Risk Scoring: Likelihood, Impact, and the Matrix
Every risk decision comes down to two questions: how likely is this, and how much would it hurt. Risk scoring is the discipline of answering both in a way that lets you compare one risk against another and decide where to spend first. The output is a number or a color, but the value is the ranking it produces.
There are two schools of how to do it. One is fast and subjective, the other slow and precise. Good programs use both, for different risks.
Two ways to score risk
The choice between qualitative and quantitative scoring is really a choice about what you have: time and data, or neither. Each has a place.
Putting a number on it
Quantitative scoring is where risk meets the budget. By translating a risk into an expected annual cost, you can compare it directly against the price of the control meant to reduce it. Three formulas do the work.
| Term | Formula | Meaning |
|---|---|---|
| SLE | AV x EF | Single Loss Expectancy: the loss each time the risk occurs. Asset Value times Exposure Factor (the percent of the asset lost). |
| ARO | (frequency per year) | Annualized Rate of Occurrence: how many times a year the risk is expected to happen. |
| ALE | SLE x ARO | Annualized Loss Expectancy: the expected yearly cost of the risk. This is the number you compare against the cost of a control. |
The logic is simple once the terms are clear. If a risk costs you a known amount each time it happens, and you know how often it happens, you know what it costs you per year. That yearly figure is what you weigh against the cost of fixing it.
[[INSIGHT: The whole point of Annualized Loss Expectancy is the comparison it enables. If a risk costs you $12,500 a year and the control that stops it costs $20,000, the math just told you to accept the risk. Scoring is not paperwork, it is how you avoid spending more to prevent a loss than the loss is worth.]]
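The two scoring methods above, worked as an added example (not code from the original article): a 5x5 likelihood-by-impact lookup for the qualitative side, and the SLE / ARO / ALE formulas with the control-cost comparison for the quantitative side. The product thresholds that map grid cells to a risk band are an assumption for illustration, and the `decide` function assumes the control fully stops the risk and that its cost is already annualized.

```python
from dataclasses import dataclass

# Qualitative axes: both likelihood and impact use a very low .. very high scale.
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


def matrix_level(likelihood: str, impact: str) -> str:
    """Where likelihood and impact meet on a 5x5 grid.
    The product bands below are an assumption for this example, not a
    standard; programs tune them to their own risk appetite."""
    score = SCALE[likelihood.lower()] * SCALE[impact.lower()]  # 1..25
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset lost per event (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure_factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be below 1: once per decade is 0.1."""
    if aro < 0:
        raise ValueError("aro cannot be negative")
    return sle * aro


@dataclass
class Decision:
    ale: float
    control_cost: float
    action: str


def decide(asset_value: float, exposure_factor: float, aro: float,
           annual_control_cost: float) -> Decision:
    """Weigh the expected yearly loss against the yearly cost of the control
    that would stop it (assumed to remove the risk entirely)."""
    loss = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    action = "accept the risk" if annual_control_cost > loss else "fund the control"
    return Decision(loss, annual_control_cost, action)
```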
- Risk scoring combines likelihood and impact to rank risks against each other.
- Qualitative scoring uses descriptive scales and a likelihood-by-impact matrix; it is fast.
- Quantitative scoring uses SLE, ARO, and ALE to put a dollar figure on risk.
- ALE = SLE x ARO, and SLE = Asset Value x Exposure Factor.
- Compare a risk’s annual cost against the cost of the control to decide what to do.
Frequently asked questions
How is a risk scoring matrix used?
It plots likelihood against impact, each on a scale from very low to very high. Where the two meet gives the overall risk level. A 5×5 grid is the most common version.
What is the difference between qualitative and quantitative risk scoring?
Qualitative scoring uses descriptive scales and expert judgment (low, medium, high) and is fast. Quantitative scoring assigns monetary values using SLE, ARO, and ALE, enabling cost-benefit analysis but requiring more data and effort.
How do you calculate Annualized Loss Expectancy?
ALE = SLE x ARO. Single Loss Expectancy is Asset Value times Exposure Factor, and ARO is how often the risk is expected per year. For an asset worth $10,000 with a 10% exposure factor and an ARO of 5, the ALE is $5,000.
Which method should I use?
Qualitative when you need speed or lack data, and quantitative when you need to justify spending with hard numbers. Many programs start qualitative and add quantitative analysis for the highest risks.