In today’s modern threat landscape, compliance risk, cybersecurity risk, fraud risk, and even climate change risk can have a significant impact on your company’s reputation and bottom line. External risk events like the COVID-19 pandemic point to an increasing need for businesses to develop a risk assessment plan that helps them execute certain strategies and achieve objectives effectively, even in the face of an unprecedented risk landscape.
While you’ll never be able to eliminate business risk entirely, prevention is the best insurance against loss. By defining, assessing, and analyzing risk with a risk assessment matrix, you’ll cultivate a solid understanding of your risk environment and be able to accurately measure and manage risk before it occurs — saving your company time, money, and resources.
In this article, we break down how to create a risk assessment matrix in four easy steps and how to monitor your risk matrix so you can continue to identify emerging threats.
What Is a Risk Assessment Matrix?
A risk assessment matrix, also known as a Probability and Severity or Likelihood and Impact risk matrix, is a visual tool depicting potential risks affecting a business. The risk matrix is based on two intersecting factors: the likelihood the risk event will occur and the potential impact the risk event will have. In other words, it’s a tool that helps you visualize the probability versus the severity of a potential risk.
Depending on likelihood and severity, risks can be categorized as high, moderate, or low. As part of the risk management process, companies use risk matrices to help them prioritize different risks and develop an appropriate mitigation strategy. Risk matrices work on large and small scales; this system of risk prioritization can be applied at the discrete project level, or at the enterprise level.
Take the risks of the COVID-19 pandemic as a risk assessment matrix example. Supply-chain disruption might be classified as a high-level risk — an event with a high probability of occurring and a significant impact on the business. This risk affects the entire organization and would be an example of an enterprise-level risk. Meanwhile, at the project level, COVID-19 could pose a “key person” and timeline risk if a team member crucial to the project contracts COVID-19 and is unable to work for a significant period of time. This risk may not affect the entire organization but has a significant impact on the project. At the project risk level, this might also be an event with a high probability of occurring and a significant impact on the project.
Still, even unusual risk events can have a significant impact on business outcomes. While it’s uncommon in many industries, a fatal workplace injury would be high-impact and reportable to OSHA. That’s why it’s so critical to have an accurate picture of all the potential risks your business faces so you can assess their impact and create a successful risk management plan.
How Does a Risk Matrix Work?
Risks come in many forms: strategic, operational, financial, and external. The risk assessment matrix works by presenting various risks as a chart, color-coded by severity: high risks in red, moderate risks in yellow, and low risks in green. Every risk matrix also has two axes: one measuring likelihood and one measuring impact.
Likely risk events may have a 61 to 90 percent chance of occurring, while highly unlikely events are extremely rare, with a less than 10 percent chance of occurring. Depending on the business and its risk appetite, an insignificant impact may cause a negligible amount of damage — such as a loss of less than $1K — while a catastrophic impact might create losses of $1M or more.
By grading the risk event’s likelihood and impact, the risk matrix provides a quick snapshot of the threat landscape. Visualizing the threat landscape in this way, audit, risk, and compliance professionals can more easily foresee and determine how to minimize events that can have a substantial impact on the company.
Why Is a Risk Matrix Important?
A risk matrix can help businesses cultivate a solid understanding of the risk environment, helping them manage and mitigate risks before they occur. The magnitude and complexity of business risks continue to grow. KPMG’s Internal Audit: Key Risk Areas 2023, outlines ten key and emerging risks that set the stage for a new normal that will impact businesses for years to come:
Image: KPMG 2023 Key Risk Areas
Now more than ever, companies must meet the challenges of the present — and the future — with risk-informed decision-making.
The risk assessment matrix is a crucial tool in risk management for three reasons:
1. Easy Prioritization of Risks
All risks aren’t equal. A risk matrix allows you to prioritize the most severe risks your company faces. As mentioned previously, having a comprehensive view of today’s modern threat landscape is critical for preventing value losses. All companies must take on some level of risk in order to succeed, but calculated risks based on a robust risk analysis will help businesses take on risks in a way that helps achieve objectives.
While it may be tempting to allocate resources to all potential business risks, some operational risks — such as major reputational damage due to a breach of private data, or an excessive increase in operating costs due to a natural catastrophe — must be prioritized before others.
By rating and color-coding these risks in a risk assessment matrix, audit, risk, and compliance professionals can identify the most pressing threats to the business and plan for them.
2. Targeted Strategy for Managing Risks
Just as all risks aren’t equal, all risks don’t carry the same impact. With its prioritization of the most pressing threats, the risk assessment matrix enables professionals to craft a targeted strategy for managing high-risk events. Focusing your attention and resources on the highest risks will benefit your overall business strategy since these risks have the biggest impact and can pose the greatest value losses.
From a project management perspective, for example, a brief bottleneck in the project workflow would create little impact, provided there was enough float built in at the beginning of the project design. A cost risk that significantly escalates the project cost would have a severe impact, however, and requires a targeted management plan.
As any project manager knows, Murphy’s law is inevitable: what can go wrong, will go wrong. Appropriately planning for cost risk due to factors like scope creep will ensure a project’s success. With the help of the risk matrix, planning for Murphy’s law becomes a lot easier.
3. Real-Time View of the Evolving Risk Environment
Audit, risk, and compliance professionals know risks can be emergent and recurring. The risk assessment matrix enables you to identify specific types of risk, their probability, and their severity, and maintain a real-time view of the evolving risk environment.
Though emergent risks are by definition unknowable, businesses can identify areas of vulnerability at the strategic level by strengthening their enterprise risk management processes. By looking at early warning signs or trigger events indicating something is amiss, companies can maintain business continuity in an increasingly dynamic and complex risk landscape.
Strategic risk assessment tools like the risk matrix also enable companies to track patterns of risk — threats that are likely to reoccur and therefore require a year-over-year mitigation strategy.
How to Make a Risk Assessment Matrix
Although the magnitude and complexity of business risks continue to grow, creating a risk assessment matrix doesn’t have to be a complicated process. There are four basic steps to making a risk assessment matrix:
Step 1: Identify the Risk Landscape
Because the magnitude and complexity of business risks continue to grow, it’s essential you develop a comprehensive picture of the total risk landscape. Project risks vary in category and remediation strategy compared to enterprise-level or macro-level risks. Project teams should tailor their focus based on the scope of their risk assessment.
To begin, hold brainstorming sessions with key stakeholders in your organization so you can mine insights and start generating a list of ideas that will serve as the foundation of your risk assessment matrix. Since risk analysis is subjective, it’s vital to get a wide variety of stakeholder input — doing so minimizes the chances of missing something valuable.
Start your brainstorming session by categorizing risks according to the following criteria:
- Strategic Risk: risks associated with failed business decisions.
- Operational Risk: risks associated with breakdowns in internal processes/procedures.
- Financial Risk: risks associated with financial loss.
- External Risk: risks associated with uncontrollable sources.
Begin with the highest-level risks related to business functions, such as operations, and then narrow your focus to specific processes within those functions, such as supplier management. Don’t forget to take into account prior risks that have already been identified!
Step 2: Determine the Risk Criteria
After brainstorming risks associated with the larger risk landscape, determine the criteria by which you’ll be evaluating these risks. As mentioned earlier, risk assessment matrices typically use two intersecting criteria:
- Likelihood: the level of probability the risk will occur or be realized.
- Impact: the level of severity the risk will have if the risk is realized.
It’s critical to achieve consensus on the risk criteria, as this will affect not only the way you calculate your risk matrix but also the discussions you’ll have on how to mitigate your risks. Accurate measurement is the key to successful risk management!
Step 3: Assess the Risks
Now, assess the risks based on your risk criteria, providing a qualitative risk analysis according to a predefined scale. Most organizations use the following, three-part scale to assess severity:
- High risk
- Moderate/Medium risk
- Low risk
A more granular approach could prove useful as well. Expanding the scale to a 5×5 matrix is common, where 1 is extremely low-risk and 5 is extremely high-risk, providing more insight into levels of severity and helping companies allocate resources more efficiently.
Organizations can opt to adapt either the 3×3 or 5×5 risk assessment matrix template or develop their own. Best practices require at least three categories for each of the risk’s probability of occurrence and impact/severity.
Organizations may also opt to give a risk a cumulative “Risk Score” which is usually derived by adding or multiplying the risk’s Likelihood score by the risk’s Impact score. “Weighting” is another option businesses can use to customize or adjust their risk scoring – perhaps the identified risks associated with a certain project or department take priority, and so they could be weighted heavier in a risk assessment. To avoid confusion, the company’s risk assessment matrix methodology should be formally documented in policy and procedure documents, including any weighting and any changes to the risk process or approach.
Step 4: Prioritize the Risks
Finally, compare the different levels of risk (high, medium, or low) to the risk criteria (likelihood and impact). Prioritize those risks that pose the highest likelihood and impact, and create a risk assessment plan to effectively mitigate them.
Keep in mind, the risk landscape is constantly evolving, and the risk assessment matrix should be updated multiple times a year (annually at minimum) in order to reflect the changing risk environment. Failure to update the risk assessment strategy could result in missing emerging risks that may disrupt business objectives and continuity.
How to Determine the Likelihood of a Risk Occurring
An essential component of the risk assessment matrix is determining the likelihood of a risk occurring. After all, if you incorrectly determine the probability of a risk, you’ll be missing a critical opportunity to prevent unnecessary value losses.
Most companies use the following five categories to determine the likelihood of a risk event:
5: Highly Likely. Risks in the highly likely category are almost certain to occur. Typically, risks with 91 percent or more likelihood fall into this category.
4: Likely. A likely risk has a 61-90 percent chance of occurring. These risks need regular attention, as they are bound to reoccur and therefore require a consistent mitigation strategy.
3: Possible. Possible risks may happen about half the time — they have a 41-60 percent chance of occurring and need attention.
2: Unlikely. Risks in the unlikely category have a relatively low chance of occurring — 11 to 40 percent. But they may still affect your business, so it’s a good idea to keep an eye on them.
1: Highly Unlikely. Highly unlikely risks are exactly as they sound, with a low probability of occurring.
If the business is using a 3×3 risk matrix, the following three categories of likelihood suffice:
1: Unlikely. Risks in this category have a relatively low chance of occurring.
2: Likely. Risks in this category are predicted to occur and require a mitigation strategy.
3. Highly Likely. Risks in this category are almost guaranteed to occur and require a mitigation strategy.
How to Take Care of Your Risk Assessment Matrix
Since the modern threat landscape is constantly changing, your risk assessment matrix needs regular attention and iteration to meet the challenges of today and tomorrow. Whether your business needs to establish a solid enterprise risk management program, cybersecurity risk management program, or strengthen internal controls to prevent fraud; risk events, both external and internal, will require regular assessment in order to determine their likelihood and risk impact successfully.
It is recommended for organizations to schedule periodic risk assessments by either internal or external parties, such as IT risk assessments, and incorporate those findings into the central risk matrix. Likewise, it’s crucial to get management and leadership buy-in to risk management and mitigation, so an appropriate manager should review and sign off on the risk assessment matrix whenever it is updated. I suggest setting up a regular schedule or cadence for reviewing the risk assessment matrix at least quarterly, though the minimum for most frameworks is at least annually.
Additionally, risk mitigation or action plans should be updated along with the risk assessment matrix. Various risks will resurface or change in nature, prompting a commensurate change in mitigation strategy. Risks can go up or down in their impact or likelihood scoring, and the mitigation strategies of yesterday may no longer be sufficient for today’s environment. It’s important to take into account regulatory, economic, geopolitical, and technological changes that can have a major impact on your risk plan.
With the help of an up-to-date risk assessment matrix, you’ll be more easily equipped to identify emerging threats and properly allocate resources to mitigate their impact.
Ready to Reduce the Likelihood of Risks?
Using the risk assessment matrix for risk management will reduce not only the likelihood of the risks your business faces but also the magnitude of their impact on business operations. Effectively managing risk has always been critical for success in any business endeavor, but never more so than today. An important part of your risk strategy should involve managing your company’s risks by using integrated risk management software that facilitates collaboration and risk visibility to increase the effectiveness of your risk management programs.
Begin mitigating risk with a single click — get started with RiskOversight today!
Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.