LR-201c · Module 2

Quantifying AI Risk


"This is a significant risk" is not quantification. It is an opinion. Quantification converts opinion into numbers that can be compared, prioritized, and used to make resource allocation decisions. When the CFO asks "how much should we spend on AI risk mitigation?" the answer cannot be "enough." The answer must be derived from the quantified risk exposure — the expected cost of the risks you have identified, weighted by probability.

  1. Impact Estimation: For each identified risk, estimate the financial impact if it materializes. Include direct costs (fines, legal fees, remediation), indirect costs (lost revenue, customer churn, delayed projects), and intangible costs (brand damage, trust erosion). Be specific. "A data breach involving AI-processed PII would trigger notification obligations in 4 states, estimated legal and remediation cost: $200K-$500K." That is quantification.
  2. Probability Assessment: Estimate the likelihood that each risk materializes within a defined time horizon — typically one year. Use a scale that maps to ranges: very low (less than 5%), low (5-15%), moderate (15-40%), high (40-70%), very high (above 70%). Ground the estimate in evidence — historical data, industry benchmarks, system characteristics — not gut feel.
  3. Expected Loss Calculation: Multiply impact by probability to get expected annual loss. A $500K impact with a 20% probability produces an expected annual loss of $100K. This number drives the mitigation investment decision: spending $50K to reduce the probability from 20% to 5% is a rational investment. Spending $200K on the same reduction is not.
  4. Portfolio View: Aggregate expected annual loss across all identified risks to get the total risk exposure. This number is the business case for the entire risk management program. If total exposure is $2M annually and the risk management program costs $400K, the program justifies itself five times over.
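The four steps above carried through as a small risk-register model, as an added example that is not part of the module. It assumes that a qualitative probability band is turned into a point estimate by taking the band's midpoint and that an impact range ($200K-$500K) is likewise collapsed to its midpoint; the sample register is constructed from the module's own figures.

```python
from dataclasses import dataclass

# Probability bands from the module text, as (low, high) fractions per year.
PROBABILITY_BANDS = {
    "very low": (0.00, 0.05),
    "low": (0.05, 0.15),
    "moderate": (0.15, 0.40),
    "high": (0.40, 0.70),
    "very high": (0.70, 1.00),
}


def band_midpoint(band: str) -> float:
    """Turn a qualitative band into a point estimate (midpoint; an assumption)."""
    low, high = PROBABILITY_BANDS[band]
    return (low + high) / 2


@dataclass
class Risk:
    name: str
    impact_low: float    # direct + indirect + intangible cost, best case ($)
    impact_high: float   # same, worst case ($)
    probability: float   # annual probability of materializing (0..1)

    def expected_loss(self) -> float:
        """Expected annual loss = probability x impact (impact-range midpoint)."""
        return self.probability * (self.impact_low + self.impact_high) / 2


def mitigation_net_benefit(risk: Risk, new_probability: float, cost: float) -> float:
    """Reduction in expected annual loss minus what the mitigation costs.
    Positive means the spend is rational on a one-year horizon."""
    reduced = Risk(risk.name, risk.impact_low, risk.impact_high, new_probability)
    return (risk.expected_loss() - reduced.expected_loss()) - cost


def portfolio_exposure(risks: list[Risk]) -> float:
    """Total risk exposure: expected annual loss summed across the register."""
    return sum(r.expected_loss() for r in risks)


def program_ratio(risks: list[Risk], program_cost: float) -> float:
    """How many times over the exposure covers the risk program's cost."""
    return portfolio_exposure(risks) / program_cost


# Constructed sample register (not from the module), using the module's figures.
REGISTER = [
    Risk("Breach of AI-processed PII", 200_000, 500_000, band_midpoint("moderate")),
    Risk("Model outage delays product launch", 500_000, 500_000, 0.20),
]
```

Replacing the midpoint assumptions with a distribution (for example, a Monte Carlo draw over the impact and probability ranges) is the usual next step once the register is larger than a handful of entries.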