Difference between Risk & Impact assessment

Discuss and debate ITIL Change Management issues
Posts: 26
Joined: Sat Jun 09, 2012 8:00 pm

Tue Jan 29, 2013 5:24 am


1. Could you please explain to me what Risk Assessment is and what Impact Assessment is? As far as I know, both are the same. But my new organisation has two documents: one for Risk Assessment and one for Impact Assessment.

2. Could you please explain how to calculate the Risk level, like Risk level 1, 2, 3 & 4?


ITIL Expert
Posts: 1894
Joined: Mon Mar 03, 2008 7:00 pm
Location: Helensburgh

Tue Jan 29, 2013 7:11 am

Impact is about things that will happen (like the use of resources or downtime); risk is about things that might happen (like something going wrong or taking longer than predicted).

The simplest way to look at level of risk is to multiply the likelihood by the effect if it happens. What numbers you then assign to a particular level are a function of your company's aversion to risk, but probably anything fairly likely to happen which has severe consequences is probably level 1 and to be avoided.
"Method goes far to prevent trouble in business: for it makes the task easy, hinders confusion, saves abundance of time, and instructs those that have business depending, both what to do and what to hope."
William Penn 1644-1718
Posts: 26
Joined: Sat Jun 09, 2012 8:00 pm

Tue Jun 04, 2013 3:09 pm

Could you please explain more about each Risk Level, one by one?

Risk Level 1 --------
Risk Level 2 --------
Risk Level 3 --------
Risk Level 4 --------
ITIL Expert
Posts: 3639
Joined: Fri Sep 15, 2006 8:00 pm
Location: London, UK

Wed Jun 05, 2013 4:07 am


I am extremely puzzled by the types of questions you are asking in regards to Change Management

You have asked what is Risk & Assessment and how to classify
You have asked whether Dev and Test should be under change mgmt
You have asked several questions about the basic concepts of Change Management

What is even more troubling is that you have indicated that you are in a role of being the Change Manager for a customer / client

First, the obvious question - why are you the CM if you have no knowledge, training or experience doing CM?
Second, if this is a consulting role for a client, does your organization not think it is not good to have a CM who is not skilled enough to fulfill the role?
Third - this site and other sites are not a substitute for training. While this site can answer specific questions, it is usually about differences of opinion not trying to get free education by asking questions

Finally, when I started in CM, I did not have any experience either. However, what I had was experience in IT Operations seeing the impact of poor or no CM process in place. In addition, I had the ITIL Foundation course.
I also had - what I feel is an important quality for a change manager.

I am a power mad, anal retentive, pedantic dictatorial type control freak.

With this attitude, I realized that I am the one who has to write the policy, process etc and make sure it is well written and very clear.

I admit I used the information in the ITIL books as a guide and where I extrapolated the information to help me write the policy document

You need to have that level of confidence in doing the role of CM for your customer / client.

Also, when you write your first policy document, it will have errors in it because you need to get input and comments from those it impacts.

Remember, all documents are reviewed and changed to reflect the current situation
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter
Posts: 11
Joined: Tue Jul 07, 2015 8:00 pm

Wed Jul 08, 2015 4:24 pm

When trying to define Risk & Impact for a Change, think about the "worst" that could happen if the Change is not successful.

Risk relates to what the organization is willing to "absorb" if the Change doesn't go well. Risk factors may be related to: Audit, Operational Stability, Regulatory, Financial, Reputation or Safety. So when assessing Risk, see if it may affect any of those Risk criteria.

Impact relates to "who" may be affected, or impacted if a Change does not go well.... is it a site, or a location, or a group of people using the application?

If you cannot answer any of these questions or if they are simply unknown, then the higher Risk & Impact your Change will be.

You will need to define the numeric value in terms of the Risk being a High, Medium or Low Risk.

I've mostly seen the number "1" to indicate a high risk or a high severity level for an incident... so I'd stick with that classification.