Two twos are four – but not always
It’s fairly common practice in risk assessments to use a numerical scale when estimating likelihood and impact. A 1-4 scale is often used, with 1 being the lowest and 4 the highest. The likelihood and impact “scores” are usually multiplied to give an overall risk rating, which is then plotted on a risk matrix – essentially a graph with likelihood on one axis and impact on the other. This is a perfectly reasonable way of quantifying and prioritising risks, which is more than adequate for the risk assessment needs of many organisations.
However, this approach comes with a health warning. It’s important to realise that the numbers are really only there for convenience, and a level 4 likelihood isn’t necessarily (in fact it almost certainly isn’t) four times as likely as a level 1 or twice as likely as a level 2. Similarly, a level 4 impact isn’t four times as bad as a level 1 or twice as bad as a level 2. Indeed, the increase in likelihood or impact between level 1 and level 4 could well be 20 or 50 or 100-fold or more (exponential).
The important thing here is where a risk falls on the risk matrix, as this will help us to consider which risks we ought to do something about and what we ought to do to mitigate them. For instance, if a risk sits in the top right hand corner (high likelihood and high impact), action needs to be taken, full-stop, regardless of any pseudo-scientific or quasi-mathematical scoring system that was used to determine its placement.