Types of risk rating methodologies
Risks are scored during an assessment and then a rating is derived. Ratings are of three kinds: qualitative, semi-quantitative, and quantitative.
Qualitative rating
Qualitative risk assessments rely on the assessor's perception of the probability and impact of a risk. If the method is purely qualitative, the ratings are based on list values such as high, medium, or low. In this case, the risk scores do not roll up. Because this method has minimal mathematical dependency, a qualitative risk assessment is easy and quick to perform. This method also lets an organization take advantage of the assessor's experience with and knowledge of the process or asset that is being assessed. Users who are new to risk assessments usually use this kind of rating.
Semi-quantitative rating
In a semi-quantitative rating, the qualitative ratings also have a corresponding numerical scale. For example, if the quantitative risk score is between 0 and 10, then the qualitative rating is low. Users who use this type of rating are not new to risk assessments. Most users belong to this category. In this category, the risk scores roll up and the risk appetite is qualitative in nature.
Quantitative rating
A quantitative risk assessment focuses on data that is fact-based, measurable, and highly mathematical. In a quantitative risk rating that uses advanced simulation techniques, the risk is quantified in purely numerical terms. In this category, the risk appetite is quantitative in nature.