Likelihood is the chance of the risk happening. Impact is the effect if it happens. Severity combines both into an overall rating.
Likelihood, impact and severity are three of the most important fields in a project risk register. Likelihood asks how likely the risk is to happen. Impact asks how bad it would be if it happened. Severity combines the two into an overall risk rating.
Table of Contents:
- What is likelihood in a risk register?
- What is impact in a risk register?
- What is severity in a risk register?
- Likelihood vs impact vs severity
- Simple Low, Medium and High scoring
- Example risk severity table
- Examples of likelihood, impact and severity
- Common mistakes when scoring risks
- How this works in an Excel risk register
- What to do with High severity risks
- Download the Excel risk register template
- Likelihood, impact and severity FAQs
- Summary
These three fields are simple in theory, but they cause a surprising amount of confusion in real project risk registers. People often mix them up, over-score risks, under-score politically awkward risks, or use the severity column as a general panic rating.
Used properly, likelihood, impact and severity help the project team decide which risks need attention first. Used badly, they create a colourful spreadsheet that looks official but does not help anyone make a decision.
What is likelihood in a risk register?
Likelihood means how probable the risk is. It is your assessment of whether the risk is unlikely, possible or likely to happen.
A simple risk register often uses three likelihood ratings:
- Low - the risk is unlikely to happen;
- Medium - the risk could happen;
- High - the risk is likely to happen or warning signs are already visible.
For example, if a supplier has a good track record and has already confirmed delivery dates, the likelihood of supplier delay may be Low. If the supplier has missed two early milestones and is avoiding progress calls, the likelihood may be High.
Likelihood is about probability, not seriousness. A risk can be unlikely but still serious.
What is impact in a risk register?
Impact means how serious the consequences would be if the risk actually happened.
Impact can affect:
- project cost;
- schedule or delivery date;
- quality;
- scope;
- benefits;
- stakeholder confidence;
- compliance;
- health and safety;
- reputation.
A risk with a High impact could cause a missed deadline, budget overrun, failed benefit, unsafe outcome or serious stakeholder problem.
A risk with a Low impact might be annoying, but it would not seriously affect the project.
What is severity in a risk register?
Severity is the overall risk rating. It is usually based on the combination of likelihood and impact.
In a simple risk register, severity may be shown as:
- Low - monitor, but no major action needed;
- Medium - manage with agreed actions;
- High - active management, escalation or senior attention may be needed.
Severity is useful because it helps the project team focus. A register with twenty risks needs a way to show which risks are most important. Severity gives you that sorting mechanism.
A simple 3 by 3 risk matrix combines likelihood and impact to produce a Low, Medium or High severity rating.
Likelihood vs impact vs severity
The easiest way to remember the difference is:
| Risk field | Question it answers | Example |
|---|---|---|
| Likelihood | How likely is this risk to happen? | The supplier delay is possible because the supplier has already missed one minor milestone. |
| Impact | How bad would it be if it happened? | If the supplier delay happens, system testing may slip by two weeks. |
| Severity | How serious is the risk overall? | Medium likelihood plus High impact may produce a High severity rating. |
Likelihood and impact are inputs. Severity is the result.
Simple Low, Medium and High scoring
You do not always need a complicated scoring system. For many project risk registers, a simple Low, Medium and High model is enough.
A common approach is:
- Low likelihood - unlikely to occur;
- Medium likelihood - possible;
- High likelihood - likely or already showing signs;
- Low impact - limited effect on the project;
- Medium impact - noticeable effect requiring management action;
- High impact - serious effect on time, cost, quality, benefits or reputation.
The advantage of Low, Medium and High is that people understand it quickly. The disadvantage is that it can be subjective. That is why the project team should agree what Low, Medium and High mean for the project.
Example risk severity table
Here is a simple way to combine likelihood and impact.
| Impact \ Likelihood | Low likelihood | Medium likelihood | High likelihood |
|---|---|---|---|
| High impact | Medium | High | High |
| Medium impact | Low | Medium | High |
| Low impact | Low | Low | Medium |
This type of table is often called a risk matrix. It gives you a consistent way to convert likelihood and impact into severity.
For a fuller guide, see how to score project risks using a risk matrix.
Examples of likelihood, impact and severity
The examples below show how different combinations can produce different severity ratings.
In this example, a supplier delay risk is scored as Medium likelihood and High impact, giving it a High severity rating.
Example 1: Supplier delay
| Risk description | If the supplier misses the delivery date, testing will be delayed and the project may miss the planned launch date. |
|---|---|
| Likelihood | Medium - the supplier has missed one early milestone. |
| Impact | High - late delivery would delay testing and launch preparation. |
| Severity | High |
Example 2: Minor reporting delay
| Risk description | If the monthly report is delayed, the project board may receive the update one day late. |
|---|---|
| Likelihood | Medium - the report depends on inputs from several people. |
| Impact | Low - the delay would be inconvenient but would not affect delivery. |
| Severity | Low |
Example 3: Loss of key technical expert
| Risk description | If the only technical expert becomes unavailable, key design decisions may be delayed and the project schedule may slip. |
|---|---|
| Likelihood | Low - there is no immediate sign the person will be unavailable. |
| Impact | High - the project is highly dependent on that expertise. |
| Severity | Medium |
This last example is important. Low likelihood does not mean “ignore it”. A low-likelihood, high-impact risk may still need sensible mitigation.
Do not confuse severity with priority
Severity and priority are related, but they are not always the same thing.
A risk may have a High severity rating but not need immediate action if strong controls are already in place. Another risk may be Medium severity but need urgent attention because a decision is due this week.
Severity tells you how serious the risk is. Priority tells you how soon you need to act.
Common mistakes when scoring risks
Scoring everything as High
If every risk is High, the risk register stops helping. The team cannot see what needs attention first. High should mean something.
Scoring politically awkward risks too low
Some risks are uncomfortable because they point to weak sponsorship, unrealistic deadlines, poor decision-making or lack of resources. That does not make them Low. It just makes them awkward.
Using severity as a mood rating
Severity should not mean “how worried someone feels”. It should be based on likelihood and impact.
Ignoring low-likelihood, high-impact risks
A risk can be unlikely and still dangerous. Major supplier failure, legal challenge, loss of funding or system outage may be unlikely, but the impact may be severe enough to justify planning.
Changing scores without explanation
If a risk moves from High to Medium, explain why. Has mitigation worked? Has the situation changed? Has the impact reduced? Without a reason, the change looks arbitrary.
How to write useful scoring notes
When you score a risk, it helps to include a short explanation in the progress or notes column. This makes the rating easier to understand later.
For example:
- Likelihood Medium because the supplier has missed one minor milestone but has confirmed the next delivery date.
- Impact High because late delivery would delay system testing and affect the launch date.
- Severity High until the supplier provides evidence that the delivery schedule is back on track.
This is more useful than simply selecting High from a dropdown and leaving everyone to guess why.
How this works in an Excel risk register
In an Excel risk register, likelihood and impact are often selected from dropdown lists. The severity column may then be selected manually or calculated using a severity table.
For example:
- select Medium in the Likelihood column;
- select High in the Impact column;
- the Severity column shows High based on the risk matrix.
This is one reason dropdowns are useful. They keep the scoring consistent. If one person types “Med”, another types “Medium”, and another types “M”, formulas and filters can become messy.
For spreadsheet help, see how to edit dropdown lists in an Excel template.
When should you change a severity rating?
Change the severity rating when the likelihood or impact has genuinely changed.
Examples:
- Likelihood may reduce after a supplier confirms delivery and provides evidence of progress.
- Likelihood may increase when warning signs appear.
- Impact may reduce if the project adds contingency time or finds a workaround.
- Impact may increase if the project becomes more dependent on the risky activity.
Do not reduce severity just because the risk has been on the register for a long time. A stale High risk is not automatically a Medium risk. It may be a High risk that nobody has dealt with.
What to do with High severity risks
High severity risks should not just sit in the spreadsheet looking dramatic. They need active management.
For each High risk, check:
- Is there a named risk owner?
- Is there a real mitigation action?
- Is there a contingency plan?
- Does the sponsor or project board need to know?
- Is a decision needed?
- Is the risk becoming an issue?
If the answer to most of these is “not sure”, the risk is not being managed. It is just being recorded.
Download the Excel risk register template
Use the free Excel risk register template to record project risks, select likelihood and impact, assess severity, assign owners and track mitigation actions.
Download the Excel risk register template
Related guides
- How to use a project risk register in Excel
- How to score project risks using a risk matrix
- Mitigating action vs contingent action
- How to write a good project risk description
- Risk owner vs action owner
Likelihood, impact and severity FAQs
What is the difference between likelihood and impact?
Likelihood is how probable the risk is. Impact is how serious the consequences would be if the risk happened.
What is severity in a risk register?
Severity is the overall risk rating, usually calculated from likelihood and impact. For example, a Medium likelihood and High impact risk may produce a High severity rating.
Can a low-likelihood risk still be important?
Yes. A low-likelihood risk can still be important if the impact would be serious. These risks may still need mitigation or contingency planning.
Should every project use Low, Medium and High?
Not necessarily. Low, Medium and High is a good simple model for many projects, but larger or higher-risk projects may use a 5-point scale or more detailed scoring.
Should severity be calculated automatically in Excel?
It can be. Automatic severity calculation can improve consistency, especially if likelihood and impact are selected from dropdowns. However, the project team still needs to review whether the rating makes sense.
What is the biggest mistake when scoring project risks?
The biggest mistake is scoring risks without discussing what the ratings mean. If Low, Medium and High are not defined, different people will score the same risk differently.
Summary
Likelihood, impact and severity are the basic building blocks of risk scoring. Likelihood asks how probable the risk is. Impact asks how bad it would be if it happened. Severity combines both into an overall rating that helps the team decide what needs attention.
The aim is not to create perfect mathematical certainty. The aim is to have a practical, consistent way to compare risks and decide what action is needed.
Next step
Once you understand likelihood, impact and severity, the next step is to understand how the matrix works.