Develop the Ratings table/index
The ratings table consists of three columns: a Severity Rating, an Occurrence Rating, and a Detectability Rating.
Each column typically uses a scale of 1 to 5, 1 to 7, or 1 to 10, depending on the level of granularity your organization needs.
Anyone who has done a real BIA (business impact analysis) will get the Severity section almost immediately.
In short, the trick is to tie each escalating level of severity to a specific set of business impacts, for example:
Brand/Reputation - TJX, Hannaford ... what else needs to be said
Direct Financial Loss - Fraud, Equipment Damage, Theft, Embezzlement, Lost Sales ...
Indirect Financial Loss - Cost of Data Recreation, Lost FTE time, Lost Future Sales, Project Delays
Legal Liability - often part of direct and indirect loss, but also includes Legal Costs, Fines, Cost of Increased Regulatory Oversight ...
Compliance - The costs associated with failed compliance
Many more ... when you develop the ranking table, do it with the business leads and let them define their concerns.
Occurrence and Detection: continued later.
I will stress this one more time: this is not a risk assessment, it is a risk priority ranking. The risk gurus will get the distinction right away, but if you don't get it and you are doing this anyway, you will eventually run into the all-powerful cost justification argument. It is powerful when dealing with audit and those pesky internal budget decisions.
Because it focuses primarily on priority, it is faster, easier and more agile. Think 10 meetings instead of 100, with 20 people instead of 200 (obviously adjust those numbers for company size).
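To show how the three columns combine into a ranking, here is an added Python example; it is not code from the original post. It assumes a 1-10 scale for every column, attaches a constructed severity floor to each of the business-impact categories listed above (in practice the business leads set those values), treats a higher Detectability rating as "harder to detect", and scores each finding with the FMEA-style product severity * occurrence * detectability, a choice the post does not spell out. The sample findings are constructed for the walk-through.

```python
"""Risk priority ranking table: added example, not code from the original post.

Assumptions not stated on the page: all three columns use a 1-10 scale, the
severity level is derived from the worst business-impact category the
business leads attach to a finding, and the priority score is the
FMEA-style product severity * occurrence * detectability (highest ranks first).
"""
from dataclasses import dataclass

SCALE_MAX = 10  # the post allows 1-5, 1-7 or 1-10; 1-10 is assumed here

# Business-impact categories from the post. The severity floor attached to
# each category is a constructed value for this example; in practice the
# business leads define these during the ranking-table workshop.
IMPACT_SEVERITY_FLOOR = {
    "indirect_financial": 3,  # data recreation, lost FTE time, project delays
    "direct_financial": 5,    # fraud, theft, equipment damage, lost sales
    "compliance": 6,          # costs of failed compliance
    "legal_liability": 7,     # legal costs, fines, regulatory oversight
    "brand_reputation": 9,    # public breach headlines
}


def check_rating(value, name):
    """Reject ratings outside the agreed scale so a typo cannot skew the ranking."""
    if not isinstance(value, int) or not 1 <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer from 1 to {SCALE_MAX}, got {value!r}")
    return value


def severity_rating(impacts):
    """Severity is the highest floor among the impacts named; no impact means 1."""
    unknown = set(impacts) - set(IMPACT_SEVERITY_FLOOR)
    if unknown:
        raise ValueError(f"unknown impact categories: {sorted(unknown)}")
    return max((IMPACT_SEVERITY_FLOOR[i] for i in impacts), default=1)


@dataclass(frozen=True)
class Finding:
    name: str
    impacts: tuple      # business-impact categories the leads attached
    occurrence: int     # 1 = rare ... 10 = almost certain (assumed direction)
    detectability: int  # 1 = caught immediately ... 10 = would go unnoticed (assumed)

    def priority(self):
        s = severity_rating(self.impacts)
        o = check_rating(self.occurrence, "occurrence")
        d = check_rating(self.detectability, "detectability")
        return s * o * d


def rank(findings):
    """Return (name, priority) pairs, highest priority first; ties broken by severity."""
    scored = [(f.name, f.priority(), severity_rating(f.impacts)) for f in findings]
    scored.sort(key=lambda t: (t[1], t[2]), reverse=True)
    return [(name, score) for name, score, _ in scored]


# Constructed sample findings for the walk-through.
SAMPLE = [
    Finding("Unpatched internet-facing web server", ("direct_financial", "brand_reputation"), 7, 4),
    Finding("Stale backup job on file server", ("indirect_financial",), 5, 8),
    Finding("Missing audit log retention", ("compliance",), 9, 9),
    Finding("Shared admin password on lab switch", ("direct_financial",), 3, 6),
]

if __name__ == "__main__":
    for name, score in rank(SAMPLE):
        print(f"{score:4d}  {name}")
```

Running the module prints the four sample findings from highest to lowest priority score. The point of the example is the shape of the table, not the particular numbers: the severity floors and the scale are exactly what the workshop with the business leads is meant to produce, and the validation in check_rating is there so a rating entered outside the agreed scale is caught rather than silently distorting the ranking.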