Risk Rating Criteria
In order to evaluate the level of a risk of a change, the likelihood of it going wrong and the impact of it going wrong needs to be assessed. Both of these aspects are given integers between 1 and 4 (inclusive):
Rating | Likelihood | Impact |
|---|---|---|
| 1 | Not expected, but there's a slight possibility it may occur at some time. | Minimal impact |
| 2 | The event may occur at some time. | Minor impact, local service disruption less than 1 week |
| 3 | There is a strong possibility the event will occur. | Serious disruption for multiple users, more than a week |
| 4 | Very likely. The event is expected to occur. | Serious disruption to the ability to deliver service |
The resulting risk level is calculated by the product of Likelihood and Impact, resulting in a score from 1 to 16. The risks may then be prioritized in the following way:
- Low: 1 and 2
- Medium: 3 and 4
- High: 6, 8, and 9
- Extreme: 12 and 16
| Likelihood | Impact | |||
|---|---|---|---|---|
| 1 - Minimal impact | 2 - Minor impact, local service disruption less than 1 week | 3 - Serious disruption for multiple users, more than a week | 4 - Serious disruption to the ability to deliver service | |
| 1 - Unlikely to happen | (1) Low | (2) Low | (3) Medium | (4) Medium |
| 2 - Happens less than once per year | (2) Low | (4) Medium | (6) High | (8) High |
| 3 - Happens every few months / more than once per year | (3) Medium | (6) High | (9) High | (12) Extreme |
| 4 - Happens every 2-3 months or more frequently | (4) Medium | (8) High | (12) Extreme | (16) Extreme |