Step 2: How to Assess Risks

Last updated: 2025-08-19

Risk Assessment: The Second Step in the Risk Management Process

In this step, you evaluate and score your risks. Start with a list of all identified risks — usually between 10 and 100 items for a small or mid-sized U.S. business. The goal is to determine each risk’s likelihood and potential impact so you can prioritize them. Address the highest-priority risks first — the ones that could do the most damage to your operations, finances, reputation, or customers. You can manage these risks by reducing them (mitigation), shifting them (insurance/transfer), accepting them, or avoiding them altogether.

How to Assess and Evaluate Risks

There are simple, practical ways to assess risk. Avoid complex scoring systems that discourage use. Pick an easy method managers and staff can understand and apply. The purpose is to help your small or medium business prevent or prepare for problems, not to create a register only a few people use.

A practical approach is to evaluate two things for each risk: how severe the impact would be on the business and how likely the risk is to occur.

1. Assess the Impact and Consequences of the Risk

  • Estimate how serious the consequences would be for daily operations, revenue, customers, employees, and reputation.
  • Severe impacts can stop or severely disrupt critical activities (for example: extended power outage, workplace injury or fatality, loss of key equipment, major property damage, or significant theft or fraud).
  • Consider both immediate effects and downstream consequences when judging how severe an impact would be.

2. Evaluate the Probability of Risk Occurrence

  • Estimate how likely the event or situation is to occur based on your past experience, industry benchmarks, and the controls you already have in place.
  • Risks that are both likely and have serious impact should be prioritized for action, such as mitigation plans, insurance, or contingency procedures.

Example: A meteorite hitting your business would be catastrophic but extremely unlikely — so it’s a lower priority than more probable threats like a cyber breach, data loss, or a facility fire.

How to Assess the Severity of the Impact and the Consequences for Your Organization

Impact refers to the negative effects a risk would have on your organization if it occurred. These impacts can lead to financial losses, either through lost revenue (e.g., customer churn, reputational damage) or increased costs (e.g., legal fees, operational disruption, crisis management), or both. Another important factor is the timing of the impact. The most serious impacts are those with immediate effects. For example, the risk of an immediate production stoppage due to a fire, natural disaster, or cyber attack has a critical impact on a manufacturing firm as it directly threatens its existence.

Therefore, the impact of the risk must be assessed with regard to the operation of your organization and the financial consequences, such as the loss of funds, fines, loss of customers, or damage to reputation.

The degree of impact describes how severely a risk would affect your company's operations. A commonly employed 4-level scale is:

1. Low Impact

  • Description: The impact is minimal and typically doesn't disrupt normal operations. Any negative effects are easily managed, and the organization can absorb them without significant cost or long-term consequences. The effects are often imperceptible or negligible, posing little risk to the business's overall performance.
  • The financial consequences are manageable at a normal operating level.
  • Example: A minor equipment malfunction that is quickly fixed without affecting production or service delivery.

2. Medium Impact

  • Description: The impact is noticeable and may cause temporary disruptions or require some corrective action. While not immediately threatening the organization’s viability, it may result in increased costs, delays, or moderate inconvenience. Recovery may require time or resources, but the business can continue operations with minimal long-term effects.
  • Example: A short-term supply chain disruption that delays delivery schedules but does not significantly affect customer relationships or revenue.

3. High Impact

  • Description: The impact is severe enough to cause significant disruptions, financial loss, or reputational damage. Recovery may require substantial effort, and while the organization can likely recover, it may face lasting consequences such as a decline in customer trust, market share, or financial stability. Immediate attention is required to mitigate further damage.
  • Example: A major IT failure that causes prolonged downtime, affecting customer orders and service delivery, leading to customer dissatisfaction and potential loss of sales.

4. Critical Impact

  • Description: The impact is catastrophic and directly threatens the existence of the organization. It causes significant financial loss, irreversible damage to reputation, or regulatory consequences that could result in closure or bankruptcy. Immediate and extensive action is required to mitigate the impact, but in many cases, the organization may struggle to survive or recover.
  • Example: A major data breach exposing sensitive customer information, resulting in a loss of customer trust, legal action, and a substantial financial penalty, putting the business at risk of failure.

How to Enter an Impact into the Risk Register

  1. Open your company’s risk register (spreadsheet or software).
  2. Select the specific risk you want to update from the list.
  3. Open the Details tab or edit view for that risk.
  4. Locate the Risk Impact or Impact Severity field.
  5. Enter the impact value using your assessment—for example Low, Medium, High, or a numeric score from your risk matrix—based on your analysis or management judgment.

How to Evaluate the Probability of Risk Occurrence

  • Risk probability describes how likely a risk event is to happen within a given timeframe.
  • When you have historical data or industry benchmarks, estimate probability using simple statistical methods (frequency, rates, or trend analysis).
  • If data is limited, rely on structured input from subject-matter experts or experienced staff — use consensus estimates or scoring to reduce bias.

1. Low Probability

  • Unlikely to occur within the next 5 years.

2. Medium Probability

  • Possible. Could occur about once over a 1–5 year period.

3. High Probability

  • Likely. Expected to occur within 1 month to 1 year.

4. Almost Certain

  • Very likely to occur within 1 month.
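To show how the two scales above combine into a priority ranking, here is an added example (not part of this article or any product it describes). It maps an expected recurrence interval onto the four probability bands defined above, scores each risk as impact × probability on a 1–16 scale, and sorts a constructed register. The numeric values, the multiplication, and the priority cut-offs are assumptions of the example.

```python
from dataclasses import dataclass
# The two 4-level scales from this article. Scoring them 1-4 and multiplying
# (a classic risk matrix) is an assumption of this example, not the article's.
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
PROBABILITY = {"Low": 1, "Medium": 2, "High": 3, "Almost Certain": 4}

def probability_from_interval(expected_every_days: float) -> str:
    """Map an expected recurrence interval (in days) onto the timeframe bands."""
    if expected_every_days <= 30:
        return "Almost Certain"       # expected within 1 month
    if expected_every_days <= 365:
        return "High"                 # 1 month to 1 year
    if expected_every_days <= 5 * 365:
        return "Medium"               # about once in 1-5 years
    return "Low"                      # not expected within 5 years

@dataclass
class Risk:
    name: str
    impact: str        # one of IMPACT
    probability: str   # one of PROBABILITY

    def score(self) -> int:
        """Impact x probability on a 1-16 scale; rejects ratings off the scales."""
        if self.impact not in IMPACT or self.probability not in PROBABILITY:
            raise ValueError(f"{self.name}: rating outside the 4-level scales")
        return IMPACT[self.impact] * PROBABILITY[self.probability]

def priority_band(score: int) -> str:
    """Thresholds on the 1-16 product; the cut-offs are this example's assumption."""
    if score >= 12:
        return "Address first"
    if score >= 6:
        return "Plan mitigation or transfer"
    return "Monitor or accept"

def prioritize(register):
    """Return (name, score, band) tuples, highest-priority first (ties by name)."""
    rows = [(r.name, r.score(), priority_band(r.score())) for r in register]
    return sorted(rows, key=lambda row: (-row[1], row[0]))

# Constructed sample register built from the article's own examples.
REGISTER = [
    Risk("Meteorite strike", "Critical", probability_from_interval(10_000_000)),
    Risk("Cyber breach exposing customer data", "Critical", probability_from_interval(300)),
    Risk("Facility fire", "High", probability_from_interval(1_500)),
    Risk("Minor equipment malfunction", "Low", probability_from_interval(20)),
]
```

Calling `prioritize(REGISTER)` ranks the cyber breach first (Critical × High = 12), the facility fire next (High × Medium = 6), and leaves the catastrophic-but-improbable meteorite in the lowest band alongside the frequent-but-trivial equipment fault.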

How to Enter a Probability Into the Risk Register

  1. Open the risk register.
  2. Select the risk you want to update from the list.
  3. Open the Details tab for that risk.
  4. Click or tap the "Risk Probability" field.
  5. Enter the probability based on your assessment (for example, a percent chance or a standard rating like Low / Medium / High). Use the best available data and your professional judgment when estimating.

Tip: You May Identify Additional Risks During Assessment

  • Risk assessment often overlaps with making your initial risk list.
  • While evaluating risks, you may discover new risks you hadn’t considered.
  • If you find new risks, add them to your risk register or list.

The next step is Risk Prioritization.