What is a Risk Assessment Matrix?
A risk assessment matrix is a chart used for prioritizing and tracking project risks. It’s a visual aid that provides a complete overview of the risks involved and the likelihood that each one will occur, and it is vital when creating a risk management strategy.
Generally speaking, most projects present several different types of risk. Some common risks include:
- Operational risks: This includes risks that result from poor project implementation. Depending on the project, this could include issues with production, resource allocation, procurement, distribution, and more.
- Technological risks: Risks that affect software and hardware systems include cyber attacks, device failures, virus infections, and any sort of technological failure.
- Performance risks: These risks describe how likely—or unlikely—it is that the project will create the desired results.
- Scheduling risks: Anything that has the potential to disrupt the project timeline is considered a scheduling risk.
- Cost risks: Generally the result of poor project planning or scope creep, these risks either increase project budgets or result in unfinished or incomplete projects.
- Governance risks: These are risks that could affect the company’s reputation, their community, or their ethics, and they generally fall on the shoulders of executive board members and senior managerial staff.
- Scope creep risks: Do your project requirements often expand beyond the initial project scope? If so, you’re probably experiencing scope creep. While it can be controlled, failure to do so could result in complete failure of the project at hand.
- Legal risks: Most projects contain several legal risks, such as contractual and regulatory requirements, that must be followed at all times.
While other risks may exist, specific risks are often grouped into one of four categories or buckets. These buckets include:
- Project management risks: These risks involve your project team members and how they could affect the overall success of the project at hand. Examples include project planning, communications, and project controls.
- Organizational risks: Organizational risks refer to your ability to allocate resources, prioritize tasks, and make key decisions regarding the project.
- Technical risks: This category includes technological risks such as issues with software or hardware. It also includes risks involved in requirements gathering, process documentation, and performance analysis.
- External risks: Risks that are beyond the control of the PM or project team members are considered external risks. This could include weather-related risks, governmental risks, regulatory risks, societal risks, supplier-related risks, and others.
Depending on the project, the exact risks involved, and the components of these risks, some additional risk categories may need to be established.
Why is a Risk Assessment Matrix Important?
The average project is fraught with risk. Not only are there legal risks, like regulatory and contractual responsibilities, but there are also financial concerns that require efficient risk estimation techniques to determine probable loss value, technical and technological risks, external risks, and many more. If ignored, such risks could spell disaster for even the most skilled project managers. When properly analyzed and addressed by a veteran PM, however, many of these risks are easily mitigated.
How to Create a Risk Assessment Matrix
Matrices in project management, like the requirements traceability matrix and dependency structure matrix, or any other important risk management tool like the risk breakdown structure, work best when created properly. So when creating your risk assessment matrix, it is important to follow certain steps.
The very first step involves identifying and isolating any issues that pose a threat to overall project success. For best results, review the above lists and work on identifying project risks with your team. It is worth noting, however, that some risks, such as adverse selection risk, cannot be identified due to their nature. Either way, including all project stakeholders in this manner will ensure that all of the potential threats are fully uncovered and identified.
Before the identified risks can be added to your risk assessment matrix, you’ll need to establish your risk criteria. This essentially means organizing all risks according to their likelihood and severity. However, the criteria you ultimately use depends on the exact sizing of your risk matrix.
Creating a 5×5 Risk Matrix
One of the most common examples of a risk assessment matrix is the 5×5 risk matrix. In this case, you’ll use five different likelihood ratings. From least likely to most likely, these include:
- Improbable
- Remote
- Occasional
- Probable
- Frequent
Additionally, each likelihood rating corresponds with a numerical value. Risks that are “improbable” are given a value of one, while those identified to be “frequent” are given the maximum value of five. These likelihood ratings comprise the left side of the risk matrix.
Next, you’ll establish five different severity ratings. From least severe to most severe, these include:
- Negligible
- Marginal
- Moderate
- Critical
- Catastrophic
Severity ratings are listed across the top of the matrix. Similar to likelihood ratings, each severity rating is assigned a numerical equivalent. The least severe “negligible” rating, for example, has a numerical value of one. On the other end of the scale, the “catastrophic” rating has a numerical value of five.
A 5×5 risk matrix then results in one of four different risk impact ratings: low, medium, high, or extreme. Those with the lowest likelihood to occur and the lowest severity rating will be on the low end of the matrix, while risks with the highest likelihood and highest severity will appear on the extreme end of the matrix.
Creating a 4×4 Risk Matrix
The 4×4 risk matrix is very similar to the 5×5 risk matrix, except instead of resulting in a grid that contains 25 squares (5 x 5), it creates a grid with 16 (4 x 4) total squares. While it is functionally identical to the 5×5 risk matrix, the 4×4 matrix has only four different ratings of risk likelihood and severity. From least likely to most likely, the likelihood ratings in a 4×4 risk matrix are:
- Improbable
- Remote
- Probable
- Frequent
Conversely, the four severity ratings are:
- Negligible
- Marginal
- Critical
- Catastrophic
Although a 4×4 risk matrix has fewer grid squares than a 5×5 risk matrix, there are still four different risk impact ratings, which are low, medium, high, and extreme.
Creating a 3×3 Risk Matrix
Best suited for smaller projects, the 3×3 risk matrix only comprises a total of nine grid squares. Likelihood ratings for a 3×3 risk matrix include:
- Improbable
- Occasional
- Probable
Listed in order from least severe to most severe, the severity ratings for a 3×3 risk matrix include:
- Marginal
- Moderate
- Critical
Unlike the 5×5 and 4×4 risk matrices, the 3×3 risk matrix only produces three different risk impact ratings: low, medium, and high.
How to Use Your Risk Assessment Matrix
Now that you’ve brainstormed potential project risks and created your risk matrix, it’s time to begin measuring each risk according to the ratings indicated above. Remember that many of the risks and their respective ratings are highly subjective. Not only do they vary between industries and professions, but they can also vary between projects.
Using a 5×5 Risk Matrix
The 5×5 risk matrix is one of the most common sizes used, and most project managers agree that it offers the perfect mixture of risk detail and clarity. However, it is generally reserved for larger projects. Most small projects can be completed using a 4×4 or 3×3 risk matrix.
When using a risk matrix, regardless of size, it’s important to remember the numerical values assigned to each likelihood and severity rating. This makes it easy to calculate a numerical value for each one of the project’s risks, as you simply need to multiply the likelihood that it will occur by the severity of its impact.
For example, a risk that would have a negligible impact on the project’s success and is considered “improbable” or unlikely to happen would have a risk impact rating of 1 (1 x 1). Any risk that would have a moderate impact and might happen “occasionally” results in an impact rating of 9 (3 x 3). On the highest end of the scale, a risk that would have a “catastrophic” impact on the project and occurs “frequently” ends up with a risk impact rating of 25 (5 x 5).
After you’ve determined the numerical risk impact rating for any given risk, compare it to the list below to determine whether it poses a low, medium, high, or extreme threat to project success.
- Low: 1–3
- Medium: 4–9
- High: 10–16
- Extreme: 15–25
You will notice a bit of crossover between the “high” and “extreme” impact ratings. This is because a risk with “critical” impact (4) that is considered “probable” (4) to happen will have an impact rating of 16 (high), but a risk with “catastrophic” (5) consequences that has a “moderate” (3) chance of occurring will have an impact rating of 15 (extreme).
Using a 4×4 Risk Matrix
Another common sizing, the 4×4 risk matrix is for large projects that don’t require the level of granular detail that the 5×5 risk matrix provides. Depending on its usage, however, the 4×4 risk matrix could result in too many risks falling into a “medium” impact rating. In cases like this, it’s rather easy for risks to be mislabeled, and as such, some mitigation strategies might fall to the wayside.
Other than that, the 4×4 risk matrix functions identically to the 5×5 risk matrix. Once a risk has been placed onto the matrix, its risk impact rating is determined by multiplying the likelihood and severity ratings. Then compare the final product to the list below to separate risks into the “low,” “medium,” “high,” and “extreme” categories.
- Low: 1–2
- Medium: 3–4
- High: 6–9
- Extreme: 12–16
Using a 3×3 Risk Matrix
Many smaller projects can be completed with a 3×3 risk matrix. While it lacks the specificity of the 5×5 or 4×4 risk matrices, its basic design and straightforward process make it a great solution for novice PMs.
But the biggest drawback of the 3×3 risk matrix also lies in its simplicity. With only three likelihood and severity ratings, it can be difficult to accurately rank certain risks. That’s why large or complex projects often need a 4×4 or 5×5 risk matrix.
After you’ve multiplied the numerical values of the likelihood and severity ratings for each risk, compare the result against the list below in order to further categorize each project risk.
- Low: 1–2
- Medium: 3–4
- High: 6–9
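As an added example (not part of the original article), the multiply-and-compare procedure for all three matrix sizes can be written as a small Python scorer. The tie-break for scores 15 and 16 on the 5×5 matrix (extreme only when severity is the top rating) is an assumption chosen to match the article's two examples, and the register rows are constructed sample data.

```python
# Rating names and impact bands as listed in the article, lowest first.
LIKELIHOOD = {
    5: ["improbable", "remote", "occasional", "probable", "frequent"],
    4: ["improbable", "remote", "probable", "frequent"],
    3: ["improbable", "occasional", "probable"],
}
SEVERITY = {
    5: ["negligible", "marginal", "moderate", "critical", "catastrophic"],
    4: ["negligible", "marginal", "critical", "catastrophic"],
    3: ["marginal", "moderate", "critical"],
}
BANDS = {  # (band, lowest score, highest score), inclusive
    5: [("low", 1, 3), ("medium", 4, 9), ("high", 10, 16), ("extreme", 15, 25)],
    4: [("low", 1, 2), ("medium", 3, 4), ("high", 6, 9), ("extreme", 12, 16)],
    3: [("low", 1, 2), ("medium", 3, 4), ("high", 6, 9)],
}

def rate(size, likelihood, severity):
    """Return (score, band) for one risk on a size x size matrix."""
    try:
        lik = LIKELIHOOD[size].index(likelihood.lower()) + 1
        sev = SEVERITY[size].index(severity.lower()) + 1
    except (KeyError, ValueError):
        raise ValueError(f"not a {size}x{size} rating: {likelihood!r}/{severity!r}")
    score = lik * sev
    hits = [name for name, lo, hi in BANDS[size] if lo <= score <= hi]
    if len(hits) > 1:
        # Overlapping bands (15-16 on the 5x5). Assumption: only the top
        # severity rating takes the higher band, as in the article's examples.
        return score, hits[-1] if sev == size else hits[0]
    return score, hits[0]

def prioritize(size, register):
    """Rate (name, likelihood, severity) rows and sort most urgent first."""
    order = [name for name, _, _ in BANDS[size]]
    rated = [(name, *rate(size, lik, sev)) for name, lik, sev in register]
    # Sort by band before score: a 15 "extreme" outranks a 16 "high".
    return sorted(rated, key=lambda r: (order.index(r[2]), r[1]), reverse=True)

# Constructed sample register (names are illustrative only).
REGISTER = [
    ("laptop hardware failure", "probable", "critical"),
    ("supplier delivery slips", "remote", "marginal"),
    ("cyber attack on build server", "occasional", "catastrophic"),
]

if __name__ == "__main__":
    for name, score, band in prioritize(5, REGISTER):
        print(f"{band:8} {score:2}  {name}")
```

Sorting on the raw score alone would place the 16 above the 15, which is why `prioritize` orders by band first.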
Risk Assessment Matrix Templates
There are a plethora of risk assessment matrix templates available online. While some of these are geared toward one particular industry or toward a specific project type, they all provide a great starting point for novice PMs and project teams who are trying to get started with the risk assessment matrix.
Someka Risk Assessment Matrix Template
Created by the team at Someka, this risk assessment matrix template is available in two different formats: Microsoft Excel and Google Sheets. Referred to as a Hazard Identification & Risk Assessment (HIRA), the document is ideal for tracking cyber threats, internal corruption, and other issues. It consists of three separate parts:
- Risk report: Provides a systematic examination of workplace risks, how to assess personal injuries on the job, and the likelihood of reducing risks.
- Risk list: This section lets the user list specific hazards, including the people who are at risk, the person responsible for overseeing the risk, and any recommended actions.
- Risk matrix: The last section comprises a 4×4 risk matrix for tracking the likelihood and severity of personal injuries in the workplace.
Smartsheet Risk Assessment Matrix Template
The development team at Smartsheet offers a variety of free risk matrix templates that are compatible with Smartsheet, Microsoft Excel, Microsoft Word, and Adobe software (PDF). Moreover, they provide risk matrices in several different sizes including 3×3, 3×4, and 5×5. They also provide more insight into the usage and application of risk assessment matrices in general.
TeamGantt Risk Assessment Matrix Template
Users who need a highly customizable, 3×3 risk assessment matrix template can find a basic version from TeamGantt. Available exclusively for Microsoft Excel, their simplified chart includes three different elements:
- Risk Assessment Matrix: This 3×3 risk matrix is simple to use and easy to customize as needed.
- Risk Assessment List: A pre-formatted list of all potential risks, the areas that are affected by these risks, the severity of each risk, the likelihood of each risk, the total risk impact rating, and any recommended actions
- Lists: A master list with all of the available severity, likelihood, and impact ratings
Making the Most of Your Risk Assessment Matrix
In project management, a risk assessment matrix helps clarify risks and forecast their potential impact on the project as a whole. Most risk management strategies begin by prioritizing each risk on the matrix and allocating the resources needed to tackle the most impactful ones. Since it is virtually impossible to overcome every single risk, expert PMs need to know how to pick their battles and mitigate those that pose the most threat to overall project success.