Just about every risk register in existence uses the same formula:
Likelihood × Impact = Risk Score.
It feels tidy. Quantitative. Defensible. But in practice it’s often misleading.
Because while the math looks clean, the inputs are usually guesswork. “Medium likelihood.” “High impact.” Based on what, exactly? Someone’s gut? A workshop discussion from three years ago?
The truth is, most risk scoring models are broken (and GRC teams know it). But fixing them doesn’t mean tossing out the whole idea. It means making the model useful, not just usable.
The Illusion of Precision
One of the biggest traps in risk scoring is the illusion of precision. You assign numbers to vague categories, then multiply them as if they’re facts. A “3” for likelihood and a “4” for impact gives you a “12.” Great. But what does 12 mean?
Without clear definitions, calibration, and context, these numbers don’t guide decisions. They just fill dashboards.
Even worse, subjective scoring can be manipulated – not out of malice, but to justify a preferred narrative. A team that wants funding can inflate scores. A team that wants to avoid attention can downplay them. Suddenly, your “data-driven” process is anything but.
The Real Goal of Risk Scoring
Risk scoring isn’t about math. It’s about prioritization. You’re trying to answer one essential question:
Where should we focus our limited time and resources?
If your model isn’t helping you do that clearly and consistently, it’s not working.
How to Make Your Risk Scoring Actually Useful
- Define your scales with real-world clarity
Don’t just say “high impact.” Describe what that actually means in your organization. Is it financial loss? Reputational damage? Operational downtime? Be specific and consistent. - Use ranges, not just multipliers
Instead of locking into a single risk score, consider using thresholds or ranges to group risks. This makes prioritization clearer and avoids the trap of over-precision. - Calibrate across the enterprise
A “4” in one department shouldn’t mean something totally different in another. Calibrate your scoring with examples, peer review, and cross-functional input to align interpretation. - Layer in context
Risk isn’t static. A “moderate” risk during steady-state operations might become “high” during an acquisition or system migration. Include contextual flags that can dynamically influence scoring. - Show your work
Subjectivity isn’t the enemy, but undocumented subjectivity is. Capture rationale. Keep a record of how scores were decided. This not only improves audits, it makes reassessment easier.
Bonus Thought: Stop Worshipping the Heat Map
We love to rank risks in colorful grids. But once you’ve built a 5×5 matrix, your work isn’t done. The goal isn’t to plot, it’s to act. Make sure your risk scoring directly informs treatment decisions, escalation paths, and monitoring priorities.
If it doesn’t drive action, it’s just decoration.
From Math Exercise to Management Tool
Risk scoring doesn’t have to be perfect. In fact, it never will be. Risk is inherently uncertain, and no model can eliminate subjectivity entirely. But it can be structured, transparent, and consistently applied. That’s what makes it useful.
The goal isn’t to produce an exact number that impresses a regulator. The goal is to enable conversations that help your organization decide where to pay attention, what to monitor more closely, and what can safely wait.
So stop pretending your “12” is a fact. That number should be a signal (not a verdict). It’s a starting point for discussion, not the final answer.
A good risk scoring model doesn’t just rank risks. It helps teams explain why something matters, compare competing priorities, and make smarter tradeoffs with limited resources. It supports alignment across silos, gives leadership clarity, and makes it easier to justify or challenge how decisions get made.
That’s what turns a math exercise into a management tool.
That’s what good risk scoring actually looks like.
Want help rethinking how you assess, score, and prioritize risk? Let’s talk.
