Risk identification gives you a list. Risk analysis gives you an agenda.
The difference matters enormously. A list of forty risks paralyzes; a ranked set of priorities directs money, time, and attention to where they buy the most safety. The tool for getting from one to the other is disarmingly simple — estimate likelihood, estimate impact, combine — but doing it well is a craft. This article covers that craft.
Two estimates, honestly made
Likelihood asks: how probable is this event within a defined period? The defined period is the part people forget. "How likely is a key employee leaving?" is unanswerable; "how likely within the next twelve months?" is an estimate you can make and later verify. Always fix the time horizon — one year is the common convention — and write it into your rating scale.
Impact asks: if it happens, how bad is it? Bad along which dimension, though? A data breach costs money, but it also burns customer trust, attracts regulators, and demoralizes the team. Mature impact scales define several dimensions — financial, operational, reputational, legal, safety — and rate a risk by its worst dimension. A risk that costs little but could trigger a regulatory investigation is not a small risk.
One subtlety separates thoughtful analysis from mechanical scoring: for impact, rate the plausible serious case, not the theoretical apocalypse and not the best case. Every risk "could" theoretically destroy the company if you stack enough bad luck; anchoring on realistic severity keeps ratings meaningful and comparable.
Where the estimates come from
Qualitative ratings have a reputation for being guesswork. They don't have to be. Ranked from strongest to weakest, your sources are:
Your own history. How many times in the last five years did a release fail, a supplier miss a deadline, an employee leave a critical role? Internal incident data is the gold standard for likelihood because it reflects your controls, your people, your environment.
Industry data. Breach reports, insurance statistics, sector studies. Useful calibration, especially for risks you haven't yet experienced — though remember that published data skews toward reported, large, and dramatic events.
Structured expert judgment. When data is thin — which for many strategic risks it always will be — judgment is legitimate, if it's structured. Have several people rate independently before discussing (this prevents anchoring on the first opinion voiced), then discuss the divergences. The discussion where an engineer explains why she rated likelihood 4 while the manager said 2 is often the most valuable twenty minutes in the whole process.
The biases that bend your ratings
Risk analysis is performed by human brains, and human brains have systematic bugs. Four of them do most of the damage:
Availability bias. Events that are recent or vivid feel more likely. After a competitor's ransomware incident hits the news, cyber ratings spike; five quiet years later, they sag — while the actual threat has done neither. Antidote: anchor ratings to data and defined scales, not to headlines.
Optimism bias. We're careful. Our people are good. It won't happen here. Every organization that ever suffered a major incident had people who believed this. Antidote: the outside view — ask "how often does this happen to organizations like us?" before asking "how often will it happen to us?"
Anchoring. The first number spoken in a workshop pulls every subsequent estimate toward it, regardless of merit. Antidote: silent, independent rating first; discussion second.
The confidence trap. Confident people are more persuasive, but not more accurate. Antidote: require justifications, not just numbers. "Likelihood 2, because we've had zero occurrences in six years and two independent controls exist" can be examined. "Likelihood 2, trust me" cannot.
You cannot remove these biases. You can design your process so they cancel out rather than compound: independent first ratings, mixed groups, written justifications, and comparison against last cycle's ratings with an explanation for every change.
Gross and net: the two-photograph technique
A single rating hides a crucial distinction: are you assessing the raw risk, or the risk given everything you already do about it?
Best practice is to assess both. Gross (inherent) risk is the exposure with no controls — imagine the firewall off, the backups gone, the review process abandoned. Net (residual) risk is what remains with current controls operating.
The pair tells you three things a single number can't. The gap between gross and net shows what your existing controls are worth — often an eye-opener for budget discussions. The net rating tells you whether further treatment is needed. And a net risk that sits close to its gross value flags a risk you're essentially not controlling at all.
When qualitative is enough — and when it isn't
The 5×5 approach is qualitative: it ranks risks rather than pricing them. For most organizations, most of the time, that's exactly right — the goal is prioritization, and ranking achieves it at a fraction of the effort of quantitative modeling.
Quantitative methods (expected loss calculations, Monte Carlo simulation, scenario modeling) earn their keep in specific situations: when you're pricing insurance or contractual risk transfers, when a single decision involves enough money that precision pays, or when regulators demand it. If you need to decide whether a CHF 200k control is worth it against a risk, a rough expected-loss estimate — likelihood as a percentage times impact in francs — beats matrix squares.
The pragmatic path many organizations follow: qualitative for the full register, light quantification for the top five to ten risks. All models are wrong; the useful question is whether the analysis is good enough for the decision at hand.
From analysis to action
Remember what the ratings are for. Nobody outside the risk team cares whether a risk scores 12 or 15; they care what happens next. Analysis succeeds when it produces three outputs: a ranked list that survives scrutiny ("why is X above Y?" has an answer), evaluation decisions — which risks exceed appetite and require treatment — and documented reasoning that lets you revisit ratings next quarter and understand why they moved.
Rate honestly, write down why, compare over time. That's the craft. The organizations that master it don't predict the future any better than anyone else — but they're consistently pointing their resources at the right problems, which in practice is almost as good.