Building a risk assessment matrix

May 13, 2016
What keeps you up at night?

How many times have you heard this question? Its effectiveness lies in its ability to extract an understanding of what’s important to the person answering the question.

Perhaps a better question to consider is “What would help you sleep better at night?”

Having a clear picture of your company’s risk should undoubtedly help. However, many people feel lost when it comes to the intricate process of evaluating risks.

Enter the risk assessment matrix

Arguably the most widespread tool used to analyze risks, the Risk Assessment Matrix helps your organization identify and prioritize various risks by estimating the probability of occurrence and severity of impact if they occur.

Companies use the Risk Assessment Matrix to measure the size of a risk and to determine whether they have appropriate controls or strategies to minimize the risk. The scope for a Risk Assessment Matrix varies widely—the exercise may identify risks at the enterprise, business process, or individual project level.

There are many Risk Assessment Matrix templates available online. The example below strikes a balance between having enough information for sufficient analysis without requiring an onerous level of detail.


The risk assessment process, simplified

The risk assessment process may seem daunting. But I’d like to offer a simplified view that leverages the Risk Assessment Matrix without complex or problematic mathematical computations. The process:
  1. Identify the risk universe
  2. Determine the risk criteria
  3. Assess the risks
  4. Prioritize the risks

Step 1: Identify the risk universe

To start, you’ll want to cast as wide a net as possible. The goal here is to capture your enterprise’s risk universe. Convergent thinking techniques, such as free-flow brainstorming sessions, are most effective for idea generation. This list will serve as the foundation of the Risk Assessment Matrix.

To help get your creative juices flowing, here's one way to think about organizing risks. I typically like to start with high-level risk categories that align to business functions, then drill down to specific processes within those functions. This helps narrow the focus after broad brainstorming sessions. For example:
  • Strategic: Increased competition
  • Operational: Lack of available resources
  • Financial: Cost of capital
  • Market: Social media presence
  • Technology: Data security

Your risk universe will likely contain items unique to your company in addition to broader, industry-specific concerns.

Step 2: Determine the risk criteria

Before assessing each risk, you’ll want to develop a common set of factors with which to evaluate the risk universe. A typical Risk Assessment Matrix uses “likelihood” and “consequence” as the main criteria. However, some firms may add other factors such as “vulnerability” and “speed of onset.” This is a critical step, as these criteria will drive the discussions throughout the rest of the process. So beware of underestimating the importance of reaching consensus on the criteria. After all, you can’t manage what you can’t measure.

Step 3: Assess the risks

As if the fun hadn’t started yet, this is where the process gets interesting. The next step is to assess the risks based on the predetermined criteria. Whereas the identification step was qualitative in nature, this step includes a quantitative analysis of the most important risks. Consider using a three-tiered scale, such as High, Medium, and Low as you continue to develop the Risk Assessment Matrix.

Step 4: Prioritize the risks

Finally, you can use the Risk Assessment Matrix to compare the different levels of risk based on the criteria against target risk levels and thresholds. These might include any internal policies or company-wide risk appetites.

One thing to note is that the risk assessment process should be an ongoing evolution. The matrix should change at a pace consistent with changes to your company’s risk environment. If assessments are performed only once a year or not at all, emerging risks could go unnoticed or undetected, or may not even be considered.

Closing thoughts and additional information

Congratulations on completing your Risk Assessment Matrix! This was the easy part—now comes the real work. You've got the risks identified and everyone has agreed on the prioritization, so naturally the next step is to figure out what to do about them.

There are many ways to respond to risk, and the next task at hand is to examine your options. Four quick options are accepting the risk, reducing the risk, sharing the risk, or avoiding the risk altogether. Best practices would dictate performing a cost-benefit analysis, formulating a response strategy, and developing risk response plans.

The Risk Assessment Matrix is a living, breathing document that needs to be nurtured and maintained. Risks are constantly evolving and the matrix should reflect these changes to your environment. There are events that may trigger the need for a refresh, such as establishing an Enterprise Risk Management (ERM) program, a major merger or acquisition, or a significant deficiency or material weakness arising within your internal controls environment. Hopefully, that's not the case, but with a continuous risk assessment process and matrix, you should be equipped to at the very least heed any warning signs.

Finally, if you’re still not convinced by the benefits of conducting risk assessments, I’d like to quote COSO’s thought leadership around Enterprise Risk Management (ERM).

“Every decision either increases, preserves, or erodes value. Given that risk is integral to the pursuit of value, strategic-minded enterprises do not strive to eliminate risk or even to minimize it, a perspective that represents a critical change from the traditional view of risk as something to avoid. Rather, these enterprises seek to manage risk exposures across all parts of their organizations so that, at any given time, they incur just enough of the right kinds of risk-no more, no less-to effectively pursue strategic goals.”

For more information on ERM, check out this blog post on a practitioner’s view on ERM strategy.

Ernest Anunciacion

About the author

Ernest Anunciacion is a Senior Product Marketing Manager at Workiva. He brings to this role over 15 years of experience in internal audit, risk management, and business advisory consulting. Ernest is a Certified Internal Auditor and Six Sigma Black Belt. He holds an undergraduate degree and an executive MBA from the Carlson School of Business at the University of Minnesota.