OPSEC step 4 – assessment of risk

Risk is a measure of how much an organization is exposed to danger. Once vulnerabilities are identified, each must go through the organization's risk process, which evaluates the vulnerability and assigns it a risk level based on the sum of the probability of exploitation and the impact to the organization.

Examples of probability levels:

  • Certain: 100% chance it will happen
  • Likely: >80% chance it will happen
  • Possible: 60-79% chance it will happen
  • Unlikely: 11-59% chance it will happen
  • Rare: Less than 10% chance it will happen

Examples of impact levels:

  • Negligible Loss: If this happens, it won't bother us too much
  • Marginal Loss: If this happens, it will be an annoyance but we can get by
  • Moderate Loss: If this happens, there will need to be a few projects to get us back to where we were
  • Critical Loss: If this happens, there will be some major projects to get us back to where we were
  • Catastrophic Loss: If this happens, we need to start from the beginning because there will be nothing left

A risk matrix, with probability on one axis and impact on the other, is typically used as a visual representation to better understand the relationship between the two:

From the preceding example, we can begin to measure each vulnerability by judging the probability that it will be exploited and, if it is exploited, how much impact that would have on the organization.

Examples of levels of risk:

  • High: This is probably something we should have a lot of oversight and control over. We'll probably need to have regular and more frequent reporting on this.
  • Medium: These items are good to know about and we should monitor these to see if they change too much. We'll probably need to look at these every month or quarter.
  • Low: These items are also good to know about but we don't need to worry as much as the high and medium risk items. We should look at these twice a year or once a year.
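The following worked example, added here and not part of the original text, runs identified vulnerabilities through the risk process described above. The probability bands, impact levels, risk levels and review cadences come from the text; the numeric ranks given to each level, the High/Medium/Low thresholds on the summed score, the handling of the two percentages the text's bands leave unassigned (exactly 10% and exactly 80%), and the sample vulnerability register are assumptions made for illustration.

```python
"""Worked example of the OPSEC risk-assessment step (added illustration code).

Probability bands, impact levels and review cadences follow the text above.
The ordinal ranks, the score thresholds, and the treatment of exactly 10% and
exactly 80% (which the text's bands do not cover) are assumptions made here.
"""
from dataclasses import dataclass
from typing import Dict, List

# Ordinal rank per level, 1 = least severe. The ranks are an assumption.
PROBABILITY_RANK: Dict[str, int] = {
    "Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Certain": 5,
}
IMPACT_RANK: Dict[str, int] = {
    "Negligible": 1, "Marginal": 2, "Moderate": 3, "Critical": 4, "Catastrophic": 5,
}

# Review cadence per risk level, paraphrased from the text.
REVIEW_CADENCE: Dict[str, str] = {
    "High": "regular, frequent reporting with close oversight",
    "Medium": "monitor; review monthly or quarterly",
    "Low": "review once or twice a year",
}


def classify_probability(percent: float) -> str:
    """Map a probability of exploitation (0-100) onto the text's bands.

    Text: Certain 100%, Likely >80%, Possible 60-79%, Unlikely 11-59%,
    Rare <10%. Exactly 10% and exactly 80% fall in no band; this code rounds
    each up into the next band (an assumption).
    """
    if not 0 <= percent <= 100:
        raise ValueError("probability must be a percentage between 0 and 100")
    if percent >= 100:
        return "Certain"
    if percent >= 80:
        return "Likely"
    if percent >= 60:
        return "Possible"
    if percent >= 10:
        return "Unlikely"
    return "Rare"


def risk_score(probability: str, impact: str) -> int:
    """The text describes the sum of probability and impact; here that is the
    sum of the two ordinal ranks, giving a score in the range 2..10."""
    return PROBABILITY_RANK[probability] + IMPACT_RANK[impact]


def risk_level(probability: str, impact: str) -> str:
    """Bucket the summed score into the text's High/Medium/Low levels.
    Thresholds (>=8 High, 5-7 Medium, <=4 Low) are an assumption."""
    score = risk_score(probability, impact)
    if score >= 8:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class Assessment:
    vulnerability: str
    probability: str
    impact: str
    score: int
    level: str
    cadence: str


def assess(vulnerability: str, probability_pct: float, impact: str) -> Assessment:
    """Run one identified vulnerability through the risk process."""
    prob = classify_probability(probability_pct)
    level = risk_level(prob, impact)
    return Assessment(vulnerability, prob, impact,
                      risk_score(prob, impact), level, REVIEW_CADENCE[level])


def risk_matrix() -> List[List[str]]:
    """Build the 5x5 matrix the text refers to: rows are probability
    (Certain at the top), columns are impact (Negligible to Catastrophic)."""
    probs = sorted(PROBABILITY_RANK, key=PROBABILITY_RANK.get, reverse=True)
    impacts = sorted(IMPACT_RANK, key=IMPACT_RANK.get)
    rows = [["Probability \\ Impact"] + impacts]
    for p in probs:
        rows.append([p] + [risk_level(p, i) for i in impacts])
    return rows


if __name__ == "__main__":
    # Constructed sample register of vulnerabilities (not from the text).
    register = [
        ("Travel itineraries posted publicly", 65, "Moderate"),
        ("Shared admin password on a test box", 90, "Critical"),
        ("Badge photos visible on social media", 5, "Negligible"),
    ]
    for name, pct, impact in register:
        a = assess(name, pct, impact)
        print(f"{a.level:6} (score {a.score:2}) {a.probability:8}/{a.impact:12} "
              f"{a.vulnerability} -> {a.cadence}")
    print()
    for row in risk_matrix():
        print(" | ".join(f"{cell:20}" for cell in row))
```

Running the module prints the assessed register followed by the rendered matrix, which is a useful stand-in where the page's matrix figure is not available; changing the thresholds in `risk_level` is how an organization would tune how many cells of the matrix land in High.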