From TheFifthVariable.
From the economic point of view (taken by insurers, for example), risk is represented as the product of
An example in the XP context: the risk arising from the potential event that your top programming expert might be hit by a truck (see: TruckNumber) is the probability of this event (a number between 0 and 1) multiplied by the effect (in whatever units) this would have on your project. In this case you usually won't have much influence on the probability (though I heard people tell about people who heard about projects where programmers weren't allowed to do certain sports like skiing or paragliding), but you can limit the impact it has on your project (e.g. by making sure that more than one person has the important knowledge).
Another example concerns TechnicalRisk: you may reduce the probability of technical problems by using only proven techniques (which might be rather boring), or you may reduce the impact by keeping alternative ways to solve the problem in mind in case they are needed.
In a software development context you usually won't be able to give even roughly estimated values for these numbers. So you might just use arbitrary units (e.g. numbers between 1 and 10); this is often done in Y2kProjects in order to prioritize the components to be tested or corrected. (A COBOL program written in 1977 has a rather high chance of having a Y2kProblem: probability 10; if it's used for printing invoices: impact 10, giving a risk coefficient of 100, the highest possible value; if it's used for selecting direct mail addresses: impact -2, because the company will save money if it doesn't work any more ;-)))