Risk scoring is where many risk management programs go wrong. Inconsistent application, vague definitions, and subjective interpretation turn what should be a prioritization tool into meaningless numbers. This guide shows you how to score likelihood and impact consistently, with practical examples you can apply immediately.
What Likelihood Really Means
Likelihood is the probability that a risk event will occur within a defined time period (typically one year). It's not about whether something could happen—almost anything could happen—it's about how probable occurrence actually is.
Factors That Influence Likelihood
- Historical frequency: How often has this happened before?
- Industry benchmarks: How often does this happen in similar organizations?
- Control environment: What controls reduce probability?
- External factors: Are conditions changing that affect probability?
- Expert judgment: What do subject matter experts believe?
Standard 5-Point Likelihood Scale
| Rating | Label | Description | Probability |
|---|---|---|---|
| 1 | Rare | May occur only in exceptional circumstances | < 5% |
| 2 | Unlikely | Could occur but not expected | 5-20% |
| 3 | Possible | Might occur at some point | 20-50% |
| 4 | Likely | Will probably occur | 50-80% |
| 5 | Almost Certain | Expected to occur | > 80% |
What Impact Really Means
Impact is the consequence or effect on the organization if the risk event occurs. Unlike likelihood, impact should be assessed across multiple dimensions—a risk might have moderate financial impact but severe reputational impact.
Common Impact Dimensions
- Financial: Direct costs, revenue loss, fines
- Operational: Service disruption, productivity loss
- Reputational: Brand damage, customer trust, media coverage
- Regulatory: Compliance violations, license risks
- Safety: Employee or public harm (critical in some industries)
Standard 5-Point Impact Scale
| Rating | Label | Financial Example | Operational Example |
|---|---|---|---|
| 1 | Negligible | < $10K | Minor inconvenience, no disruption |
| 2 | Minor | $10K - $100K | Brief disruption, easily recovered |
| 3 | Moderate | $100K - $1M | Significant disruption, days to recover |
| 4 | Major | $1M - $10M | Extended disruption, weeks to recover |
| 5 | Catastrophic | > $10M | Critical failure, months to recover |
Calibrate to Your Organization
These thresholds are examples. A $1M impact is "Major" for a $50M company but "Minor" for a $5B enterprise. Calibrate scales to your organization's risk appetite and materiality thresholds.
3×3 vs 5×5 Matrices
3×3 Matrix
Best for: Smaller organizations, rapid assessments, early-stage risk programs
- Simple to understand and apply
- Less debate about borderline scores
- Fewer categories to define
- May lack granularity for complex portfolios
5×5 Matrix
Best for: Larger organizations, mature risk programs, regulatory environments
- More granularity for prioritization
- Better differentiation between risks
- Aligns with many industry standards
- Requires more precise definitions to avoid confusion
The Math Difference
A 5×5 matrix produces scores from 1-25, creating distinct risk bands:
- Critical: 20-25
- High: 12-19
- Medium: 6-11
- Low: 1-5
A 3×3 matrix produces scores from 1-9, with less differentiation between risk levels.
Scoring Examples
Cybersecurity: Ransomware Attack
Risk: Ransomware encrypts critical systems, halting operations
Likelihood: 3 (Possible) — Industry sees frequent attacks; organization has security controls but isn't immune
Impact: 4 (Major) — Week+ of disruption, $2-5M recovery costs, customer trust damage
Risk Score: 12 (High)
Operational: Key Supplier Failure
Risk: Primary supplier becomes unable to deliver critical components
Likelihood: 2 (Unlikely) — Supplier is financially stable; minor disruptions possible
Impact: 4 (Major) — Production halt for 4-6 weeks, customer order delays
Risk Score: 8 (Medium)
Compliance: Data Privacy Breach
Risk: Customer data exposed due to security failure
Likelihood: 3 (Possible) — Multiple data sources, some legacy systems
Impact: 5 (Catastrophic) — Regulatory fines, class action risk, severe reputation damage
Risk Score: 15 (High)
Common Scoring Pitfalls
1. Anchoring Bias
Assessors are influenced by initial information or previous scores. If last year's score was "3," there's psychological pressure to score similarly.
Solution: Assess each risk fresh, based on current conditions, not historical scores.
2. Central Tendency
Assessors avoid extreme scores (1s and 5s), clustering everything in the middle. This destroys the prioritization value of scoring.
Solution: Challenge scores of 3. Ask: "Why not 2 or 4?" Force deliberate choices.
3. Optimism Bias
"It won't happen to us" leads to systematically understated likelihood scores.
Solution: Use external benchmarks and historical data. Reference industry incident rates.
4. Impact Confusion
Mixing up impact to the organization versus impact to a specific project or department.
Solution: Always score impact at the enterprise level. What's the total consequence to the organization?
5. Inconsistent Interpretation
Different assessors interpret the same scale differently, making scores incomparable.
Solution: Detailed scale definitions with examples. Training on consistent application. Calibration exercises.
Governance Considerations
Who Should Score Risks?
Risk owners should provide initial scores, but independent challenge is essential:
- First line: Business units score their own risks (they know the details)
- Second line: Risk function challenges and calibrates (ensures consistency)
- Third line: Internal audit validates methodology and application
When Should Scores Be Updated?
- Scheduled reviews (monthly for high risks, quarterly for medium)
- After significant events or near-misses
- When controls change
- When external conditions shift materially
Documentation Requirements
For audit and governance purposes, document:
- Rationale for each score (not just the number)
- Evidence or data sources used
- Date of assessment and assessor
- Any calibration or challenge applied
Summary
- Likelihood is probability of occurrence; impact is consequence if it occurs
- Define clear, organization-specific scales with examples
- 5×5 matrices offer more granularity; 3×3 offers simplicity
- Watch for biases: anchoring, central tendency, optimism
- Implement governance: first-line scoring, second-line challenge, third-line validation
Frequently Asked Questions
What is risk likelihood?
Risk likelihood is the probability that a risk event will occur within a defined time period. It's typically rated on a scale from 1 (Rare) to 5 (Almost Certain) based on historical data, expert judgment, and environmental factors.
What is risk impact?
Risk impact is the consequence or effect on the organization if the risk event occurs. It's typically rated across multiple dimensions including financial, operational, reputational, and regulatory impacts.
Should I use a 3x3 or 5x5 risk matrix?
A 5x5 matrix provides more granularity for prioritization but requires more precise definitions. A 3x3 matrix is simpler and works well for smaller organizations or rapid assessments. Choose based on your organization's maturity and needs.
How do I calculate the risk score?
The most common formula is: Risk Score = Likelihood × Impact. On a 5x5 scale, this produces scores from 1-25, which can be banded into Low, Medium, High, and Critical categories.
How often should risk scores be updated?
Critical and high risks should be reviewed monthly. Medium risks quarterly, and low risks annually. Additionally, update scores whenever significant changes occur—new controls, incidents, or external shifts.
Should impact consider multiple dimensions?
Yes. A risk might have low financial impact but high reputational or regulatory impact. Best practice is to assess impact across all relevant dimensions and use the highest as the overall impact score.