This page has been moved to the eSSIF-Lab Framework on Github.
A risk-level a measure for the deviation of the intended realization (results) of a specific objective that its owner uses to represent the priority with which the risk of that objective should be reckoned with.
Risk-levels can be expressed in many forms, such as
- one of the first letters of 'Low', 'Medium', or 'High';
- a digit in the interval [1-n], where n is usually 4, 5 or 9;
- a combination of digits (indicating the expected impact) and letters (indicating the assessed likelihood);
- a color, e.g. one of 'green', 'yellow' and/or 'organge, 'red';
- a combination of character representation (appealing to the conscious mind of the reader) and a color (appealing to its unconscious mind)
Every party that has a risk management process in place should establish its (personal) set of possible risk-levels and decide which criteria to use for assigning such levels to its (managed) objectives in a way that is both meaningful and practical for that party.
Note the difference between risk-level and risk: where risk-level is about expected effects that uncertainties of various kinds may have on the realization of its associated objective, risk is about the kinds of (or: possible) effects that such uncertainties can have.
: NRM, ISO 27000:2016