CEB Blogs


Corporate Law

The 3 Rating Scales You Need for Risk Assessments

It pays to be prepared

To develop a framework on which to run a legal risk assessment, corporate legal teams should use rating scales to understand each major threat’s potential impact, likelihood, and ability to be controlled.

By quantifying these three elements, the legal team can get a holistic view of each risk, and so deploy resources to mitigate those risks as efficiently as possible.

Before you dive into the rating scales, make sure the project lead has identified the threats that need to be assessed, and which people in the company should participate in this activity. Assessments should be distributed to staff with relevant subject-matter knowledge in a variety of functions, such as Internal Audit, HR, Finance, and IT.

Three Dimensions

Different rating scales will help legal teams account for each of these three risk dimensions.

  1. Potential impact: To make judicious use of resources, you need a clear idea of which risks pose the biggest threat to your organization. Harm comes in many forms, including monetary, reputational, and operational. Chart 1 shows how you can use scales to collect information about each area.

    Chart 1: Measuring the potential impact of a risk  Source: CEB analysis

  2. Likelihood: To direct mitigation efforts towards the risks most likely to transpire, evaluate the probability that they will occur. To capture all dimensions of likelihood, such as frequency and timing, use the scale in chart 2.

    Chart 2: Measuring the likelihood of a risk  Source: CEB analysis

  3. Control effectiveness: Finally, assess the controls you have in place to deal with these risks. The one-question scale in chart 3 will help you figure out which threats need more attention, and which are suitably protected against.

    Chart 3: Measuring how good the controls are  Source: CEB analysis

Finally, collect responses (scores) from participants and calculate inherent risk as the product of the aggregate impact and likelihood scores. Divide the inherent risk score by the control effectiveness score to derive the residual risk score.

The residual risk score, reflected in the far right column of chart 4, will help legal teams see which threats pose the greatest danger to their organization — in this example it’s the company’s political activity.

Chart 4: Final risk scorecard  Source: CEB analysis
