A risk assessment matrix is a single-page outline of the risks that a project is exposed to, the probability of the risks happening, and the severity of their impact. This project management tool enables organizations to know where their projects stand in the face of particular internal and external risks.
The information used to build a risk assessment matrix is extracted from the risk assessment form. The information is tabulated, with risks being grouped based on their likelihood of occurring, their resulting impacts, and their consequences to the project.
How to Make a Risk Assessment Matrix
The first step of risk management is filling up a risk assessment form to determine the potential risks that a project is exposed to. The data filled in the form is gathered from different sources after doing various tasks such as:
- Determining and gathering risk data
- Determining the probability of the risks occurring
- Determining the consequences and impacts of the risks
- Assigning risk priorities
- Developing risk prevention strategies
After filling a risk assessment form, a risk management matrix has to be made. The matrix simply provides the team leader with an overview of the risks that the project is exposed to, their probability of happening, the expected extent of their impact, and how they should be prioritized.
You can use different programs, such as Microsoft’s Excel, to create a risk assessment template for your projects.
Here’s how to create on in Excel:
Placing Risks in the Risk Matrix
Risks can be placed in a risk assessment matrix based on two criteria:
i) The likelihood of the risk occurring
i) The severity of the consequences of the risk
Likelihood of Occurrence
In likelihood of occurrence, a risk can be classified into five categories:
- Definite. These are risks that are known to happen and will most likely happen during the course of a project. These risks have an 80% or higher chance of happening.
- Likely. These risks happen frequently and are likely to happen 60% to 80% of the time.
- Occasional. These risks happen commonly and have a 50/50 chance of occurring.
- Seldom. These risks are not likely to occur but cannot be entirely ruled out from the matrix.
- Unlikely. These risks are rare and exceptional and have less than 10% chance of occurring.
Severity of the Consequences
The consequence of a risk can be classified based on the severity of its impact. The consequences can be classified into five categories:
- Insignificant. These risks are not expected to cause a lot of damage. The impact of the risks to the progress of the project is negligible.
- Marginal. These risks will affect some damage to the project. However, the damage will not be too significant to make any difference in the outcome of the project.
- Moderate. These risks do not pose a great threat. However, the risks may be quite large.
- Critical. These are risks that can cause significant consequences to the progress of the project. The risks can lead to huge losses in the project.
- Catastrophic. These risks can completely make a project unproductive or unsuccessful. These risks should be given the highest priority during risk management.
How to Use the Risk Assessment Matrix
After filling the risk assessment form based on the likelihood and consequences of the identified risks, it is easy to determine the risks that should be given the highest priority.
Every risk in the table should be categorized as extreme, high risk, medium, or low risk. The categories should also have different colors in the risk assessment form.
Below is an overview of what is covered under each category:
The risks that fall under the extreme category are the most critical and should be given priority during risk management. Immediate action should be taken on these risks to prevent the project from failing.
The extreme category should be colored red and denoted with an E.
Risks that fall under this category also require immediate action. Here, project leaders can choose to either eliminate the risks or substitute them. If the issues cannot be resolved immediately, clear timelines should be set for solving them.
The high risk category is denoted in pink and with the letter H.
Risks that fall in the medium category are not very serious. However, some reasonable steps should be taken to mitigate them. Risk management strategies should be implemented to address these issues.
Medium-classified risks typically do not require extensive resources. Most of the time, they can be handled through smart thinking.
The medium category cells are denoted in orange and the letter M.
Risks that fall in this category can be ignored as they have a negligible impact on the project. However, if there are specific steps that can be taken to minimize the risks, they should be implemented.
The low risk category is denoted in green and with the letter L.
More in Details, Please…
Here are more tips on why and how to use a Risk Matrix: