There is a subtle and unrelenting temptation when assessing risk to just jump right in and start exploring the possibilities and repercussions without first considering what we are trying to measure. Most managers in a business believe they are experts in Operational Risk and are more than eager to apply subjective reasoning and seat-of-the-pants guesses to determine which controls are appropriate. The identification and assessment of risk is a difficult and complicated task and the process is made far more difficult if we do not bring a high degree of discipline and training to the effort. We need a commonly accepted, objective methodology that guides us to set goals. Without such a methodology, your guess is as good as mine.
The solution to this dilemma rests in adopting a methodology that breaks down the primary components of Risk - Likelihood and Impact - into ever-smaller units to the point where eventually a relative point of objective measurement is achieved. The results can then be summarized to create the overall value for Risk. Hence, the emphasis on this use of the Simple Risk Model.