Risk level


This page has been moved to the eSSIF-Lab Framework on Github.

Short Description

A risk-level is a measure for the deviation of the intended realization (results) of a specific objective, which the owner of that objective uses to represent the priority with which the risk of that objective should be reckoned with.

Risk-levels can be expressed in many forms, such as

  • one of the first letters of 'Low', 'Medium', or 'High';
  • a digit in the interval [1-n], where n is usually 4, 5 or 9;
  • a combination of digits (indicating the expected impact) and letters (indicating the assessed likelihood);
  • a color, e.g. one of 'green', 'yellow' and/or 'orange', 'red';
  • a combination of character representation (appealing to the conscious mind of the reader) and a color (appealing to its unconscious mind).

Every party that has a risk management process in place should establish its (personal) set of possible risk-levels and decide which criteria to use for assigning such levels to its (managed) objectives in a way that is both meaningful and practical for that party.

Note the difference between risk-level and risk: where risk-level is about expected effects that uncertainties of various kinds may have on the realization of its associated objective, risk is about the kinds of (or: possible) effects that such uncertainties can have.


The purpose of risk-levels is to enable the party that has defined them to compare them, which allows it to prioritize the risks/objectives that it needs to manage.

