Question - Normalizing Risk Scores

Is there a way to “normalise” the Risk score?

In my business, we use the following formula to provide a consistent 1 - 10 score.

Likelihood = 1 (low) to 5 (high)
Impact = 1 (low) to 5 (high)

Risk_Score = Likelihood x Impact

Risk = (Risk_Score x 10) / 25

It took me a while to get my head around the why, but I have come to love this.

See Normalizing Risk Scoring Across Different Methodologies | SimpleRisk GRC Software for more info and a great write-up on why.

I like Josh; we spoke a decade ago when we were both trying to go somewhere with our respective projects. I truly have respect for him, but I guess everyone (he, you, eramba and the next guy) has different views.

We are updating our documentation, but in the meantime you can read this episode (on our dev environment) that shows a little of what we think of all this: Risk Management | Eramba learning portal