4. How we assess risk
Not all risks can be eliminated completely but the likelihood and impact can be reduced or better controlled through assessment, control actions, monitoring and review.
Strategic or operational risks should be assessed in the context of the scale of risk associated with each. This may be determined by considering:
- likelihood of the risk occurring
- impact, or severity of the consequences should it occur
Risks are assessed by selecting a scale for both likelihood and impact and multiplying them to produce a risk rating. This rating then falls within one of the following categories in the matrix - high, medium or low.
Once a risk has been identified the first step in the assessment process is to work out the pure risk status (see section 2). This is achieved by determining the likelihood of the risk occurring by selecting the appropriate score from table at appendix A.
Next assess the impact that the occurrence of the risk would have on the corporate objective, the delivery of the service, or objectives of the project if it should occur. Do this by selecting the appropriate score from table at appendix B.
The likelihood and impact scores then need to be multiplied together to give the pure risk score using the risk matrix at appendix C.