**| Home | Guidelines
| Manage | Organize
| Identify | Assess |
Root
Cause Analysis |
**|

Once a set of risks are identified, they must be assessed to determine their severity and hence relative priority in mitigating them. Risks are rated on the dual basis of likelihood and consequence. The product of the likelihood and consequence score is called the risk rating. Risks rated medium to high are worth taking some preventative actions to avoid them. Click on the link below to view a sample risk rating schema.

The likelihood score is based on the chance that the undesirable event might happen and cause some negative consequence during the execution of the decision choice (or project). If the decision-maker is unable to assess the probability of occurrence directly, another approach is to compare all the risks identified together. Rank-order the list of risks from highest to lowest likelihood. Then pick those risks whose likelihood the decision-maker can estimate and use them as reference points for gauging the likelihood of the others that are more difficult to estimate their likelihood.

For each of the five likelihood interval scores, there is an
associated numerical score ranging from 1 to 5. The
highest likelihood is rated a 5 (if the likelihood is greater than
80%) and the lowest likelihood is rated a 1 (if the likelihood is less
than 20%). As an example, suppose risk A is estimated to have a
50% chance of the event happening and risk M is rated at a 30% chance
of happening. If risk B is located in the rank-order list
between risks A and M, then the decision-maker knows that the
likelihood of risk B's occurring is somewhere between
30-50%. The decision-maker then assigns a comparative
rating base on known comparisons as to whether their estimate of
likelihood is closer to risk A or risk M. In other words, risk B
is either a 2 or a 3 on the likelihood scale. **If in doubt,
give the risk the higher likelihood score.**

The consequence rating is based on the assessed potential impact on
the decision-maker's original need, providing a specific risk does
occur. The likelihood and the consequence must be aligned such
that the magnitude of the impact is matched with the appropriate
likelihood. For example, if an undesirable event (risk)
occurred, there might be a high likelihood of a small consequence or a
small likelihood of a large consequence. It is up to the
decision-maker to pick what they think is the worst combination of
likelihood and consequence. **If in doubt, pick the
likelihood that matches the worst potential consequence.**

The description on the consequence scale must be defined by the
decision-maker. The scale on the *risk score card* is what
is often used by large corporations implementing large
programs. These programs are determined to be successful
if they are completed within cost and schedule (which are two of the
consequence scales in the risk score card). The other
condition of success is whether the final product meets the original
objectives of the customer (decision-maker). In other words, did
the decision choice satisfy the intended need once it was
implemented?

The decision-maker can create their own success scale with five intervals of successful implementation. For each of the five intervals on the consequences scale, there is an associated numerical score ranging from 1 to 5. The highest adverse consequence (worst) is rated a 5 (as defined by the decision-maker) and the lowest adverse consequence is rated a 1 (as defined by the decision-maker). At the top of the consequence scale, describe the worst outcome possible for this particular decision choice and implementation plan such as...the original need is not met. At the bottom of the scale, describe the conditions where the essence of the need is met but slightly off target. In-between these two extreme points, describe intermediate outcomes so that the scale represents a progressive description of consequences between low to high impact.

Finally, the risk rating is the product of the two scores: the
consequence score multiplied by the likelihood score. For
example, if the likelihood was rated a 3 and the consequence was rated
a 3, then the risk rating would be a nine (3*3). By
referring to the risk score card, the decision-maker would rate the
risk as medium. **As a general rule, all risks rated as medium
or high warrant a risk mitigation plan.** If the
decision-maker is strapped for resources (funds or schedule), then
they could limit themselves to just mitigating the high risks whose
risk rating is 15 or higher. See the section on risk
mitigation for methods on how to handle
risks once they are identified and assessed.