Threat Probability and Impact Scoring

Every identified threat needs a probability score (how likely is this threat to materialize?) and an impact score (how severe would the consequences be if it does?). The combination determines the response priority. A high-probability, high-impact threat demands immediate strategic response. A low-probability, high-impact threat demands contingency planning. A high-probability, low-impact threat demands operational adjustment. A low-probability, low-impact threat demands only monitoring. The scoring is not static — it updates every time an early warning indicator fires or a quarterly review produces new evidence.

1. Score Probability (1-5) 1 = Remote (<10% within 12 months). 2 = Unlikely (10-25%). 3 = Possible (25-50%). 4 = Likely (50-75%). 5 = Near-certain (>75%). Base the score on early warning indicator activity: how many indicators have fired? What is their credibility? Are the signals from independent sources? Update the probability score monthly.
2. Score Impact (1-5) 1 = Negligible (no revenue or strategic impact). 2 = Minor (affects a single product or segment). 3 = Moderate (affects a major product or customer segment). 4 = Significant (threatens a primary revenue stream). 5 = Existential (threatens the viability of the organization's core business). Impact scoring should quantify affected revenue where possible.
3. Calculate Priority Priority = Probability x Impact. Scores of 15-25: strategic response required. Scores of 8-14: contingency planning required. Scores of 3-7: active monitoring. Scores of 1-2: passive monitoring. The priority score determines the level of organizational attention and resource allocation each threat receives.