How to Use a Risk Assessment Matrix

By Indeed Editorial Team

Published 17 December 2020

Managing financial, cultural and physical risks are a necessary part of a business's operations and project management process. Many methods and systems exist to help companies evaluate risks for specific projects depending on the type of risk and potential outcomes. One of the best methods to use is a risk assessment matrix. In this article, we explain what a risk assessment matrix is, describe how to use a risk assessment matrix, define a variety of risk factors and give an example of a risk assessment matrix.

What is a risk assessment matrix?

A risk assessment matrix is typically either a simple chart plotting the severity of a risk or a table that lists potential risks. Whether it is a chart or a table, it must contain information about the chances of the potential risk occurring.

The risk assessment matrix provides a visual representation of complex data in a simple format. It comprises relevant data so that the user can gauge the situation at a glance without needing an excessive amount of information. Managers can use this simplified version of observations to rate certain risks and take proper actions as required.

How to use a risk assessment matrix

Using a risk assessment matrix can improve your company's overall risk evaluation. Follow these steps to use the matrix effectively:

  1. Identify the potential risks

  2. Sort the risks according to the probability of occurrence and impact

  3. Determine how to rank each risk

  4. List possible preventive measures

1. Identify the potential risks

The first step in any risk assessment process is to identify the potential risks associated with the project. The risk management process is a useful tool to prioritise risk according to the possibility and gravity of occurrence. This exercise makes sure that you have an easily manageable structure in place. Once you identify the potential risks, the next step is to order them according to the severity – from greatest to least impact.

2. Sort the risks according to the probability of occurrence and impact

In this step, sort the risks according to the probability of an adverse event happening and their potential impact on the project. Using probability helps determine which risks are most likely to happen and shows you which deserve the most attention.

3. Determine how to rank each risk

After identifying and categorising the risks according to the probability and impact, the next step is to rank them. You can rank or plot each risk on the risk assessment matrix according to its probability and impact. Once you do that, you will get a graphic representation of the potential risks in the order of their probability and impact.

The higher the probability and impact, the greater the rank should be. A higher rank means that the risk is more likely to occur and jeopardise the company. These risks must be the top priority items on the matrix. In comparison, risks that are unlikely to happen or would have very little or no impact even if they occur should be a low priority on the matrix.

4. List possible preventive measures

Once you identify and rank the risks, the next step is to devise some contingency plans to deal with the various possible situations, including the worst-case scenarios. This is the last step in the risk assessment process. It mainly deals with questions like how you should deal with the higher- and middle-ranked risks in the matrix, should they occur.

Determining risk probability

Probability refers to the likelihood of an event occurring or not occurring. Companies use various methods to sort risk probabilities. Some companies assign each potential risk a probability percentage ranging from zero to 100. It means that if there is no likelihood of a risk occurring, they give it a 0% rating, and if it is sure to happen, the rating would be 100%. If the chance of occurrence is low, the probability rate can be low as well, say 10%. In comparison, if the chances of risk are high, the probability rating could be 90%.

Risk assessment categories

Another way to sort risks according to their probability is by using categories. For instance, the risks could be:

  • Unlikely: A potential risk belongs in this category if it is highly unlikely to happen. For example, the chances of it snowing in summer are highly unlikely.

  • Seldom: You should put a risk in this category if it is uncommon but has a small chance of occurring, such as the chances of getting food poisoning at a party.

  • Occasional: If there is a 50-50 chance of a risk happening, it falls in this category.

  • Likely: If a risk is almost certain to occur, it belongs to this category. The summer bushfires in Australia are an example of this kind of risk.

  • Definite: Any risk that is almost definitely going to occur belongs in this category. If that risk has a high impact as well, it becomes a priority, and you should deal with it urgently. For instance, in the case of a pandemic outbreak with no known cure, the risk of infection to a large number of people is definite. This risk needs urgent action, so you have to take steps to minimise the impact.

What is impact?

Impact refers to how severe the effects will be if the potential risk actually occurs. Several aspects of a project may feel the impact of a specific risk. It could even have a cumulative effect on the company's performance. This is why companies rate risks based on the impact they might have on the three crucial aspects mentioned below:

  • Schedule: How will the risk negatively affect the delivery time frames?

  • Cost: Would it need budget realignment?

  • Technical performance: How will the occurrence of the risk affect the total performance?

Similar to evaluating and sorting risks based on probability, you can also sort risks based on the severity of their impact:

  • Insignificant: These are risks that have little or no negative impact on the project.

  • Minor: These risks may cause a slightly negative impact, but they are unlikely to cause any significant disruptions.

  • Moderate: All of the risks that pose a modest threat to operations fall in this category.

  • Critical: These are the risks that cause a real danger of project failure.

  • Catastrophic: Any risk that is almost certain to jeopardise the entire project and drastically affect the daily operations fits into this category. These are high-priority risks that need urgent action.

Example risk assessment matrix

Here is a sample risk impact/probability chart:

If you, for example, are using a risk impact/probability chart, it will consist of a probability axis and an impact axis and will contain these four corners:

  • Low impact/low probability: Risks in this corner of the chart are both low impact and low probability. You do not need to pay attention to these risks.

  • Low impact/high probability: This kind of risk poses a moderate threat to operations. Although you should try to minimize the possibility of such events occurring, you can manage these risks if and when they take place.

  • High impact/low probability: This type of events will have a high impact on operations, but the probability of them materializing are unlikely. In order to avoid such risks occurring, you should take all possible preventative steps. You should also put contingency plans in place to minimize the severity of the impact should the risk manifest.

  • High impact/high probability: The risks in this category are the highest-priority risks because they have a high probability of occurring and would also have a severely negative effect on operations. This means that you should give these risks the most attention and should take them into consideration in the daily decision-making process.

While medium-priority risks can impact the profitability and overall success of a project, the high-priority risks could result in the premature closure of a project, and they have the potential to negatively impact the entire organisation.

It is vital to use an effective risk assessment matrix to identify potential risks and to test them according to their impact and probability. A detailed risk assessment matrix is also useful if you wish to set up effective mitigation responses and contingency processes.

Explore more articles