Risk Evaluation and Assessment

Risk evaluation is concerned with assessing probability and impact of individual risks, taking into account any interdependencies or other factors outside the immediate scope under investigation:

  • Probability is the evaluated likelihood of a particular outcome actually happening (including a consideration of the frequency with which the outcome may arise). For example, major damage to a building is relatively unlikely to happen, but would have enormous impact on business continuity. Conversely, occasional personal computer system failure is fairly likely to happen, but would not usually have a major impact on the business.
  • Impact is the evaluated effect or result of a particular outcome actually happening.
    Impact should ideally be considered under the elements of:
    • time
    • quality
    • benefit
    • people/resource

[Figure: 3x3 Risk Matrix]

Some risks, such as financial risk, can be evaluated in numerical terms.

Others, such as adverse publicity, can only be evaluated in subjective ways.

There is a need for some framework for categorising risks, for example, high, medium and low.

When considering a risk’s probability, another aspect is when the risk might occur.

Some risks will be predicted to be further away in time than others and so attention can be focused on the more immediate ones.

This prediction is called the risk’s proximity. The proximity of each risk should be included in the Risk Log.

