Risk is quantified by combining two core variables: the probability that something bad will happen and the severity of the consequences if it does. That basic framework applies whether you’re evaluating a medical treatment, a cybersecurity threat, or an environmental hazard. But the specific formulas, units, and methods vary widely depending on the field. Here’s how risk gets turned into numbers across the disciplines where it matters most.
The Basic Formula Behind All Risk
At its simplest, risk equals likelihood multiplied by impact. A project manager at a construction firm and a public health official tracking disease outbreaks are both, at some level, asking the same two questions: how likely is this event, and how bad would it be? The Project Management Institute formalizes this by rating both likelihood and impact on discrete scales (1 through 5, from very low to very high), then combining them. One common weighting treats impact as twice as important as likelihood, producing a severity score of likelihood plus two times impact. Other fields use continuous probabilities instead of scales, but the underlying logic is identical.
Likelihood itself has two components worth separating. There’s the raw probability that an event will occur if nobody intervenes, and the difficulty of actually preventing it. If a risk is highly probable but easy to block, its effective likelihood drops. If it’s moderately probable but nearly impossible to stop, the effective likelihood stays high. This distinction matters when you’re deciding where to spend limited resources on prevention.
Risk in Medicine and Epidemiology
Health research uses several precise tools to quantify risk, each suited to a different type of study.
Relative risk (also called the risk ratio) compares the rate of a health event in one group to the rate in another. You divide the incidence in the exposed group by the incidence in the unexposed group. A relative risk of 2.0 means the exposed group is twice as likely to develop the condition. A relative risk of 1.0 means no difference between groups. This measure works well in studies that follow people forward in time, like clinical trials or cohort studies, because researchers can directly observe how many people in each group get sick.
Odds ratios fill in when that kind of direct observation isn’t possible. In case-control studies, researchers start with people who already have a disease and compare them to people who don’t, looking backward at their exposures. Because the study design doesn’t track a population over time, you can’t calculate true incidence rates. Instead, you compare the odds of exposure among cases to the odds of exposure among controls. The result approximates relative risk, especially when the disease is rare.
Absolute risk reduction is the most practical metric when evaluating a treatment. It’s simply the difference between two event rates. If 20 out of 100 untreated patients develop a bad outcome and 12 out of 100 treated patients do, the absolute risk reduction is 8 percent. Flip that number, and you get the number needed to treat: 100 divided by 8 equals about 13. That means a doctor would need to treat 13 patients for one of them to benefit. This number is far more useful for decision-making than relative risk alone, because a 40 percent relative reduction sounds dramatic but might correspond to a tiny absolute change if the baseline risk is low.
Risk in Business and Cybersecurity
Organizations that protect assets, whether physical or digital, quantify risk in dollar terms using a formula called annualized loss expectancy (ALE). It works like this:
- Single loss expectancy (SLE) is the dollar damage from one incident. If a server worth $100,000 would lose 25 percent of its value in a breach, the SLE is $25,000.
- Annual rate of occurrence (ARO) is how many times per year you expect that incident to happen. If similar breaches occur roughly twice a year, the ARO is 2.
- Annualized loss expectancy is ARO times SLE. In this case, 2 times $25,000 equals $50,000 per year.
This gives security teams and executives a concrete number to compare against the cost of prevention. If a firewall upgrade costs $30,000 annually and eliminates a $50,000 expected loss, the investment makes financial sense. The formula is deliberately simple, which is both its strength (easy to communicate to non-technical decision-makers) and its limitation (it relies on estimates of frequency and impact that can be uncertain).
Environmental and Regulatory Risk Assessment
When the U.S. Environmental Protection Agency evaluates whether a chemical in soil, water, or air threatens human health, it follows a structured four-step process. The goal is to move from “this substance exists” to “here is the numerical probability that it will harm people at real-world exposure levels.”
The first step, hazard identification, asks whether a substance can cause harm at all and under what conditions. The second step, dose-response assessment, establishes the relationship between the amount of exposure and the severity of effects. This is where researchers determine thresholds: below a certain dose, no measurable harm occurs; above it, effects increase with dose. The third step, exposure assessment, estimates how much of the substance people actually encounter, accounting for frequency, duration, and routes of contact (breathing it in, drinking contaminated water, skin absorption). The fourth step, risk characterization, combines all of this into a final risk estimate alongside a description of the uncertainties involved.
This framework matters because it translates complex toxicology into numbers that regulators can act on, like setting a legal limit for a contaminant in drinking water.
Actuarial Risk and Life Tables
Insurance companies and government agencies quantify mortality risk using life tables, which track two key variables by age and sex: the probability of dying within one year and the number of survivors remaining from a starting population. The Social Security Administration, for example, publishes period life tables based on recent mortality data. Starting from a hypothetical group of 100,000 people born alive, the table shows how many survive to each age and the average remaining years of life at that age.
These tables are the backbone of life insurance pricing, pension planning, and Social Security projections. They convert the abstract concept of “risk of death” into specific, age-adjusted probabilities that can be used in financial calculations.
Standardized Units for Comparing Risks
One challenge in risk quantification is making different risks comparable. A unit called the micromort helps with this. One micromort equals a one-in-a-million chance of sudden death. The baseline daily risk of dying from external causes (accidents, violence, and similar events) for the general European population works out to roughly one micromort per day. Medical procedures, recreational activities, and travel can all be expressed in micromorts, giving people a common scale for comparison. Skydiving might cost several micromorts per jump; a routine surgery might carry a known micromort value that a surgeon can compare to everyday risks a patient already accepts.
This kind of standardization addresses a core problem in risk communication: people are poor at intuitively grasping probabilities, especially very small ones.
Why the Format of Risk Numbers Matters
How you present a risk changes whether people understand it. A Cochrane systematic review found that both health professionals and patients understood risk significantly better when it was expressed as natural frequencies rather than percentages. Saying “8 out of 1,000 women who are screened will have a false positive” is easier to grasp than “the false positive rate is 0.8 percent.” The difference wasn’t trivial: comprehension scores were about 0.69 standard deviations higher with natural frequencies, which translates to roughly a 1.4-point improvement on a 10-point understanding scale.
This has practical implications. If you’re trying to make sense of a risk number your doctor gives you, converting it to a frequency (“out of how many people?”) can make it more concrete. And if you’re the one presenting risk data to others, framing it as “X out of Y people” rather than a percentage or decimal will consistently produce better understanding.