How to Use a Risk Assessment Matrix [with Template]
Learn how to use a risk assessment matrix and organize your risk management process by downloading your risk assessment form and matrix below.
Your organization faces health & safety, HR, fraud, and other types of incidents. Conducting an organizational risk assessment has moral, legal, and financial benefits, and can help you prevent these incidents.
Consider this example: in 2022, a refining company agreed to one of the largest wrongful-death settlements in history, paying $104.9 million to the family of one of its workers.
While working at a facility in Louisiana, the victim was trapped in a fire after a worker used a side grinder above, sending sparks raining down on him. The flames burned through his safety lanyard, causing him to fall 80 feet, hitting his head on scaffolding on the way down.
In addition to the legal settlement, the company was cited with an OSHA violation and fined over $12,000.
Had the company proactively carried out a risk assessment, they would've identified the hazard and avoided the incident altogether. They would have understood the possibility of rogue sparks and installed barriers to stop them, or not placed another worker below the grinder's workstation.
Instead, they failed to provide a safe workplace and, for that, faced legal repercussions, steep fines, and a hit to their reputation.
To ensure a similar outcome doesn't happen to your company, we've created this step-by-step guide to conducting a risk assessment. Follow along to identify, analyze, and prevent hazards in your workplace so you can protect your employees and your organization.
A risk assessment is "a process to identify potential hazards and analyze what could happen if a hazard occurs" (Ready.gov). It aims to help you uncover potential risks your organization could encounter.
Knowing potential hazards makes it easier to either reduce the harm they cause or (ideally) prevent incidents altogether rather than deal with the consequences afterward.
This systematic process can uncover glaring risks of fraud, security gaps, or threats to staff well-being before it's too late. It can also mean the difference between a new project, policy, or process being successful or failing. One catastrophic risk that goes unnoticed could immediately stop a project or event.
Benefits of a Risk Assessment (How to use a Risk Assessment Matrix)
Risk assessments cost time and money to conduct. So why should you bother? The benefits of a risk assessment far outweigh any inconvenience because they can help you avoid incidents, fines, lawsuits, and negative media attention.
Benefits of a risk assessment table include:
- Money saved: Picking up the pieces after a cyberattack, break-in, fire, or act of workplace violence is stressful and can cost thousands of dollars; a risk assessment costs far less.
- Fewer lawsuits: By preventing incidents, you won't have to deal with injured or disgruntled employees seeking legal action.
- Lower risk of non-compliance: Eliminate risks above and beyond compliance requirements to avoid penalties from regulatory bodies.
- Safe, happy employees: When employees see their safety and well-being as your top priority, they'll likely want to stick around, which leads to another benefit.
- Lower turnover rate
- Positive organizational reputation: Customers and clients want to do business with companies that operate safely, ethically, and fairly.
If you do identify risks, you'll need to create a prevention plan.
To conduct your risk assessment, begin by defining its scope.
Maybe you want to improve health and safety measures in the shipping warehouse. Or perhaps you want to identify risk areas in the finance department to better combat potential employee theft and fraud.
Whatever your objective, define it clearly. Conduct separate risk assessments for each goal, department, or project to keep things organized.
Note: Remember to modify the risk assessment forms to include details specific to your field. For example, a data security risk assessment might list hazard locations (e.g., internal or external).
For each hazard, determine the likelihood it will occur, which can be measured as a probability (a 90 per cent chance) or as a frequency (twice a year).
Then, based on the likelihood, choose which bracket accurately describes the probability:
1. Unlikely
An unlikely hazard is extremely rare. There is a less than 10 per cent chance that it will happen. For example, a blizzard is unlikely to occur at your office in Florida.
2. Seldom
Seldom hazards happen about 10 to 35 per cent of the time. For instance, you might determine financial kickbacks seldom happen because you work with very few external vendors.
3. Occasional
An occasional hazard will happen between 35 and 65 per cent of the time. For example, strains from repetitive motions could be occasional for your warehouse employees.
4. Likely
A likely hazard has a 65 to 90 per cent probability of occurring. For instance, employee theft is likely to happen in a retail store that sells high-priced goods.
5. Definite
These hazards will occur 90 to 100 per cent of the time. You can be nearly certain these will manifest. For example, a hurricane will definitely happen at your office in coastal Florida.
Next, in the same fashion as above, calculate potential loss using either quantitative measurements (dollars lost or spent), qualitative measurements (descriptive scale) or a mix of both.
Then, based on the magnitude of the consequences, choose which bracket accurately describes the losses.
1. Insignificant
The consequences are insignificant and may cause a near-negligible amount of damage. This hazard poses no real threat. Examples: loss of $1K, no media coverage, and/or no bodily harm to employees or customers.
2. Marginal
The consequences are marginal and may cause only minor damage. This hazard is unlikely to have a major impact. Examples: loss of $10K, local media coverage, and/or minor bodily harm (e.g. cuts, scrapes, sprains, minor burns).
3. Moderate
The consequences are moderate and may cause a sizeable amount of damage. This hazard cannot be overlooked. Examples: loss of $100K, regional media coverage and/or minor bodily harm.
4. Critical
The consequences are critical and may cause a great deal of damage. This hazard must be addressed quickly. Examples: loss of $1M, national media coverage, major bodily harm and/or police involvement.
5. Catastrophic
The consequences are catastrophic and may cause an unbearable amount of damage. This hazard is a top priority. Examples: loss of $10M+, international media coverage, extreme bodily harm and/or police involvement.
Assign each hazard a corresponding risk rating, based on the likelihood and impact you've already calculated. For example, a hazard that is very likely to happen and will have major losses will receive a higher risk rating than one that's unlikely and will cause little harm.
Risk ratings are based on your own opinion and divided into four brackets. They are:
1. Low
Low risks can be ignored or overlooked as they usually are not a significant threat. A definite hazard with insignificant consequences, such as stubbing your toe, may be low risk.
2. Medium
Medium risks require reasonable steps for prevention but they’re not a priority. A likely hazard with marginal consequences, such as a small fall, may be a medium risk.
3. High
High-level risks call for immediate action. An occasional hazard with critical consequences, such as a major vehicle crash, may be high risk. Examples: severe bodily harm (e.g. broken bones, third-degree burns, concussions), severe property damage, large data breach, national media coverage.
4. Extreme
Extreme risks may cause significant damage, will definitely occur, or a mix of both. They're top priority. An extreme risk is an unlikely hazard with catastrophic consequences, such as an aircraft crash. Examples: death, property destruction, complete data breach.
Your risk management action plan will outline steps to address each hazard, reduce its likelihood and impact, and respond if it occurs.
Depending on the severity of the hazard, you may wish to include notes about:
- Key team members (e.g. project manager, PR or Communications Director, subject matter expert) and their responsibilities if the hazard occurs
- Preventative measures
- A response plan for media and stakeholders (e.g. customers, vendors, clients, shareholders, board members)
A risk assessment matrix simplifies the information from the risk assessment form, making it easier to pinpoint major threats in a single glance. This convenience makes it a critical tool in the risk management process, as it helps you make decisions faster and more efficiently.
Every risk assessment matrix has two axes: one that measures the consequence impact and another that measures likelihood.
To use a risk matrix, extract the data from the risk assessment form and plug it into the matrix accordingly. Simply find the square where the hazard's consequence rating and likelihood meet, and you can see the risk level it falls under.
- Green is low risk
- Yellow is medium risk
- Orange is high risk
- Red is extreme risk
Anticipating internal and external fraud and theft is crucial to any company’s antifraud efforts. Developing a risk assessment helps you identify hazards proactively so you can take precautionary measures or, if required, put a fraud response plan in place.
Examples of hazards that may need to be addressed in your fraud risk assessment include:
- Asset misappropriation (check fraud, billing schemes, theft of cash)
- Fraudulent statements (misstatement of assets, holding books open)
- Corruption (kickbacks, bribery, extortion)
- Conflicts of interest
- Data theft
- IP/trade secret theft
A health and safety risk assessment is important for industries like construction, manufacturing, or science labs where work takes place in potentially dangerous environments.
In a warehouse, for example, workers are at risk of many hazards such as:
- Severe or fatal injury from falling
- Repetitive strain injuries from manual handling
- Sprains and fractures from slips and trips
- Being crushed by falling objects
- Being hit by (or falling out of) lift trucks
- Crush injuries or cuts from large machinery
- Moving parts of a conveyor belt resulting in injury
- Exposure to hazardous substances
However, workplaces in every industry can benefit from health and safety risk assessments.
These assessments must also include things like workplace violence and other dangerous employee misconduct, infectious disease transmission, air quality, and ergonomic concerns.
Before you kick off any project, event, or activity in your organization, conduct a thorough risk assessment to identify and assess potential hazards. Once these risks are better understood, your team can plan how best to prevent and mitigate the hazard.
Brainstorm hazards in several categories, including:
- Technological (data breach, service outage)
- Cost (funding falls through, go over budget)
- Contractual (modified requirements, contractor pulls out)
- Weather (tornado, wildfire)
- Environmental (oil spill, air pollution)
- People (illness, resignation)
Next Steps & Responding to Risks
Once you have finished your plan, determine how to action each step. What exactly needs to be done to mitigate or prevent the hazard? Who needs to complete these tasks? When should each task be completed?
Harm reduction is a second option. You can choose to "accept" the risk if the cost of countermeasures exceeds the estimated loss. To reduce the consequences of the risk, develop a mitigation plan to minimize the potential for harm.
The third option is to avoid the risk. For catastrophic disasters such as a workplace shooting or a fire, taking every possible step to prevent the risk from occurring at all is the best (and often only) course of action.
However you plan to deal with the risks, your assessment is an ongoing evaluation and must be reviewed regularly. Experts recommend updating your risk assessment matrix at least once a year, and perhaps more often depending on your unique situation.
Frequently Asked Questions
What are the 5 risk rating levels in the risk assessment matrix?
The five risk rating levels in the risk assessment matrix are:
- No risk
- Low risk
- Medium risk
- High risk
- Extreme risk
What are the four levels of severity in a risk assessment matrix?
The four levels of severity in a risk assessment matrix are:
- Insignificant
- Marginal
- Moderate
- Critical
You can also categorize risks as even higher, at catastrophic level.
How do you do a risk matrix?
To do a risk matrix, follow these steps: First, define the scope of your risk assessment. Then, identify hazards and calculate their likelihood and consequences. Next, assign a risk rating to each hazard based on the likelihood and consequences. Finally, create an action plan to address each hazard and plug the data into the risk matrix to visualize the risks.