Analysing and evaluating risks

Once you have identified and created a list of possible risks to your business, you need to analyse and evaluate each one.

The most common way of analysing risks is to use a scale that rates each risk on:

  • the likelihood of it occurring
  • the consequences of it occurring.
Likelihood scale example
4 Very likely Happens more than once a year in this industry
3 Likely Happens about once a year in this industry
2 Unlikely Happens every 10 years or more in this industry
1 Very unlikely Has only happened once in this industry
Consequences scale example
4 Severe Financial losses greater than $50,000
3 High Financial losses between $10,000 and $50,000
2 Moderate Financial losses between $1000 and $10,000
1 Low Financial losses less than $1000

Note: The scales above use 4 different levels; however, you can use as many levels as you need. Also use descriptors that suit your purpose (e.g. you might measure consequences in terms of human health, rather than dollar value).

Once you have established the likelihood and consequences of a particular risk, you then need to create a risk rating table for evaluating the risk. Evaluating a risk means making a decision about its severity and ways to manage it.

Use the following formula to calculate risk rating: Likelihood x Consequences = Risk rating

For example, you may decide the likelihood of a fire is 'unlikely' (a score of 2) but the consequences are 'severe' (a score of 4). Using the tables above, a fire therefore has a risk rating of 8 (i.e. 2 x 4 = 8).

Risk rating table example
Risk ratingDescriptionAction
12-16 Severe Needs immediate corrective action
8-12 High Needs corrective action within 1 month
4-8 Moderate Needs corrective action within 3 months
1-4 Low Does not currently require corrective action

Your risk evaluation should consider:

  • the importance of the activity to your business
  • the amount of control you have over the risk
  • potential losses to your business
  • any benefits or opportunities presented by the risk.

Once you have identified, analysed and evaluated your risks, you need to rank them in order of priority. You can then decide what methods you will use to treat unacceptable risks.

Also consider...