In short
A risk rating is how critical a risk is judged to be - usually derived from likelihood × impact on an agreed scale, then mapped to a band such as Low, Medium or High.
- Formula - Risk Rating = Likelihood × Impact (typically 1–5 on each axis → 1–25 on a 5×5 matrix).
- Under the formula - financial and non-financial impact matrices, plus a likelihood matrix with testable frequency bands. Positions are derived from these definitions, not from gut feel.
- Two layers - gross (before controls) and net/residual (after controls); both belong on the register.
- Where it fails - adjectives without monetary or harm bands, stale scores, and ratings that nobody uses to make decisions.
If you manage risk in a regulated firm, you will hear "risk rating" constantly - in RCSAs, risk registers, committee packs, and regulator conversations. It sounds simple: score how likely something is, score how bad it would be, multiply the two, and you have a priority.
In practice, risk rating is one of the most inconsistently applied concepts in enterprise risk management. Two risk owners can look at the same risk and produce different ratings because they are using different mental models of "likely" and "severe". Boards see heat maps where every risk sits in the middle. Registers carry scores that have not moved in eighteen months despite material incidents.
This article defines what a risk rating is, how to calculate it, how rating bands work, and - importantly - what separates a rating that actually drives decisions from one that is just a number in a spreadsheet.
What Is a Risk Rating?
A risk rating is the classification of a risk's criticality based on how likely it is to occur and how severe the consequences would be if it did. It answers a prioritisation question: relative to everything else on the register, how much attention does this risk deserve right now?
Most ERM and GRC frameworks express risk rating as a number produced by multiplying likelihood and impact, then translate that number into a category - Low, Medium, High, or more granular bands. The methodology is qualitative at its core: you are using structured judgement, not a statistical model, unless your programme has explicitly adopted quantitative methods for specific risk types.
Risk rating is not an end in itself. It exists to support decisions: where to invest in controls, which risks to escalate, what goes on the principal risk page of the board pack, and whether current exposure sits inside risk appetite. If the rating does not change any of those outcomes, it is decoration.
Risk Rating vs Risk Score
Vendors and frameworks use both terms. In most mid-market programmes they mean nearly the same thing, with a slight emphasis difference:
| Term | Typical meaning |
|---|---|
| Risk score | The raw numerical product (e.g. 12 on a 5×5 matrix) |
| Risk rating | The resulting band or label (e.g. Medium) - sometimes used for the whole assessment output |
Pick one vocabulary and use it consistently in your risk register, RCSA templates, and board reporting. Auditors and regulators are far more interested in consistent definitions and evidence than in whether you call the output a "score" or a "rating".
The Risk Rating Formula
The qualitative formula used by most ISO 31000-aligned programmes, COSO ERM implementations, and UK regulated-firm frameworks is (neither standard prescribes the arithmetic; it is the common convention):
```
// Standard risk rating formula
Risk Rating = Likelihood × Impact
```
On a 5×5 risk matrix, each axis is scored from 1 to 5. The product ranges from 1 to 25. Some organisations use a 1–10 scale on each axis (product range 1–100); the 5×5 model is the mid-market default because it is simple enough for boards to read and granular enough for triage.
Worked example: third-party data breach via a key supplier
- Likelihood: 3 (could occur once in the assessment period given current supplier controls)
- Impact: 4 (regulatory notification, client harm, reputational damage)
- Calculation: 3 × 4 = 12
On a common banding of 1–5 Low, 6–12 Medium, 13–25 High, a rating of 12 is Medium - warranting active monitoring and treatment planning, but not necessarily immediate board escalation unless net exposure or appetite thresholds say otherwise.
Where Risk Positions Come From: Financial and Non-Financial Matrices
The multiplication is the easy part. What actually determines whether a risk rating is defensible - and whether two assessors would score the same risk the same way - is what sits underneath the grid: your impact and likelihood matrices.
In a well-run ERM programme, risk positions (the gross and net likelihood × impact scores on the register) are not plucked from intuition. They are derived by scoring each risk against published matrices that define what each level means in practice. Most frameworks separate impact into two layers:
- Financial impact matrix - anchors each impact level to monetary bands sized to your organisation's materiality. For example: Level 1 = up to £50k residual loss; Level 2 = £50k–£250k; Level 3 = £250k–£1m; and so on. The exact thresholds should reflect your ICAAP, management reporting, or board materiality - not a generic template copied from a consultant deck.
- Non-financial impact matrix - describes operational, regulatory, conduct, and reputational harm at each level. Level 3 might mean "regulatory notification required, local supervisory interest"; Level 5 might mean "national enforcement action, franchise-level reputational damage, or loss of licence to operate". Without this layer, two risks can share the same impact score while one implies a manageable fine and another implies existential harm.
- Likelihood matrix - defines credible frequency bands in testable language: less than once in twenty years; once in ten years; multiple events within five years. This lets you compare owner assessments against incident history, loss data, and external benchmarks rather than debating what "unlikely" feels like.
When a risk owner scores impact as 4 and likelihood as 3, they should be able to point to the matrix row and say: "Impact 4 means £250k–£1m financial exposure plus regulatory notification; Likelihood 3 means we expect something in this category roughly once in the assessment period." That is what makes the resulting position - 12 on a 5×5 grid - explainable to a second-line challenger, an auditor, or a non-executive director.
The matrix is the output; the definitions are the input
A 5×5 heat map is a visual summary of positions already scored against your matrices. If the financial and non-financial bands are not written down, the positions float - and the rating is just a number with no ledger behind it. For the visual layer that boards actually see, read the guide to the 5×5 risk matrix and heat maps.
The same matrices apply whether you are setting a gross (inherent) position or a net (residual) position. The difference is the scenario you are scoring against: gross asks "how bad and how likely with no controls?"; net asks "how bad and how likely given controls as they actually operate?" Both positions should be traceable back to the same published definitions - otherwise gross and net scores become incomparable across risks and across quarters.
For judgement-based assessment, well-understood financial and non-financial matrices are what let a risk owner set a residual position directly and still defend it. For formula-based assessment, the matrices provide the anchor points the formula works from. Either way, the matrices are the foundation. For the four assessment approaches built on top, see how to assess enterprise risk.
Risk Rating Categories (Low, Medium, High)
After calculating the numeric rating, organisations map it to pre-defined bands. There is no single universal cut-off - firms define bands to match their risk appetite and reporting needs. A typical 5×5 banding looks like this:
| Band | Score range | Typical response |
|---|---|---|
| Low | 1–5 | Accept and monitor; minimal active treatment unless appetite is very tight |
| Medium | 6–12 | Managed within existing controls; treatment plans where net rating exceeds appetite |
| High | 13–25 | Priority treatment, senior oversight, likely principal-risk or board visibility |
Some firms use five bands (Very Low through Very High) or split Medium into two tiers. That is fine - document the thresholds in your ERM framework and apply them the same way every quarter. The failure mode is not choosing 6–12 vs 6–15 for Medium; it is having no written definition at all, so every assessor invents their own cut-offs.
Gross vs Net Risk Ratings
A single risk usually carries two ratings, not one:
- Gross (inherent) rating - likelihood × impact before controls. Shows the raw severity of the risk.
- Net (residual) rating - likelihood × impact after controls, reflecting how controls reduce likelihood, impact, or both.
The gap between gross and net ratings is one of the most informative outputs in an RCSA or risk register review. A risk with gross 20 and net 6 tells a very different story to a risk with gross 8 and net 6 - even though both net ratings are identical. For full definitions, see gross risk vs net risk vs residual risk explained.
Rating net risk as if controls work perfectly
The most common rating error is scoring net risk based on control design rather than control performance. If a control has never been tested, or failed its last test, it should not fully reduce the net rating. Net ratings should reflect the control environment as it actually operates - which is why RCSA and control testing are linked, not separate exercises.
How to Calculate a Risk Rating: Step by Step
Whether you are running an RCSA workshop or updating the principal risk register, the sequence is consistent:
1. Publish your matrices. Document financial impact bands, non-financial harm descriptors, and likelihood frequency statements in one place - your ERM framework or GRC tool. Do this once, not ad hoc per risk or per workshop.
2. Identify the risk. Write it as cause → event → consequence, not as a vague theme ("cyber" or "people risk").
3. Score gross likelihood and impact. Ignore controls for this step. Ask: if nothing mitigated this, how likely and how bad?
4. Multiply to get the gross rating. Record the number and the band.
5. Map controls and score net likelihood and impact. Reflect which controls actually reduce exposure and by how much.
6. Multiply to get the net rating. Compare to appetite. If outside appetite, define actions with owner and date.
7. Review on a cadence. Re-rate when something material changes - not only when the board meeting is due.
For a full walkthrough of the first-line assessment process, see how to run an effective RCSA step-by-step.
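The sequence above, and the "net risk as if controls work perfectly" error from the previous section, are easier to see end to end in code. The following is an added illustration written for this article; it is not Initia Risk's code or any real firm's methodology. The financial bands above level 3, the non-financial harm descriptors, the frequency cut-offs, the rule that impact is the worse of the two layers, and the rule that a control reduces a level only if its last test passed are all assumptions chosen so that the supplier-breach example lands on the article's 3 × 4 = 12.

```python
"""Gross-to-net risk rating scored against published matrices.

Added illustration, not code from the article or from Initia Risk. All
thresholds below are assumptions (levels 1-3 of the financial matrix follow
the article; the rest is constructed for the example).
"""
from dataclasses import dataclass, field
from typing import Optional

# Financial impact matrix: (upper bound in GBP, exclusive) -> impact level.
FINANCIAL_MATRIX = [(50_000, 1), (250_000, 2), (1_000_000, 3), (5_000_000, 4), (float("inf"), 5)]

# Non-financial impact matrix: harm descriptor -> impact level (assumed descriptors).
NON_FINANCIAL_MATRIX = {
    "no external impact": 1,
    "customer complaints": 2,
    "regulatory notification": 3,
    "enforcement action": 4,
    "loss of licence": 5,
}

# Likelihood matrix: (upper bound on expected events per year, exclusive) -> level,
# built from frequency statements such as "once in twenty years" (1/20) or "once in ten" (1/10).
LIKELIHOOD_MATRIX = [(1 / 20, 1), (1 / 10, 2), (1 / 5, 3), (1.0, 4), (float("inf"), 5)]

# Rating bands on the 5x5 grid, as in the article: (upper bound, inclusive) -> band.
RATING_BANDS = [(5, "Low"), (12, "Medium"), (25, "High")]


def _lookup(matrix, value):
    """Return the level of the first band whose exclusive upper bound exceeds value."""
    for upper, level in matrix:
        if value < upper:
            return level
    raise ValueError(f"{value} is outside the matrix")


def impact_level(loss_gbp: float, harm: str) -> int:
    """Impact is the worse of the financial and non-financial layers (assumed rule)."""
    return max(_lookup(FINANCIAL_MATRIX, loss_gbp), NON_FINANCIAL_MATRIX[harm])


def likelihood_level(events_per_year: float) -> int:
    return _lookup(LIKELIHOOD_MATRIX, events_per_year)


def band(score: int) -> str:
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is off the 5x5 grid")


@dataclass
class Control:
    name: str
    reduces: str                      # "likelihood" or "impact"
    design_levels: int                # levels removed if the control operates as designed
    last_test: Optional[str] = None   # "pass", "fail", or None (never tested)

    def effective_levels(self) -> int:
        # Credit is earned by performance, not design: untested or failed controls count for nothing.
        return self.design_levels if self.last_test == "pass" else 0


@dataclass
class Risk:
    name: str
    gross_loss_gbp: float
    gross_harm: str
    gross_events_per_year: float
    controls: list = field(default_factory=list)


def rate(risk: Risk, appetite_max: int = 12) -> dict:
    """Score gross and net positions, compare net to appetite, list controls that earned no credit."""
    gross_l = likelihood_level(risk.gross_events_per_year)
    gross_i = impact_level(risk.gross_loss_gbp, risk.gross_harm)
    l_cut = sum(c.effective_levels() for c in risk.controls if c.reduces == "likelihood")
    i_cut = sum(c.effective_levels() for c in risk.controls if c.reduces == "impact")
    net_l, net_i = max(1, gross_l - l_cut), max(1, gross_i - i_cut)
    gross, net = gross_l * gross_i, net_l * net_i
    return {
        "gross": (gross_l, gross_i, gross, band(gross)),
        "net": (net_l, net_i, net, band(net)),
        "outside_appetite": net > appetite_max,
        "uncredited_controls": [c.name for c in risk.controls if c.effective_levels() == 0],
    }


# Constructed register entry matching the article's worked example.
SUPPLIER_BREACH = Risk(
    name="Third-party data breach via a key supplier",
    gross_loss_gbp=2_000_000,
    gross_harm="regulatory notification",
    gross_events_per_year=0.5,          # roughly once every two years with nothing mitigating it
    controls=[
        Control("Supplier assurance reviews", "likelihood", 1, last_test="pass"),
        Control("Field-level encryption of shared data", "impact", 1, last_test="fail"),
    ],
)

if __name__ == "__main__":
    for key, value in rate(SUPPLIER_BREACH).items():
        print(f"{key}: {value}")
```

Run as-is, the gross position is 4 × 4 = 16 (High) and the net position is 3 × 4 = 12 (Medium): the assurance reviews earn their one-level likelihood reduction because they passed testing, while the encryption control, which failed its last test, is listed under uncredited controls and leaves impact at 4. Mark that control as passing and net drops to 3 × 3 = 9, which is the gap between design and performance the article warns about.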
What Makes a Risk Rating Defensible?
Regulators and auditors rarely challenge the formula. They challenge whether the rating can be explained. A defensible rating has:
- Published financial and non-financial matrices - so "impact 4" means the same monetary band and the same non-financial harm descriptor to operations, compliance, and the board.
- A named owner - someone who can explain why the rating is what it is without reading from a script.
- Evidence or rationale - incident data, control test results, KRI trends, or documented judgement where data is limited.
- Movement tracking - a record of when the rating changed and why, visible quarter to quarter in board-ready risk reporting.
- Consistency - the same methodology applied across business units, not a different mental model in every workshop.
Where Risk Ratings Break Down
Most programmes have ratings. Fewer have ratings that anyone trusts. The patterns are predictable:
- Everything is Medium - assessors avoid extremes; the heat map becomes a uniform amber block with no triage value.
- Stale ratings - scores set eighteen months ago, unchanged despite incidents, regulatory change, or control failures.
- Implicit scales - no published financial or non-financial matrices; each owner interprets "likely" and "severe" differently.
- Net-only reporting - boards see post-control ratings without gross context, understating control dependency.
- Ratings disconnected from actions - High-rated risks with no open actions, or actions with no link back to the score.
- Spreadsheet drift - multiple versions of the register with different ratings for the same risk ID.
The fix is rarely a better formula. It is making the rating live in a system the first line actually uses - where controls, assessments, and movement history sit on the same record as the score. That is the gap most generic "how to calculate risk rating" guides skip: the arithmetic is easy; keeping ratings honest over time is the hard part.
Qualitative vs Quantitative Risk Ratings
Everything above describes qualitative risk rating - structured scales and expert judgement. That is what most mid-market ERM programmes run on, and what boards expect to see in principal risk reports.
Quantitative risk rating uses statistical models, loss data, and probability distributions to produce financial risk figures (VaR, expected loss, scenario outputs). It is appropriate for market risk, credit portfolios, and capital modelling - not for every operational risk on the register.
A mature programme is deliberate about which risks get qualitative ratings and which warrant quantitative treatment. Trying to quantify everything usually produces false precision; rating everything qualitatively without definitions produces false consistency. The right answer is usually a blend, documented in the ERM framework.
How Initia Risk Handles Risk Ratings
Initia Risk is built around the gross-to-net rating model: each risk carries gross and net positions on your configured matrix, linked to controls and assessments. The financial and non-financial impact matrices and likelihood matrix are fully customisable in the tool - so the definitions that drive positions live in one place, not scattered across framework PDFs and workshop slides.
When a risk owner scores a position, they are scoring against those published matrices. The platform supports both formula-driven residual ratings (derived from control type, importance, and effectiveness) and judgement-based ratings where the owner sets the position directly - grounded in the same matrix definitions either way, with a full audit trail. Heat maps and board-ready exports show movement over time, so "what changed this quarter" is visible without rebuilding slides from spreadsheets.
If your ratings live in a workbook that nobody updates between board cycles, the problem is not the formula - it is the operating model. Book a conversation if you want to see what connected ratings look like in practice.
Key Takeaways
- A risk rating classifies criticality from likelihood and impact - usually Likelihood × Impact on a 5×5 scale.
- Positions come from matrices - financial impact bands, non-financial harm descriptors, and testable likelihood frequency. Without these, the rating is just a number.
- Score vs rating - use consistent vocabulary; the number and the band both matter.
- Gross and net - capture both; the gap shows control effectiveness.
- Bands are yours to define - but they must be written down and applied consistently.
- Defensibility comes from definitions, owners, evidence, and movement - not from the multiplication itself.
- The hard part is keeping ratings current and connected to decisions - not calculating them once.
Related reading: the 5×5 risk matrix explained, gross vs net vs residual risk, what a risk register is, and the GRC glossary for quick definitions.