Analyse and evaluate the impact of risks

Once you have identified the risks to your business, you need to assess the possible impact of those risks. You need to separate minor risks that may be acceptable from major risks that must be managed immediately.

Analysing the level of risk

To analyse risks, you need to work out the likelihood of it happening (frequency or probability) and the consequences it would have (the impact) of the risks you have identified. This is referred to as the level of risk, and can be calculated using this formula:

level of risk = consequence x likelihood

Level of risk is often described as low, medium, high or very high. It should be analysed in relation to what you are currently doing to control it. Keep in mind that control measures decrease the level of risk, but do not always eliminate it.

A risk analysis can be documented in a matrix, such as this:

Likelihood scale example

4 Very likely Happens more than once a year in this industry
3 Likely Happens about once a year in this industry
2 Unlikely Happens every 10 years or more in this industry
1 Very unlikely Has only happened once in this industry

Consequences scale example

4 Severe Impact likely to cause business to stop trading or significant financial losses felt
3 High Major impact on your business with large financial loss
2 Moderate Moderate impact on your business with some financial loss
1 Low Insignificant impact on your business with minimal financial loss

Note: Ratings vary for different types of businesses. The scales above use 4 different levels; however, you can use as many levels as you need. Also use descriptors that suit your purpose (e.g. you might measure consequences in terms of human health, rather than dollar value).

Evaluating risks

Once you have established the level of risk, you then need to create a rating table for evaluating the risk. Evaluating a risk means making a decision about its severity and ways to manage it.

For example, you may decide the likelihood of a fire is 'unlikely' (a score of 2) but the consequences are 'severe' (a score of 4). Using the tables and formula above, a fire therefore has a risk rating of 8 (i.e. 2 x 4 = 8).

Risk rating table example

Risk ratingDescriptionAction
12-16 Severe Needs immediate corrective action
8-12 High Needs corrective action within 1 month
4-8 Moderate Needs corrective action within 3 months
1-4 Low Does not currently require corrective action

Your risk evaluation should consider:

  • the importance of the activity to your business
  • the amount of control you have over the risk
  • potential losses to your business
  • any benefits or opportunities presented by the risk.

Once you have identified, analysed and evaluated your risks, you need to rank them in order of priority. You can then decide which methods you will use to treat unacceptable risks.

Also consider...