Risk Assessment – What Scale should I use?

When undertaking a risk assessment process, one of the key things you need to decide upon is the scale you are going to use. I have seen some very complicated risk assessment scales, ones with multiplication of values, a scale of 1 to 10, different areas for reporting risk.

It doesn’t have to be complicated.

Actually the simpler the scale, the easier it is to evaluate risk.

Keep it simple

Unless your business is complex, multi-million pound and based across numerous countries, a simple risk assessment process should suffice.

I would suggest when you first start looking at risk, you use a scale of Low, Medium and High and look at the likelihood of the risk happening and the impact that it would have on the business.

With high, medium and low, it’s very easy to decide where a risk sits. It’s not like having a scale of 1-10 where its hard to define the difference between a 6 and a 7.

The Benefits of a Three-Tier Scoring System

  1. Clarity and Ease of Use –  A Low, Medium, High scale provides clear distinctions between risk levels. This clarity makes it easier for the assessors, regardless of their technical expertise, to understand and contribute to the risk assessment process.
  2. Faster Decision Making – With only three options to choose from, decision-makers can quickly categorise risks without getting bogged down in minute differences. This speed can be crucial when dealing with time-sensitive risk assessments.
  3. Consistency Across Teams – A simpler scale reduces the likelihood of inconsistent scoring between different team members or departments. It’s easier to establish and maintain a shared understanding of what constitutes a Low, Medium, or High risk.
  4. Focus on Action – The three-tier system naturally guides the focus towards action. High risks clearly require immediate attention, Medium risks need monitoring and potential action, while Low risks can be accepted or addressed as resources allow.

Implementing the Low, Medium, High Scale

risk management

Risk. Chart with keywords and icons

When using this scale, consider the following approach:

  1. Likelihood Assessment:
    • Low: Unlikely to occur (e.g., once every few years)
    • Medium: May occur occasionally (e.g., annually)
    • High: Likely to occur frequently (e.g., monthly or more often)
  2. Impact Assessment:
    • Low: Minor disruption or financial loss
    • Medium: Significant disruption or financial loss, but recoverable
    • High: Major disruption, substantial financial loss, or damage to reputation
  3. Overall Risk Rating: Combine the likelihood and impact assessments to determine the overall risk level.
This matrix provides a straightforward way to determine the overall risk level based on the combination of likelihood and impact.

Enhancing the Three-Tier System

While keeping the system simple, you can still add nuance:

  1. Risk Descriptions: Provide brief descriptions for each risk level to ensure consistent interpretation across your organization.
  2. Numerical Equivalents: If needed for reporting or comparison purposes, you can assign numerical values (e.g., Low=1, Medium=2, High=3) without complicating the initial assessment.
  3. Risk Appetite: Define your organization’s risk appetite in terms of these three levels. For example, you might decide that all High risks must be addressed, Medium risks should be evaluated case-by-case, and Low risks are generally acceptable.
  4. Periodic Review: Regularly review your risk assessments to ensure the ratings remain accurate as your business environment changes.

Conclusion

A simple Low, Medium, High scoring system for risk assessment offers a practical, efficient, and effective approach for most organizations. It provides clear categorization, facilitates quick decision-making, and ensures consistency across teams. While more complex systems exist, starting with this three-tier approach allows you to establish a solid risk assessment foundation. As your organization’s needs evolve, you can always refine or expand the system while maintaining its core simplicity and effectiveness.

Remember, the goal of risk assessment is not to create a complex scoring system, but to identify, prioritize, and address risks effectively. A simple, well-implemented scoring system often achieves this goal better than a more complicated one.

If you need help undertaking a risk assessment, please contact us, we are happy to help.