Defining severity and probability

Answer:

The way of calculating risks, or severity and probability of the risk depends on the methodology you use. Since most of the methodologies are semi-quantitative (they use numbers to express the value but it is not expressed in some measuring units), the key is to ensure repeatability, meaning that the methodology enables different persons to come up with same results.

To achieve this, you need to determine criteria by which you will determine probability or severity on the predefined scale (e.g. from 1 to 5). For example, if something happens every day, it has high probability and is marked with 5, if something happens once in ten years it has low probability and is marked with 1. The same should be done for the severity, you make the scale and define when each value in the scale will be assigned.

Once you define the severity an probability criteria, you need to decide how to calculate the risk, whether by subtraction or multiplication. For example, if we take that risk is calculated as severity + probability and we take our scales from 1 to 5, the maximum risk can be 10 and the lowest risk can be 2. On this range of scale, you need to define what risk level is acceptable and what risks need to be addressed. For example, risks lower than 6 are insignificant and wont be analyzed any further.

For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/