OCCURRENCE x DETECTION Failure
RPN = S x O x Df
This risk product number (RPN) is now a numeric representation of the calculated risk.
If this number is above a preset cutoff point (I use 15) I oblige myself to take risk mitigation measures.
Then I calculate again what the RPN is when the risk mitigating measures are implemented.
This can be seen as the "calculated" Overall Residual Risk.
It's one of many ways to make something this subjective and almost abstract tangible by means of numbers.
Hope it helps.
(just my 50 cts)
Best regards,
Jerome
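A worked version of the FMEA scoring Jerome describes, as an added example that is not part of the original post: it applies RPN = S x O x Df on his 1-5 scale with his cutoff of 15, flags what needs mitigation, and recomputes the residual RPN once a measure is in place. The failure modes, their scores and the mitigation are constructed sample data.

```python
# Added example, not from the post: FMEA risk scoring with RPN = S x O x Df.
from dataclasses import dataclass

SCALE = range(1, 6)   # each estimate is rated 1 (best) to 5 (worst)
CUTOFF = 15           # an RPN above this obliges a risk mitigation measure

@dataclass
class FailureMode:
    name: str
    s: int   # Severity of the Effect
    o: int   # Likeliness of Occurrence of the Cause
    df: int  # chance the failure is NOT detected by current controls

def rpn(s: int, o: int, df: int) -> int:
    """Risk priority number S x O x Df; rejects scores outside the 1-5 scale."""
    for label, v in (("S", s), ("O", o), ("Df", df)):
        if v not in SCALE:
            raise ValueError(f"{label}={v} is outside the 1-5 rating scale")
    return s * o * df

def needs_mitigation(fm: FailureMode, cutoff: int = CUTOFF) -> bool:
    """True when the calculated risk is above the preset cutoff."""
    return rpn(fm.s, fm.o, fm.df) > cutoff

def residual_rpn(fm: FailureMode, s=None, o=None, df=None) -> int:
    """RPN after a mitigation changes one or more estimates (others unchanged)."""
    return rpn(s if s is not None else fm.s,
               o if o is not None else fm.o,
               df if df is not None else fm.df)

def assess(modes):
    """Return (name, initial RPN, needs_mitigation) sorted worst first."""
    rows = [(fm.name, rpn(fm.s, fm.o, fm.df)) for fm in modes]
    rows.sort(key=lambda r: r[1], reverse=True)
    return [(name, value, value > CUTOFF) for name, value in rows]

# Constructed sample risk register (scores are illustrative)
REGISTER = [
    FailureMode("Expired TLS cert on login service", s=4, o=3, df=2),
    FailureMode("Backup job silently fails", s=5, o=2, df=4),
    FailureMode("Typo in footer text", s=1, o=3, df=1),
]

if __name__ == "__main__":
    for name, value, flag in assess(REGISTER):
        print(f"{value:3d} {'MITIGATE' if flag else 'accept  '} {name}")
    # e.g. adding backup-success monitoring lowers Df from 4 to 1
    print("residual RPN for backup job:", residual_rpn(REGISTER[1], df=1))
```

Note that an RPN of exactly 15 is not above the cutoff, so a mode scored 3 x 5 x 1 is accepted as-is; the residual value is what the post calls the calculated Overall Residual Risk.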