With Risk Assessment, before obtaining an overall risk level we must classify our risks based on their likelihood and impacts.

This can be done using different scales of classification as explained below.

Three Point Classification Scale

The three point classification risk assessment scale is used in risk assessment where few risks have been identified. It grades likelihoods and impacts of an activity based on scores of high, medium or low using our own judgments.

Explanations of each are as follows:

Likelihood

HIGH – This is a common occurrence within the organisation or has the potential to occur given current measures put in place to prevent it from doing so.

MEDIUM – There is a moderate chance that this risk will occur based on the current controls implemented within the firm to reduce the risk.

LOW – The chances are pretty low that this event will happen, due to either measures put in place ensure it is unlikely to present risk or it has never or rarely occurred in past experience.

Impact (or Consequence)

HIGH – There will be a substantial financial cost to the firm if the risk does occur and/or valuable resources are lost or damaged as a result.

MEDIUM – If/When the risk takes place, the overall losses of resources and finances will be moderate.

LOW – Very little losses in finance and for resources result from this risk taking place.

When we have reached a stage where identified risks have been assessed accordingly and likelihood and impact grades have been allocated, the scores are logged in the Risk Register. Likelihoods are then compared to impacts on a “risk map” to provide us with an overall ranking of the risk priority.

Five Point Classification Scale

It is common in practice that we will see classification levels up to a maximum of five, rather than the high/medium/low risk classification. This is because it satisfies larger risk registers allowing greater distinction between risk scores when they have been prioritised.

Ten Point Classification Scale

For more advanced risk management strategies where more identified risks need to be prioritised, organisations might consider using a 10 point classification scale as opposed to the basic 3 or 5 point classification scale.

The theory is much the same as that of 3 point classification, but with scores given out of 10 rather than 3 (or high, medium or low).

These individual scores can then be plotted on our risk map as a prioritisation method or multiplied together to have a numerical risk score which can then be ranked. Either technique is acceptable.

The advantage of using a higher point classification is that there are less overlaps between prioritised risks because the scale is much larger. This makes it easier to rank risks based on priority, compared to the 3 or 5 point classification scale. On the other hand, the 10 point classification is less common in practice because the higher scale makes it harder to determine differences between each individual score i.e. what is the major difference between a score of six and a score of seven?