Glossary

Impact (Severity)

Impact (also called severity) describes how serious the consequences of a security incident could be for the organisation. In the risk matrix it forms one of the two axes, typically divided into five levels from negligible to existential. The assessment covers financial losses, reputational damage, regulatory consequences, and business interruptions. You should define the levels clearly and back them with concrete examples so that different assessors reach consistent ratings. In an ISMS under ISO 27001, impact is a central element of the risk analysis.