

Cost (also referred to as Impact, Financial Exposure, Criticality or Importance) is the amount of losses an organization would potentially suffer from a negative or harmful event. Cost is used to prioritize the risks confronting an organization and as a tool in allocating control resources to mitigate those risks.

For the purposes of the Simple Risk Model, Cost is based on the annualized loss expectancy ("ALE") method.



Why use the term "Cost" to represent the outcome of a negative event? Why focus just on money as a means of measuring risk? In the real world, harmful events can cause a broad range of losses. An automobile accident can result in damage to the car, injury to people, time wasted by the owner repairing the car, expenses to repair the vehicle, emotional distress, loss of life, etc. The consequences of risk can be manageable and intangible, not just monetary. However, if we are to assess risk, we need an objective means of measuring it, and money is the best source of measurement. For example, the potential exposure to the insurance company from the car accident is equally complex, but every exposure can be simplified down to one single element - monetary losses (the amount of money the company will need to pay in costs and expenses to fulfill its obligations under the insurance policy). Even subjective and intangible losses like emotional distress can be boiled down to dollars - the cost to the insurance company for medical/psychiatric treatment, compensation for lost time from work, legal fees, etc.

For this reason, the assessment of operational risk measures the Cost component of the risk equation in terms of monetary losses. And for this reason, when you conduct an operational risk assessment, "follow the money". Do not become distracted by emotional or other subjective issues