What’s a Risk Assessment Matrix? And How to Build One in 4 Simple Steps

Having a clear picture of your company’s risk profile is critical to the world of internal controls, internal audit, ERM, and more.

Frankly, it's what enables risk professionals to focus their efforts on the most impactful risk areas—and help their leaders (and themselves) the sleep better at night.

However, many people feel lost when it comes to the intricate process of evaluating risks. Admittedly, there is a lot to factor in, with layers and layers of people and processes to consider.

That's why the risk assessment matrix is such an important tool.

The risk assessment matrix will help your organisation identify and prioritise different risks, by estimating the probability of the risk occurring and how severe the impact would be if it were to happen. 

What is a risk assessment matrix?

So what exactly is a risk assessment matrix? It is a widely used tool that organisations implement as a part of their risk assessment process to define risks and categorise them based on the likelihood of occurrence and level of impact. 

Organisations can use different terms to describe their matrix. You might hear risk control matrix (sometimes called a risk control table or risk control chart) or risk and control matrix (RACM). Regardless of what an organisation calls the matrix, it’s referring to that holistic matrix that summarises risks, how significant those risks could be (usually measured by likelihood, impact, etc.), what mitigating factors are in place, and the “residual” or unmitigated risk. 

So no matter what you call your matrix—a risk assessment matrix, risk control matrix, or a RACM—this post is relevant for you. We’ll walk through the steps you can take to build a matrix that summarises your risks and create a process to identify and assess those risks.

The importance of risk assessments—why use a risk control matrix?

Organisations of all sizes use a risk assessment matrix for three major reasons:

• To measure the size and scope of risk
• To determine if they have the appropriate resources to minimise the risk
• To triage and prioritise the list of risks in a legible, easy-to-read matrix

The purpose of a risk assessment matrix is to help teams identify, evaluate, and prioritise risks for their organisation—at the enterprise, business process, and individual process levels. In addition, a risk assessment matrix is a key tool to help organisations build risk resilience and stay ahead of risk in this ever-changing business climate.

Check out the example of a risk assessment matrix below, which shows the balance of having enough information for a good analysis without requiring an excessive level of detail. 

Get your PDF risk assessment matrix template!

How to perform a risk assessment in 4 steps 

It may seem like an intimidating process when you think about how to write a risk assessment. But I’d like to offer a simplified view without a bunch of mathematical computations.

The process:

• Identify the risk universe

• Determine the risk criteria

• Assess the risks

• Prioritise the risks

Step 1: Identifying the risk universe 

The goal with this first step is to capture the full scope of the present risk.

To start off, you'll want to make sure you cast as wide a net as possible. The most effective way to do this is with free-flow brainstorming sessions. These brainstorming sessions will generate a list of ideas that will serve as the foundation of the risk assessment matrix. 

Now, let's get the creative juices flowing!

From my personal experience, I like to start with high-level risk categories that align to business functions, and then drill down to specific processes within those functions. This helps me narrow the focus after a broad brainstorming session.

Additionally, your risk universe will contain concerns specific to your industry, along with concerns unique to your company.

Finally, it is essential that the participants consider thought leaders in their spaces and look outside the organisation to identify and assess emerging risks that could make an impact.

Here's one way that I would organise my risks: 

• Strategic: Shifts in key markets (disruptive technology, new competitors, etc.)

• Operational: Constraints or industry inherent factors (lack of available resources, environmental, safety, etc.)

• Financial: Cost of capital, liquidity, etc.

• Market: Social media presence

• Technology: Cybersecurity and data privacy

Step 2: Determining the risk criteria

Before assessing each risk, you’ll want to develop a common set of factors to help evaluate your organisation's risk universe.

A typical risk assessment matrix uses two main criteria:

• Likelihood (the level of possibility)
• Impact (how "big" an event could be)

However, some organisations may consider other risk assessment factors such as vulnerability and velocity (speed of onset). This is a critical step, as these criteria will drive the discussions throughout the rest of the risk evaluation process.

Beware of underestimating the importance of reaching a common understanding on the criteria. After all, if participants are using different measurement scales, for example, aggregating and comparing responses is futile. Remember the old adage “garbage in, garbage out."

Step 3: Assessing the risks

This next step is where things start to get fun. (Well, as fun as a risk assessment can be.) We're going to assess the risks based on the criteria we laid out in the previous steps.

Most organisations begin by applying a qualitative lens to focus their assessment on risks that participants (leaders) consider most significant for the organisation. This is typically done using a common "high, medium, and low" scoring approach or a numerical scale by rating factors, such as a range of “1–5”. 

To determine the top risks for the organisation, many calculate an average score across the respondents. Other organisations use a weighting methodology to bring greater attention to the responses by participants with subject matter expertise in the area. Some go a step further and look at the range or distribution of the responses. By taking a deeper dive into risks with a wider distribution of responses, it’s possible to surface risk factors not broadly understood that warrant deeper consideration.

Once the qualitative assessment has been completed, you can shift your assessment to perform a quantitative analysis of the most important risks. This will create a solid foundation for decision-making in those critical areas.                                                                                                                                                

Step 4: Prioritising the risks

We're almost there!

In the last step, we're going to compare the different levels of risk (from step three) to the target risk criteria (from step two). In other words, prioritising risk accounts for the impact, possibility, and importance of the risk, and outputs a plan.

If these last two steps sound subjective—that's because they are. Expert judgment is involved in risk assessment and prioritisation techniques to identify potential impacts, define inputs, and interpret the data. 

Historically, many organisations performed an annual risk assessment, which may have been adequate at the time but doesn’t allow organisations to keep up with risk in today’s dynamic environment. Many organisations now refresh their risk assessments quarterly or when there is any significant shift in key risks or risks not considered previously. As more and more risks emerge, some organisations are striving to do ongoing risk evaluations to keep their risk assessment “continually” refreshed.

The risk evaluation is complete—what now? 

Now that you have identified the risks, you now need to figure out what to do about them. And, as I mentioned in step four, that requires some expert judgement—some of which might not entirely be up to you.

There are many ways to respond to risk, and each identified risk can be addressed in one of four ways.

• Accepting the risk: This risk is tolerable, and our company can surmount it 

• Reducing the risk: This risk is a little steep, and we should take steps toward minimisation ahead of time

• Sharing the risk: This risk could be shouldered by multiple teams or groups in the company

• Avoiding the risk altogether: Let's not come near this one

Taking care of your risk assessment matrix 

Always remember that the risk assessment matrix is a living, breathing document that needs to be nurtured and maintained. Risks are occurring all around us, and the matrix should reflect this.

Leaders across your organisation should refer back to the risk assessment matrix regularly to make more informed risk-based decisions, update the assessment based on changes they’re seeing in their area of the organisation, and encourage cross-functional conversations on how to work more effectively to improve long-term performance.

Certain events may trigger the need for a refresh, such as a natural disaster that disrupted operations, a significant regulatory change, a major merger or acquisition, a material weakness within your internal controls environment... the list can go on and on. In addition, establishing an enterprise risk management (ERM) program could be a trigger to refine your risk assessment process.

With a mature risk assessment process and matrix, you'll be equipped to heed any warning signs before they come to fruition.

Want to learn more about managing risk?

Speaking of identifying and responding to risk, strategic risk management is a crucial part of ERM. This is often an overlooked aspect of risk management that is far more consequential than anything else. 

From legal and regulatory changes to merger integrations and stakeholder pressure, there are several considerations to effectively manage these strategic risks. Check out our blog to learn the five steps you can take to achieve effective strategic risk management.

No more nightmares—try Workiva

Now that you have a clear picture of your company's risk, you don't have to let it keep you up at night.

With Workiva’s connected GRC platform, you can unite your GRC processes with ESG and financial reporting and bring enterprise risk management, internal controls, internal audit, policies and procedures, and so much more together in one place. Our enterprise risk management software offers risk professionals up-to-the-second insight about what's on the horizon while minimising tedious manual data management such as copying and pasting between documents.

See how it works for yourself. 

Schedule a demo now

Editor's note: This blog post was originally published May 13, 2016, and has been updated. 

Don’t wait! Register for a free Amplify account and stream select sessions until Oct. 31, 2023. Explore how financial reporting, ESG, and GRC intersect.