A risk rating methodology assesses each risk by combining the likelihood and the impact of its occurrence, where likelihood is “the probability that a given event will occur” and impact is “the result, effect, or consequences of an event.” The combination of these two elements is an assessment of the severity of the risk: the degree to which the risk will result in a consequence that could materially impair the organization’s ability to achieve its goals and objectives.

## Risk Rating Methodology

Every organization’s activities involve some level of risk. Risks are events that occur as a result of uncertainty and can have a positive or negative impact on the project’s objectives. Because each project is unique, the associated risk varies from one to the next. As a result, risk management is an important part of any organization because proper management increases the likelihood of a project’s success.

Inherently, internal auditors cannot evaluate every possible risk facing an organization. The multiple sources of potential engagements coupled with the related scope of work require the efficient use of limited internal audit resources.

To some extent, frameworks for assessing and developing risk-based plans will vary from enterprise to enterprise. An organization’s magnitude, formality, management direction, sector, statutory requirements, and other demographics are just some of the possible influencing aspects.

Various risk assessment frameworks can be used to measure risk. The most well-accepted are the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) Framework, ISO 31000, and the Turnbull guidance.

## Impact Assessment

The consequences or effects of a risk event on the project objectives are frequently defined as impacts. These effects can be both beneficial and detrimental to the goals. The impact of risk events on various project objectives can be defined qualitatively as well as quantitatively. These project objectives include cost, schedule, quality, scope, health and safety, and so on.

## Probability Assessment

The possibility of a risk event occurring is referred to as risk probability or likelihood. The likelihood can be expressed qualitatively as well as quantitatively. When discussing probability in a qualitative context, words like frequent, possible, rare, and so on are used. It is also possible to express the probability numerically. This can be accomplished through the use of scores, percentages, and frequencies defined by the organizations based on the relative description.

## Risk Assessment Methods Using Impact and Probability

The Probability and Impact Matrix is one of the most widely used qualitative assessment methods. It is based on the two components of risk: the probability of occurrence and the impact on objectives if the risk occurs. The matrix is a two-dimensional grid that maps the likelihood of each risk occurring against its consequences for the project targets. The risk score, often referred to as the risk level or the degree of risk, is calculated by multiplying the two axes of the matrix.

**Risk = Impact x Probability**

Because impact and probability can each be described qualitatively or numerically, so can the risk score. The higher the combined ratings, the higher the score and the risk level. These ratings are broadly defined from low to high or from very low to very high. Each entity must define its own rating classes, which should be distinct for each activity, and must determine its risk tolerance. Defining these impact and probability levels in advance helps to reduce the influence of bias.

## Impact and Probability in Risk Assessment Analysis

Qualitative risk assessment methods are relatively quick to implement, cost effective, and simple to understand. Their results do not provide an accurate risk estimate. They do, however, provide a descriptive result and, in many cases, enough information to plan responses. These findings also lay the groundwork for more detailed quantitative analysis, where that is possible and warranted. Qualitative assessment is repeated on a regular basis throughout the life cycle of a project, because new risks may emerge at later stages and risk responses may themselves give rise to other risk events.

## Probability and Impact Matrix

The Probability and Impact Matrix is a popular qualitative assessment method. It is based on two aspects of risk: the likelihood of occurrence and the impact on the objective(s) if it occurs. The matrix is a two-dimensional grid that maps the probability of risk occurrence and its impact on project objectives [5]. The risk score, also known as the risk level or the degree of risk, is calculated by multiplying the matrix’s two axes.
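To make the scoring described in the two matrix sections concrete, here is an added Python example (not part of the original article). The five-point probability and impact scales, the score bands that stand in for a risk tolerance, and the sample risk register are constructed assumptions, since the text says each entity must define its own ratings.

```python
# Probability-and-impact matrix scoring. Scale labels, band thresholds and the
# sample register are constructed assumptions; each entity defines its own.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
IMPACT = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}

# Risk-level bands over the 1..25 product (upper bound inclusive).
BANDS = [(4, "low"), (9, "medium"), (15, "high"), (25, "critical")]

def risk_score(probability: str, impact: str) -> int:
    """Risk = Impact x Probability, using the numeric rating behind each label."""
    try:
        return PROBABILITY[probability.lower()] * IMPACT[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating label: {exc.args[0]!r}") from None

def risk_level(score: int) -> str:
    """Map a numeric score onto the entity's qualitative risk level."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} lies outside the 1..25 matrix")

def prioritize(register):
    """register: iterable of (name, probability, impact).
    Returns (name, score, level) tuples ordered highest score first."""
    scored = []
    for name, prob, imp in register:
        score = risk_score(prob, imp)
        scored.append((name, score, risk_level(score)))
    return sorted(scored, key=lambda row: (-row[1], row[0]))

def matrix():
    """Full 5x5 grid: rows are impact (very high first), columns probability 1..5."""
    rows = []
    for imp_label, imp in sorted(IMPACT.items(), key=lambda kv: -kv[1]):
        rows.append((imp_label, [risk_level(imp * p) for p in sorted(PROBABILITY.values())]))
    return rows

# Constructed sample register: a rare-but-severe risk beside a frequent-but-moderate one.
SAMPLE_REGISTER = [
    ("Unpatched internet-facing server", "likely", "high"),
    ("Data centre flood", "rare", "very high"),
    ("Credential phishing", "frequent", "moderate"),
    ("Lost unencrypted laptop", "possible", "low"),
]

if __name__ == "__main__":
    for name, score, level in prioritize(SAMPLE_REGISTER):
        print(f"{score:>2} {level:<8} {name}")
```

Note how the frequent-but-moderate phishing risk outranks the rare-but-severe flood, which is exactly the prioritization effect the Final Thoughts section describes.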

## Final Thoughts

The two main components of risk analysis are impact and probability. Looking at impact versus probability is a common method for categorizing and prioritizing risks because some risks may have a severe impact on project objectives but occur only on rare occasions, whereas others have a moderate impact but occur more frequently.

The result from these risk matrices is used to prioritize the risks, plan the risk response, identify risks for quantitative assessment, and guide resource allocations during the audit.