A risk assessment should focus on likelihood and impact to help you prioritize risks

Understand why likelihood and impact are the core of any risk assessment. Learn how scoring both dimensions helps you prioritize threats, allocate resources, and tailor controls. Other metrics add context, but true risk management focuses on what could happen and how it could affect operations.

Multiple Choice

What key factor should be included in risk assessment?

Explanation:
In risk assessment, the key factor that should be included is the likelihood and impact of identified risks. This aspect is crucial because it enables organizations to prioritize risks based on their potential effect on business objectives and operations. By quantifying how likely a risk is to occur and the extent of its impact, organizations can allocate resources more effectively, implement appropriate controls, and develop strategies for risk mitigation. Understanding both the likelihood and impact allows risk managers to create a risk profile that accurately reflects the organization's risk landscape. This profile helps leadership make informed decisions about where to focus efforts in reducing or managing risks. In essence, assessing these factors provides a comprehensive view of risks, which is fundamental for effective operational risk management.

While employee turnover rates, quality of service provided, and customer satisfaction scores are all important metrics for assessing a company's performance, they do not directly address the inherent risks that may affect operations. Those metrics can provide context or insights into the operational environment but do not serve as the primary elements for a structured risk assessment that responds directly to the potential threats an organization might face.

Outline (skeleton you can skim)

  • Opening hook: risk assessment as weather forecasting for a business
  • What risk assessment is and why it matters in ORM

  • The key factor: likelihood and impact of identified risks

  • Why other metrics aren’t the core risk signal (employee turnover, service quality, customer satisfaction)

  • How to measure likelihood and impact in practical terms

  • A simple, repeatable risk assessment workflow

  • Common traps and how to sidestep them

  • Real-world flavor: analogies and quick examples

  • Quick tools and standards that anchor the practice

  • Takeaway: keep your focus on likelihood and impact to steer the ship

Article: The heart of ORM risk assessment: likelihood and impact

Let me ask you something. If you had to pick one factor that tells you where the real trouble lies, what would you choose? In operational risk management, the answer almost always comes down to the likelihood of something going wrong and the impact it would have if it did. Think of it as weather forecasting for business: you’re not worried about every cloud (that would bury you in noise); you’re worried about the storms with a real chance of soaking you or knocking out your operations.

What risk assessment is really about

Operational risk management isn’t about chasing every tiny hiccup. It’s about identifying credible threats to objectives, understanding how likely they are to occur, and estimating how badly they could bite. When leaders have a clear view of which risks are both probable and consequential, they can allocate scarce resources with discipline. They can decide where to strengthen controls, where to build resilience, and where to accept small, manageable risk because its cost is lower than the protection it would require.

The core factor: likelihood and impact

Here’s the core idea in plain terms: for each identified risk, estimate two things — how likely it is to happen (likelihood) and how serious the consequences would be if it does (impact). Multiply or otherwise combine those two dimensions to create a risk ranking. This is the backbone of most risk matrices you’ll see in ORM discussions, risk dashboards, and even boardroom briefings.

Why this pair matters more than other metrics

Some numbers are great for measuring performance, but they aren’t the best compass for risk. Employee turnover rates, quality of service, and customer satisfaction scores tell you about day-to-day performance and sentiment. They don’t directly answer, “What threats could derail our key objectives, and how bad would that be?” Sure, a high turnover rate might hint at process fragility or culture gaps, and a dip in service quality could signal procedural risks. But those signals are context, not the primary signal. In risk assessment, you want a direct line to threats and their potential consequences, not just symptoms. That’s why likelihood and impact sit at the center.

How to measure likelihood and impact in practical terms

You don’t need a PhD in mathematics to apply this well. Start with a simple, intuitive scale you can maintain. A common approach uses a 3- or 5-point scale for both dimensions:

  • Likelihood: Rare, Unlikely, Possible, Likely, Almost Certain (or 1–5)

  • Impact: Insignificant, Minor, Moderate, Major, Catastrophic (or 1–5)

For each risk, assign numbers for both. Then you can create a combined risk score (for example, a 5x5 matrix or a simple product of likelihood and impact). The exact method isn’t sacred—the point is to have a consistent, transparent way to compare risks.

Where to pull the data from? A mixed bag keeps you honest:

  • Historical incident data and near-misses

  • Control effectiveness and residual risk after safeguards

  • Expert opinion from process owners and frontline staff

  • Scenario analysis and stress testing for plausible futures

  • External data sources like supplier risk alerts, regulatory changes, or market shifts

A practical, repeatable workflow

If you want a workflow you can actually use, here’s a friendly, bread-and-butter approach:

  1. Identify the objectives and the big threat categories. Start from the business plan, then map what could derail critical objectives: operations, compliance, safety, reputation, and financial performance.

  2. Gather risk inputs. Talk to process owners, review incident logs, and pull in audit findings. Don’t rely on one source—triangulation helps.

  3. Assess likelihood and impact for each risk. Use your scales, and document the what, how, and why behind each rating so someone else can follow your thinking later.

  4. Rank and prioritize. Focus on the top-right corner of your risk matrix: high likelihood and high impact. These are the risks that deserve the most attention and resources.

  5. Decide on controls and actions. Design/adjust mitigations, assign ownership, and set measurable targets. This isn’t a one-and-done task; it’s a cycle with ongoing monitoring.

  6. Monitor and adjust. Track changes in likelihood or impact as conditions evolve. A risk that was moderate today might spike tomorrow if a critical control weakens or a supplier changes terms.

  7. Communicate clearly. Build dashboards or crisp briefings for leadership that tell the risk story in plain language, with visuals like heat maps to make the message stick.
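The 5-point scales above and steps 3 to 5 of the workflow (assess, rank, decide on controls) can be carried out in a small script. The following Python risk register is an added example, not code from the original article: it scores inherent risk, scores residual risk after existing controls (refusing a residual score that exceeds the inherent one), bands each score, ranks the register with impact as the tie-breaker, and lays the residual scores out on the 5x5 heat map described later in the article. The band cut-offs and the four sample risks are constructed assumptions; replace them with your own appetite and inventory.

```python
"""Likelihood x impact scoring for an operational risk register (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# 5-point scales from the article (1 = lowest, 5 = highest)
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Band thresholds on the product score: assumed cut-offs, tune to your own risk appetite
BANDS = ((15, "Critical"), (10, "High"), (5, "Medium"), (1, "Low"))


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str
    likelihood: int           # inherent likelihood, 1-5
    impact: int               # inherent impact, 1-5
    residual_likelihood: int  # likelihood after existing controls, 1-5
    residual_impact: int      # impact after existing controls, 1-5
    rationale: str            # the "what, how and why" behind the rating (step 3)


def score(likelihood: int, impact: int) -> int:
    """Combine the two dimensions as a simple product; reject off-scale values."""
    for label, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{label} must be 1-5, got {value}")
    return likelihood * impact


def band(risk_score: int) -> str:
    """Map a 1-25 score to a heat-map band."""
    for threshold, label in BANDS:
        if risk_score >= threshold:
            return label
    raise ValueError(f"score out of range: {risk_score}")


def inherent(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def residual(risk: Risk) -> int:
    """Risk that remains after safeguards; controls can only reduce it, never raise it."""
    remaining = score(risk.residual_likelihood, risk.residual_impact)
    if remaining > inherent(risk):
        raise ValueError(f"{risk.name}: residual risk cannot exceed inherent risk")
    return remaining


def rank(register: list[Risk]) -> list[Risk]:
    """Highest residual score first; on ties the bigger impact wins, because a 5x1
    and a 1x5 both score 5 but only one of them can sink operations in one event."""
    return sorted(register, key=lambda r: (-residual(r), -r.residual_impact, r.name))


def heat_map(register: list[Risk]) -> list[list[list[str]]]:
    """Residual 5x5 grid: rows are impact 5 down to 1, columns are likelihood 1 to 5."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in register:
        grid[5 - r.residual_impact][r.residual_likelihood - 1].append(r.name)
    return grid


def render(grid: list[list[list[str]]]) -> str:
    lines = []
    for i, row in enumerate(grid):
        cells = [", ".join(c) if c else "." for c in row]
        lines.append(f"impact {5 - i} | " + " | ".join(cells))
    lines.append("           likelihood 1 .. 5 ->")
    return "\n".join(lines)


# Constructed sample register (illustrative values, not real findings)
REGISTER = [
    Risk("Key supplier outage", "Ops lead", 4, 4, 2, 4,
         "Two outages last year; dual-sourcing cuts likelihood but not impact"),
    Risk("Ransomware on order system", "IT security", 3, 5, 2, 3,
         "Sector-wide incidents; tested offline backups shorten recovery"),
    Risk("Data-entry errors in invoicing", "Finance", 5, 1, 4, 1,
         "Daily but cheap; validation rules catch some"),
    Risk("Missed regulatory filing", "Compliance", 2, 4, 1, 4,
         "Calendar controls and dual sign-off; the penalty is unchanged if missed"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.name:<32} inherent {inherent(r):>2} ({band(inherent(r))}) "
              f"residual {residual(r):>2} ({band(residual(r))})  owner: {r.owner}")
    print(render(heat_map(REGISTER)))
```

Run it as a script to get the ranked table and the text heat map. The point worth noticing in the output is that the two sample risks with a residual score of 4 are not interchangeable: the filing risk keeps a Major impact and is ranked above the cheap but frequent invoicing errors, which a bare product score would hide.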

A note on practicality: keep it simple, but keep it honest

People worry about making risk assessment too abstract. It doesn’t have to be. A well-kept risk register, a clean matrix, and a couple of well-chosen scenarios can carry more weight than pages of theory. The goal is to create a shared mental model. When people across the organization understand what could happen and how bad it would be, they make better decisions, faster.

Common traps—and how to dodge them

  • Treating metrics as checklists. If you’re simply ticking boxes without digging into why a risk has a high likelihood or a big impact, you’re blind to the dynamics driving the numbers.

  • Relying on a single data source. One department’s view can tilt the picture. Mix data: incidents, controls, tests, and expert judgment.

  • Underestimating the effect of root causes. Don’t just rate risk; chase the underlying drivers. If you fix the symptom but ignore the cause, the risk returns.

  • Ignoring residual risk after controls. A good assessment notes not only the initial risk, but what remains after safeguards are in place.

Real-world flavor to ground the concept

Here’s a quick analogy that helps people grasp the logic. Imagine you’re planning a weekend trip. A weather app predicts a 70% chance of rain (likelihood) and forecasts heavy rain if it happens (impact). You’d probably pack a rain jacket, reschedule outdoor plans, or even choose a different destination. Your decision isn’t about whether rain might fall; it’s about how likely it is and how hard it would hit your plans. Operational risk management works the same way: you don’t chase every cloud, you assess which clouds threaten your plans most and respond accordingly.

Another way to think about it is a risk heat map. Picture a grid, with likelihood on the horizontal axis and impact on the vertical axis. Each risk lands somewhere in that square. The ones in the upper-right corner demand action; those in the lower-left are less urgent. This visual helps teams align around priorities and communicates clearly to stakeholders who don’t live in the details every day.

Tools, standards, and sources you can lean on

  • ISO 31000 provides a broad framework for risk management governance, though you’ll see many teams adapt it to their own systems.

  • COSO ERM offers a practical way to think about risk governance and the integration of risk across the organization.

  • The FAIR model (Factor Analysis of Information Risk) is a more data-driven approach for information risk, useful if you’re focused on IT and digital risk.

  • Simple risk matrices, dashboards, and heat maps built in tools you already use (Excel, Power BI, or your favorite GRC platform) can do the job without adding friction.

  • Scenario planning guides you through “what if” thinking, which is essential for understanding how likelihood and impact might shift when conditions change.

Putting it all together: the essential takeaway

When you’re building or refining an ORM program, anchor your work on likelihood and impact. It’s not the flashiest phrase, but it’s the most practical compass for decision-making. Other metrics—like turnover or satisfaction—have their place as context or indicators of sub-process health, but they don’t inherently map to the risk of business disruption. If you measure and manage risks through the lens of how likely they are to occur and how badly they would bite, you’ll end up with a clearer, more actionable risk profile.

So, what’s the next step you can take today? Start with a focused risk inventory in your area of responsibility. Gather a few credible data points, pick your scales, and run through a quick assessment of the top five risks you see looming. Document the reasoning behind each rating, assign owners, and set a couple of concrete follow-up actions. Before you know it, you’ll have a living map that helps leadership steer with confidence rather than guesswork.

A final thought to keep in mind: risk assessment isn’t a one-off exercise. It’s a rhythm—the drumbeat of vigilance that keeps operations steady even when the weather shifts. And yes, the right factor—the likelihood and impact of identified risks—keeps beating at the center.

