School of Information Systems

How to make a risk assessment matrix

Isidora Markovic

If you want to create your own risk assessment matrix, you can start by defining the scope of work. Depending on what you are trying to improve, you need to identify different areas of risk. Choose your objective and make sure it is as clear as possible.

Step 1: Identify Hazards

To start, list as many risks as you can. The idea behind this is to get different views. A brainstorming session could be of help. The list that you get is going to be the foundation of the risk assessment matrix.

In keeping with your scope, the list needs to be long and detailed. It can include anything from theft, to burns, and even pollution. It is really important that you think about all potential risks for any new project you are working on.

You can also think about what happens when you identify them. But not to worry, we will discuss that soon enough.

Step 2: Risk Analysis

Risk analysis is not something to take lightly. There are certain steps that you need to follow in order to manage risks effectively. Once an organization has identified the right risks, the next step is to evaluate them carefully.

A risk assessment matrix focuses mainly on likelihood and consequences. Depending on the organization, however, you can also encounter terms like “vulnerability” or “speed of onset”.

Step 3: Determining Risk Impact

Any risk assessment matrix requires you to check the probabilities and consequences of risk events that might happen. The results of such assessments are used to rank the risks, in order to find the most important ones as well as the less critical ones.

In a risk chart, you can see exactly how both high-risk and low-risk factors are shown. The impact of a successful attack can be split into two types: “technical impact” and “business impact”.

Step 4: Prioritize the risks

When you look at a risk assessment matrix, you are able to compare different levels of risk. It can include any internal rules or policies.

One thing that should be noted is that the risk assessment process is an ongoing one. A matrix needs to change along with the changes that appear in your company. If it is done once per year, emerging risks could go unnoticed or even undetected.

How to use the risk assessment matrix?

When the risk assessment process is complete, you can start entering data into the matrix. Any risk assessment matrix uses two axes: one measures the likelihood, and the other measures the consequence.

Likelihood: the probability of a risk

Depending on the likelihood of the occurrence of the risk, the risk can be classified under these categories:

  • A risk that is almost guaranteed to show up during the execution of the project. Any risk that is more than 85% likely to cause problems is going to fall under this category.
  • Risks that have a 60%-80% chance to occur can be grouped as likely.
  • Risks that have a 50/50 probability of occurrence are named occasional.
  • Seldom are the risks that have a low probability of occurrence.
  • Unlikely are the risks that have almost no probability of occurring.

Consequences: the severity of the impact or the extent of damage caused by the risk

The consequences of risk can be ranked into five categories. These are based on how severe the damage can get.

  • Risks that can cause a negligible amount of damage are called insignificant.
  • Risks that have a small potential for negative effects are called minor.
  • Risks that do not pose a great threat but can still cause sizable damage can be classified as moderate.
  • Risks that have substantial negative effects and are going to seriously impact the success of a project are called critical.
  • Risks that come from human error or the environment, or from other causes such as procedural deficiencies or major system loss, and that will require closing down the operation are called catastrophic.
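
The two axes above can be combined into a grid and a ranked list. The following is an added example, not part of the original article: multiplying the ordinal ranks, the rating floors, the placeholder label "almost guaranteed" for the article's unnamed top likelihood category, and the sample register are all assumptions.

```python
# Added example, not from the article. Category names follow the article, lowest
# to highest; it does not name its top likelihood category, so its description
# "almost guaranteed" stands in as a placeholder label.
LIKELIHOOD = ["unlikely", "seldom", "occasional", "likely", "almost guaranteed"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "critical", "catastrophic"]

# Assumption: score = likelihood rank x consequence rank (1..25), with these
# rating floors. Tune both to your organization's own rules and policies.
BANDS = [(15, "extreme"), (8, "high"), (4, "medium"), (1, "low")]

def score(likelihood, consequence):
    """Product of the two ordinal ranks; rejects categories not on the axes."""
    for value, axis in ((likelihood, LIKELIHOOD), (consequence, CONSEQUENCE)):
        if value not in axis:
            raise ValueError(f"unknown category: {value!r}")
    return (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)

def rating(points):
    """Map a score to the first band whose floor it reaches."""
    return next(label for floor, label in BANDS if points >= floor)

def prioritize(register):
    """Rank risks by score; equal scores put the worse consequence first."""
    rows = [(name, lik, con, score(lik, con)) for name, lik, con in register]
    rows.sort(key=lambda r: (-r[3], -CONSEQUENCE.index(r[2]), r[0]))
    return [(name, points, rating(points)) for name, _, _, points in rows]

def render(register):
    """Text grid, highest likelihood first; cell = rating initial:risk count."""
    counts = {}
    for _, lik, con in register:
        score(lik, con)  # validate before counting
        counts[(lik, con)] = counts.get((lik, con), 0) + 1
    lines = [" " * 18 + "".join(f"{con[:8]:>10}" for con in CONSEQUENCE)]
    for lik in reversed(LIKELIHOOD):
        cells = [f"{rating(score(lik, con))[0].upper()}:{counts.get((lik, con), 0)}"
                 for con in CONSEQUENCE]
        lines.append(f"{lik:<18}" + "".join(f"{cell:>10}" for cell in cells))
    return "\n".join(lines)

# Constructed sample register: (risk, likelihood, consequence).
REGISTER = [
    ("theft", "almost guaranteed", "minor"), ("burns", "occasional", "critical"),
    ("pollution", "seldom", "catastrophic"), ("major system loss", "likely", "catastrophic"),
]

if __name__ == "__main__":
    print(render(REGISTER))
    print(*prioritize(REGISTER), sep="\n")
```

Pollution and theft both score 10 in this register; the tie-break ranks pollution higher because its consequence is catastrophic, which a plain product would hide.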

Knowing what elements a risk assessment matrix has is important. This is going to help you and your organization to manage risk effectively and reduce workplace incidents.

The risk assessment matrix is a document that has to be updated and maintained with care. Risks are evolving and the matrix should do the same. There are certain events that are going to trigger the need for a refresh. One such event could be establishing an enterprise risk management program.

https://tms-outsource.com/blog/posts/risk-assessment-matrix/

Joni Suhartono