Download Risk Matrix
Nora Taulman
Risks in project management are unexpected events that may or may not occur and impact your project outcome in some way. According to the Project Management Institute (PMI), analyzing and managing risks is a key practice in project management. It improves the chances of successful project completion while reducing the consequences of any risk that occurs.
A risk assessment matrix (sometimes called a risk control matrix) is a tool used during the risk assessment stage of project planning. It identifies and captures the likelihood of project risks and evaluates the potential damage or interruption caused by those risks.
The risk assessment matrix offers a visual representation of the risk analysis and categorizes risks based on their level of probability and severity or impact. This tool is a simple, effective way to get a holistic view of the project risks for all team members and key stakeholders.
In this example, you see risk categories ranging from low to high and likelihood ranging from very likely to very unlikely. Using it is as simple as any other matrix: You look for where both of your criteria meet to get your risk rating.
Identify as many risks as you can with your project team. Consider aspects like scope creep, budgetary constraints, schedule impacts, and resource allocation as the starting points for your risk identification process. Create a risk register complete with all of the identified risks, as it will make it easier to create your matrix.
A risk matrix is a matrix that is used during risk assessment to define the level of risk by considering the category of probability or likelihood against the category of consequence severity. This is a simple mechanism to increase visibility of risks and assist management decision making.[1]
Risk is the lack of certainty about the outcome of making a particular choice. Statistically, the level of downside risk can be calculated as the product of the probability that harm occurs (e.g., that an accident happens) multiplied by the severity of that harm (i.e., the average amount of harm or more conservatively the maximum credible amount of harm). In practice, the risk matrix is a useful approach where either the probability or the harm severity cannot be estimated with accuracy and precision.
Although standard risk matrices exist in certain contexts (e.g. US DoD, NASA, ISO),[2][3][4] individual projects and organizations may need to create their own or tailor an existing risk matrix. For example, the harm severity can be categorized as:
The company or organization then would calculate what levels of risk they can take with different events. This would be done by weighing the risk of an event occurring against the cost to implement safety and the benefit gained from it.
The risk matrix is approximate and can often be challenged. For example, the likelihood of death in an aircraft crash is about 1:11 million[5] but death by motor vehicle is 1:5000,[5] but nobody usually survives a plane crash, so it is far more catastrophic.
On January 30 1978,[6] a new version of US Department of Defense Instruction 6055.1 ("Department of Defense Occupational Safety and Health Program") was released. It is said to have been an important step towards the development of the risk matrix.[7]
In August 1978, business textbook author David E Hussey defined an investment "risk matrix" with risk on one axis, and profitability on the other. The values on the risk axis were determined by first determining risk impact and risk probability values in a manner identical to completing a 7 x 7 version of the modern risk matrix.[8]
Thomas, Bratvold, and Bickel[16] demonstrate that risk matrices produce arbitrary risk rankings. Rankings depend upon the design of the risk matrix itself, such as how large the bins are and whether or not one uses an increasing or decreasing scale. In other words, changing the scale can change the answer.
Another common problem is to assign rank indices to the matrix axes and multiply the indices to get a "risk score". While this seems intuitive, it results in an uneven distribution.[citation needed]
Douglas W. Hubbard and Richard Seiersen take the general research from Cox, Thomas, Bratvold, and Bickel, and provide specific discussion in the realm of cybersecurity risk. They point out that since 61% of cybersecurity professionals use some form of risk matrix, this can be a serious problem. Hubbard and Seiersen consider these problems in the context of other measured human errors and conclude that "The errors of the experts are simply further exacerbated by the additional errors introduced by the scales and matrices themselves. We agree with the solution proposed by Thomas et al. There is no need for cybersecurity (or other areas of risk analysis that also use risk matrices) to reinvent well-established quantitative methods used in many equally complex problems."[17]
The TRACE Bribery Risk Matrix (TRACE Matrix) measures business bribery risk in 194 jurisdictions, territories, and autonomous and semi-autonomous regions. The overall country risk score is a combined and weighted score of four domains: Business Interactions with Government; Anti-Bribery Deterrence and Enforcement; Government and Civil Service Transparency; and Capacity for Civil Society Oversight, including the role of the media. The domain scores are derived from nine subdomains. The TRACE Matrix was originally developed in 2014 in collaboration with RAND Corporation. It is updated annually by TRACE.
According to this year's data, North Korea, Turkmenistan, Syria, Equatorial Guinea and Yemen present the highest commercial bribery risk, while Norway, New Zealand, Switzerland, Sweden and Denmark present the lowest.
This tool gives information on how different aspects of diet, as well as body weight and physical activity, might be linked to cancer risk. The strength of the evidence that any such link might be a truly causal factor has been put into one of three categories:
Risk matrices all follow the same basic structure. They are typically 5x5 grids that show the likelihood of risks occurring along the Y axis and the severity of their consequences along the X axis. Each axis follows a scale of very low to very high. The risks that your organization could face are placed within the risk matrix depending on where they fall on this scale. This helps you determine levels of risk.
If the risk is high on the likelihood scale and high on the consequence scale, you can define the level of risk as very high. Conversely, if the risk falls low on the likelihood scale and low on the consequence scale, the level of risk would be very low.
Within a risk management matrix, levels of risk are further highlighted with a colour-coded system. A risk that has an overall low level of risk is colour-coded green. If it is medium, it is shown in yellow or orange. An overall high risk is depicted in red. This traffic light system makes it easy to quickly understand levels of risk.
A 5x5 risk matrix simply refers to a risk matrix that is made up of 5 cells along the X axis and 5 cells along the Y axis. Essentially, a 5x5 grid. A risk matrix does not have to be 5x5, although this is the most common type.
As previously stated, a risk matrix will visually tell you the levels of risk that your organization is facing. They are often used during the risk assessment process to help you decide which risk management strategy will be best to deal with them as well as which risks need prioritising. The risk matrix can be interpreted as follows:
You can also use a risk management- matrix when reporting upon risks, which is an important element of the risk management process. Risk matrices are useful for communicating, easily and visually, the risks that your organization faces and the levels of those risks. They may therefore come in handy when sharing risk assessment information with others in the business.
It would be fair to say that the simple nature of the risk matrix is both its greatest benefit and greatest weakness. Their simplicity makes for a great overview of levels of risk, but it also means that nuances are left out, which can negatively impact upon decision making.
It is useful to consider what other measures you can implement, in addition to a risk matrix, in order to ensure that your risk management process is robust. Risk management software, for example, has numerous benefits that can support your organization's approach to risk.
There are other risk categories to consider depending on your work industry. For example, if you have government clients, then you also want to brainstorm legal risks. If your company sells a physical product, you may have to think about manufacturing risks.
Team collaboration is also crucial in this step because you may not have a good idea of similar risks that have occurred in past projects. Make sure to reference past projects and analyze the probability of each risk with your team in order to create a more accurate mitigation plan.
Your risk response plan should include steps to prevent risk and ways to mitigate risk if unfortunate events occur. Because so much goes into project planning, the best strategy when tackling risks may be to divide and conquer.
The size of your risk matrix template determines how closely you can analyze your project risks. A larger risk matrix template offers more room on the risk impact spectrum, while a smaller risk matrix template keeps your risk impact rating simpler and less subjective.
A five-by-five risk matrix is ideal so you can further analyze each risk. Once you chart your risks along your finished risk matrix template, this matrix creates a larger color spectrum to see the impact of each risk as high, medium, or low.
When you pair your risk matrix template with work management software, you can use past data to inform current processes. Asana helps you share the results of your risk matrix with stakeholders so you can collaborate on a risk management plan. Once you have a solid plan in place, you can monitor your team in real-time as they take action.
760c119bf3