The Typical Risk Equation: Probability × Impact

The typical risk equation is Risk = Probability × Impact. This simple formula is used across project management, engineering, finance, and safety planning to quantify how serious a potential threat is. The idea: risk isn’t just about how bad something could be, or how likely it is. It’s about both dimensions multiplied together. A catastrophic event with near-zero probability may pose less overall risk than a moderate problem that’s almost certain to happen.

That core equation is the starting point, but different fields have adapted it into more specialized formulas. Medicine, toxicology, epidemiology, and disaster planning each use their own version of a risk equation tailored to the decisions people in those fields need to make.

How Probability × Impact Works

The two-dimensional framework treats probability as a measure of how likely an uncertain event is to occur, and impact as the extent of what would happen if it did. In project management, for example, you might rate each dimension on a scale of 1 to 5, then multiply them to get a risk score between 1 and 25. A risk with a probability of 4 and an impact of 2 scores an 8, while one with a probability of 2 and an impact of 4 also scores an 8. Both deserve similar attention despite looking very different.

This approach works because it forces you to evaluate threats systematically rather than relying on gut feeling. Teams use the resulting scores to rank risks, decide where to invest in prevention, and determine which risks they can accept. The equation can use qualitative ratings (low, medium, high), numerical scales, or actual statistical probabilities depending on how much data is available.
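The 1-to-5 scoring and ranking described above, written out as a small risk register. This is an added example, not part of the original article; the register entries, the tie-break rule for equal scores, and the acceptance threshold of 4 are assumptions chosen for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # the 1-to-5 rating scale described above


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (minor) .. 5 (severe)

    def __post_init__(self):
        # Reject ratings outside the scale so scores stay within 1..25.
        for field in ("probability", "impact"):
            value = getattr(self, field)
            if value not in SCALE:
                raise ValueError(f"{self.name}: {field}={value!r} is outside 1-5")

    @property
    def score(self) -> int:
        return self.probability * self.impact


def rank(risks):
    """Highest score first; equal scores ordered by impact, then name (assumed tie-break)."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))


def triage(risks, accept_at_or_below=4):
    """Split ranked risks into (treat, accept) using an assumed acceptance threshold."""
    ranked = rank(risks)
    treat = [r for r in ranked if r.score > accept_at_or_below]
    accept = [r for r in ranked if r.score <= accept_at_or_below]
    return treat, accept


# Constructed sample register (illustrative entries, not from the article).
REGISTER = [
    Risk("Laptop lost in transit", probability=4, impact=2),
    Risk("Primary datacentre outage", probability=2, impact=4),
    Risk("Expired TLS certificate", probability=3, impact=3),
    Risk("Typo in internal wiki", probability=5, impact=1),
    Risk("Office printer jam", probability=2, impact=2),
]

if __name__ == "__main__":
    treat, accept = triage(REGISTER)
    for label, group in (("TREAT", treat), ("ACCEPT", accept)):
        for r in group:
            print(f"{label:<6} {r.score:>2}  P={r.probability} I={r.impact}  {r.name}")
```

The two risks that score 8 land next to each other in the ranking, which is the article's point: a likely minor loss and an unlikely major outage compete for the same attention.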

Disaster and Environmental Risk

In disaster planning and environmental health, the equation expands to three factors: Risk = Hazard × Exposure × Vulnerability. FEMA uses this framework for hazard mitigation planning. A hazard is the dangerous event itself (a flood, an earthquake, a chemical spill). Exposure captures whether people, buildings, or infrastructure are actually in the path of that hazard. Vulnerability reflects how susceptible those exposed elements are to damage.

This three-part version explains why two cities facing the same hurricane threat can have wildly different risk levels. A coastal city with aging infrastructure and a large elderly population has high exposure and high vulnerability. A nearby city set further back from the coast with newer construction and strong evacuation routes faces the same hazard but carries far less risk.

The Framingham Risk Score and Heart Disease

In medicine, the most influential risk equation has been the Framingham Risk Score for heart disease. First published in its modern form in 1998, it estimates your 10-year probability of having a heart attack or other coronary event. The inputs are age, sex, total cholesterol, HDL cholesterol, blood pressure, smoking status, and whether you have diabetes. The original version used lookup tables so clinicians could calculate a score without a computer, classifying patients as low, intermediate, or high risk.

The Framingham equation traces back to 1967, when researchers first attempted to combine multiple risk factors into a single prediction model. That early version used seven variables including age, cholesterol, weight, blood pressure, smoking, and ECG abnormalities. Over decades, the model was refined, swapping some variables and shifting from continuous values to simpler categories.

For years, U.S. guidelines relied on an updated version called the Pooled Cohort Equations, which broadened the data beyond the original Framingham population. As of 2025, however, the American Heart Association and American College of Cardiology recommend a newer model called PREVENT (Predicting Risk of CVD EVENTs). In a study of 3.3 million U.S. adults, the older Pooled Cohort Equations overpredicted risk by roughly twofold, while PREVENT showed excellent accuracy across racial and ethnic groups. PREVENT is validated for adults aged 30 to 79 and is now the recommended tool for estimating 10-year cardiovascular risk. A 10-year risk of 7.5% or higher is the threshold that defines increased risk in current guidelines.

Risk in Epidemiology: Relative Risk and Odds Ratios

When researchers study whether something causes disease, they use equations that compare risk between two groups. The two most common are relative risk and odds ratio.

Relative risk divides the rate of disease in an exposed group by the rate in an unexposed group. If 20 out of 100 smokers develop lung disease and 5 out of 100 nonsmokers do, the relative risk is 4.0, meaning smokers are four times as likely to develop it. A relative risk of 1.0 means no difference between groups. Anything above 1.0 signals increased risk from the exposure, and anything below 1.0 signals a protective effect.

Odds ratios work similarly but compare the odds of an outcome rather than the probability. Instead of dividing the number of cases by the total group size, you divide the number of cases by the number of non-cases within each group. In a study of radon exposure and lung cancer, for instance, researchers calculated an odds ratio of 1.84, meaning people with high radon exposure had 84% higher odds of lung cancer compared to those with low exposure. Odds ratios are especially useful in case-control studies where you start with people who already have the disease and look backward at their exposures.
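Both measures computed from the same 2×2 table, as an added example that is not part of the original article. It uses the smoker figures above (20 of 100 versus 5 of 100) and a constructed rare-outcome table (20 of 10,000 versus 5 of 10,000) to show that the odds ratio overstates the relative risk when the outcome is common and approximates it when the outcome is rare; the function names are illustrative.

```python
def two_by_two(exposed_cases, exposed_total, unexposed_cases, unexposed_total):
    """Return (a, b, c, d): cases and non-cases for exposed, then for unexposed."""
    for cases, total in ((exposed_cases, exposed_total),
                         (unexposed_cases, unexposed_total)):
        if total <= 0 or not 0 <= cases <= total:
            raise ValueError(f"invalid group: {cases} cases out of {total}")
    return (exposed_cases, exposed_total - exposed_cases,
            unexposed_cases, unexposed_total - unexposed_cases)


def relative_risk(a, b, c, d):
    """Risk in exposed divided by risk in unexposed: (a/(a+b)) / (c/(c+d))."""
    if c == 0:
        raise ZeroDivisionError("no cases in the unexposed group; relative risk is undefined")
    return (a / (a + b)) / (c / (c + d))


def odds_ratio(a, b, c, d):
    """Odds in exposed divided by odds in unexposed: (a/b) / (c/d) = ad / bc."""
    if b == 0 or c == 0:
        raise ZeroDivisionError("a zero cell makes the odds ratio undefined")
    return (a * d) / (b * c)


# The article's example: 20 of 100 smokers vs 5 of 100 nonsmokers.
COMMON = two_by_two(20, 100, 5, 100)
# Constructed rare-outcome table with the same case counts in larger groups.
RARE = two_by_two(20, 10_000, 5, 10_000)

if __name__ == "__main__":
    for label, table in (("common outcome", COMMON), ("rare outcome", RARE)):
        print(f"{label}: RR={relative_risk(*table):.3f}  OR={odds_ratio(*table):.3f}")
```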

Toxicology: The Hazard Quotient

For chemical exposures, the typical risk equation is the hazard quotient. It answers a straightforward question: is the amount of a substance someone is exposed to greater than the amount considered safe?

The formula divides the actual exposure dose by a reference dose, which is the level of daily exposure that regulatory agencies consider unlikely to cause harm over a lifetime. A hazard quotient below 1.0 suggests the exposure is within acceptable limits. A value above 1.0 signals that the exposure exceeds the safety threshold and warrants concern. The Agency for Toxic Substances and Disease Registry uses this calculation to evaluate whether contaminated sites pose non-cancer health risks to nearby communities.

For airborne chemicals, the same logic applies but uses air concentrations instead of ingested doses. You divide the measured air concentration by a reference concentration to get the hazard quotient. The interpretation is the same: below 1.0 is generally acceptable, above 1.0 is not.

Choosing the Right Equation

The version of the risk equation you need depends entirely on the decision you’re trying to make. If you’re prioritizing threats to a project or business, Probability × Impact gives you a quick, comparable score for each risk on your list. If you’re evaluating community resilience to natural disasters, the three-factor model incorporating hazard, exposure, and vulnerability captures the full picture. If you’re a clinician deciding whether a patient needs cholesterol medication, a validated model like PREVENT translates lab values and health history into a concrete 10-year probability.

What all these equations share is the same underlying logic: risk is never about a single number. It always combines the likelihood of something happening with the severity of the consequences, whether that’s expressed as a simple multiplication, a hazard quotient, or a multivariable statistical model built on decades of patient data.