Risk Managers are assumed to be at the leading edge of their profession if they provide quantitative measures of both probability and impact, and combine them to give an overall measure of risk. The most common such measure is to multiply your measure of probability of the risk with your measure of the impact of the risk as shown below:
Probability impact matrix with risk score
The example shows a risk that has been assessed as ‘medium probability’, ‘medium cost impact’, generating a ‘risk score’ of 15. A risk rating such ‘15’ will have no absolute meaning, (it would be inappropriate to conclude that such a rating is fifteen times more important than rating of 1).
While risk matrices are viewed by some as useful for ranking risk in order of significance (the bigger the number, the greater the risk), it can be irrational when applied blindly. Some advise caution, concluding risk matrices do not necessarily support good (e.g., better-than-random) risk management decisions, while others have described the PIM approach as hiding more than it reveals and that it can be a dangerous waste of time.
Unfortunately much risk analysis involves going through the motions to assign numbers without actually doing much thinking about what lies under the hood.
The correct treatment of risk requires both the impact and probability dimensions to be considered, and that focusing attention on those risks ranked as ‘riskiest’ by a multiplied figure of these two dimensions is dangerous. Indeed, the effect of low probability, high-impact risks will be quite different from that of high probability, low-impact risks, even though individually the risks can the same product term (impact x probability). It is important to consider such consequences when setting contingencies since, as would be expected, low probability, high impact risks require greater contingency than likely, low impact risks.