Risk Matrix with Examples
Governance Glossary
Published: June 6, 2024

The risk matrix is an indispensable approach to understanding the risks involved with not-for-profit work and a useful tool for conducting assessments and setting priorities as a not-for-profit organisation.
It can provide more rigour in risk management processes and assist your team in presenting and understanding complex information about risks.
There are many factors that can affect the decisions you make about services and programs. Having a clear understanding of the risks involved can help inform conversations about where to invest resources. This can guide managers in choosing and implementing strategies that best respond to the needs of the organisation or a particular project.
What Is a Risk Matrix?
A risk matrix is an assessment tool for analysing risks related to projects and is based on the likelihood and severity of their occurrence. Mapping out risks can assist in calculating the impact of certain risk areas and re-allocating resources to certain activities as needed.
The purpose of a risk matrix is to help managers and teams within an organisation to understand how certain risks can affect their projects. This tool documents essential information about high-risk activities and issues to give managers and senior executives the ability to respond to them more effectively.
A risk matrix can improve transparency in decision making and offer common points of discussion during meetings. Like any other tool, a risk matrix should capture the key risk areas and factors most relevant to the work you do. This tool can assist in reducing risks related to partnerships, conflicts of interest, technology, non-compliance, and more.
Advantages and Disadvantages
Using a risk matrix has several advantages. It can improve an organisation’s ability to identify and reduce the negative impact of risks when they occur. As an informational tool, it informs risk management strategies and increases risk oversight capacity. The risk matrix allows its users to prioritise more severe risks and better allocate human and financial resources. It provides a visual representation of risks across an organisation or large project, improving communication and collaboration between departments and partners.
The risk matrix approach has a few disadvantages. It can sometimes generate unclear or unspecific information, depending on the quality of the scoring system and analysis. The information can be subjective or even unreliable if the calculation is not done correctly. Some people may exclude certain factors such as the timing of a risk or omit less severe risks, assuming they won’t have an impact. This is because human perception can sometimes outweigh fact-based information during the decision-making process.

How to Create a Risk Matrix
A risk matrix can look different depending on the sector or organisation. Yet, there are common elements such as measuring the probability or likelihood of a risk occurring and the possible impact on the organisation. Mapping out these elements can aid in setting priorities for high-risk areas. Risk Expert David McLachlan suggests that a risk matrix can provide leaders with options for visualising the overall impact and probability of risks.
5x5 Matrix
The 5x5 matrix is one of the most common ways of creating a risk matrix. Using a spreadsheet application, create a horizontal X axis in the first or last row of your table and add the values that will measure the likelihood: very unlikely, unlikely, possible, likely and very likely. Next, add values to the vertical axis in the first column that indicate the severity of the consequences (impact): negligible, minor, moderate, high, critical. For each risk, assign a likelihood and impact score and find the point of intersection. This will be your overall risk score. You can use this tool across projects and teams.
Risk Assessment Matrix
A risk assessment matrix is used to describe the causes and consequences of each risk and serves as a catch-all document that lists all risks and their assigned score. Using a word processing or spreadsheet application, create a table with column headings that include ‘risk description’, ‘causes’, ‘consequences’, ‘person responsible’, ‘probability score’, ‘impact score’, ‘risk rating’, and ‘control’. Your control section should list the strategies you plan to use to mitigate each risk.
Example Risk Assessment Matrix
Risk Area | Description | Likelihood & Impact Scores | Risk Rating (0 to 5) | Controls |
---|---|---|---|---|
Harm to reputation | The charity wants to avoid associating with organisations that are unregistered or currently under investigation for fraud. | Likelihood: Low (Green); Impact: High (Orange) | Moderate, 3 out of 5 | Review existing partnership agreements and introduce a new requirement for partnerships; conduct an impact assessment for any projects involving high-risk organisations; request confirmation of charity registration and good standing. |
How to Use a Risk Matrix
A helpful formula for calculating the risk rating based on the likelihood and impact scores is to assign a point or percentage system to each and multiply the two scores. For example, if the risk likelihood is 1 (very low) and the potential impact is 5 (very high), the risk rating could be set at moderate to high (5). If both the probability and impact scores are high, the risk may be critical. On the other hand, if the probability of occurrence and the potential consequences are moderate to low, the risk rating will be low to sustainable.
There are three steps to using a risk matrix:
- Identify risks by reviewing the project budget, scope, objectives, and resources, and by conducting a SWOT analysis or other review of threats, opportunities, strengths, and weaknesses.
- Analyse the risks, measuring the probability of occurrence and potential impact, and asking stakeholders and team members for feedback. Assign values for the probability of occurrence and potential impact.
- Prioritise risks with high impact and high likelihood of occurring. Assign zones using colours and text to make the ranking obvious (green for low, yellow for medium, orange for high, red for critical).
Risk matrix calculations are not an exact science, and a good practice is to research existing templates that can work for your organisation and the type of work you do. Once you assign your risk rating, you can begin to prioritise critical risks, gradually moving down the list from high to low. Use a risk matrix to set priorities and guide resource allocation, and be aware that what is acceptable for one organisation may not be for the other, says Professor Nijs Jan Duijm of the Technical University of Denmark.
Risk Matrix Tips
- Focus on the high likelihood of harm and biggest scope projects first, but don’t ignore low and limited risk areas related to compliance activities.
- Include a column that captures the improved probability and impact scores you estimate after controls are put in place.
- Assigning risk ratings may require a more in-depth evaluation and analysis of the available information. Use tools such as a SWOT or PESTLE analysis to flesh out the cause, consequence, and probability of each risk.
- Avoid oversimplified explanations that omit the full picture and don’t consider the interrelatedness of risks.
- Adapt your risk matrix to external and internal changes such as recent technologies or government policies.
Podcast Episode: Power of the Risk Matrix
Prefer to listen?
Check out the Our Cat Herder Herding Cats discussion on The Power of the Risk Matrix.
Frequently Asked Questions
What are common mistakes when using a risk matrix?
- Over-reliance on the matrix: Using the risk matrix as the sole tool for risk assessment without considering other qualitative factors.
- Poor scoring system: Assigning inaccurate scores for likelihood and impact, leading to misleading results.
- Ignoring interdependencies: Failing to account for how different risks may interact or compound each other.
- Lack of regular updates: Not revisiting and updating the risk matrix to reflect changes in the project or external environment.
- Subjective judgments: Allowing personal biases to influence the assessment of risks instead of relying on objective data.
- Incomplete risk identification: Overlooking certain risks due to inadequate risk identification processes.
- Inadequate communication: Not effectively sharing the risk matrix findings with all relevant stakeholders.
How does a risk matrix benefit not-for-profit organisations?
For not-for-profit organisations, a risk matrix helps in identifying and prioritising risks related to their projects and operations. It assists in making informed decisions about resource allocation, enhances transparency in risk management, and ensures that the organisation can effectively respond to potential challenges, thereby supporting its mission and objectives.
What are the main advantages of using a risk matrix?
- Improves the ability to identify and mitigate risks.
- Enhances transparency and communication within the organisation.
- Facilitates prioritisation of risks based on their severity and likelihood.
- Assists in the effective allocation of resources.
- Provides a visual representation that aids in decision-making processes.
What are the main disadvantages of using a risk matrix?
- Can produce unclear or unspecific information if the scoring system is poor.
- May rely on subjective judgments, leading to unreliable assessments.
- Risk of omitting less severe risks, potentially overlooking important factors.
- Human perception might bias the evaluation, reducing objectivity.
How do you create a risk matrix?
To create a risk matrix, follow these steps:
- Identify the risks by reviewing project details and conducting analyses like SWOT.
- Assess each risk by determining its likelihood of occurrence and potential impact.
- Assign scores to each risk based on the probability and severity.
- Plot the risks on the matrix grid to visualise their priority.
- Develop mitigation strategies for high-priority risks.
How do you use a risk matrix in risk assessment?
Using a risk matrix in risk assessment involves:
- Identifying all potential risks associated with a project or operation.
- Assessing each risk's likelihood and potential impact.
- Plotting each risk on the matrix to determine its priority level.
- Focusing on high-priority risks for mitigation and monitoring.
- Reviewing and updating the matrix regularly to reflect any changes.
What tips should be considered when using a risk matrix?
- Focus on high likelihood and high impact risks first.
- Include improved probability and impact scores after implementing controls.
- Use in-depth evaluations like SWOT or PESTLE analyses for accurate assessments.
- Avoid oversimplifying by considering all relevant risk factors.
- Adapt the matrix to account for external and internal changes, such as new technologies or policies.
Additional Resources
Practical Risk for Company Directors Course
Excel Risk Assessment Template (Video)
Joint Commission International ‘Safer Matrix’
Study: ‘Decisions Rely on Reducing Most Unwanted Outcome’
Enterprise Risk Management Toolkit for Charities
Author
Better Boards connects the leaders of Australasian non-profit organisations to the knowledge and networks necessary to grow and develop their leadership skills and build a strong governance framework for their organisation.