Risk 360

Risk Impact vs Risk Likelihood: The Essential Difference

Risk impact and risk likelihood are the two basic coordinates of risk thinking. One tells you how bad it could be; the other tells you how often or how easily it could happen. Look at either one in isolation, and your risk view stays flat. Combine them, and you get a map for prioritising action.

Risk impact is the potential consequence if a risk materialises. It answers the question: “If this happens, how bad is it for our objectives?” Impact can be expressed in money, time, safety incidents, regulatory outcomes, reputation damage, customer experience or strategic setbacks.

Risk likelihood is the chance that a risk event will occur within a defined time frame or context. It answers the question: “How probable is it that this will actually happen?” Likelihood can be described qualitatively (“rare”, “possible”, “almost certain”) or quantitatively (probabilities, frequencies, expected counts).

In simple terms:

  • Impact = severity of the punch.
  • Likelihood = probability of being hit.

Why Treating Them Separately Matters

Many organisations instinctively focus on one more than the other:

  • If you obsess over impact only, you chase every scary scenario, even those that are extremely unlikely, and risk paralysing the business.
  • If you obsess over likelihood only, you ignore high-impact, low-probability events until they happen – at which point it is too late.

Separating the two helps you:

  • Avoid panic about dramatic but extremely rare risks.
  • Avoid complacency about quiet but frequent risks.
  • Have more nuanced conversations: “Yes, this is unlikely, but impact is catastrophic” or “Yes, this happens often, but impact is minor.”

Measuring Risk Impact

Impact should be defined in the language of your objectives. Typical dimensions include:

  • Financial: Financial risks such as loss amount, earnings hit, cost overruns, write-offs, capital erosion. 
  • Customer & business continuity: Business risks such as downtime, service disruption, lost customers, SLA breaches.
  • People & safety: injuries, fatalities, mental health impact, staff turnover.
  • Regulatory & legal: Regulatory risks and legal risks such as fines, sanctions, licence restrictions, litigation.
  • Reputation & trust: Reputational risks arising from negative media, social backlash, rating downgrades, partner exits. 
  • Strategic: Strategic risks such as delay or derailment of key initiatives, loss of competitive position.

Organisations often use qualitative bands (insignificant, minor, moderate, major, severe) and, where possible, anchor them with thresholds – for example, “major” = more than X days of downtime or more than Y% impact on profit.

Good practice is to:

  • Define impact criteria before assessing individual risks, whether qualitative or quantitative, to avoid moving the goalposts.
  • Keep thresholds realistic and tailored to scale (what is “major” for a start-up is routine noise for a large conglomerate).
  • Consider worst credible impact, not just typical impact, especially for critical risks.

Measuring Risk Likelihood

Likelihood is about how often or how easily something might happen. It can be approached in several ways:

  • Qualitative scales:
    • Rare: may occur only in exceptional circumstances.
    • Unlikely: could happen, but not expected.
    • Possible: might occur at some time.
    • Likely: will probably occur.
    • Almost certain: expected to occur in most circumstances.
  • Quantitative approximations: 
    • Probabilities (e.g., 1% annual chance).
    • Frequencies (e.g., once in 10 years, 3 times per year).
    • Historical rates (e.g., observed default rates, incident counts).

Challenges include: data risks, changing environments and human bias. To improve risk analytics and likelihood assessment:  

  • Implement data-driven risk management solutions (include data such as incidents, near misses and external benchmarks).
  • Combine data with expert judgement, especially for emerging risks.
  • Review likelihood periodically; what was “rare” yesterday may be “possible” today.

The Risk Matrix: Where Impact Meets Likelihood

The classic risk matrix plots likelihood on one axis and impact on the other. Each risk is placed where the two meet, creating zones like “low”, “medium”, “high” or “extreme” risk.

This allows you to:

  • Prioritise: high-impact/high-likelihood risks demand immediate attention; low-impact/low-likelihood risks can be accepted or monitored.
  • Differentiate strategies:
    • High impact, low likelihood (catastrophic but rare): focus on risk resilience, contingency plans and insurance.
    • High likelihood, low impact (frequent but small): focus on process improvements and automation.
    • Medium-medium: use cost-benefit analysis to decide how much to invest in controls.

However, risk matrices are only as good as the thinking behind them. They should be a conversation tool, not a mechanical sorting box.

Common Pitfalls in Using Impact and Likelihood

  1. Collapsing them into a single vague “risk level”
    Saying “this is a high risk” without specifying whether it is high impact, high likelihood or both hides crucial information. Always keep the two dimensions visible.
  2. Assuming impact and likelihood are independent
    In reality, controls that lower likelihood can also lower impact, and vice versa. As conditions change (e.g., economy, regulation, technology), both can shift.
  3. Static, one-off assessments
    Treating impact and likelihood as fixed numbers ignores dynamics. For instance, as an organisation becomes more dependent on a single supplier, both impact and likelihood of disruption may rise.
  4. Ignoring tail risks
    Focusing only on “most likely” impact underplays extreme but credible scenarios. For critical risks (e.g., safety, cyber, compliance), you need to understand the tail as well.
  5. Over-precision for weak data
    Using very fine-grained numerical scales can give an illusion of accuracy. Where data is sparse, it is better to use broad bands with clear definitions and document assumptions. 

Linking Impact and Likelihood to Risk Response

How you treat a risk should depend on the risk’s position in the impact–likelihood space:

  • High impact / high likelihood
    • Strong controls and risk mitigation.
    • Clear ownership and tight monitoring.
    • Possibly risk transfer (insurance, contracts) and contingency plans.
  • High impact / low likelihood
    • Focus on resilience, emergency response, business continuity and disaster recovery.
    • Consider insurance or financial buffers.
    • Regular scenario exercises and simulations.
  • Low impact / high likelihood
    • Streamline and automate controls so they are cost-effective.
    • Use process re-engineering or technology to reduce frequency.
    • Often suitable for risk reduction through efficiency projects.
  • Low impact / low likelihood
    • Typically accepted with minimal specific action.
    • Monitored periodically in case conditions change.
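The following sketch is an added example, not part of the original article: it bands a small risk register on both axes, keeps both coordinates in the output, and picks a response family by quadrant. The band thresholds, zone cut-offs, Poisson conversion from frequency to annual probability, and the sample risks are all assumptions constructed for illustration.

```python
import math

# Assumed criteria, constructed for illustration: upper bounds per band.
LIKELIHOOD = [(0.02, "rare"), (0.10, "unlikely"), (0.35, "possible"),
              (0.75, "likely"), (1.01, "almost certain")]   # annual probability
IMPACT = [(0.001, "insignificant"), (0.01, "minor"), (0.05, "moderate"),
          (0.20, "major"), (math.inf, "severe")]            # share of annual profit

def band(value, bands):
    """Index and label of the first band whose upper bound exceeds value."""
    for index, (upper, label) in enumerate(bands):
        if value < upper:
            return index, label
    raise ValueError(f"{value} is outside the defined bands")

def zone(l_idx, i_idx):
    """Matrix zone from the product of 1-based band positions (assumed cut-offs)."""
    score = (l_idx + 1) * (i_idx + 1)
    return "low" if score <= 4 else "medium" if score <= 9 else "high" if score <= 16 else "extreme"

def response(l_idx, i_idx):
    """Response family by quadrant; 'high' means the top two bands."""
    if l_idx == 2 and i_idx == 2:
        return "cost-benefit analysis of controls"
    high_l, high_i = l_idx >= 3, i_idx >= 3
    if high_i and high_l:
        return "strong controls, clear ownership, tight monitoring"
    if high_i:
        return "resilience, contingency plans, insurance"
    if high_l:
        return "streamline and automate controls"
    return "accept and monitor"

def assess(events_per_year, worst_credible_loss, annual_profit):
    # Frequency -> chance of at least one event in a year (Poisson assumption).
    p = 1.0 - math.exp(-events_per_year)
    l_idx, l_label = band(p, LIKELIHOOD)
    i_idx, i_label = band(worst_credible_loss / annual_profit, IMPACT)
    return {"likelihood": l_label, "impact": i_label,
            "zone": zone(l_idx, i_idx), "response": response(l_idx, i_idx)}

# Constructed sample register: (events per year, worst credible loss).
PROFIT = 10_000_000
REGISTER = {"site loss": (0.01, 5_000_000), "invoice rework": (4, 5_000),
            "core system outage": (0.5, 3_000_000)}
RESULTS = {name: assess(freq, loss, PROFIT) for name, (freq, loss) in REGISTER.items()}

if __name__ == "__main__":
    for name, result in RESULTS.items():
        print(name, result)
```

The first two sample risks land in the same "medium" zone yet call for different responses, which is why the likelihood and impact labels are reported alongside the zone.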

Risk impact and likelihood also link directly to risk appetite:

  • Appetite for high-impact risks may be very low in areas like safety, compliance or core reputation, irrespective of likelihood.
  • For opportunity-type risks (e.g., new products, markets), an organisation may accept higher likelihood of downside if impact is manageable and upside is attractive.

Helping Stakeholders Understand the Distinction

To make impact and likelihood intuitive for boards and teams:

  • Use plain-language examples:
    • “This is unlikely, but if it happens we could lose a year’s profit” (high impact, low likelihood).
    • “This happens every quarter but costs us very little each time” (low impact, high likelihood).
  • Show before/after scenarios:
    • How a new control reduces likelihood.
    • How a continuity plan reduces impact.
  • Keep scales visible in reports and dashboards, not just overall ratings.

When people understand that every risk has two coordinates – how bad and how likely – conversations move away from vague labels (“big risk”, “small risk”) to sharper, more actionable decisions. That is the real power of distinguishing risk impact from risk likelihood in an enterprise risk management strategy: it turns risk from an abstract worry into a structured, prioritised, and ultimately manageable part of strategy and operations.
