What is Risk? The Two Key Ingredients
In project management and system analysis, risk isn't just about what might go wrong. It's a calculated measurement based on two simple factors:
Risk = Likelihood × Impact (Severity)
1. Likelihood (Probability)
This answers the question: "How likely is this event to happen?" We rate this on a scale to quantify the probability.
2. Impact (Severity)
This answers the question: "If it does happen, how bad will the consequences be?" This measures the severity of the outcome.
The 1-to-5 Rating Scales
To make this practical, we use a simple 1-to-5 scale for both likelihood and impact. This consistency makes it easy to compare different types of risks.
Likelihood Scale
- 5 Almost Certain: Expected to occur in most circumstances.
- 4 Likely: Will probably occur in most circumstances.
- 3 Possible: Might occur at some time.
- 2 Unlikely: Could occur at some time.
- 1 Rare: May only occur in exceptional circumstances.
Impact (Severity) Scale
- 5 Catastrophic: Threatens the success of the project or survival of the business; major financial loss; reputational ruin.
- 4 Major: Causes major damage to cost, schedule, or quality; significant financial loss.
- 3 Moderate: Causes noticeable damage; requires significant effort to fix; moderate financial impact.
- 2 Minor: Causes minor issues; can be managed with normal effort; low financial impact.
- 1 Insignificant: Little to no impact on the project or system; negligible financial impact.
Putting It Together: The Risk Matrix
By multiplying the Likelihood score by the Impact score, we get a final Risk Score. We can visualize all possible scores on a Risk Matrix. This matrix helps us instantly see which risks demand our immediate attention.
Rows are Likelihood, columns are Impact (Severity); each cell is Likelihood × Impact.

Likelihood \ Impact (Severity) | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic
---|---|---|---|---|---
5 Almost Certain | 5 | 10 | 15 | 20 | 25
4 Likely | 4 | 8 | 12 | 16 | 20
3 Possible | 3 | 6 | 9 | 12 | 15
2 Unlikely | 2 | 4 | 6 | 8 | 10
1 Rare | 1 | 2 | 3 | 4 | 5
Examples in Practice
Example 1: Server Hardware Failure
Scenario: A critical production server is five years old and out of warranty.
Likelihood: 3 (Possible) - Older hardware has a reasonable chance of failing.
Impact/Severity: 5 (Catastrophic) - If it fails, the entire application goes down, causing massive business disruption.
Risk Score: 3 × 5 = 15 (Extreme)
Example 2: Key Developer Leaves Project
Scenario: The lead developer, who holds most of the project knowledge, seems disengaged.
Likelihood: 4 (Likely) - The signs point towards a high probability of them leaving.
Impact/Severity: 4 (Major) - Their departure would significantly delay the project timeline.
Risk Score: 4 × 4 = 16 (Extreme)
Example 3: Minor UI Bug Reported
Scenario: A user reports a typo on a rarely visited "About Us" page.
Likelihood: 5 (Almost Certain) - The bug is confirmed and exists for all users.
Impact/Severity: 1 (Insignificant) - It has no effect on functionality and is purely cosmetic.
Risk Score: 5 × 1 = 5 (Medium)
Example 4: Cybersecurity Data Breach
Scenario: The company database stores sensitive customer data but hasn't had a security audit in two years.
Likelihood: 3 (Possible) - Without regular audits, vulnerabilities may exist that could be exploited.
Impact/Severity: 5 (Catastrophic) - A data breach would lead to huge fines, loss of customer trust, and brand ruin.
Risk Score: 3 × 5 = 15 (Extreme)
Example 5: Supply Chain Disruption
Scenario: A manufacturing company relies on a single supplier for a critical component, and that supplier is in a geopolitically unstable region.
Likelihood: 4 (Likely) - Given the instability, a disruption is probable.
Impact/Severity: 4 (Major) - A disruption would halt production for weeks, causing major revenue loss.
Risk Score: 4 × 4 = 16 (Extreme)
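The scoring rule, the matrix and the five worked examples above, carried through in code. This is an added example and not part of the original article: the two 1-to-5 scales and the five example risks are taken from the page as written, while the rating band thresholds (the page labels a score of 5 "Medium" and scores of 15 and 16 "Extreme" but gives no cut-offs), the function names and the Risk class are assumptions introduced here.

```python
"""Risk = Likelihood x Impact, using the page's 1-to-5 scales and worked examples."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product

# The two 1-to-5 scales exactly as the page defines them.
LIKELIHOOD = {5: "Almost Certain", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}
IMPACT = {5: "Catastrophic", 4: "Major", 3: "Moderate", 2: "Minor", 1: "Insignificant"}

# Assumed rating bands (hypothetical): the page labels a score of 5 "Medium" and
# 15/16 "Extreme" but states no thresholds, so these cut-offs are an assumption
# chosen only to agree with those three data points.
BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 14, "High"), (15, 25, "Extreme")]


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact. Rejects ratings outside the 1-to-5 scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"ratings must be 1..5, got likelihood={likelihood}, impact={impact}")
    return likelihood * impact


def rating(score: int) -> str:
    """Map a score to a band label using the assumed BANDS table."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside 1..25")


def risk_matrix() -> dict[tuple[int, int], int]:
    """All 25 (likelihood, impact) -> score cells of the matrix."""
    return {(l, i): risk_score(l, i) for l, i in product(LIKELIHOOD, IMPACT)}


def render_matrix() -> str:
    """Plain-text matrix: rows = likelihood (5 at the top), columns = impact."""
    cells = risk_matrix()
    header = "L\\I " + " ".join(f"{i:>3}" for i in sorted(IMPACT))
    rows = [header]
    for l in sorted(LIKELIHOOD, reverse=True):
        rows.append(f"{l:>3} " + " ".join(f"{cells[(l, i)]:>3}" for i in sorted(IMPACT)))
    return "\n".join(rows)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)


# The five worked examples from the page, entered as a small risk register.
PAGE_EXAMPLES = [
    Risk("Server Hardware Failure", 3, 5),
    Risk("Key Developer Leaves Project", 4, 4),
    Risk("Minor UI Bug Reported", 5, 1),
    Risk("Cybersecurity Data Breach", 3, 5),
    Risk("Supply Chain Disruption", 4, 4),
]


def rank(risks: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact so the most severe outcomes surface first."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


if __name__ == "__main__":
    print(render_matrix())
    for r in rank(PAGE_EXAMPLES):
        print(f"{r.score:>2} {rating(r.score):<8} {r.name} "
              f"(L{r.likelihood} {LIKELIHOOD[r.likelihood]} x I{r.impact} {IMPACT[r.impact]})")
```

Running the script prints the 5x5 matrix followed by the page's five examples ordered by score, which is the triage view the matrix is meant to give: the two 16s and two 15s at the top, the cosmetic bug at the bottom. Validation in risk_score matters in practice because a register with a likelihood of 0 or 6 would silently distort every comparison built on it.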
Further Reading & References
1. A Guide to the Project Management Body of Knowledge (PMBOK® Guide)
Published by the Project Management Institute (PMI), this is the preeminent global standard for project management. Chapter 11 is dedicated entirely to Project Risk Management, outlining processes for identifying, analyzing, and responding to risk.
2. ISO 31000:2018 - Risk Management Guidelines
This is the international standard for managing risk. It provides principles and generic guidelines that can be applied to any organization, regardless of size or sector. It emphasizes the integration of risk management into all organizational activities.
3. The COSO Enterprise Risk Management (ERM) Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a widely used framework for enterprise risk management. It helps organizations develop a holistic, top-down view of risk across all business units.