Typically, risk is assessed in terms of both a probability of occurrence and a magnitude of effect, or as the product of the two. The greater that product, the more significant the risk is to the entity, and the more it needs to be mitigated. Therefore, for each IT risk, two questions are asked: What is the magnitude of the identified IT risk/failure (e.g., monetary loss)? What is the likelihood of it occurring (e.g., a percentage)?