2. Knowledge base
  3. Risk Management
  4. Step 2: How to Assess Risks

Step 2: How to Assess Risks

Last updated: 2024-12-11
See our solution:
Risk Management
Was this article helpful?
3 of total 3 found this helpful.

Risk Assessment: The Second Step in the Risk Management Process

In this step, you evaluate the risks. The input for the evaluation is a list of risks, which can range from 10 to 300. The output is an evaluation of all risks, allowing you to prioritize those that pose the greatest threat. These are the risks you cannot ignore and must address in some way.

How to Assess and Evaluate Risks

There are various methods to assess risk. However, the more complex the risk assessment and prioritization system, the more likely it is to discourage participation from your organization. Therefore, we recommend a simple approach that all managers can understand and accept. Risk management should help the organization prevent or prepare for risky or crisis situations, not just create a risk register for a select few.

The basic and recommended method of risk assessment involves evaluating the severity of the impact on the organization and the probability of the risk occurring.

Assessment of the Impact and Consequences of the Risk

  • Evaluate the overall seriousness of the impacts and the resulting problems for your company's operations.
  • Severe impacts can halt or paralyze key processes (e.g., power failure, death of a worker, destruction of a machine, destruction of a building, theft of funds).
  • Assess the severity of the impact on the functioning of the organization.

Evaluation of the Probability of Risk Occurrence

  • Evaluate the likelihood of a risky situation occurring.
  • Risks with a high probability must be treated as a priority.

Example: A meteorite falling on your business would have catastrophic consequences, but the probability is very low.

Assessment of the Severity of the Impact and the Consequences for Your Organization

Impact refers to the negative effects a risk would have on your organization if it occurred. These impacts can lead to financial losses, either through lost revenue (e.g., customer churn, reputational damage) or increased costs (e.g., legal fees, operational disruption, crisis management), or both. Another important factor is the timing of the impact. The most serious impacts are those with immediate effects. For example, the risk of an immediate production stoppage due to a fire, natural disaster, or cyber attack has a critical impact on a manufacturing firm as it directly threatens its existence.

Therefore, the impact of the risk must be assessed with regard to the operation of your organization and the financial consequences, such as the loss of funds, fines, loss of customers, or damage to reputation.

Here is the degree of impact, detailing the severity of the impact on your company's operations, using a commonly employed 4-level scale:

1. Low Impact

  • Description: The impact is minimal and typically doesn't disrupt normal operations. Any negative effects are easily managed, and the organization can absorb them without significant cost or long-term consequences. The effects are often imperceptible or negligible, posing little risk to the business's overall performance.
  • The financial consequences are manageable at a normal operating level
  • Example: A minor equipment malfunction that is quickly fixed without affecting production or service delivery.

2. Medium Impact

  • Description: The impact is noticeable and may cause temporary disruptions or require some corrective action. While not immediately threatening the organization’s viability, it may result in increased costs, delays, or moderate inconvenience. Recovery may require time or resources, but the business can continue operations with minimal long-term effects.
  • Example: A short-term supply chain disruption that delays delivery schedules but does not significantly affect customer relationships or revenue.

3. High Impact

  • Description: The impact is severe enough to cause significant disruptions, financial loss, or reputational damage. Recovery may require substantial effort, and while the organization can likely recover, it may face lasting consequences such as a decline in customer trust, market share, or financial stability. Immediate attention is required to mitigate further damage.
  • Example: A major IT failure that causes prolonged downtime, affecting customer orders and service delivery, leading to customer dissatisfaction and potential loss of sales.

4. Critical Impact

  • Description: The impact is catastrophic and directly threatens the existence of the organization. It causes significant financial loss, irreversible damage to reputation, or regulatory consequences that could result in closure or bankruptcy. Immediate and extensive action is required to mitigate the impact, but in many cases, the organization may struggle to survive or recover.
  • Example: A major data breach exposing sensitive customer information, resulting in a loss of customer trust, legal action, and a substantial financial penalty, putting the business at risk of failure.

How to Enter an Impact into the Risk Register

  1. Open the risk register.
  2. Select a specific risk from the list.
  3. Open the Details tab.
  4. Select the Risk Impact field.
  5. Enter a value based on the impact rate from your analysis or discretion.
how to assess risk impact

Evaluation of the Probability of Risk Occurrence

The probability of a risk indicates how likely it is to happen.

  • Probability can be calculated using statistical methods if you have relevant data (historical data or industry statistics).
  • In many cases, it is necessary to estimate the probability (expert estimate).

Low Probability of Risk:

  • It is unlikely that the risk will occur within 5 years.

Medium Probability:

  • It is possible that the risk will occur once within a 1 to 5-year horizon.

High Probability:

  • It is highly probable that the risk will occur within a 1 month to 1-year horizon.

Bordering on Certainty:

  • It is almost certain that the risk will occur within a month.

How to enter a probability into the risk register

  1. Open the risk register
  2. Select a specific risk from the list
  3. Open the details tab
  4. Select the "Risk Probability" field
  5. Enter the value according to the degree of probability according to your analysis or discretion
how to assess and enter risk probability

Tip: During the analysis, you will discover new additional risks

  • Risk assessment is often intertwined with the previous point, i.e. creating a list of risks
  • During the assessment, you can find (identify) new risks that you hadn't thought of before.
  • In this case, add the new risks to the list of risks.

This is followed by Risk Prioritization

Recommended to know
Where to go next