DIY Guide — Volume 5
Calculating Risk Without a Calculator
A methodological guide to vibes-based risk assessment for the modern, Exabot Risk-free organization. Calibration error: unknown. Confidence interval: wide. Recommended approach: negotiation.
Start with your gut.
Does this feel risky? On a scale of "probably fine" to "oh no," where does this land? Your gut is your primary risk scoring mechanism now — calibrated over years of experience, imposter syndrome, and one really bad incident in 2023 that you don't talk about.
Ask a colleague.
Find someone who looks busy. Ask "does this seem like a big deal?" They will say "maybe?" or "I'd have to look into it." This is not actionable. Log it as a second data point anyway. Two inconclusive data points are not a dataset — but they are a start.
Consult the Magic 8-Ball.
Shake twice. "Outlook not so good" is High severity. "Cannot predict now" is Medium. "It is decidedly so" is Low — because if the Magic 8-Ball is certain, the risk is ironically low. This is not endorsed by any risk framework. It is, however, reproducible.
Assign a score. Something out of 10.
Avoid 1, 2, 9, and 10 — those feel too committal. The range 5–7 is where most scores land. If you score something an 8, people will ask why not a 9. Score 7s. Be confident about the 7s.
Check the CVSS base score if applicable.
Google the CVE. Find the CVSS score. It will be 9.8. Everything is 9.8. Patch it at your earliest convenience — which in practice means "next quarter, unless something worse comes up." Something worse will always come up.
Build a risk matrix.
A 5×5 grid of likelihood vs. impact. Color it red, orange, and green. Most things will land in the orange zone — which doesn't require immediate action but makes it clear you're taking it seriously. Orange is the risk manager's best friend.
Present the findings.
In a slide. One slide. The recommendation will say "remediate as soon as possible." It will not be remediated. Exabot Risk would have modeled this outcome and included it in the original report.
Alternatively, Exabot Risk models threat scenarios with 18 weighted variables and a calibration error below 4%.