12 tips for evaluating risks

Sword GRC Blog


Risk evaluation, understanding the probability of business risks and their potential impacts, is core to the risk management process. In this short blog post, Sword GRC Marketing Manager Jenny Ritson-Smith provides 12 risk evaluation tips to help risk professionals assess uncertainty and determine which threats should command the most attention, so that the best decisions can be made about mitigating them.

“Technological; supply chain; health and safety; staff-related… any risk that could be detrimental to either project or business goals should be carefully evaluated,” Jenny advises. “It’s important that organizations determine ways of circumventing threats that have potential for disruption or seek ways of minimizing the effects of risk events.

“Proactive companies will ensure that risk evaluation is part of a robust risk management process. While there are many methodologies available, many organizations choose to combine risk assessment with risk registers in order to estimate risks and determine their significance – which risks matter most and should be prioritized accordingly.”

  1. Conduct qualitative or quantitative risk assessment – qualitative assessments are quicker to perform and need fewer resources than the more in-depth quantitative assessments that may be required to support decision-making
  2. Remember to differentiate probability (the likelihood of a risk occurring) from impact (the consequence of risk occurring)
  3. In qualitative assessment, probability and consequence are typically given verbal rather than numerical estimates – e.g., low likelihood or high likelihood. In quantitative assessment, risks are numerically scored
  4. Calculate risk scores by multiplying risk probability by risk impact. If time-to-impact is of concern, include a velocity rating, using the formula: (Probability + Velocity) x Impact = Risk Score
  5. Determine your project risk thresholds – at what point do risks exceed tolerance levels?
  6. Remember, there can be numerous causal factors and multiple impacts for a single risk
  7. The risk landscape is constantly evolving – periodic risk reviews and evaluations are recommended for risk management best practice
  8. The combination of numerous small risks can result in significant risk exposure – add up individual risk scores to determine your total project risk score
  9. Don’t forget that the same risk can re-occur at different stages of the project lifecycle. Check that your risk responses work effectively and make tweaks to controls as necessary
  10. With less time to respond and greater uncertainty, a risk that may occur at a later stage of a project can be a higher risk than the same risk occurring at project outset or earlier on
  11. Try to involve all stakeholders in risk evaluation – this may help to improve the quality of your risk information, but be mindful of differences in risk perception
  12. Developing greater objectivity in the way that risks are evaluated and analysed could help maximize precision, further enhancing risk management
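The scoring tips above (tips 3, 4, 5 and 8) can be worked through on a small risk register. The following is an added example written for this post; it is not Sword GRC's code and not the Active Risk Manager product. It assumes a 1–5 rating scale, maps the qualitative terms low/medium/high to 1/3/5 (an assumption, not a standard), applies the plain Probability x Impact score, switches to the (Probability + Velocity) x Impact formula when a velocity rating is present, flags risks that exceed a per-risk threshold, and sums the register to give the total project risk score. The register entries are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Assumed mapping of qualitative ratings onto a 1-5 numeric scale.
QUALITATIVE = {"low": 1, "medium": 3, "high": 5}

Rating = Union[str, int, float]


@dataclass
class Risk:
    """One register entry. Ratings may be qualitative ('high') or numeric (1-5)."""
    name: str
    probability: Rating
    impact: Rating
    velocity: Optional[Rating] = None  # time-to-impact rating, only if it matters


def rating(value: Rating) -> float:
    """Normalise a qualitative or numeric rating to a number on the 1-5 scale."""
    if isinstance(value, str):
        return QUALITATIVE[value.strip().lower()]
    if not 1 <= value <= 5:
        raise ValueError(f"rating {value!r} is outside the 1-5 scale")
    return float(value)


def risk_score(risk: Risk) -> float:
    """Tip 4: Probability x Impact, or (Probability + Velocity) x Impact."""
    p, i = rating(risk.probability), rating(risk.impact)
    if risk.velocity is None:
        return p * i
    return (p + rating(risk.velocity)) * i


def rank(risks: List[Risk]) -> List[str]:
    """Risk names ordered from highest to lowest score (which risks matter most)."""
    return [r.name for r in sorted(risks, key=risk_score, reverse=True)]


def exceeds_threshold(risks: List[Risk], threshold: float) -> List[str]:
    """Tip 5: names of risks whose score is above the tolerance threshold."""
    return [r.name for r in risks if risk_score(r) > threshold]


def project_exposure(risks: List[Risk]) -> float:
    """Tip 8: total project risk score is the sum of the individual scores."""
    return sum(risk_score(r) for r in risks)


# Constructed sample register (not real project data).
REGISTER = [
    Risk("Supplier outage", "high", "high", velocity="medium"),   # (5+3)*5 = 40
    Risk("Key engineer leaves", "medium", 4),                     # 3*4   = 12
    Risk("Tooling defect", "low", "low"),                         # 1*1   = 1
    Risk("Scope creep", 2, 3),                                    # 2*3   = 6
    Risk("Minor config drift", "low", 2),                         # 1*2   = 2
]

if __name__ == "__main__":
    for name in rank(REGISTER):
        risk = next(r for r in REGISTER if r.name == name)
        print(f"{name:22s} score={risk_score(risk):5.1f}")
    print("above per-risk threshold 20:", exceeds_threshold(REGISTER, 20))
    print("total project risk score:", project_exposure(REGISTER))
```

Only one entry is above the per-risk threshold of 20, yet the total of 61 is dominated by the sum of the remaining small risks plus that one, which is the point of tip 8: the aggregate, not just the top-ranked item, should be compared against the project's tolerance level.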

“If anything, I would suggest that risk professionals stay up-to-date with risk management best practices. The whitepaper guidance produced is a great resource, offering authoritative insights from a trusted source.

BowTie risk evaluation

“If you are looking for a best-in-class risk analysis tool, Active Risk Manager’s BowTie functionality allows risk professionals to create classic BowTie risk analysis structures, enabling the analysis of causes of potential threats, preventative measures, incident scenarios, and consequences, factoring in recovery or mitigation practices.”