Risk ranking is based on a matrix with axes for likelihood and impact. There are several types of risk matrices, at TeamSuccess we use the qualitative 5 x 5 matrix. The combination of the likelihood and impact gives us a risk rank.
There are both benefits and challenges to using a Risk Matrix. Risk matrices are simple to use, however they sometimes give a false sense of security.
The example matrix above categorizes risks into 3 levels; low, medium and high. The risks in the green area are low risk and low likelihood. Risks in the red area are high impact and high likelihood.
It's important to be very careful with low likelihood, high impact events. Gordon Graham explains High-Risk, Low-Frequency Incidents in an entertaining way. We highly recommend watching his video on the topic:
The assessment of risk's likelihood and impact is an estimate only, doesn't include an assessment of timeframes (for example when the risk might materialize), and is often biased.
Sometimes assigning a risk rating can oversimplify the complexity, and doesn't take into account how risks interact with each other.
However, a qualitative approach of rating risks makes it easier to understand and observe the level of risk. It's a simple method to implement, and introduce to a team not yet familiar with risk management. It promotes discussion, makes the analysis process faster, and helps to evaluate the most important areas of risk.