The standard risk calculation is:
Probability of Occurrence x Impact
This is generally a bad idea, for several reasons:
- Each measure (probability of occurrence and impact) is actually a probability distribution.
- The multiplication operator is not present for probability distributions, which are integral equations.
- They can be multiplied through a convolution process. (Writing code for this convolution is done in most mathematical physics courses. I remember doing mine in Macro-8, on a DIGITAL PDP-8M in 4K of memory.)
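To make the list above concrete, here is an added example (not code from the original post) that treats both measures as small discrete distributions and combines them pairwise, the discrete form of the convolution step, then compares the result with the single-number product. The distributions are constructed sample values and independence between the two measures is an assumption.

```python
from collections import defaultdict
from fractions import Fraction as F

# Constructed sample beliefs (assumptions, not from the post):
# value -> weight, for probability of occurrence and impact (in k$).
P_OCCURRENCE = {F(1, 20): F(1, 2), F(1, 5): F(3, 10), F(1, 2): F(1, 5)}
IMPACT_K = {10: F(3, 5), 100: F(3, 10), 1000: F(1, 10)}

def product_distribution(x, y):
    """Distribution of X*Y for independent discrete X and Y."""
    out = defaultdict(F)
    for xv, xp in x.items():
        for yv, yp in y.items():
            # Each pair of outcomes adds its joint weight to the product's bin.
            out[xv * yv] += xp * yp
    return dict(sorted(out.items()))

def mean(dist):
    return sum(v * p for v, p in dist.items())

def quantile(dist, q):
    """Smallest value whose cumulative weight reaches q."""
    total = F(0)
    for v, p in sorted(dist.items()):
        total += p
        if total >= q:
            return v
    raise ValueError("weights do not sum to 1")

def mode(dist):
    return max(dist, key=dist.get)

def summary():
    exposure = product_distribution(P_OCCURRENCE, IMPACT_K)
    return {
        # "Most likely probability" x "most likely impact": the usual shortcut.
        "point_estimate": mode(P_OCCURRENCE) * mode(IMPACT_K),
        "mean": mean(exposure),
        "p90": quantile(exposure, F(9, 10)),
        "worst": max(exposure),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {float(value)}")
```

With these sample inputs the single-number product is 0.5, while the combined distribution has a mean of 25.16, a 90th percentile of 50 and a worst case of 500.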
So here's what to do. Don't do the multiplication; instead, define each cell in the 5x5 risk matrix for the class of risks in the project. Then assign one of the 5x5 values to the risk. With that information, determine the color of the cell.
With this work done for each class, individual risk activities in the project can then be assigned to the matrix and specific descriptions of the risk defined. The assessment of RED, YELLOW, GREEN is now the role of Subject Matter Experts and their experience from past performance, testing, modeling, and external assessments.