There’s No Such Thing as Business Impact, Only Loss
- Matt Kent
- Nov 5
- 5 min read

Framing the Problem
If there’s one aspect of risk assessment that’s the most misunderstood, least defined, and most misaligned, it’s the subject of business impact.
Risk assessment methodologies are partly to blame. Three-letter acronyms like BIA - the good old Business Impact Analysis - have convinced many of us that impact is what really matters. But stop and think about it for a second. When we talk about impact, we're really just describing the ripple effects of a breach - the disruption, the downtime, the mess we have to clean up afterwards. Impact comes and goes.
Loss is different. Loss sticks. It’s what the business actually feels when things don’t bounce back - the money that’s gone, the customers who don’t return, the time you can’t get back, the trust that takes years to rebuild.
And that’s the issue. Security teams spend a lot of time talking about impact, but the business only really hears loss. Impact sounds like a report. Loss sounds like reality.
So the first lesson here is simple: stop talking about impact - start talking about loss. One fades; the other leaves a mark.
The Fear of Talking About Loss
Why don't we talk about loss more openly? Because it's uncomfortable. We worry about sounding alarmist. We worry about the reaction we'll get when we use words like loss or catastrophic. There's a psychology at play here - a bias towards optimism. Leaders would rather talk about gain than loss. And as security professionals, we subconsciously comply with that bias to keep the conversation upbeat.
But here's the truth: loss is negative - and that's okay. Acknowledging potential loss is not fearmongering. It's realism.
The problem is that most practitioners aren’t very good at framing loss. They use vague terms, dramatic adjectives, and generalised assumptions. That’s when security starts to lose credibility.
Lesson Two: Qualify It - Don’t Exaggerate It
Being vague about loss doesn’t work. If you tell a stakeholder that a breach could have a catastrophic impact, they’ll quietly roll their eyes. Why? Because it sounds like theatre, not analysis.
Instead, you have to qualify loss - with logic, evidence, and context. And that brings us to the hardest part: quantifying it.
Lesson Three: How to Quantify Loss (and Actually Mean It)
Let’s take a realistic example.
Imagine your organisation relies on a customer booking app - a digital platform that manages around 400 appointments a day. Each appointment generates an average of £4,000 in revenue.
If that app goes down for two days due to a cyber incident, you're looking at roughly £3.2 million of revenue disrupted (400 appointments × £4,000 × 2 days). That headline figure is impact, not loss: most of those bookings will simply be rescheduled once the app is back.
Now, will every one of those customers disappear forever? No. But what does your data say about retention? If you know that 20% of disrupted customers don't rebook, that's a genuine, evidenced loss of around £640,000 (800 disrupted appointments × 20% × £4,000).
That’s not fearmongering. That’s a qualified, real-world estimate based on data and collaboration.
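To make that arithmetic reusable rather than a one-off, here is an added example in Python. It is not code from the article or from GRC-X. It separates the two numbers above (revenue disrupted while the app is down, and revenue that never returns), gives a low/base/high range across the evidenced churn figures instead of a single point, and renders the result in business language. The first scenario uses the article's own figures and reproduces the £3.2 million and £640,000; the contractual-penalty and recovery-cost inputs in the second scenario are constructed assumptions the article does not give.

```python
"""Loss-scenario model for an outage of a revenue-generating service.

Added example, not code from the article or from GRC-X. It separates revenue
*disrupted* while the service is down (impact, mostly deferred) from revenue
that *never comes back* (loss), and carries second-order items such as
contractual penalties and recovery cost. All figures below are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class OutageScenario:
    service: str
    appointments_per_day: float
    revenue_per_appointment: float   # GBP per appointment
    outage_days: float
    churn_rate: float                # share of disrupted customers who never rebook (evidenced by sales/ops data)
    penalty_per_day: float = 0.0     # assumed input: contractual/SLA penalties, from finance or legal
    recovery_cost: float = 0.0       # assumed input: incident response, overtime, forensics


@dataclass(frozen=True)
class LossEstimate:
    disrupted_appointments: float
    revenue_at_risk: float    # impact: disrupted while down, largely rescheduled
    attrition_loss: float     # loss: revenue from customers who do not return
    penalties: float          # loss: contractual penalties for the outage
    recovery_cost: float      # loss: cost of the clean-up

    @property
    def total_loss(self) -> float:
        """What the business keeps feeling after the service is back."""
        return self.attrition_loss + self.penalties + self.recovery_cost


def estimate_loss(s: OutageScenario) -> LossEstimate:
    """First-order impact plus the evidenced second-order losses."""
    if not 0.0 <= s.churn_rate <= 1.0:
        raise ValueError("churn_rate must be a fraction between 0 and 1")
    if min(s.appointments_per_day, s.revenue_per_appointment, s.outage_days) < 0:
        raise ValueError("volumes, prices and durations cannot be negative")
    disrupted = s.appointments_per_day * s.outage_days
    at_risk = disrupted * s.revenue_per_appointment
    return LossEstimate(
        disrupted_appointments=disrupted,
        revenue_at_risk=at_risk,
        attrition_loss=at_risk * s.churn_rate,
        penalties=s.penalty_per_day * s.outage_days,
        recovery_cost=s.recovery_cost,
    )


def loss_range(base: OutageScenario, churn_low: float, churn_high: float) -> tuple[float, float, float]:
    """Low / base / high total loss across the evidenced churn range.

    An interval keeps the number honest when the retention data is itself
    a range, instead of quietly picking the scariest point."""
    lo = estimate_loss(replace(base, churn_rate=churn_low)).total_loss
    hi = estimate_loss(replace(base, churn_rate=churn_high)).total_loss
    return lo, estimate_loss(base).total_loss, hi


def business_statement(s: OutageScenario, est: LossEstimate) -> str:
    """The same numbers in the currency stakeholders understand:
    days down, customers affected, revenue disrupted, revenue lost."""
    return (
        f"A {s.outage_days:g}-day outage of the {s.service} disrupts "
        f"{est.disrupted_appointments:,.0f} appointments and £{est.revenue_at_risk:,.0f} "
        f"of revenue (impact). On evidenced churn of {s.churn_rate:.0%}, "
        f"£{est.attrition_loss:,.0f} of that never returns; with penalties and "
        f"recovery, the loss is £{est.total_loss:,.0f}."
    )


# The article's figures: 400 appointments/day at £4,000, two days down,
# 20% of disrupted customers do not rebook. No penalties or recovery cost.
ARTICLE_SCENARIO = OutageScenario(
    service="customer booking app",
    appointments_per_day=400,
    revenue_per_appointment=4_000,
    outage_days=2,
    churn_rate=0.20,
)

# Constructed extension (not from the article): the same outage with an
# assumed £25,000/day contractual penalty and £80,000 of recovery cost.
WITH_PENALTIES = replace(ARTICLE_SCENARIO, penalty_per_day=25_000, recovery_cost=80_000)

if __name__ == "__main__":
    est = estimate_loss(ARTICLE_SCENARIO)
    print(business_statement(ARTICLE_SCENARIO, est))
    print("loss range at 10%-30% churn:", loss_range(ARTICLE_SCENARIO, 0.10, 0.30))
    print(business_statement(WITH_PENALTIES, estimate_loss(WITH_PENALTIES)))
```

The churn rate, penalty and recovery inputs are exactly the numbers security cannot supply on its own; the model is only as credible as the operations, sales and finance data fed into it.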
And that’s lesson number four: you can’t calculate credible loss without collaboration. Security alone can’t do it. You need input from operations, sales, finance - the people who know the numbers.
Shifting the Lens: From Impact to Loss
Most “business impact assessments” focus on the wrong end of the stick. They look at theoretical consequences instead of tangible outcomes.
If shifting from impact to loss is the first paradigm shift, the second is learning to think like the business, not like security.
The business doesn’t care about abstract impacts. It cares about measurable loss, recovery time, and reputation.
So with that in mind, here are 10 clear reasons - and the lessons that go with them - you should consider when assessing business impact (or rather, business loss).
10 Reasons (If You’re Truthful) Why You Get Business Impact Wrong
1. You’re lost in psychobabble about control failure, not business consequence.
The gap: Security impact statements often describe the failure of a system, not what that failure means for operations, customers, or revenue.
The antidote: Always trace the consequence, not just the cause. Describe what happens to the business - not the control.
2. You’re guessing.
The gap: “High, medium, low” ratings mean nothing without evidence. They’re placeholders for insight we didn’t gather.
The antidote: Anchor your loss scenarios to measurable variables - downtime cost, lost sales, customer churn - and evidence them with data.
3. You’re simply not asking.
The gap: Too many practitioners guess at loss without truly understanding how the business makes money, produces, or measures time. We rarely step outside the security bubble to find out what really drives value - and asking takes courage.
The antidote: Learn how to ask skilled, disruptive, consequence-based questions - and do it properly through end-stakeholder interviews. Ask the business how it measures success, where money is made, and what delays or disruptions truly cost. Then build your assessment around those realities. That’s how you turn vague risk statements into credible business insight.
4. You’re calculating loss in a dark room.
The gap: Security teams often build impact assessments alone, detached from those who know the real numbers.
The antidote: Bring managers, operations, finance, and delivery leads into the room. Collaborative data is credible data. Do it properly through end-stakeholder interviews and watch your credibility rise.
5. You’re stopping at first-order effects.
The gap: Most assessments stop at immediate losses - the outage, the downtime, the missed transaction.
The antidote: Map the second- and third-order consequences - customer attrition, contractual penalties, and reputation erosion. This is where the true cost lies.
6. You’re ignoring strategic priorities.
The gap: Practitioners often don’t know what the business is trying to achieve.
The antidote: Take time to understand business goals and tie every loss estimate to them - growth, trust, market share, or continuity. If it doesn’t connect to strategy, it won’t resonate.
7. You’re speaking a foreign language - Securityish, an ancient hieroglyphic artform from 1990.
The gap: Practitioners default to jargon, frameworks, and acronyms that mean little to the business.
The antidote: Translate risk into business language - hours lost, customers affected, profit at risk. Speak in the currency that business stakeholders understand.
8. Your fear is in the way.
The gap: Too many practitioners actually fear bringing bad news to the business. They soften language, avoid difficult truths, and downplay potential loss to avoid uncomfortable reactions.
The antidote: Harness that fear - you’re doing the business a favour. Framing loss honestly isn’t alarmist, it’s responsible. Deliver difficult messages with confidence, clarity, and purpose - because leadership can only act on what it knows.
9. You’re ignoring bias.
The gap: Stakeholders often interpret loss based on what they want to hear - confirmation bias in its purest form.
The antidote: Challenge bias when you see it. When someone says “it’s never happened to us before,” that’s your cue to bring them back to reality. Educate leaders when they’re showing risky, ill-founded optimism.
10. You’re stopping short of the trade-off.
The gap: Practitioners still think it’s not their job to make the case for added security.
The antidote: Make the trade-off explicit: What are we willing to lose, and what are we willing to spend to prevent it? This is the real value of risk communication.
Final Thoughts
If business risk defines security's purpose, then loss defines its relevance. The more clearly we can articulate loss - and ground it in business reality - the more seriously we'll be taken at the table.
Security’s job isn’t to predict every impact. It’s to help the business see the true cost of loss before it happens - and make better choices as a result.
Join the Conversation
Learn how to align security to business risk and transform how your organisation communicates risk and loss.
Our next Next Generation Security Practitioner International Open Programme begins on 2 December 2025.
Author: Matt Kent is Director of Learning & Development at GRC-X, and formerly with the Information Security Forum. With a track record in pioneering GRC training and professional development, he regularly contributes as a thought leader, international congress speaker, and panelist on the future of security leadership.