... you are committing a cardinal risk management sin.
Of course that doesn't stop people from continuing to do qualitative risk assessments, and there's absolutely nothing wrong with that so long as there is no comparison between the risks. If you use qualitative risk assessment you cannot compare assessed risks. The reason for that lies in the ordinal scale that is typically used:
The example above is exaggerated slightly to prove a point: whilst you would generally expect a value of 4 to be double that of 2, this doesn't work once you start using purely ordinal scales.
Compare the above ordinal scale to ratio scale used in statistics:
Keep the two scales in mind when you are next doing a risk assessment.risk, risk management, risk assessment