Subscribe to Blog

Your email:

Current Articles | RSS Feed RSS Feed

Risk Assessment: Creating a Risk Matrix


Risk is going to get you...

In this day and age, Risk is the biggest buzzword in the compliance industry.  We've talked about it, you can't go anywhere without hearing about it, and everyone's got a Risk-Based solution.  I think the primary reason why we focus on Risk Assessment and Risk Management, is because in business, we need to quantify our actions.  We can no longer rely purely on "gut instinct" to execute on events, whether Quality, Financial, Social or similar areas.  The world moves too fast, and one misstep can make or break you as a business.  Risk provides the objective metric to help the decision-making process.  But, you need to know how to use risk.

How do you define Risk?  It's not as easy as you may think.  Companies spend plenty of time and money coming up with a scheme on how to calculate risk for their organization.  Risk is defined as the "systematic application of policies, procedures, and practices to the tasks of analyzing, evaluating, and controlling risk".  All this really means is that we put tools in place to help us look for risks, assess those risks, and then take action on the risk.  The trick here is finding the risk, isn't it?  How do we find the risk? 

The components of risk usually manifest themselves in two forms- Hazards or Harms.  Hazards represent the potential source of a harmful event (the cause).  Harms are the resulting damages to products, persons or the environment (the effect).  Risk is essentially cause and effect on a defined scale.  It's the scale in which most struggle. 

Usually, when trying to quantify hazards and harms, most organizations look at two metrics:  Severity and Frequency(or likelihood).  Often a third metric, Detectability can be used - but we'll keep it "simple" with two.  Taking these metrics into account, we can develop a scale in which to measure hazards and their harms.  This can be numeric (scale of 1-5), verbal (good to bad) or both.  Below is a list of verbal and numeric scale.

Severity and Frequency TablesIf you were to graph these scales, you would come up with a numerical matrix, one that highlights the Risk "zones" by their multiplied(or some other mathematical method) number on the axis, much like this one below:

Basic Risk CalculationYou can see that we have a Low-risk or Generally Acceptable Risk zone, and a high-risk or Generally Unacceptable Risk zone, but what about the middle?  There's a gray area of subjectivity here. How do companies determine this gray area?

Risk RegionsThis is not always an easy answer. Some companies have to weigh the costs versus benefits on these risks, without creating a disproportionate cost to risk (Example:  spending $1M to prevent a blister is disproportionate; spending $1M to prevent a fatality is proportionate).  Companies will carefully vet these zone, and typically adopt a concept called ALARP (As Low as Reasonably Practicable).  Simply put, this means that the risk is as low as we can possibly get it, or it is "Tolerable" or "Undesirable" - but it isn't critical or catastrophic.  So then, with the ALARP in place, you have a Risk Matrix:

The Risk Matrix

Now you can go off and start using it, right? need to "vet the matrix" - put it through real-world historical examples and see if the risk matrix comes up with the correct risk based on historical events.  You may need to "tweak" the matrix based on the vetting process.  Hard mathematics will not properly assess the risk without a little real-world honing.  Once you've fine-tuned the matrix, you can start utilizing it in your Compliance system.

Risk assessments and Risk Matrices are wonderful tools to help guide decision-making in an organization. But they are not meant to be stand-alone tools. They help to provide a guide for risk assessment, using quantitative and repeatable metrics to ensure a consistent method of determining risk. Most best in class organizations will assemble a "risk team" to go over adverse events and determine the risk. It is up to the team to decide how an event will be handled, and what the true risk is. Risk Matrices are the keys to unlocking quantitative risk-based processes, but the people are the drivers of the system.

Free Webinar OnDemand: Risk Management
OnDemand Risk Management WebinarRisk Management 2.0 The expanding role of Risk Mitigation in Industries

You will learn
• How Risk is evolving in many industries today
• How Risk fits into the Enterprise
• Understanding Risk and defining a risk matrix

Watch the Risk Management Webinar Now


its great to found this. can you help me with the suitable risk matrix for automotive industries the ratings doesnt have to be all high up. thank you..
Posted @ Wednesday, February 08, 2012 8:37 PM by dyiana
Each industry will have it's own standard risk factors, but more often than not, risk matrices are purely dependent on the organization's individual processes and policies. Most often, the 5x5 Risk Matrix is the standard, but many risk management tools are inherent in existing processes, such as FMEA, PPAP, APQP, HFACS, or Hazard Analysis. The key is to use an industry metric as a foundation, but ultimately your organization will need to come up with a matrix that make the most sense to your business.
Posted @ Thursday, February 09, 2012 8:42 AM by Tim Lozier
could you tell me what reference did you get these matrices. thank you. 
Posted @ Thursday, June 07, 2012 12:43 AM by Maye Salazar
I need all information regarding the set up of a risk assesment aswell as risk matrix file
Posted @ Monday, June 18, 2012 6:40 AM by Martin Jonker
Dear Sir, 
Can you send me risk assesment chat and saverity rates probablitiy rates and frequency rate how can i make please send me details.
Posted @ Tuesday, July 10, 2012 4:38 AM by Mukhtar Ahmad
I have been tasked with putting together a risk matrix at my job site. This is my first solar job site and would like your help. 
Thank You
Posted @ Tuesday, July 17, 2012 8:51 AM by Dan Slaven
This have helped me to get insight o risk matrix! Could you help me to figure out the risk matrix bof banking area?
Posted @ Tuesday, August 28, 2012 4:22 AM by Cesar Bia
Informative writing. 
Am writing my dissertation on collapse proneness of buildings in my city. 
This has been helpful..
Posted @ Wednesday, September 12, 2012 5:35 PM by Shadrack Kombe
Dear Sir,  
Can you send me risk assesment chat and saverity rates probablitiy rates and frequency rate how can i make please send me details.  
Posted @ Thursday, October 11, 2012 5:15 PM by Manoj Kumar
helo I have a assignment that I have to create a risk assessment on hazards on the environment but I dont understand what risk matric to use can you help
Posted @ Wednesday, October 17, 2012 5:23 AM by Elouise Sklar
could we use this risk matrix in derivatives?
Posted @ Saturday, October 27, 2012 9:12 PM by pamela gulfo
Thanks for greatful information on risk matrice,could you please furnish me with risk matrix in cement industry
Posted @ Tuesday, February 12, 2013 12:39 AM by Sharaf Modhawi
I am in the telecommunications industry, fixed line to be specific. Can you assist me with a risk matrix for this industry. Thank you
Posted @ Saturday, March 09, 2013 7:56 AM by cephas chikwaya
Excelent benfits
Posted @ Thursday, April 04, 2013 4:44 AM by Elmardi Elmaki
Hi, I would like to cite this work and am wondering if the work can be attributed to another source, perhaps in a peer reviewed journal? Any direction in this area would be really helpful! Thanks!
Posted @ Monday, April 15, 2013 9:41 PM by Sharona
Im assigned to conduct a risk assessment on emergency eyewash in an area were cidex is used to decontaminate equipments used in the operating room. (hospital) Can you Can you send me a sample matric I can use as guide
Posted @ Thursday, April 25, 2013 10:32 PM by David Babauta
I am extremely lazy. Will you please do my job for me? 
Posted @ Thursday, June 06, 2013 12:04 PM by Wally
very useful article. needs more clarification on the matrics. 
Posted @ Thursday, June 27, 2013 6:21 AM by austin asprilla
kindly send me risk assesment chat/matrix and saverity rates probablitiy rates and frequency rate how can i make it easily  
please send me details. (belong to pharmaceutical)  
Posted @ Thursday, August 01, 2013 1:59 AM by Luqman
can you send me risk assessment chat & severity rate,probability rate and frequency rate.How i can make please send me the details
Posted @ Saturday, August 31, 2013 11:12 AM by jayaprakash
Kindly send me a risk assessment matrix with examples for a mobile telecommunication (cellular)
Posted @ Sunday, September 01, 2013 6:08 AM by Rufaro
Hi, just a quick question..It has been established that the theft of laptops in a year is rated as highly probable, a 4 on a 
five-point probability scale. The impact on the profitability of the organisation concerned is rated 
as a serious financial loss, a three on a five-point scale. Using the information provided, plot the 
information on a risk analysis matrix. How do plot the info on a risk analysis matrix? do i draw a line from probability (4) to Inpact (3) ?  
Posted @ Monday, September 09, 2013 2:49 AM by charles
How is a Risk Assessment  
Matrix for a financial company set-up.
Posted @ Saturday, October 26, 2013 1:38 PM by P Lea
A very good tool to analyse risk
Posted @ Tuesday, November 05, 2013 1:30 AM by Muralidharan
After you decide on a matrix do you stick with it or can you change it depending on what area you are analyzing?
Posted @ Tuesday, November 12, 2013 4:31 PM by Elaine
Could you please send me recorded version of this webinar please. 
Risk Assessment: Creating a Risk Matrix
Posted @ Sunday, November 17, 2013 1:55 AM by MEENAKSHI
i would like to have mor detald on crating reisk matris
Posted @ Sunday, December 01, 2013 1:50 AM by Kassim al Jabri
i would like to have mor detald on crating reisk matris
Posted @ Sunday, December 01, 2013 1:51 AM by Kassim al Jabri
I wonder how same numbers (I call risk priority numbers LXF) could have different ranking eg 4 appears in both tollerable and acceptable regions.
Posted @ Thursday, December 19, 2013 10:16 PM by Masoud Sadra
How to calculate the probability and severity
Posted @ Friday, December 20, 2013 6:21 AM by Kassim Al Jabri
Dear Sir, 
Can you send me risk assessment of steel structure erection accordingly 5x5 matrix.Likelihood level x Consequence Level = Risk LEVEL
Posted @ Thursday, December 26, 2013 1:04 PM by Wakeel Akhtar Ansari
Thank you for this post. That’s all I are able to say. You most absolutely have built this blog website into something special. You clearly know what you are working on, you’ve insured so many corners. Thanks. is bubblegum casting legitimate
Posted @ Tuesday, April 01, 2014 6:22 AM by is bubblegum casting legitimate
Is there a theoretical basis in a 5x5 risk assessment matrix with respect to how the ratings are derived? For example, a moderate consequence with a high likelihood should yield an overall "X" rating?
Posted @ Thursday, May 15, 2014 11:29 AM by curious risk assessor
Posted @ Wednesday, June 04, 2014 3:20 AM by Deniel
I wanted to thank you for this great read!! I definitely enjoyed every little bit of it. I have you bookmarked to check out new stuff on your post
Posted @ Monday, July 14, 2014 1:06 AM by bicycle club rules
If you publish informative comments on blog sites there may be always the chance that real mankind will click throug, thank you for informative and beneficial post, obviously inside your blog site everything is good.h robocalls
Posted @ Thursday, September 18, 2014 7:50 AM by automated calling
Well, very good post with informative information. I really appreciate the fact that you approach these topics from a stand point of knowledge and information. This is the first time, I visited at your site and became your fan.
Posted @ Thursday, September 25, 2014 5:55 AM by Salvato455
i started for 8 week to work for Gas and electricity distribution network operators. I have the task to develop Risk matrix the Company. It will be great if somebody could help me.
Posted @ Monday, December 08, 2014 7:43 AM by Hi
Post Comment
Website (optional)

Allowed tags: <a> link, <b> bold, <i> italics