To follow up on metrics, Amrit pointed out in the comments that we can’t use totally imaginary numbers.

There’s some myth out there that assumes risk models can track directly to ROI models. I’ll save the full rant for later, but here’s a little math.

Back in science days we talk about significant digits. Basically, every number has a certain number of significant digits. 22.1 has 3, while 22.11 has 4 significant digits. When multiplying or whatever, you use the least number of significant digits in the result. Since one number has greater precision than the other, the result can’t be any more precise than the least precise number. (I’m a history major, work with me).

We like to multiply in risk assessments a lot, but most of those numbers are guesses. So here are my two formulae for risk management:

A number of no significant digits X another number of no significant digits = a number of no significants

To put it another way:

A guess X a guess = a wild-assed guess

Amrit’s right- fake numbers are bad if you treat them as numbers. The math just don’t work. When I suggest you use structured qualitative metrics I don’t mean you should treat them like they are anything other than imaginary numbers. They’re still valuable, but you’d better not drop them into some BS ROI formula.