During the assessment, you may have discovered potential problems that will need to be presented to management in a structured order. This can be done by calculating a risk score. A risk score gives us a way to quantify our findings and determine a prioritized list of what is most important. The risk score takes into account two key items: raw risk and policy control.
Raw risk has two basic components: probability and impact. Probability is the likelihood of an event happening. Impact is the extent of the consequences should that event occur. Multiplying the probability by the impact gives a raw risk score that is easy to chart.