Risk Calculation
NorthGRC risk calculation
In NorthGRC we use two ways of calculating risk when combining assessments.
- Risk is calculated as a simple average: (Probability + Impact) / 2
- Weighted averages are used to combine Confidentiality, Integrity and Availability.
Weighted Average
Normally you would produce a resulting value either by selecting the highest value (worst case) or by calculating the average of all values.
The problem with worst-case values is that all the other values are ignored: any lowering or raising of risk values other than the worst is not reflected in the combined risk value. The worst case for these two is 5 in both cases, which is unfair to the second.

The problem with averages is that a single high value is drowned out if the other values are very low. The averages for these two are 5 and 2; the second value is too low to reflect the urgency of the risk.

NorthGRC calculates the combined risk using both the worst case and the average:
Combined Risk = (Worst case + Average) / 2
For these assets, the resulting risk values are 5 and 4 (3.5 rounded up), which credits the low values without hiding the high value.
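The rules above, worked through in code. This is an added example and not NorthGRC's own implementation; the two sample assessments (one scoring 5 everywhere, one with a single 5 and otherwise low values so its plain average is 2) and the 1-5 scale are assumptions constructed to reproduce the figures given in the text.

```python
"""Added example (not NorthGRC code): worst case vs. average vs. combined risk."""
import math
from statistics import mean
from typing import Dict, Sequence


def risk(probability: float, impact: float) -> float:
    """Risk of a single assessment: the simple average of probability and impact."""
    return (probability + impact) / 2


def worst_case(values: Sequence[float]) -> float:
    """Worst-case combination: only the highest value counts."""
    return max(values)


def average(values: Sequence[float]) -> float:
    """Plain average combination: a single high value can be drowned out."""
    return mean(values)


def combined(values: Sequence[float]) -> float:
    """NorthGRC-style combination: (worst case + average) / 2."""
    return (worst_case(values) + average(values)) / 2


def round_half_up(x: float) -> int:
    """Round with .5 going up (3.5 -> 4). Python's built-in round() rounds
    half to even, which would turn 2.5 into 2, so it is avoided here."""
    return math.floor(x + 0.5)


def compare_methods(values: Sequence[float]) -> Dict[str, float]:
    """Return all three combination results side by side for one asset."""
    return {
        "worst_case": worst_case(values),
        "average": average(values),
        "combined": combined(values),
        "combined_rounded": round_half_up(combined(values)),
    }


# Constructed sample assessments on an assumed 1-5 scale.
ASSET_A = [5, 5, 5, 5]  # everything is critical: every method should say 5
ASSET_B = [5, 1, 1, 1]  # one critical value among low ones: plain average is 2

if __name__ == "__main__":
    for name, values in (("asset A", ASSET_A), ("asset B", ASSET_B)):
        print(name, compare_methods(values))
```

Running it shows the page's point: worst case rates both assets 5, the plain average rates the second asset 2, and the combined method gives 5 and 3.5 (rounded up to 4).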
