All major risks must be identified using a combination of the risk register, internal and external losses and a prospective trend analysis.
Each scenario can then be evaluated using the XOI method, which offers a structured approach to identifying and evaluating:
- The exposure at risk, or X: the resources exposed to the events under consideration (e.g. employees for fraud, buildings for disasters, operations for errors, products for legal risk, etc.)
- The occurrence of the scenario, that is, the probability that a particular exposed unit is hit by the risk
- The impact of the scenario, i.e. the cost of the scenario when it occurs. This includes the decomposition of cost factors (direct costs, additional costs, fines, etc.) and the identification of the circumstances driving the magnitude of this cost.
