A risk or issue may have three different scores, depending on your configuration. These are:
- Original Score
- This is the score of the risk/issue when it was first identified. This should remain the same throughout the life of the risk/issue. Without any actions or controls, this is the inherent risk.
- Current Score
- This is the score at the last review of the risk/issue and should take account of the action progress and any controls which have been put in place or improved. This is the current residual risk The residual risk should always be equal to, or less than the inherent risk.
- Target Score
- This is the score at which the risk/issue exposure becomes acceptable and assumes all identified actions and controls have been put in place. This is the target residual risk.
For each type of score above, a risk/issue will be assessed for the level of impact, should it occur, and the likelihood of it occurring. Multiple types of impact may be defined and the impact score will then be the highest of these. Each of the two components (impact and likelihood) is scored on a 1 to 5 scale and the overall score determined by multiplying the two components together.
For example, if a risk has a financial impact score of 4, a reputation impact of 3 and a likelihood of 2, then it's overall score will be 8; the highest impact is 4.