AFERM EXPERTS SAY...

Risk is typically considered a function of probability/likelihood of an event occurring, and the impact/consequence of that impact if the event does occur.  The scoring of the risk is thus a function of the combination of those two factors.  This is often graphically displayed on a “heat map”, in which one axis is likelihood/probability and the other impact/consequence. The axes may be numbered (e.g., 1-5) or have descriptions (e.g., Rare, remote, moderate, likely, very likely for probability and insignificant, minor, significant, major, critical for impact).  The intersection of a specific risk’s likelihood and impact is its risk rating.  These ratings can be quantitative (often the product of the numbers associated with the impact and probability ratings) or qualitative (e.g., low, medium, high, critical).  There is no single accepted approach to how many levels are designated for probability, impact or risk rating.

Keep in mind that risk treatment is not always mitigation.  Mitigation literally means to reduce, and that term is generally used in risk management to mean reduction in the likelihood or impact of a risk, and thus the overall level of risk after treatment. However, other treatment options include accepting the risk as it is, avoiding the risk, or transferring the risk to another party.  In any event, the risk after treatment is scored in the same fashion as evaluation of the risk before treatment.  Depending on the nature of the risk, this may be very quantifiable with significant precision.  In other cases, the estimation of a risk before and after treatment may be very subjective.  In the latter case, it is often advisable to gather a number of subject matter experts to discuss the risk and seek to achieve consensus on the level of risk before and after treatment.  In all cases, the level of claimed reduction in a risk after treatment should be justified as well as practical.