Risk assessment is a term used to describe the overall process or method where you: Identify hazards and risk factors that have the potential to cause harm (hazard identification). … Determine appropriate ways to eliminate the hazard, or control the risk when the hazard cannot be eliminated (risk control).

What is a risk assessment matrix?

A risk assessment matrix is a chart that plots the severity of an event occurring on one axis, and the probability of it occurring on the other. You can also format the matrix as a table, where the risk likelihood and impact are columns, and the risks are listed in rows. By visualizing existing and potential risks in this way, you can assess their impact, and also identify which ones are highest-priority. From there, you can create a plan for responding to the risks that need the most attention. 

A risk matrix chart is a simple snapshot of the information found in risk assessment forms, and is often part of the risk management process. These forms are more complex, and involve identifying risks, gathering background data, calculating their likelihood and severity, and outlining risk prevention and management strategies. 

How to use a risk assessment matrix template

Also known as a “risk management matrix,” “risk rating matrix,” or “risk analysis matrix,” a risk assessment matrix template (by any name) focuses on two aspects:

Severity: The impact of a risk and the negative consequences that would result.

Likelihood: The probability of the risk occurring.

To place a risk in the risk assessment matrix, assign a rating to its severity and likelihood. Then plot it in the appropriate position in your chart, or denote the rating in your table. The typical classifications used are:

Severity:

  • Insignificant: Risks that bring no real negative consequences, or pose no significant threat to the organization or project.
  • Minor: Risks that have a small potential for negative consequences, but will not significantly impact overall success.
  • Moderate: Risks that could potentially bring negative consequences, posing a moderate threat to the project or organization.
  • Critical: Risks with substantial negative consequences that will seriously impact the success of the organization or project.
  • Catastrophic: Risks with extreme negative consequences that could cause the entire project to fail or severely impact daily operations of the organization. These are the highest-priority risks to address.

Likelihood:

  • Unlikely: Extremely rare risks, with almost no probability of occurring.
  • Seldom: Risks that are relatively uncommon, but have a small chance of manifesting. 
  • Occasional: Risks that are more typical, with about a 50/50 chance of taking place.
  • Likely: Risks that are highly likely to occur.
  • Definite: Risks that are almost certain to manifest. Address these risks first. 

Classifying and Prioritizing Risk

After you’ve placed each risk in the matrix, you can give it an overall “risk ranking.” Risks that have severe negative consequences and are highly likely to occur receive the highest rank; risks with both low impact and low likelihood receive the lowest rank. Risk rankings combine impact and likelihood ratings to help you identify which risks pose the greatest overall threats (and therefore are the top priority to address). 

Some organizations use a numeric scale to assign more specific risk rankings. However, most rankings fall into a few broad categories, which are often color-coded:

  • Low: The consequences of the risk are minor, and it is unlikely to occur. These types of risks are generally ignored, and often color-coded green.
  • Medium: Somewhat likely to occur, these risks come with slightly more serious consequences. If possible, take steps to prevent medium risks from occurring, but remember that they are not high-priority and should not significantly affect organization or project success. These risks are often color-coded yellow.
  • High: These are serious risks that both have significant consequences and are likely to occur. Prioritize and respond to these risks in the near term. They are often color-coded orange.
  • Extreme: Catastrophic risks that have severe consequences and are highly likely to occur. Extreme risks are the highest priority. You should respond to them immediately, as they can threaten the success of the organization or project. They are often color-coded red.

Once you’ve ranked your risks, you can make a risk response plan to prevent or address those that are “high” or “extreme.” You may not need to respond to risks ranked “low” or “medium” before work begins.  
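The ranking and response-plan steps described above, as an added example that is not part of the original page. The 1-5 numeric scale, the severity-times-likelihood score, the band cut-offs and the sample register are all assumptions made for illustration; the page itself only names the labels and colors.

```python
# Added example. Assumptions: each label maps to 1-5 in the order listed,
# score = severity * likelihood, and the band cut-offs below.
SEVERITY = ["Insignificant", "Minor", "Moderate", "Critical", "Catastrophic"]
LIKELIHOOD = ["Unlikely", "Seldom", "Occasional", "Likely", "Definite"]
# (upper score bound, rank, color): assumed cut-offs
BANDS = [(4, "Low", "green"), (9, "Medium", "yellow"),
         (16, "High", "orange"), (25, "Extreme", "red")]


def rank(severity, likelihood):
    """Return (score, rank, color) for one risk; reject unknown labels."""
    try:
        sev = SEVERITY.index(severity) + 1
        lik = LIKELIHOOD.index(likelihood) + 1
    except ValueError:
        raise ValueError(f"unknown rating: {severity!r} / {likelihood!r}") from None
    score = sev * lik
    for upper, name, color in BANDS:
        if score <= upper:
            return score, name, color


def build_matrix():
    """Full 5x5 chart: rows are likelihood (high to low), columns severity."""
    return [[rank(s, l)[1] for s in SEVERITY] for l in reversed(LIKELIHOOD)]


def response_plan(register):
    """Sort risks by score and keep only those ranked High or Extreme."""
    scored = [(name, *rank(sev, lik)) for name, sev, lik in register]
    scored.sort(key=lambda r: r[1], reverse=True)
    return [r for r in scored if r[2] in ("High", "Extreme")]


# Constructed sample register: (risk, severity, likelihood)
REGISTER = [
    ("Unpatched internet-facing VPN appliance", "Catastrophic", "Likely"),
    ("Laptop lost without disk encryption", "Critical", "Occasional"),
    ("Office printer outage", "Minor", "Seldom"),
    ("Data-centre flood", "Catastrophic", "Unlikely"),
]

if __name__ == "__main__":
    for row_label, row in zip(reversed(LIKELIHOOD), build_matrix()):
        print(f"{row_label:<11}", " ".join(f"{cell:<8}" for cell in row))
    for name, score, level, color in response_plan(REGISTER):
        print(f"{score:>2} {level:<8} ({color}) {name}")
```

Under this assumed product scoring, a Catastrophic but Unlikely risk lands in Medium and drops out of the response plan; an organization that wants severity to dominate would adjust the cut-offs or score such cells separately.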

