One of the easiest and quickest risk assessment tools is the classification of deviations through Risk Priority Number (RPN) calculation.
Let me put the equation here:
RPN = Severity rate X Occurence/Probability rate X Detectability rate.
There are several ways to implement it (using reverse scale on detectibility rate, exponential scale on severity), but as long as the method is consistent and able to clearly decide which classification to go with, I don't think these details really matter.
However, there might be a trap when re-evaluating RPN when concluding the investigation.
During your impact analysis or root cause analysis you might find out that your phenomenon occured more/less than originally thought, so you give a higher/smaller number to your occurence rate.
Also you may find a better, already available tool that detects your phenomenon better, so you apply a different number for your detectability rate.
But what you cannot downgrade, is the severity. The GMP-impact on your product or process is never to be re-evaluated, just because you identified the root cause, or evaluated the exact impact.