Analyse and evaluate the impact of risks
Once you have identified the risks to your business, you need to assess the possible impact of those risks. You need to separate minor risks that may be acceptable from major risks that must be managed immediately.
Analysing the level of risk
To analyse risks, you need to work out the likelihood of it happening (frequency or probability) and the consequences it would have (the impact) of the risks you have identified. This is referred to as the level of risk, and can be calculated using this formula:
level of risk = consequence x likelihood
Level of risk is often described as low, medium, high or very high. It should be analysed in relation to what you are currently doing to control it. Keep in mind that control measures decrease the level of risk, but do not always eliminate it.
A risk analysis can be documented in a matrix, such as this:
Likelihood scale example
| Level | Likelihood | Description |
|---|---|---|
| 4 | Very likely | Happens more than once a year in this industry |
| 3 | Likely | Happens about once a year in this industry |
| 2 | Unlikely | Happens every 10 years or more in this industry |
| 1 | Very unlikely | Has only happened once in this industry |
Consequences scale example
| Level | Consequence | Description |
|---|---|---|
| 4 | Severe | Financial losses greater than $50,000 |
| 3 | High | Financial losses between $10,000 and $50,000 |
| 2 | Moderate | Financial losses between $1000 and $10,000 |
| 1 | Low | Financial losses less than $1000 |
Note: Ratings vary for different types of businesses. The scales above use 4 different levels; however, you can use as many levels as you need. Also use descriptors that suit your purpose (e.g. you might measure consequences in terms of human health, rather than dollar value).
Evaluating risks
Once you have established the level of risk, you then need to create a rating table for evaluating the risk. Evaluating a risk means making a decision about its severity and ways to manage it.
For example, you may decide the likelihood of a fire is 'unlikely' (a score of 2) but the consequences are 'severe' (a score of 4). Using the tables and formula above, a fire therefore has a risk rating of 8 (i.e. 2 x 4 = 8).
Risk rating table example
| Risk rating | Description | Action |
|---|---|---|
| 12-16 | Severe | Needs immediate corrective action |
| 8-12 | High | Needs corrective action within 1 month |
| 4-8 | Moderate | Needs corrective action within 3 months |
| 1-4 | Low | Does not currently require corrective action |
Your risk evaluation should consider:
- the importance of the activity to your business
- the amount of control you have over the risk
- potential losses to your business
- any benefits or opportunities presented by the risk.
Once you have identified, analysed and evaluated your risks, you need to rank them in order of priority. You can then decide which methods you will use to treat unacceptable risks.
Also consider...
- Use our business continuity plan template, which includes a risk management section.
- Learn about preparing an incident response plan and a recovery plan, which will be critical in helping your business survive if one of the risks you've identified does happen.
- Watch a recorded webisode to learn how to analyse and evaluate risk.
- Read about surviving an economic downturn.
- Consider purchasing Risk management - procedures and guidelines (Standards Australia AS/NZS ISO 31000:2009), available from the SAI Global website.
- Last reviewed: 18 Jul 2017
- Last updated: 28 Jun 2016