4 Simple Steps to Build a Risk Assessment Matrix
Having a clear picture of your company’s risk is critical to the world of internal controls, internal audit, ERM, and more.
Frankly, it's what helps risk professionals sleep better at night.
However, many people feel lost when it comes to the intricate process of evaluating risks. Admittedly, there is a lot to factor in, with layers and layers of people and processes to consider.
That's why the risk assessment matrix is such an important tool.
The risk assessment matrix will help your organization identify and prioritize different risks, by estimating the probability of the risk occurring and how severe the impact would be if it were to happen.
Why use the risk assessment matrix?
A risk assessment matrix is a common tool used by organizations of all sizes for three major reasons:
- To measure the size and scope of risk
- To determine if they have the appropriate resources to minimize the risk
- To triage and prioritize the list of risks in a legible, easy-to-read matrix
The risk assessment matrix can help identify risks at a widespread scope of a company—at the enterprise, business process, and individual process level.
Check out the example of a risk assessment matrix below. This example shows the balance between having enough information for a good analysis without requiring an excessive level of detail.
Get your PDF risk assessment matrix template!
The risk assessment process in 4 steps
The risk assessment process may seem like an intimidating process. But I’d like to offer a simplified view without a bunch of mathematical computations.
Identify the risk universe
Determine the risk criteria
Assess the risks
Prioritize the risks
Step 1: Identifying the risk universe
The goal with this first step is to capture the full scope of the present risk.
To start off, you'll want to make sure you cast as wide a net as possible. The most effective way to do this is with free-flow brainstorming sessions. These brainstorming sessions will generate a list of ideas that will serve as the foundation of the risk assessment matrix.
Now, let's get the creative juices flowing!
From my own personal experience, I like to start with high-level risk categories that align to business functions, and then drill down to specific processes within those functions. This helps me narrow the focus down after a broad brainstorming session.
Additionally, your risk universe will contain concerns specific to your industry, along with concerns unique to your company.
Here's one way that I would organize my risks:
Strategic: Increased competition
Operational: Lack of available resources
Financial: Cost of capital
Market: Social media presence
Technology: Data security
Step 2: Determining the risk criteria
Before assessing each risk, you’ll want to develop a common set of factors to help evaluate your organization's risk universe.
A typical risk assessment matrix uses two main criteria:
- Likelihood (the level of possibility)
- Consequence (the level of impact)
However, some organizations may add other factors such as vulnerability and speed of onset. This is a critical step, as these criteria will drive the discussions throughout the rest of the process.
Beware of underestimating the importance of reaching consensus on the criteria. After all, you can’t manage what you can’t measure.
Step 3: Assessing the risks
This next step is where things start to get fun. (Well, as fun as a risk assessment matrix can be.) We're going to assess the risks based on the criteria we laid out in the previous steps.
If the identification step was qualitative in nature, this step includes a quantitative analysis of the most important risks.
Most organizations use a common, three-part "High, Medium, and Low" scale at this stage, but taking a more granular approach could be beneficial to your organization—expanding the scale to "1–5," for instance.
Step 4: Prioritizing the risks
We're almost there!
In the last step, we're going to compare the different levels of risk (from step three) to the target risk criteria (from step two). In other words, prioritizing risk accounts for the impact, possibility, and importance of the risk, and outputs a plan.
If these last two steps sound subjective—that's because they are. Expert judgment is involved in risk assessment and prioritization techniques to identify potential impacts, define inputs, and interpret the data.
Remember: The risk assessment process should be done multiple times a year. The matrix should be changing consistently with your company's risk environment. Assessments that are only performed once a year, or not at all, have emerging risks that could go unnoticed, undetected, or may not even be considered.
You know the risks—what now?
Now that you have identified the risks, you now need to figure out what to do about them. And, as I mentioned in step four, that requires some expert judgement—some of which might not entirely be up to you.
There are many ways to respond to risk, and each identified risk can be addressed in one of four ways.
Accepting the risk: This risk is tolerable, and our company can surmount it
Reducing the risk: This risk is a little steep, and we should take steps toward minimization ahead of time
Sharing the risk: This risk could be shouldered by multiple teams or groups in the company
Avoiding the risk altogether: Let's not come near this one
Taking care of your risk assessment matrix
Always remember that the risk assessment matrix is a living, breathing document that needs to be nurtured and maintained. Risks are occurring all around us, and the matrix should reflect this.
There are events that may trigger the need for a refresh, such as establishing an enterprise risk management (ERM) program, a major merger or acquisition, or a material weakness within your internal controls environment.
With an airtight risk assessment process and matrix, you'll be equipped to heed any warning signs before they come to fruition.
No more nightmares—try Workiva
Now that you have a clear picture of your company's risk, you don't have to let it keep you up at night.
Workiva offers risk professionals up-to-the-second insight about what's on the horizon while minimizing the tedious manual data management—such as copying and pasting between documents—that you hate.
See how it works for yourself.
Editor's note: This blog post was originally published May 13, 2016, and has been updated.