What is a Risk Matrix?
Table of Contents: Definition – Design – Process – Advantages and disadvantages – Questions from the field – Notes
Smartpedia: The risk matrix shows a graphic image of the risk situation by visualising risks based on the probability of occurrence and the extent of damage.
Risk matrix – the visualisation of the risk situation
In many areas of life and work, we face the challenge of identifying and assessing risks. We often lack a clear overview of the multitude of risks, their probability of occurrence and the potential damage they can cause. This is where the risk matrix comes into play: an effective tool that helps to visualise identified hazards and analyse their probability and potential impact in order to make informed decisions.
The risk matrix is a graphical representation of the identified risk situation. The positioning of the risks allows them to be compared, helps with communication and is the basis for defining measures to minimise the main risks. Synonyms are risk diagram, risk graph, risk map, risk portfolio and risk profile.
The design of a risk matrix
Due to the simplicity of the presentation with the colour ranges green for acceptable, yellow for tolerable and red for unacceptable, a risk matrix can be understood even without prior knowledge. The colours of the fields symbolise the priority with which countermeasures for risks should be taken. The exact appearance of a risk matrix is not standardised:
- The names of the axes in the diagram can vary.
- The number and labelling of the gradations in the extent of damage can vary: e.g. with three levels ‘1, 2, 3’ or ‘low, medium, high’, or five levels from ‘low to critical’, or with percentages from 0-20% to 81-100%.
- The number of fields can vary: 2 x 2, 3 x 3, 4 x 4 or 5 x 5 fields, i.e. a total of 4, 9, 16 or 25 possible gradations.
- And the number and designation of the probabilities of occurrence can also vary: e.g. with three levels ‘low, medium, high’, with four levels ‘very low, low, medium, high’ or with five levels ‘impossible, improbable, possible, probable, very probable’.
- Impacts such as the extent of a loss of image, the loss of market share or the degree of employee satisfaction can be visualised.
In short, the display is easy to understand and can be customised.
The process for creating the risk matrix
The process for creating the risk matrix is relatively simple:
- Identify risks.
- Assess risks.
- Visualise risks.
Before you can assess a risk and visualise it in the risk matrix, you must first identify it. Risk identification is a process for systematically identifying and collecting potential risks that could affect a company, undertaking, project or development. The aim of risk identification is to record internal and external sources of risk as completely and continuously as possible.
The following help to identify risks:
- experience from previous projects,
- an exchange between management, project management and the project team,
- consulting external experts or specialised employees,
- and, if necessary, orientation on existing risk assessments¹.
Of course, risk diagrams from previous projects should never be used one-to-one without checking and revising them, but they can still be a good source for identifying risks.
Once risks have been identified, the next step is to categorise the probability of occurrence and assess the potential extent of damage. The following combinations are conceivable, for example:
- high probability of risk occurrence, low extent of damage
- low probability of risk occurrence, low extent of damage
- low probability of risk occurrence, high extent of damage
- high probability of occurrence, high extent of damage
Once the probability of occurrence and extent of damage have been assessed, the simplest task follows: assigning the individual risks to the matrix.
And what follows the assignment to the risk matrix? The substantive work begins: which risks deserve special attention, which measures are defined for which risks, how are possible measures designed, who monitors the risks, who implements the measures for risk avoidance, risk diversification or risk transfer, etc.?
Advantages and disadvantages of the risk matrix
The use of a risk matrix offers a number of advantages:
- They are ideal for visualising and communicating risk assessments.
- They give a good impression of the number and criticality of risks.
- They promote a common understanding of risk in the organisation and increase both transparency in dealing with risks and risk sensitivity.
- They are flexibly adaptable, so that different contexts in the evaluation of risks – e.g. probability of occurrence and potential damage to the company’s image – can be presented.
- They are suitable for both quantitative statements (e.g. monetary levels of a potential loss) and qualitative statements (e.g. “serious” and “existence-threatening”).
There are also a number of disadvantages:
- It is not possible to derive an overall risk from the presentation, although the overall risk can be significant for the implementation of a project.
- Qualitative and quantitative statements are limited because many risks with low probabilities and low impact can have the same effect as a risk with high probability and high impact.
- In practice, a risk map is only suitable for displaying a limited number of risks, otherwise the clarity would be lost. In this case, it is advisable either to visualise only selected risks (e.g. top ten risks) or to work with several risk diagrams.
- Changes in the assessment of risks cannot be traced because the illustration is a snapshot.
Despite these disadvantages, the risk matrix is often used as it offers a quick and simple method for identifying and prioritising risks. However, it is important to recognise its limitations and supplement it with other risk management methods if necessary.
Questions from the field
Here you will find some questions and answers from the field:
Is the risk matrix the result of the risk analysis?
The risk matrix is often described as the result of the risk analysis. However, this is not entirely correct, as a risk analysis is not a one-off but an ongoing activity in a project. The extent of damage and probability of occurrence often change over the course of the project. In addition, new risks emerge that did not exist at the start of the project or were overlooked. The risk matrix is therefore a tool that documents the status of the risk analysis and serves as a basis for defining risk-minimising measures.
What questions arise when designing the risk matrix?
To design a risk matrix you have to answer various questions:
- Do you use a quantitative or qualitative classification? If you have sufficient data to make a quantitative assessment of the probability of occurrence, you should choose a quantitative classification. If you only have imprecise, quantitative data, you should prefer a qualitative classification.
- How many levels do you use per criterion and how do you name these levels?
- Do you use units as reference values (e.g. probability of occurrence per time unit, use case, patient)?
Of course, you can also correct your decisions based on new considerations during the course of a project, but this may also lead to a reassessment of the risks.
What is the ALARP principle?
ALARP is an acronym and means “As Low As Reasonably Practicable”. Freely interpreted, ALARP is a principle of risk reduction.
According to this principle, the extent of damage and the probability of a risk occurring should be reduced, taking into account a reasonable financial and technical effort, in such a way that the maximum degree of safety is guaranteed.
Risks that lie within the unacceptable range of the risk matrix must be brought into the ALARP area by means of risk-reducing measures. Risks that lie within the ALARP range are often considered tolerable. Risks that lie within the acceptable range of the risk matrix are usually only observed.
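The assess-and-visualise steps and the three zones described above, as an added example that is not part of the original page: risks are placed in a 5 x 5 matrix, each cell is coloured, and the unacceptable risks are listed for risk-reducing measures. The zone thresholds, the numeric damage scale and the sample risk register are assumptions made for illustration, since the layout of a risk matrix is not standardised.

```python
from collections import defaultdict

# Probability labels: the page's five-level example. Damage: 1 (low) .. 5 (critical).
PROBABILITY = ["impossible", "improbable", "possible", "probable", "very probable"]
# Assumed zone boundaries on score = probability level * damage level (1-based).
ACCEPTABLE_MAX, ALARP_MAX = 4, 12   # green up to 4, yellow up to 12, red above

def zone(prob, damage):
    """Colour zone of one cell; both levels are 1..5."""
    if not (1 <= prob <= 5 and 1 <= damage <= 5):
        raise ValueError("levels must be 1..5")
    score = prob * damage
    if score <= ACCEPTABLE_MAX:
        return "acceptable"
    return "ALARP" if score <= ALARP_MAX else "unacceptable"

def place(risks):
    """Assign each risk (id, name, prob, damage) to its matrix cell."""
    cells = defaultdict(list)
    for rid, _name, prob, damage in risks:
        zone(prob, damage)  # rejects out-of-range levels
        cells[(prob, damage)].append(rid)
    return cells

def render(cells):
    """Text matrix: probability on the y-axis (highest on top), damage on the x-axis."""
    mark = {"acceptable": "g", "ALARP": "y", "unacceptable": "R"}
    lines = []
    for prob in range(5, 0, -1):
        row = []
        for damage in range(1, 6):
            ids = ",".join(cells.get((prob, damage), [])) or "-"
            row.append(f"{mark[zone(prob, damage)]}:{ids:<6}")
        lines.append(f"{PROBABILITY[prob - 1]:>13} | " + " ".join(row))
    return "\n".join(lines)

def needs_measures(risks):
    """Unacceptable risks, highest score first: reduce these into the ALARP zone."""
    red = [r for r in risks if zone(r[2], r[3]) == "unacceptable"]
    return sorted(red, key=lambda r: r[2] * r[3], reverse=True)

# Constructed sample register (IT / cyber security), not taken from the page.
RISKS = [("R1", "phishing leads to credential theft", 4, 4),
         ("R2", "ransomware on the file server", 3, 5),
         ("R3", "loss of an encrypted laptop", 3, 2),
         ("R4", "data-centre power failure", 2, 4),
         ("R5", "defaced test website", 2, 2)]
if __name__ == "__main__":
    print(render(place(RISKS)))
```

Because the matrix is a snapshot, rerunning it with updated levels replaces the picture rather than recording the change; keeping dated copies of the register is one way to trace reassessments.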
What is the PEST analysis?
The PEST analysis is a strategic tool that helps companies to analyse the macroeconomic environment in which they operate. PEST stands for Political, Economic, Social, and Technological – the four main categories considered in the analysis. By systematically analysing political, economic, social and technological factors, the PEST analysis can identify potential risks that could affect the business environment.
What are the limits of the risk matrix?
A risk matrix is a tool that facilitates the communication of risk assessments. It does not contain statements about an organisation’s risk appetite, nor does it visualise an overall risk or support the tracking of risks.
Operational risk management often requires the calculation of risk indicators, the categorisation of risk causes and structured work with sorted risk lists. However, as risk diagrams are not standardised, they can also be adapted flexibly.
Simply visualise where your organisation’s risk appetite lies with a red line in the diagram. Add additional key figures to risks or note down measures to minimise the probability of occurrence. You have the freedom to do so. Use your risk matrix in such a way that it provides you with the best possible benefit.
Where is the risk matrix used?
- In project management for the identification, assessment and prioritisation of project risks in order to plan countermeasures in good time.
- In corporate management for strategic planning and decision-making by assessing market and business risks.
- In healthcare to assess patient safety risks and implement risk minimisation measures.
- In construction and engineering to identify safety risks and plan accident prevention measures.
- In IT and cyber security to assess cyber threats and implement security measures.
- In production and manufacturing to identify production risks and ensure quality and safety.
In short: the matrix is used in many areas where visualisation is useful.
How useful is it to define measures for all identified risks?
It does not always make sense to take measures for all identified risks. A project’s resources are often limited and not all risks are equally significant. You should therefore define measures primarily for risks that have a high probability and/or a high potential for damage. Here are some reasons why a selective approach makes more sense:
- If you focus on the most significant risks, you can deploy resources more efficiently to prevent or mitigate the greatest potential damage.
- Not every risk justifies the expense of countermeasures. You should therefore carefully weigh up whether the costs of the measures outweigh the potential benefits.
- Defining and tracking measures for all identified risks can lead to an enormous administrative burden that distracts from the core activities of the project.
- As risks and their relevance can change over the course of the project, it makes more sense to regularly review and adjust which risks require measures rather than defining measures for all risks from the outset.
Overall, it is more effective to use a risk matrix to assess the risks and then define measures for those that pose the greatest risk to the project.
Impulse to discuss:
Does it show the company’s willingness to take risks?
Notes:
You are welcome to share or link to the content on this page.
[1] Here you will find a list of 130 potential project risks (in German).
Here you can find a German video tutorial on how to create a risk matrix with Excel.