80 / 20 your risk management

This is a very short post, which should work because it’s a very simple idea. Obviously, I’m a fan of simple (this is KISS risk management after all) but, as with lots of simple ideas, the trick is sticking to the idea and seeing it through without getting distracted.

The idea is that you use the Pareto principle, or 80 / 20 rule, when you’re thinking about your risk management system. In short, the principle or rule is:

80% of X arises from 20% of Y

There are countless blog posts and books about the principle and you can get an outline here or read this book but that’s the basic concept.

So what does this rule look like in practice?

  • 80% of a firm’s profits come from 20% of its offerings
  • 80% of your work comes from 20% of your clients
  • 80% of a school’s disciplinary problems come from 20% of students
  • 80% mastery of a skill / subject / ability comes from learning 20% of the content

This doesn’t necessarily mean you ignore the non-profitable product lines, cut off those other customers or expel the troublemakers. There are reasons you might want to sell loss-leading products or keep a marquee client on the books. But the 80 / 20 rule helps you identify where to put your focus and what will get you the most bang for your buck.

80 / 20 risk management

So how do you apply this for risk management?

  • 80% of your risks are likely to come from 20% of your threats
  • 80% of those risks can be tackled with 20% of your mitigation measures

Now, I would say that a big part of this is going to depend on the measurement system you’re using. This is where having a quantitative assessment system is very helpful, but even with a qualitative system or a matrix, you’ll be able to spot the most significant risks (e.g., the darkest reds). These will probably make up about 20% of the overall portfolio.

This is nothing startling: most organizations focus on their highest risks, sometimes to the detriment of others. So nothing earth-shattering there.

However, where the 80 / 20 rule really helps is when it comes to the mitigation measures. If you look at your risk mitigation plans, you will see that there are (or could be) mitigation measures that can deal with more than one threat. For example, having insurance might help offset the potential impact of both destruction from flooding and damage to equipment by an inattentive employee. A robust, diverse and flexible supply chain helps you deal with the collapse of a vital supplier and weather delays caused by regulatory changes.

So you should be able to find a few mitigation measures that have a disproportionate effect in limiting your risk.

And when you’re overstretched, under-resourced and short of time and budget, getting 80% of your results from 20% of your activity will be a real game-changer. So why not give it a try?

Originally published at on January 11, 2021.



Andrew Sheves

I’m an analogue operator in a digital environment who thinks simplification = optimization. I build and share risk management tools at