22. Risk Priorities

When risks have been identified, it is time to prioritize and analyze core risks through qualitative risk analysis (evaluates the likelihood and impact of identified risks using subjective judgment, expert opinion, and descriptive scales such as low, medium, high rather than numerical data) and/or quantitative risk analysis (data-driven method that assigns **numerical values** to the probability and impact of risks).

One effective method to prioritize risk is to use a risk matrix, which helps identify priority as the intersection of likelihood of occurrence and impact.

It also gives the team a common language to use with management when determining the final priorities.

Assignment of priority may relate to business priorities, the cost of mitigating a risk, or the potential for loss if an incident occurs.