A Universal Grammar for Managing Organizational Risk


The foundational premise of the universal grammar (“UG”) discussed in this article is that it can be used to calculate any kind of risk: compliance, organizational, market, individual, etc. We did not invent the UG; we deduced it from NIST (the organization that provides cybersecurity and other best practices to all U.S. government agencies).[1] The NIST publication describes a methodology for conducting cybersecurity risk assessments using threats, vulnerabilities, and impact to the organization (or, in the generalized case presented here, to the individual). NIST does not present this as a UG for calculating a Risk; we adopted that term as shorthand for the wider applicability of the NIST methodology (“Methodology”).

The Methodology postulates that a Risk can be calculated with the following equation: the probability that a particular threat (“T”) will exploit a vulnerability (“V”), times the impact (“I”) to the entity (an organization or an individual for purposes of this article) (“Entity”) that would result from that exploitation. Loosely expressed, Risk = (T x V) x I. Note that the (T x V) term is what NIST calls likelihood: it is a single judgment that the threat and the vulnerability will meet, not a product of two independently measured numbers. The following is a graphical representation that we have often used in articles.

Even though the value of a Risk is expressed as a mathematical formula, NIST does not recommend quantifying risk, but rather assigning each Risk a subjective value of High, Medium, or Low, based on the subject matter expertise of the person conducting the risk assessment. We agree that for this purpose no quantification is necessary; in fact, NIST itself notes that quantitative assessments have been attempted and that the resulting numbers often carry no more precision than the subjective judgments buried inside them. However, when comparing Risk across organizational silos, at a minimum some best-guess quantification is required; otherwise, risk managers have no way of effectively comparing risks, and therefore no way of allocating the capital necessary to mitigate them.

Finally, entire PhD dissertations have been written on this topic, and we do not pretend that this article is anything but an anecdotal thought piece. We did look at some literature in this space and will cite it where applicable. One thing appears certain: there is no single definition of how a Risk should be calculated across all industries, including banking and finance, where some of the most complicated quantifications of risk take place.[2]

Likewise, the literature reveals that risk calculations are universally performed in silos, where the subject matter experts (“SMEs”) reside, and are then filtered up the organization, eventually to the level of a CXO.[3] Finally, even in the latter industries risk quantification was not determinative; at best it served as input to final decision makers, who applied their own experience, subject matter expertise, and gut feel, largely concerning the capital allocation required to address the most severe risks.[4]

How We Arrived at the UG

When we launched Expresso® in 2016 (our SaaS compliance software), we decided to treat each compliance regime as a loadable module (an “object” in object-oriented software terms). This was not because we immediately recognized the applicability of the UG to other compliance regimes; rather, it was an intuitive way to approach the problem for veterans of the tech industry. It appeared that most of our competitors had adopted, in some form, the NIST methodology, and we could not find a better model anywhere that was so widely supported (i.e., the decision to use NIST was a “no-brainer”).

After the HITECH Act was promulgated, the healthcare industry’s focus was on producing risk assessments for the HIPAA Security Rule (“SR”), to demonstrate at least partial compliance with what was arguably considered the most important part of the SR. For the HIPAA Privacy Rule (“PR”), the competition produced what is generally termed a “gap analysis.” We provided a PR Checklist that covered every requirement in the PR. Our Checklist had the following attributes: (1) a description of the requirement; (2) a clickable reference to the actual law; (3) a policy statement for that requirement; (4) suggested processes that underpinned the policy; and (5) suggested tracking mechanisms to track process results. In short, every element needed to satisfy the Compliance Equation® for each requirement. Gaps were determined by applying the Compliance Equation® to all PR requirements.

Over time, customers began asking if Expresso® could support additional compliance regimes (e.g., CCPA). After performing a “deep dive” into CCPA, we realized that the only difference we could discern between a security regime like the SR and privacy regimes like the PR and CCPA was that in the latter the Threat part of the NIST Risk Equation is the consumer’s right, and the Vulnerability part is whether the organization can satisfy that right. Other than that, the NIST Risk Equation applies in full. Therefore, our challenge was to identify the rights and vulnerabilities of the CCPA and put the regime into a UG “load module.” Because Expresso® already understood how to work with the UG, no changes to our software were needed. A “gap analysis” is nothing more than a risk assessment with a different name. After the hard work of placing the CCPA in the form of the UG, Expresso® worked flawlessly, as expected. We then applied the same process to the PR with similar results.

It was then that we realized that any compliance regime could be placed in the UG, assuming counsel had the expertise to accomplish the task. Therefore, the obvious conclusion was that Expresso® could operate on any compliance regime and could be used seamlessly across compliance silos.

The UG’s Global Applicability

It was not until recently that we had the epiphany that perhaps the UG could be used to calculate any Risk, whether compliance-related or not. We could not think of a single use case for organizations or individuals where it did not apply. Our initial research confirmed that no universal Risk calculation exists.[5] In fact, this issue has plagued Risk Managers for decades.[6] As we alluded to above, we do not believe that every compliance officer, for example, must acquire quant skills; however, without some quantification, crude as it may initially be, executives have no basis on which to compare risks. For example, how do you compare two subjective “High” Risks across compliance regimes without some quantification of the impact to the organization?
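The scoring below is an added example, not code from the original article or from Expresso®. It puts the Risk = (T x V) x I equation from the introduction, the privacy-regime reading of it (the consumer’s right as the Threat, the inability to honor it as the Vulnerability), and the “two High Risks from different silos” question above into one runnable register. The 0-10 likelihood and impact inputs and the 0-100 level bins follow the semi-quantitative scales in the appendices of SP 800-30 Rev. 1 (check the bin edges against your copy); the register entries, the dollar impacts, and the choice to read a 0-10 likelihood as tenths of a probability are constructed assumptions for illustration.

```python
"""Semi-quantitative risk scoring in the shape of NIST SP 800-30 Rev. 1, plus
the cross-silo comparison that a purely qualitative High/Medium/Low rating
cannot support.

Added example; the register, dollar figures and probability mapping below are
constructed assumptions, not data from any real assessment.
"""
from dataclasses import dataclass
from typing import List, Optional

# Level bins for a 0-100 score, floor first (SP 800-30 Rev. 1 appendix scale).
LEVELS = (
    (96, "Very High"),
    (80, "High"),
    (21, "Moderate"),
    (5, "Low"),
    (0, "Very Low"),
)


@dataclass(frozen=True)
class Risk:
    silo: str           # compliance regime or business silo that owns the SME
    threat: str         # threat event; for a privacy regime, a consumer right
    vulnerability: str  # weakness; for a privacy regime, inability to honor the right
    likelihood: int     # 0-10: likelihood that the threat exploits the vulnerability
    impact: int         # 0-10: impact to the Entity, on the silo's own scale
    impact_usd: Optional[float] = None  # quantified impact, if the silo supplies one


def score(risk: Risk) -> int:
    """Risk = (T x V) x I: the likelihood term (T exploits V) times impact, 0-100."""
    for value in (risk.likelihood, risk.impact):
        if not 0 <= value <= 10:
            raise ValueError("likelihood and impact must be on the 0-10 scale")
    return risk.likelihood * risk.impact


def level(score_value: int) -> str:
    """Map a 0-100 score to the qualitative level a risk assessment would report."""
    for floor, name in LEVELS:
        if score_value >= floor:
            return name
    raise ValueError("score must be 0-100")


def expected_loss(risk: Risk) -> Optional[float]:
    """Likelihood read as tenths of a probability (an assumption made here) times
    the quantified impact. None when the silo has not quantified its impact,
    because there is then nothing to compare across silos."""
    if risk.impact_usd is None:
        return None
    return risk.likelihood / 10 * risk.impact_usd


def rank_for_capital(risks: List[Risk]) -> List[Risk]:
    """Order risks for capital allocation by expected loss, highest first;
    unquantified risks sink to the bottom rather than being guessed at."""
    return sorted(
        risks,
        key=lambda r: (expected_loss(r) is None, -(expected_loss(r) or 0.0)),
    )


# Constructed register: one Security Rule risk, one CCPA risk (threat = consumer
# right), and one Privacy Rule risk whose silo never quantified its impact.
REGISTER = [
    Risk("HIPAA Security Rule", "phishing of workforce credentials",
         "no MFA on remote access to ePHI",
         likelihood=9, impact=9, impact_usd=2_000_000),
    Risk("CCPA", "consumer exercises the right to delete",
         "no inventory of where personal data is stored",
         likelihood=10, impact=8, impact_usd=150_000),
    Risk("HIPAA Privacy Rule", "patient requests an accounting of disclosures",
         "disclosure log kept only on paper",
         likelihood=6, impact=5),
]


if __name__ == "__main__":
    # Both the Security Rule and CCPA risks come out "High" on the qualitative
    # scale, yet their expected losses differ by more than an order of magnitude.
    for r in rank_for_capital(REGISTER):
        s = score(r)
        print(f"{r.silo:20} {level(s):9} score={s:3} expected_loss={expected_loss(r)}")
```

The point the register makes is the one the paragraph above asks about: two risks that an SME would both rate “High” (scores of 81 and 80) rank twelve-to-one apart once each silo attaches even a rough dollar impact, while the unquantified Privacy Rule entry cannot be placed at all and is deliberately pushed to the bottom instead of being silently treated as zero.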

Banks use sophisticated calculations, outside of the compliance space and from distinct risk silos, as input to decision-makers,[7] for example to calculate the capital cushion, market risk, credit risk, insurance risk, and operational risk. None of these silos appears to use a common definition of Risk. We should pause here to consider that Risk Management for banks is mission-critical, yet the problem persists.

What’s the So What?

The exponentially increasing costs of not having a UG for calculating a Risk affect all entities, across organizations and across industries. The lack of one slows the Risk communication process significantly, and this slow-down leads to additional costs and risks that are impossible to factor in. If you have ever missed a market opportunity due to slow decision-making, then you understand that the market now functions in an exponentially compressed time frame. In the past, we have referred to this phenomenon as “competing on Internet time.” Time-to-market may be emerging as the most critical differentiator between winners and losers, as economists like to say, “assuming all other things are equal” (e.g., quality, capitalization, etc.).


We will leave it as an exercise for our readers to discover use cases where the UG would not apply to an entity. We hope that such use cases will be brought forward so that we can expand the conversation on this topic, which is mission-critical in the compliance space and across industries. We would also appreciate any additional reference material you can point us to.

[1] See NIST Special Publication 800-30 Rev. 1, Guide for Conducting Risk Assessments.

[2] See generally Anette Mikes, “Risk Management and Calculative Cultures,” Harvard Business School.

[3] Id.

[4] Id.

[5] Id.; see also https://riskacademy.blog/is-your-risk-manager-a-user-or-a-generator-what-about-you/

[6] Id.

[7] Id.