Risk Assessment Matrix: What It Is and How to Use It

J.R. Johnivan


What is a Risk Assessment Matrix?

A risk assessment matrix is a chart used for prioritizing and tracking project risks. It’s a visual aid that provides a complete overview of the risks involved and the likelihood that each one will occur, and it is vital when creating a risk management strategy.

Generally speaking, most projects present several different types of risk. Some common risks include:

  • Operational risks: This includes risks that result from poor project implementation. Depending on the project, this could include issues with production, resource allocation, procurement, distribution, and more.
  • Technological risks: Risks that affect software and hardware systems include cyber attacks, device failures, virus infections, and any sort of technological failure.
  • Performance risks: These risks describe how likely—or unlikely—it is that the project will create the desired results.
  • Scheduling risks: Anything that has the potential to disrupt the project timeline is considered a scheduling risk.
  • Cost risks: Generally the result of poor project planning or scope creep, these risks either increase project budgets or result in unfinished or incomplete projects.
  • Governance risks: These are risks that could affect the company’s reputation, their community, or their ethics, and they generally fall on the shoulders of executive board members and senior managerial staff.
  • Scope creep risks: Do your project requirements often expand beyond the initial project scope? If so, you’re probably experiencing scope creep. While it can be controlled, failure to do so could result in complete failure of the project at hand.
  • Legal risks: Most projects contain several legal risks, such as contractual and regulatory requirements, that must be followed at all times.

While other risks may exist, specific risks are often grouped into one of four categories or buckets. These buckets include:

  • Project management risks: These risks involve your project team members and how they could affect the overall success of the project at hand. Examples include project planning, communications, and project controls.
  • Organizational risks: Organizational risks refer to your ability to allocate resources, prioritize tasks, and make key decisions regarding the project.
  • Technical risks: This category includes technological risks such as issues with software or hardware. It also includes risks involved in requirements gathering, process documentation, and performance analysis.
  • External risks: Risks that are beyond the control of the PM or project team members are considered external risks. This could include weather-related risks, governmental risks, regulatory risks, societal risks, supplier-related risks, and others.

Depending on the project, the exact risks involved, and the components of these risks, some additional risk categories may need to be established.

Why is a Risk Assessment Matrix Important?

The average project is fraught with risk. Not only are there legal risks, like regulatory and contractual responsibilities, but there are also financial concerns that require efficient risk estimation techniques to determine probable loss value, technical and technological risks, external risks, and many more. If ignored, such risks could spell disaster for even the most skilled project managers. When properly analyzed and addressed by a veteran PM, however, many of these risks are easily mitigated.

How to Create a Risk Assessment Matrix

Matrices in project management, like the requirements traceability matrix and dependency structure matrix, or any other important risk management tool like the risk breakdown structure, work best when created properly. So when creating your risk assessment matrix, it is important to follow certain steps.

The very first step involves identifying and isolating any issues that pose a threat to overall project success. For best results, review the above lists and work on identifying project risks with your team. It is worth noting, however, that some risks, such as adverse selection risk, cannot be identified due to their nature. Either way, including all project stakeholders in this manner will ensure that all of the potential threats are fully uncovered and identified.

Before the identified risks can be added to your risk assessment matrix, you’ll need to establish your risk criteria. This essentially means organizing all risks according to their likelihood and severity. However, the criteria you ultimately use depends on the exact sizing of your risk matrix.

Creating a 5×5 Risk Matrix

One of the most common examples of a risk assessment matrix is the 5×5 risk matrix. In this case, you’ll use five different likelihood ratings. From least likely to most likely, these include:

Additionally, each likelihood rating corresponds with a numerical value. Risks that are “improbable” are given a value of one, while those identified to be “frequent” are given the maximum value of five. These likelihood ratings comprise the left side of the risk matrix.

Next, you’ll establish five different severity ratings. From least severe to most severe, these include:

  • Negligible
  • Marginal
  • Moderate
  • Critical
  • Catastrophic

Severity ratings are listed across the top of the matrix. Similar to likelihood ratings, each severity rating is assigned with a numerical equivalent. The least severe “negligible” rating, for example, has a numerical value of one. On the other end of the scale, the “catastrophic” rating has a numerical value of five.

A 5×5 risk matrix then results in one of four different risk impact ratings: low, medium, high, or extreme. Those with the lowest likelihood to occur and the lowest severity rating will be on the low end of the matrix, while risks with the highest likelihood and highest severity will appear on the extreme end of the matrix.

Creating a 4×4 Risk Matrix

The 4×4 risk matrix is very similar to the 5×5 risk matrix, except instead of resulting in a grid that contains 25 squares (5 x 5), it creates a grid with 16 (4 x 4) total squares. While it is functionally identical to the 5×5 risk matrix, the 4×4 matrix has only four different ratings of risk likelihood and severity. From least likely to most likely, the likelihood ratings in a 4×4 risk matrix are:

Conversely, the four severity ratings are:

Although a 4×4 risk matrix has fewer grid squares than a 5×5 risk matrix, there are still four different risk impact ratings, which are low, medium, high, and extreme.

Creating a 3×3 Risk Matrix

Best suited for smaller projects, the 3×3 risk matrix only comprises a total of nine grid squares. Likelihood ratings for a 3×3 risk matrix include:

Listed in order from least severe to most severe, the severity ratings for a 3×3 risk matrix include:

Unlike the 5×5 and 4×4 risk matrices, the 3×3 risk matrix only produces three different risk impact ratings: low, medium, and high.

How to Use Your Risk Assessment Matrix

Now that you’ve brainstormed potential project risks and created your risk matrix, it’s time to begin measuring each risk according to the ratings indicated above. Remember that many of the risks and their respective ratings are highly subjective. Not only do they vary between industries and professions, but they can also vary between projects.

Using a 5×5 Risk Matrix

The 5×5 risk matrix is one of the most common sizes used, and most project managers agree that it offers the perfect mixture of risk detail and clarity. However, it is generally reserved for larger projects. Most small projects can be completed using a 4×4 or 3×3 risk matrix.

When using a risk matrix, regardless of size, it’s important to remember the numerical values assigned to each likelihood and severity rating. This makes it easy to calculate a numerical value for each one of the project’s risks as you simply need to multiply the likelihood that it is to occur by the severity of its impact.

For example, a risk that would have a negligible impact on the project’s success and is considered “improbable” or unlikely to happen would have a risk impact rating of 1 (1 x 1). Any risk that would have a moderate impact and might happen “occasionally” results in an impact rating of 9 (3 x 3). On the highest end of the scale, a risk that would have a “catastrophic” impact on the project and occurs “frequently” ends up with a risk impact rating of 25 (5 x 5).

After you’ve determined the numerical risk impact rating for any given risk, compare it to the list below to determine whether it poses a low, medium, high, or extreme threat to project success.

  • Medium: 4–9
  • High: 10–16
  • Extreme: 15–25

You will notice a bit of crossover between the “high” and “extreme” impact ratings. This is because a risk with “critical” impact (4) that is considered “probable” (4) to happen will have an impact rating of 16 (high), but a risk with “catastrophic” (5) consequences that has a “moderate” (3) chance of occurring will have an impact rating of 15 (extreme).
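The 5×5 scoring and banding steps above, written out as an added Python example (not code from the original article). It assumes a Low band of 1–3, which the list above does not state, and a tie-break for the overlapping scores 15 and 16 in which catastrophic severity gives extreme and anything else gives high; the register entries are constructed.

```python
"""5x5 risk matrix: score = likelihood x severity, then the page's bands."""

# Severity names for the 5x5 matrix as given on the page, valued 1..5.
SEVERITY = {1: "negligible", 2: "marginal", 3: "moderate",
            4: "critical", 5: "catastrophic"}

# Bands quoted on the page. "low" 1-3 is an ASSUMPTION: the page's list
# starts at Medium 4-9, so Low is taken to be everything below it.
BANDS = [("low", 1, 3), ("medium", 4, 9), ("high", 10, 16), ("extreme", 15, 25)]
RANK = {"low": 0, "medium": 1, "high": 2, "extreme": 3}


def candidate_bands(score):
    """Every band whose range contains the score (15 and 16 match two)."""
    return [name for name, lo, hi in BANDS if lo <= score <= hi]


def naive_band(score):
    """Score-only lookup: takes the first matching band, ignoring severity."""
    return candidate_bands(score)[0]


def rate(likelihood, severity):
    """Return (score, band) for one cell of the 5x5 matrix."""
    if likelihood not in range(1, 6) or severity not in range(1, 6):
        raise ValueError("likelihood and severity must each be 1..5")
    score = likelihood * severity
    bands = candidate_bands(score)
    if len(bands) == 1:
        return score, bands[0]
    # Overlap: the page rates 4 x 4 = 16 as high and catastrophic (5) x 3 = 15
    # as extreme. ASSUMED tie-break: catastrophic severity -> extreme, else high.
    return score, "extreme" if severity == 5 else "high"


def grid():
    """Band per cell: rows are likelihood 5 (top) to 1, columns severity 1..5."""
    return [[rate(l, s)[1] for s in range(1, 6)] for l in range(5, 0, -1)]


def prioritise(register):
    """Sort (name, likelihood, severity) rows by band first, then by score."""
    rated = [(name, *rate(l, s)) for name, l, s in register]
    return sorted(rated, key=lambda r: (RANK[r[2]], r[1]), reverse=True)


# Constructed sample register: (risk, likelihood 1-5, severity 1-5).
REGISTER = [
    ("Device failure in test lab", 4, 4),
    ("Cyber attack on build server", 3, 5),
    ("Scope creep on reporting module", 5, 3),
    ("Supplier contract clause missed", 1, 1),
    ("Virus infection on a workstation", 3, 3),
]

if __name__ == "__main__":
    for name, score, band in prioritise(REGISTER):
        print(f"{band:8} {score:2}  {name}")
    print()
    for row in grid():
        print(" ".join(f"{band:8}" for band in row))
```

Sorting on the raw score alone would place the 16 (high) above the 15 (extreme), which is why `prioritise` orders by band before score.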

Using a 4×4 Risk Matrix

Another common sizing, the 4×4 risk matrix is for large projects that don’t require the level of granular detail that the 5×5 risk matrix provides. Depending on its usage, however, the 4×4 risk matrix could result in too many risks falling into a “medium” impact rating. In cases like this, it’s rather easy for risks to be mislabeled, and as such, some mitigation strategies might fall by the wayside.

Other than that, the 4×4 risk matrix functions identically to the 5×5 risk matrix. Once a risk has been placed onto the matrix, its risk impact rating is determined by multiplying the likelihood and severity ratings. Then compare the final result to the list below to separate risks into the “low,” “medium,” “high,” and “extreme” categories.

  • Medium: 3–4
  • Extreme: 12–16

Using a 3×3 Risk Matrix

Many smaller projects can be completed with a 3×3 risk matrix. While it lacks the specificity of the 5×5 or 4×4 risk matrices, its basic design and straightforward process make it a great solution for novice PMs.

But the biggest drawback of the 3×3 risk matrix also lies in its simplicity. With only three likelihood and severity ratings, it can be difficult to accurately rank certain risks. That’s why large or complex projects often need a 4×4 or 5×5 risk matrix.

After you’ve multiplied the numerical values of the likelihood and severity ratings for each risk, compare the result against the list below in order to further categorize each project risk.

Risk Assessment Matrix Templates

There is a plethora of risk assessment matrix templates available online. While some of these are geared toward one particular industry or toward a specific project type, they all provide a great starting point for novice PMs and project teams who are trying to get started with the risk assessment matrix.

Someka Risk Assessment Matrix Template

Created by the team at Someka, this risk assessment matrix template is available in two different formats: Microsoft Excel and Google Sheets. Referred to as a Hazard Identification & Risk Assessment (HIRA), the document is ideal for tracking cyber threats, internal corruption, and other issues. It consists of three separate parts:

  • Risk report: Provides a systematic examination of workplace risks, how to assess personal injuries on the job, and the likelihood of reducing risks.
  • Risk list: This section lets the user list specific hazards, including the people who are at risk, the person responsible for overseeing the risk, and any recommended actions.
  • Risk matrix: The last section comprises a 4×4 risk matrix for tracking the likelihood and severity of personal injuries in the workplace.

Smartsheet Risk Assessment Matrix Template

The development team at Smartsheet offers a variety of free risk matrix templates that are compatible with Smartsheet, Microsoft Excel, Microsoft Word, and Adobe software (PDF). Moreover, they provide risk matrices in several different sizes including 3×3, 3×4, and 5×5. They also provide more insight into the usage and application of risk assessment matrices in general.

TeamGantt Risk Assessment Matrix Template

Users who need a highly customizable, 3×3 risk assessment matrix template can find a basic version from TeamGantt. Available exclusively for Microsoft Excel, their simplified chart includes three different elements:

  • Risk Assessment Matrix: This 3×3 risk matrix is simple to use and easy to customize as needed.
  • Risk Assessment List: A pre-formatted list of all potential risks, the areas that are affected by these risks, the severity of each risk, the likelihood of each risk, the total risk impact rating, and any recommended actions.
  • Lists: A master list with all of the available severity, likelihood, and impact ratings.

Risk Assessment Matrix FAQs

While risk assessment matrices tend to be highly accessible and straightforward, some users might have some remaining questions surrounding their usage or application.

What is the significance of risk severity levels in the matrix?

Risk severity levels provide a quantifiable measurement of the threat posed by any given risk. In a 5×5 risk matrix, there are five different severity levels (negligible, marginal, moderate, critical, and catastrophic). A 4×4 risk matrix has four different severity levels (negligible, marginal, critical, catastrophic), while a 3×3 risk matrix has three different severity levels (marginal, moderate, and critical).

Classifying risks in this manner makes it easy to see which risks need to be addressed immediately and which ones can be delayed to a later date (if at all).

How often should a risk assessment matrix be updated?

While risk matrices should be updated over the course of time, there is no right or wrong answer regarding the frequency of these updates. It is worth noting, however, that regular updates give you the opportunity to remove any resolved risks and add any new risks that have been uncovered since the project began. Moreover, updating the risk matrix at regular intervals is a great way to give novice PMs and new project teammates more experience with the entire process.

Can a risk assessment matrix be used in different industries?

Absolutely! Risk matrices aren’t limited to one specific industry, field, or profession. In fact, they are often customized in order to meet the user’s exact needs. Feel free to customize your risk assessment matrix by adding more risk categories, modifying the scoring criteria, or by using a different sized matrix altogether. The most important thing to remember here is that the risk matrix needs to work for you and your team. If it doesn’t or if it’s confusing to your project teammates, then it’s time to make a change.

Is risk assessment matrix sizing really important?

Yes and no. Generally speaking, smaller risk matrices work better for smaller projects. However, depending on the size and scope of the project, any matrix size should do. Most professionals don’t recommend going any larger than 5×5, however, as this often results in more complexity than it’s worth. For best results, stick to a 3×3, 4×4, or 5×5 risk assessment matrix.

Making the Most of Your Risk Assessment Matrix

In project management, a risk assessment matrix helps clarify risks and forecast their potential impact on the project as a whole. Most risk management strategies begin by prioritizing each risk on the matrix and allocating the resources needed to tackle the most impactful ones. Since it is virtually impossible to overcome every single risk, expert PMs need to know how to pick their battles and mitigate those that pose the most threat to overall project success.


Risk Assessment Matrix: Overview and Guide

Vice Vicente


February 15, 2024


In today’s modern threat landscape, compliance risk, cybersecurity risk, fraud risk, and even climate change risk can have a significant impact on your company’s reputation and bottom line. External risk events like the COVID-19 pandemic point to an increasing need for businesses to develop a risk assessment plan that helps them execute certain strategies and achieve objectives effectively, even in the face of an unprecedented risk landscape.

While you’ll never be able to eliminate business risk entirely, prevention is the best insurance against loss. By defining, assessing, and analyzing risk with a risk assessment matrix, you’ll cultivate a solid understanding of your risk environment and be able to accurately measure and manage risk before it occurs — saving your company time, money, and resources.

In this article, we break down how to create a risk assessment matrix in four easy steps and how to monitor your risk matrix so you can continue to identify emerging threats.

What Is a Risk Assessment Matrix?

A risk assessment matrix, also known as a Probability and Severity or Likelihood and Impact risk matrix, is a visual tool depicting potential risks affecting a business. The risk matrix is based on two intersecting factors: the likelihood the risk event will occur and the potential impact the risk event will have. In other words, it’s a tool that helps you visualize the probability versus the severity of a potential risk.

Depending on likelihood and severity, risks can be categorized as high, moderate, or low. As part of the risk management process, companies use risk matrices to help them prioritize different risks and develop an appropriate mitigation strategy. Risk matrices work on large and small scales; this system of risk prioritization can be applied at the discrete project level, or the enterprise level.

Take the risks of the COVID-19 pandemic as a risk assessment matrix example. Supply-chain disruption might be classified as a high-level risk — an event with a high probability of occurring and a significant impact on the business. This risk affects the entire organization and would be an example of an enterprise-level risk. Meanwhile, at the project level, COVID-19 could pose a “key person” and timeline risk if a team member crucial to the project contracts COVID-19 and is unable to work for a significant period of time. This risk may not affect the entire organization but significantly impact the project. At the project risk level, this might also be an event with a high probability of occurring and a significant impact on the project.

Still, even unusual risk events can have a significant impact on business outcomes. While it’s uncommon in many industries, a fatal workplace injury would be high-impact and reportable to OSHA. That’s why it’s so critical to have an accurate picture of all the potential risks your business faces so you can assess their impact and create a successful risk management plan.


How Does a Risk Matrix Work?

Risks come in many forms: strategic, operational, financial, and external. The risk assessment matrix works by presenting various risks as a chart, color-coded by severity: high risks in red, moderate risks in yellow, and low risks in green. Every risk matrix also has two axes: one measuring the likelihood of occurrence and one measuring impact.

Likely risk events may have a 61 to 90 percent chance of occurring, while highly unlikely events are extremely rare, with a less than 10 percent chance of occurring. Depending on the business and its risk appetite, an insignificant impact may cause a negligible amount of damage — such as a loss of less than $1K — while a catastrophic impact might create losses of $1M or more.

By grading the risk event’s likelihood and impact, the risk matrix provides a quick snapshot of the threat landscape. Visualizing the threat landscape in this way, audit, risk, and compliance professionals can more easily foresee and determine how to minimize events that can have a substantial impact on the company.

Why Is a Risk Matrix Important?

A risk matrix can help businesses cultivate a solid understanding of the risk environment, helping them manage and mitigate risks before they occur. The magnitude and complexity of business risks continue to grow. KPMG’s Internal Audit: Key Risk Areas 2024 outlines ten key and emerging risks that set the stage for a new normal that will impact businesses for years to come:


Image: KPMG 2024 Key Risk Areas

Now more than ever, companies must meet the challenges of the present — and the future — with risk-informed decision-making.

The risk assessment matrix is a crucial tool in risk management for three reasons:

1. Easy Prioritization of Risks

All risks aren’t equal. A risk matrix allows you to prioritize the most severe risks your company faces. As mentioned previously, having a comprehensive view of today’s modern threat landscape is critical for preventing value losses. All companies must take on some level of risk in order to succeed, but calculated risks based on a robust risk analysis will help businesses take on risks in a way that helps achieve objectives.

While it may be tempting to allocate resources to all potential business risks, some operational risks — such as major reputational damage due to a breach of private data, or an excessive increase in operating costs due to a natural catastrophe — must be prioritized before others.

By rating and color-coding these risks in a risk assessment matrix, audit, risk, and compliance professionals can identify the most pressing threats to the business and plan for them.

2. Targeted Strategy for Managing Risks

Just as all risks aren’t equal, all risks don’t carry the same impact. With its prioritization of the most pressing threats, the risk assessment matrix enables professionals to craft a targeted strategy for managing high-risk events. Focusing your attention and resources on the highest risks will benefit your overall business strategy since these risks have the biggest impact and can pose the greatest value losses.

From a project management perspective, for example, a brief bottleneck in the project workflow would create little impact, provided there was enough float built in at the beginning of the project design. During the project planning phase, utilizing a risk assessment matrix helps managers systematically identify potential risks and their severity, enabling proactive measures to mitigate impacts on the project’s success. A cost risk that significantly escalates the project cost would have a severe impact, however, and requires a targeted management plan.

As any project manager knows, Murphy’s law is inevitable: what can go wrong, will go wrong. Appropriately planning for cost risk due to factors like scope creep will ensure a project’s success. With the help of the risk matrix, planning for Murphy’s law becomes a lot easier.

3. Real-Time View of the Evolving Risk Environment

Audit, risk, and compliance professionals know risks can be emergent and recurring. The risk assessment matrix enables you to identify specific types of risk, their probability, and their severity, and maintain a real-time view of the evolving risk environment.

Though emergent risks are by definition unknowable, businesses can identify areas of vulnerability at the strategic level by strengthening their enterprise risk management processes. By looking at early warning signs or trigger events indicating something is amiss, companies can maintain business continuity in an increasingly dynamic and complex risk landscape.

Strategic risk assessment tools like the risk matrix also enable companies to track patterns of risk — threats that are likely to reoccur and therefore require a year-over-year mitigation strategy.

How to Make a Risk Assessment Matrix

Although the magnitude and complexity of business risks continue to grow, creating a risk assessment matrix doesn’t have to be a complicated process. Aside from specific software or ready-made templates, a simple spreadsheet tool such as Google Sheets or Microsoft Excel can be used to create the risk matrix. There are four basic steps to making a risk assessment matrix:

Image: risk assessment matrix methodology

Step 1: Identify the Risk Landscape

Because the magnitude and complexity of business risks continue to grow, it’s essential you develop a comprehensive picture of the total risk landscape. Project risks vary in category and remediation strategy compared to enterprise-level or macro-level risks. Project teams should tailor their focus based on the scope of their risk assessment.

To begin the assessment process, hold brainstorming sessions with key stakeholders in your organization so you can mine insights and start generating a list of ideas that will serve as the foundation of your risk assessment matrix. Since risk analysis is subjective, it’s vital to get a wide variety of stakeholder input — doing so minimizes the chances of missing something valuable.

Start your brainstorming session by categorizing risks according to the following criteria:

  • Strategic Risk: risks associated with failed business decisions.
  • Operational Risk: risks associated with breakdowns in internal processes/procedures.
  • Financial Risk: risks associated with financial loss.
  • External Risk: risks associated with uncontrollable sources.

Begin with the highest-level risks related to business functions, such as operations, and then narrow your focus to specific processes within those functions, such as supplier management. Don’t forget to take into account prior risks that have already been identified!

Step 2: Determine the Risk Criteria

After brainstorming risks associated with the larger risk landscape, determine the criteria by which you’ll be evaluating these risks. As mentioned earlier, risk assessment matrices typically use two intersecting criteria:

  • Likelihood: the level of probability (x-axis) the risk will occur or be realized.
  • Impact: the level of severity (y-axis) the risk will have if the risk is realized.

It’s critical to achieve consensus on the risk criteria, as this will affect not only the way you calculate your risk matrix but also the discussions you’ll have on how to mitigate your risks. Accurate measurement is the key to successful risk management!

Step 3: Assess the Risks

Now, assess the risks based on your risk criteria, providing a qualitative risk analysis according to a predefined scale. Most organizations use the following, three-part scale to assess severity:

  • Moderate/Medium risk

A more granular approach could prove useful as well. Expanding the scale to a 5×5 matrix is common, where 1 is extremely low-risk and 5 is extremely high-risk, providing more insight into levels of severity and helping companies allocate resources more efficiently.

Organizations can opt to adopt either the 3×3 or 5×5 risk assessment matrix template or develop their own. Best practices require at least three categories for each of the risk’s probability of occurrence and impact/severity.


Organizations may also opt to give a risk a cumulative “Risk Score,” which is usually derived by adding the risk’s Likelihood score to, or multiplying it by, the risk’s Impact score. “Weighting” is another option businesses can use to customize or adjust their risk scoring – perhaps the identified risks associated with a certain project or department take priority, and so they could be weighted more heavily in a risk assessment. To avoid confusion, the company’s risk assessment matrix methodology should be formally documented in policy and procedure documents, including any weighting and any changes to the risk process or approach.

Step 4: Prioritize the Risks

Finally, compare the different risk rankings (high, medium, or low) to the risk criteria (likelihood and impact). Prioritize those risks that pose the highest likelihood and impact, and create a risk assessment plan to effectively mitigate them.

Keep in mind, the risk landscape is constantly evolving, and the risk assessment matrix should be updated multiple times a year (annually at minimum) in order to reflect the changing risk environment. Failure to update the risk assessment strategy could result in missing emerging risks that may disrupt business objectives and continuity.

How to Determine the Likelihood of a Risk Occurring

An essential component of the risk assessment matrix is determining the likelihood of a risk occurring. After all, if you incorrectly determine the probability of a risk, you’ll be missing a critical opportunity to prevent unnecessary value losses.

Most companies use the following five categories to determine the likelihood of a risk event:

5: Highly Likely. Risks in the highly likely category are almost certain to occur. Typically, risks with 91 percent or more likelihood fall into this category.

4: Likely. A likely risk has a 61-90 percent chance of occurring. These risks need regular attention, as they are bound to reoccur and therefore require a consistent mitigation strategy.

3: Possible. Possible risks may happen about half the time — they have a 41-60 percent chance of occurring and need attention.

2: Unlikely. Risks in the unlikely category have a relatively low chance of occurring — 11 to 40 percent. But they may still affect your business, so it’s a good idea to keep an eye on them.

1: Highly Unlikely. Highly unlikely risks are exactly as they sound, with a low probability of occurring.

If the business is using a 3×3 risk matrix, the following three categories of likelihood suffice:

1: Unlikely. Risks in this category have a relatively low chance of occurring.

2: Likely. Risks in this category are predicted to occur and require a mitigation strategy.

3: Highly Likely. Risks in this category are almost guaranteed to occur and require a mitigation strategy.

An example of using a risk matrix: Suppose an organization identifies a risk of data breach. After assessment, the likelihood is determined as ‘Possible,’ and the impact is considered ‘Major’ due to potential financial losses and reputational damage. This risk would be plotted on the matrix in the corresponding ‘Possible’ and ‘Major’ cell, likely falling into the ‘High’ risk category, indicating that mitigation strategies should be developed and implemented.
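The five likelihood categories and the add-or-multiply "Risk Score" with optional weighting, as an added Python example (not code from the original article). Assumptions: category bounds are read as "greater than 90, 60, 40, 10 percent" so that values the article leaves undefined (exactly 10, or 90.5) still get a level; ‘Major’ impact is taken as 4 on a 1–5 scale; the weight is a plain multiplier; the register is constructed.

```python
"""Likelihood binning and add-vs-multiply risk scores with weighting."""
from dataclasses import dataclass

# (exclusive lower bound in percent, level, label), from the article's five
# categories: 91+ / 61-90 / 41-60 / 11-40 / anything lower.
# ASSUMPTION: "greater than" bounds, so 10 and fractional values get a level.
LIKELIHOOD_BINS = [
    (90.0, 5, "Highly Likely"),
    (60.0, 4, "Likely"),
    (40.0, 3, "Possible"),
    (10.0, 2, "Unlikely"),
]


def likelihood_level(percent):
    """Map an estimated probability (0-100) to the 1-5 likelihood scale."""
    if not 0 <= percent <= 100:
        raise ValueError(f"probability out of range: {percent}")
    for lower, level, label in LIKELIHOOD_BINS:
        if percent > lower:
            return level, label
    return 1, "Highly Unlikely"


@dataclass
class Risk:
    name: str
    probability: float   # estimated chance of occurring, in percent
    impact: int          # 1-5 impact score agreed by stakeholders
    weight: float = 1.0  # optional weighting (hypothetical field, plain multiplier)


def risk_score(risk, method="multiply"):
    """Likelihood and impact, added or multiplied, then weighted."""
    if risk.impact not in range(1, 6):
        raise ValueError(f"impact must be 1..5: {risk.impact}")
    level, _ = likelihood_level(risk.probability)
    if method == "multiply":
        base = level * risk.impact
    elif method == "add":
        base = level + risk.impact
    else:
        raise ValueError(f"unknown method: {method}")
    return base * risk.weight


def ranked(register, method="multiply"):
    """Names from highest to lowest score; ties keep register order."""
    return [r.name for r in sorted(register, key=lambda r: -risk_score(r, method))]


# Constructed sample register. "Data breach" follows the article's example:
# 'Possible' likelihood, 'Major' impact (assumed here to be 4 of 5).
REGISTER = [
    Risk("Data breach", probability=50, impact=4),
    Risk("Phishing email reaches inbox", probability=95, impact=1),
    Risk("Backup restore failure", probability=25, impact=3),
]

if __name__ == "__main__":
    for method in ("multiply", "add"):
        print(method, [(n, risk_score(r, method))
                       for n, r in zip(ranked(REGISTER, method),
                                       sorted(REGISTER, key=lambda r: -risk_score(r, method)))])
```

The second and third entries swap places between the two methods, which is the practical reason the scoring method and any weights belong in the documented methodology.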

How to Take Care of Your Risk Assessment Matrix

Since the modern threat landscape is constantly changing, your risk assessment matrix needs regular attention and iteration to meet the challenges of today and tomorrow. Whether your business needs to establish a solid enterprise risk management program or cybersecurity risk management program, or strengthen internal risk controls to prevent fraud, risk events, both external and internal, will require regular assessment in order to determine their likelihood and risk impact successfully.

It is recommended for organizations to schedule periodic risk assessments by either internal or external parties, such as IT risk assessments , and incorporate those findings into the central risk matrix. Likewise, it’s crucial to get management and leadership buy-in to risk management and mitigation, so an appropriate manager should review and sign off on the risk assessment matrix whenever it is updated. I suggest setting up a regular schedule or cadence for reviewing the risk assessment matrix at least quarterly, though the minimum for most frameworks is at least annually.

Additionally, risk mitigation or action plans should be updated along with the risk assessment matrix. Various risks will resurface or change in nature, prompting a commensurate change in mitigation strategy. Risks can go up or down in their impact or likelihood scoring, and the mitigation strategies of yesterday may no longer be sufficient for today’s environment. It’s important to take into account regulatory, economic, geopolitical, and technological changes that can have a major impact on your risk plan.

With the help of an up-to-date risk assessment matrix, you’ll be better equipped to identify emerging threats and properly allocate resources to mitigate their impact.

Ready to Reduce the Likelihood of Risks?

Using the risk assessment matrix for risk management will reduce not only the likelihood of the risks your business faces but also the magnitude of their impact on business operations. Effectively managing risk has always been critical for success in any business endeavor, but never more so than today. An important part of your risk strategy should involve managing your company’s risks by using integrated risk management software that facilitates collaboration and risk visibility to increase the effectiveness of your risk management programs.


Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.


PM Study Circle

Risk Assessment Matrix: Definition, Examples, and Templates

Fahad Usmani, PMP

November 28, 2022


A risk assessment matrix is a tool for assessing and prioritizing risks in risk management.

This blog post will discuss the risk assessment matrix, how to create a risk assessment matrix, and provide examples and a template you can use to create your risk assessment matrix.

What is a Risk Assessment Matrix?

Project managers evaluate and prioritize risks using a risk assessment matrix. Many experts refer to this matrix as either a probability and severity risk matrix or a risk matrix.

The matrix allows project managers to plot the severity of the consequences and the likelihood of the event occurring from low to high. This information helps rank the risk.

Creating a risk assessment matrix can be done in various ways; however, the most important things to keep in mind are that it should be concise, simple, and adapted to the project’s particular circumstances.

Risk ranking helps project managers separate high-rank and low-rank risks. They can develop a risk management plan for high-ranked risks and keep low-level risks on a watchlist. Prioritizing helps the project management team focus on high-priority risks and avoid spending resources on low-priority risks.

The higher the severity and likelihood of an event, the greater the risk. Many factors influence the decision of what is high-risk. For example, if the consequences of an event are not severe, it may be considered a low-ranking risk.

How Does a Risk Matrix Work?

A risk's rating is the probability of the event multiplied by its impact. You can express probability and impact levels on verbal and numerical scales.

Severity in risk assessment

Risks can be grouped into three zones:

  • The High Risk (Red Color) – Unacceptable
  • Moderate Risk (Yellow Color) – May or May Not Be Acceptable
  • The Low Risk (Green Color) – Considered Acceptable

Determining whether a risk is acceptable often comes from a cost/benefit calculation. For instance, it is difficult to justify paying millions of dollars to prevent an injury caused by ergonomics, yet investing the same millions of dollars in preventing a chemical explosion might be worth it.

Benefits of a Risk Assessment Matrix

The benefits of the risk assessment matrix include the following:

  • It Prioritizes Risks: Project managers can prioritize and focus on high-ranking risks by assessing their probability and impact.
  • It Improves Communication: A risk assessment matrix improves communication between different departments and stakeholders by providing a common language for discussing risks.
  • It Facilitates Decision Making: The matrix helps develop risk response plans.
  • It Improves Risk Understanding: The risk assessment matrix creation process helps the project team understand the risks and their interrelationships.
  • It Helps Develop Budgets: Project managers can calculate contingency reserves and plan the budget after identifying and assessing the risks.

How To Create A Risk Assessment Matrix

The steps to create a risk assessment matrix are as follows: 

Risk Identification

The first step in creating a risk assessment matrix is risk identification. To acquire a range of perspectives, identify as many risks as possible.

Some organizations have risk checklists based on past project experiences. These checklists help identify risks quickly for new projects. 

Afterward, project managers can find more risks by brainstorming with the team, reviewing project documents, and talking to stakeholders.

The different types of risks include:

  • Internal Risks: These risks come from within the company, and the project team has some control over them. For example, an ineffective team member, unrealistic deadlines, or a lack of resources.
  • External Risks: These risks come from outside the company, and the project team has no control over them. For example, natural disasters, supplier problems, or changes in the market.
  • Strategic Risks: These risks come from the organization’s strategy. For example, a new product launch might fail, or a competitor might release a similar product.
  • Operational Risks: These risks are caused by day-to-day operations. For example, equipment breakdown, sick leave, mistakes, process errors, etc.
  • Financial Risks: These risks come from the organization’s finances. For example, a decrease in sales, an increase in costs, or a change in interest rates.

Risk Analysis

The project team analyzes the likelihood of each risk after identifying those risks. They need to conduct a risk assessment to determine how likely they are to cause damage.

There are several ways to perform a risk analysis. One popular method is a SWOT analysis, which stands for Strengths, Weaknesses, Opportunities, and Threats. Another common method is PESTLE analysis, which stands for Political, Economic, Social, Technological, Legal, and Environmental factors.

Assessing Risk Impact

After analyzing the risks for their probabilities, the project management team will assess their impact severity and the potential loss incurred if the risk occurs.

There are many approaches to rating probability and impact. One of the more prevalent approaches is using a scale that ranges from one to five, with one denoting the smallest probability and five denoting the greatest probability.

In addition, the impact intensity is graded on a scale from one to five, with one being the least significant impact and five representing the most significant impact. After rating the probability and impact of a risk, team members multiply the two ratings to get the risk ranking.

Risk Prioritization

The last step in creating a risk assessment matrix is prioritizing the risks. This is done by ranking them from highest to lowest.

Risks can be divided into four levels: high-priority risks, major risks, moderate risks, and minor risks.

  • High Priority Risks: These risks have a high probability of occurring and could significantly impact the project.
  • Major Risks: These risks have a moderate probability of occurring and could impact the project.
  • Moderate Risks: These risks have a low probability of occurring and could moderately impact the project.
  • Minor Risks: These risks have a very low probability and impact and a minor effect on the project. These risks are mentioned in the watchlist for monitoring.

The project manager will develop risk response plans for all risks except those on the watchlist.

How to Categorize Risks in a Risk Assessment Matrix

You can define risk assessment matrices differently, but the most common approach is plotting risk severity on the x-axis and probability on the other axis.

This results in a matrix with four quadrants, each representing a distinct risk level. The risks located in the upper left quadrant have a high likelihood as well as high severity, and they are considered to be the most severe.

The risks located in the bottom right quadrant have a low likelihood and severity, and they are regarded as the least serious.

How to Use the Result of a Risk Matrix

You use the output of the risk matrix to develop a risk management plan, more specifically, a risk response plan.

You have a list of prioritized risks. Therefore, you will begin by formulating a response strategy for high-level risks and move on to medium-level threats.

You won’t bother developing a reaction plan for low-level risks; instead, you’ll keep track of them on a watch list and continue monitoring them until the project is through.

You will work on developing a risk response strategy if the severity of any low-risk situation increases from a low level to a high level.

In addition, if the situation warrants it, you can keep a formerly high-priority risk on the watchlist after its severity level decreases and it becomes a low-priority risk.

Example Of a Risk Assessment Matrix

Here is an example of a simple risk assessment matrix to evaluate the risks.

The matrix shows the risk associated with returning to work during the pandemic.

Risk: Flawed policies to prevent the spread of the virus to employees and visitors.

What Can Go Wrong?

  • Employees feel uncomfortable wearing masks for a long period and remove them while talking with colleagues. The virus spreads throughout the team.
  • The customer refuses to wear a mask and is asked to leave the premises.
  • Employees and customers do not stay six feet apart.

Mitigation(s)

  • Apply penalties for not wearing masks.
  • Assign places where employees can remove their masks to have breakfast, lunch, etc.
  • Post signs on the front door refusing entry to people without a mask.
  • Place dots six feet apart to show people where to stand in line and prevent crowding.

Risk Assessment Matrix Template

Let’s review risk assessment matrix templates.

The risk categories range from low to high, and probability ranges from highly likely to very unlikely. The risk rating can be seen by finding the intersection of both criteria.

The following example shows a 4×4 risk assessment matrix template.

Risk Assessment Matrix Template

Limitations of Risk Matrix

A risk matrix is useful in risk management but has some limitations. These limitations are:

  • Inefficient Decision-Making: Sometimes, poor categorization of risk can cause poor assessment of risks, leading to poor decision-making.
  • Biased Assessment: Many times, due to biases in risk assessment, risk levels can be miscalculated, and it can affect the risk management plan.
  • Can Consume Time: Sometimes, over-analysis can lead to a waste of time and resources.
  • No Consideration for Timeframe: The risk matrix does not consider how risk can change during the project life cycle.

One of the most important tools in risk management is a risk assessment matrix. With a risk assessment matrix in place, the project management team can conduct an effective risk analysis and establish a priority order for the risks associated with the project.

A risk assessment matrix is a living document that should be regularly reviewed and updated as new risks arise or the likelihood or impact of existing risks changes.


I am Mohammad Fahad Usmani, B.E. PMP, PMI-RMP. I have been blogging on project management topics since 2011. To date, thousands of professionals have passed the PMP exam using my resources.


Good explanation!

Thank you for the brief-yet-thorough explanation, Fahad. Really helpful. Best of luck!


What’s a Risk Assessment Matrix? And How to Build One in 4 Simple Steps


Grant Ostler Industry Principal

Having a clear picture of your company’s risk profile is critical to the world of internal controls, internal audit, ERM, and more.

Frankly, it's what enables risk professionals to focus their efforts on the most impactful risk areas—and help their leaders (and themselves) sleep better at night.

However, many people feel lost when it comes to the intricate process of evaluating risks. Admittedly, there is a lot to factor in, with layers and layers of people and processes to consider.

That's why the risk assessment matrix is such an important tool.

The risk assessment matrix will help your organization identify and prioritize different risks, by estimating the probability of the risk occurring and how severe the impact would be if it were to happen.


What is a risk assessment matrix?

So what exactly is a risk assessment matrix? A risk assessment matrix is a widely used tool that organizations implement as a part of their risk assessment process to define risks and categorize them based on the likelihood of occurrence and level of impact.

Organizations can use different terms to describe their matrix. You might hear risk control matrix (sometimes called a risk control table or risk control chart) or risk and control matrix (RACM), or simply risk matrix. Regardless of what an organization calls the risk matrix, it’s referring to that holistic matrix that summarizes risks, how significant those risks could be (usually measured by likelihood, impact, etc.), what mitigating factors are in place, and the “residual” or unmitigated risk.

So no matter what you call your matrix—a risk matrix, risk assessment matrix, risk control matrix, or a RACM—this post is relevant for you. We’ll walk through the steps you can take to build a risk matrix that summarizes your risks and create a process to identify and assess those risks.

The importance of risk assessments—why use a risk matrix?

Organizations of all sizes use a risk matrix for three major reasons:

  • To measure the size and scope of risk
  • To determine if they have the appropriate resources to minimize the risk
  • To triage and prioritize the list of risks in a legible, easy-to-read matrix

The purpose of a risk assessment matrix is to help teams identify, evaluate, and prioritize risks for their organization—at the enterprise, business process, and individual process levels. In addition, a risk assessment matrix is a key tool to help organizations build risk resilience and stay ahead of risk in this ever-changing business climate.

Check out the example of a risk assessment matrix below, which shows the balance of having enough information for a good analysis without requiring an excessive level of detail.


How to perform a risk assessment in 4 steps

It may seem like an intimidating process when you think about how to write a risk assessment. But I’d like to offer a simplified view without a bunch of mathematical computations.

The process:

  • Identify the risk universe
  • Determine the risk criteria
  • Assess the risks
  • Prioritize the risks

Step 1: Identifying the risk universe

The goal with this first step is to capture the full scope of the present risk.

To start off, you'll want to make sure you cast as wide a net as possible. The most effective way to do this is with free-flow brainstorming sessions. These brainstorming sessions will generate a list of ideas that will serve as the foundation of the risk assessment matrix.

Now, let's get the creative juices flowing!

From my personal experience, I like to start with high-level risk categories that align to business functions, and then drill down to specific processes within those functions. This helps me narrow the focus after a broad brainstorming session.

Additionally, your risk universe will contain concerns specific to your industry, along with concerns unique to your company.

Finally, it is essential that the participants consider thought leaders in their spaces and look outside the organization to identify and assess emerging risks that could make an impact.

Here's one way that I would organize my risks:

  • Strategic: Shifts in key markets (disruptive technology, new competitors, etc.)
  • Operational:  Constraints or industry inherent factors (lack of available resources, environmental, safety, etc.)
  • Financial: Cost of capital, liquidity, etc.
  • Market: Social media presence
  • Technology: Cybersecurity and data privacy

Step 2: Determining the risk criteria

Before assessing each risk, you’ll want to develop a common set of factors to help evaluate your organization's risk universe.

A typical risk assessment matrix uses two main criteria:

  • Likelihood (the level of possibility)
  • Impact (how "big" an event could be)

However, some organizations may consider other risk assessment factors such as vulnerability and velocity (speed of onset). This is a critical step, as these criteria will drive the discussions throughout the rest of the risk evaluation process.

Beware of underestimating the importance of reaching a common understanding of the criteria. After all, if participants are using different measurement scales, for example, aggregating and comparing responses is futile. Remember the old adage “garbage in, garbage out."

Step 3: Assessing the risks

This next step is where things start to get fun. (Well, as fun as a risk assessment can be.) We're going to assess the risks based on the criteria we laid out in the previous steps.

Most organizations begin by applying a qualitative lens to focus their assessment on risks that participants (leaders) consider most significant for the organization. This is typically done using a common "high, medium, and low" scoring approach or a numerical scale by rating factors, such as a range of “1–5”.

To determine the top risks for the organization, many calculate an average score across the respondents. Other organizations use a weighting methodology to bring greater attention to the responses by participants with subject matter expertise in the area. Some go a step further and look at the range or distribution of the responses. By taking a deeper dive into risks with a wider distribution of responses, it’s possible to surface risk factors not broadly understood that warrant deeper consideration.

Once the qualitative assessment has been completed, you can shift your assessment to perform a quantitative analysis of the most important risks. This will create a solid foundation for decision-making in those critical areas.
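The aggregation described in Step 3 (averaging across respondents, weighting subject matter experts, and reviewing risks with a wide range of responses), combined with the 1–5 probability-times-impact scoring described earlier on this page, can be sketched as follows. This is an added example, not code from any of the articles; the respondent names, weights, sample ratings and the disagreement threshold of 2 are constructed assumptions.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # the 1-5 rating scale described on the page


@dataclass(frozen=True)
class Rating:
    respondent: str
    likelihood: int
    impact: int
    weight: float = 1.0  # assumption: a weight above 1 marks a subject matter expert


def _check(value):
    """Reject ratings that are not integers on the agreed scale."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"rating {value!r} is outside {SCALE_MIN}-{SCALE_MAX}")
    return value


def _weighted_mean(values, weights):
    total = sum(weights)
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return sum(v * w for v, w in zip(values, weights)) / total


def assess(ratings, contested_range=2):
    """Aggregate one risk's ratings into a score and a disagreement flag.

    contested_range is an assumed threshold: if the highest and lowest
    response on either criterion differ by at least this much, the risk is
    flagged for a closer look, however high or low its average is.
    """
    if not ratings:
        raise ValueError("no ratings supplied")
    likelihoods = [_check(r.likelihood) for r in ratings]
    impacts = [_check(r.impact) for r in ratings]
    weights = [r.weight for r in ratings]
    if any(w < 0 for w in weights):
        raise ValueError("weights must not be negative")
    likelihood = _weighted_mean(likelihoods, weights)
    impact = _weighted_mean(impacts, weights)
    spread = max(max(likelihoods) - min(likelihoods),
                 max(impacts) - min(impacts))
    return {
        "likelihood": likelihood,
        "impact": impact,
        "score": likelihood * impact,  # probability rating x impact rating
        "spread": spread,
        "contested": spread >= contested_range,
    }


def prioritize(register, contested_range=2):
    """Return (risk name, assessment) pairs, highest score first."""
    rows = [(name, assess(ratings, contested_range))
            for name, ratings in register.items()]
    return sorted(rows, key=lambda row: row[1]["score"], reverse=True)


# Constructed sample responses, for illustration only.
SAMPLE_REGISTER = {
    "Office relocation": [
        Rating("cfo", 1, 2), Rating("ciso", 2, 2), Rating("ops_lead", 1, 2),
    ],
    "Supplier delay": [
        Rating("cfo", 2, 3), Rating("ciso", 2, 2),
        Rating("ops_lead", 5, 4, weight=2.0),  # operations is the expert here
    ],
    "Data breach": [
        Rating("cfo", 3, 4), Rating("ciso", 4, 5, weight=2.0),
        Rating("ops_lead", 3, 4),
    ],
}

if __name__ == "__main__":
    for name, result in prioritize(SAMPLE_REGISTER):
        note = "  <- review: respondents disagree" if result["contested"] else ""
        print(f"{name:18} likelihood={result['likelihood']:.2f} "
              f"impact={result['impact']:.2f} score={result['score']:.2f}{note}")
```

In the sample data, "Supplier delay" ranks second on score but is the only risk flagged, because one respondent rated its likelihood three points higher than the others.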

Step 4: Prioritizing the risks

We're almost there!

In the last step, we're going to compare the different levels of risk (from step three) to the target risk criteria (from step two). In other words, prioritizing risk accounts for the impact, possibility, and importance of the risk, and outputs a plan.

If these last two steps sound subjective—it's because they are. Expert judgment is involved in risk assessment and prioritization techniques to identify potential impacts, define inputs, and interpret the data.

Historically, many organizations performed an annual risk assessment, which may have been adequate at the time but doesn’t allow organizations to keep up with risk in today’s dynamic environment. Many organizations now refresh their risk assessments quarterly or when there is any significant shift in key risks or risks not considered previously. As more and more risks emerge, some organizations are striving to do ongoing risk evaluations to keep their risk assessment “continually” refreshed.

The risk evaluation is complete—what now?

Now that you have identified the risks, you need to figure out what to do about them. And, as I mentioned in step four, that requires some expert judgement—some of which generally is not entirely up to you.

There are many ways to respond to risk, and each identified risk can be addressed in one or a combination of the following four ways:

  • Accepting the risk: This risk is tolerable, and our company can surmount it
  • Reducing the risk: This risk is a little steep, and we should take steps toward minimization ahead of time
  • Sharing the risk: This risk could be shouldered by multiple teams or groups in the company
  • Avoiding the risk altogether: Let's not come near this one

Taking care of your risk matrix

Always remember that the risk assessment matrix is a living, breathing document that needs to be nurtured and maintained. Risks are occurring all around us, and the risk matrix should reflect this.

Leaders across your organization should refer back to the risk assessment matrix regularly to make more informed risk-based decisions, update the assessment based on changes they’re seeing in their area of the organization, and encourage cross-functional conversations on how to work more effectively to improve long-term performance.

Certain events may trigger the need for a refresh, such as a natural disaster that disrupted operations, a significant regulatory change, a major merger or acquisition, a material weakness within your internal controls environment... the list can go on and on. In addition, establishing an enterprise risk management (ERM) program could be a trigger to refine your risk assessment process.

With a mature risk assessment process and risk matrix, you'll be equipped to heed any warning signs before they come to fruition.

Want to learn more about managing risk?

Speaking of identifying and responding to risk, strategic risk management is a crucial part of ERM. This is often an overlooked aspect of risk management that is far more consequential than anything else.

From legal and regulatory changes to merger integrations and stakeholder pressure, there are several considerations to effectively manage these strategic risks. Check out our blog to learn the five steps you can take to achieve effective strategic risk management.

No more nightmares—try Workiva

Now that you have a clear picture of your company's risk, you don't have to let it keep you up at night.

With Workiva’s connected GRC platform, you can unite your GRC processes with ESG and financial reporting and bring enterprise risk management, SOX and internal controls, internal audit, policies and procedures, and so much more together in one place. Our enterprise risk management software offers risk professionals up-to-the-second insight about what's on the horizon while minimizing tedious manual data management such as copying and pasting between documents.


Editor's note: This blog post was originally published May 13, 2016, and has been updated.  


Industry Principal

Grant Ostler, Industry Principal at Workiva, has more than 30 years of finance and operations experience, primarily in internal audit, enterprise risk management, and process improvement. Ostler served as the chief audit executive over almost two decades for entities ranging from Fortune 500 companies to a pre-IPO technology company, including building internal audit programs from scratch and leading the implementation of SOX 404 compliance programs for three companies. He is an active member of the Twin Cities Chapter of the IIA where he’s held numerous leadership positions, including Chapter President, over the past 20-plus years.


What is a risk matrix?

June 27, 2024 - 10 min read

Kat Boogaard

Imagine you’re the assigned project manager on a high-stakes project. The project scope is defined, key stakeholders are in agreement, you’re confident you can stay within the budget, and the project team is ready to dive in.

They start working tirelessly to meet the agreed-upon objectives — and then an unexpected risk meets you midway through the project. You never saw this one coming, so you have no idea how you’re going to get the project back on track and see it through to success. 

If only you had identified and assessed the risk during the project planning phase, you might have felt more prepared to overcome it. That’s what a risk assessment matrix is used for and why you need this strategic risk analysis tool for your projects.


What is a risk assessment matrix in project management?

Risks in project management are unexpected events that may or may not occur and impact your project outcome in some way. According to the Project Management Institute (PMI), analyzing and managing risks is a key practice in project management. It improves the chances of successful project completion while reducing the risk impact and any resulting consequences.

Risks can appear related to any aspect of a project, including the budget, resources, processes, or technology, to name just a few. For instance, you may experience operational risks like a breakdown in team communication, technical risks such as a data breach, or even external risks like natural disasters. While it can be easy to assume that all risks bring negative consequences to the table, it’s essential to understand that positive risks can also occur during the project lifecycle. 

A risk assessment matrix (sometimes called a risk control matrix) is a tool used during the risk assessment stage of project planning. It identifies and captures the likelihood of project risks and evaluates the potential damage or interruption caused by those risks. 

The risk assessment matrix offers a visual representation of the risk analysis and categorizes risks based on their level of probability and severity or impact. This comprehensive tool is a simple, effective way to get a holistic view of the project risks for all team members and key stakeholders.

Risk matrix example

Let’s take a look at the framework of a simple risk assessment matrix template for a project. We’re using a 5x5, five-point scale for the impact and probability of occurrence in this matrix example, but use a scale system that works best for your team. For example, you can use a 3x3 matrix for less granularity.

 

 

Low-Medium | Medium | Medium-High | High | High
Low-Medium | Low-Medium | Medium | Medium-High | High
Low | Low-Medium | Medium | Medium-High | Medium-High
Low | Low-Medium | Low-Medium | Medium | Medium-High
Low | Low | Low-Medium | Medium | Medium

In this color-coded example, you see risk categories ranging from low to high and likelihood ranging from very likely to very unlikely. Using it is as simple as any other matrix: You look for where both of your criteria meet to get your risk rating. 

Let’s say you’re the project manager for a new organization-wide software tool rollout and will be working with a consultant to implement it. For this project, consultant delays are possible due to a lack of resources on their end — if a delay happens, the impact would be major because it would impact the entire rollout plan. We’d categorize this risk as medium-high based on the example matrix. 


What are the benefits of a risk assessment matrix?

You might be wondering if it’s worth spending the time to assess risks and create a matrix for all of your projects. Well, the benefits of a risk assessment matrix in the workplace speak for themselves:  

  • You can prioritize all risks with an understanding of the level of severity. Having an overview of all potential risks allows you to prioritize them against one another if there is more than one risk occurring. This prioritization will benefit your project team and help keep them on track if the project does go awry.
  • You can devise strategies and allocate resources for the unexpected. While it’s impossible to fully plan for uncertainty, acknowledging and understanding what risks could occur provides an opportunity to create action plans for those unexpected events. Appropriately planning for risks may increase the likelihood of project completion and success.
  • You’ll reduce or neutralize the impact of risks that occur. The unexpected consequences of a risk that’s not thought about in advance might feel more severe and damaging than a risk identified and analyzed early on. Having an awareness of the potential impact may reduce or neutralize the effect of a project risk before it occurs. Hope for the best, but prepare for the worst. 

What are the challenges of a risk matrix?

While risk matrices can be very useful for identifying and preparing for project risks, they are not an answer to all your project problems. Here are some of the challenges of risk matrices:

  • Inaccurate assessments:  The risk matrix categories may not be specific enough to compare and differentiate between risk levels accurately. The likelihood and severity of certain risks are often subjective and therefore unreliable.
  • Poor decision making: Incorrectly categorized risks can lead to poor decision making since you do not have an accurate picture of potential issues.
  • Doesn't account for time frames: Risk matrices don't differentiate between risks that could occur two weeks from now and risks that could occur in two years’ time. There is no consideration of how risks could change over the years.
  • Can oversimplify risks: The complexity and volatility of risks can be oversimplified — some risks remain the same over time, while others can change overnight.

How do you calculate risk in a risk matrix?

A risk matrix is a valuable tool for your project planning, and creating one doesn’t have to be complicated. Follow these steps to calculate risk for a project of your own. 

Step 1: Identify the risks related to your project

To complete your risk assessment matrix, you need to start by having an in-depth understanding of your project — the scope, budget, resources, timeline, and goal. You’ll need this information to help you spot the potential risk(s).

Identify as many risks as you can with your project team. Consider aspects like scope creep, budgetary constraints, schedule impacts, and resource allocation as the starting points for your risk identification process. Create a risk register complete with all of the identified risks, as it will make it easier to create your matrix.

Step 2: Define and determine risk criteria for your project 

No two risks and no two risk matrices are alike, which means you’ll need to work with your project team and key stakeholders to define and determine the risk criteria you’ll use to evaluate each risk you’ve identified. 

Remember that two intersecting criteria need to be specified, each with its levels: the probability or likelihood that the risk will occur and the severity or impact the risk will have. 

Step 3: Analyze the risks you’ve identified 

After you’ve identified and described all of the potential risks, the next step is to analyze them. In your analysis, use your risk criteria to categorize each risk within its appropriate severity level and probability. 

Many matrices assign a number value to criteria. So, sticking with our example, you might rate the impact ranging from one (insignificant) to five (catastrophic) and do the same with likelihood, where one represents very unlikely, and five represents very likely.

Using the matrix, it’s then easy to multiply severity times likelihood to get an impact score in the form of a number value. A risk that’s catastrophic and very likely would rank as a 25, whereas one that’s insignificant and very unlikely would rank as a one. It’s a simple and intuitive way to compare and understand risks. 

Step 4: Prioritize the risks and make an action plan

The last part of your risk assessment matrix is to prioritize the risks and create a risk management plan to mitigate or neutralize them, with your risks categorized accordingly. You’ll want to outline the steps you’ll take if the risk does occur and the strategies you’ll deploy to help get the project back on track.


How do you create a risk matrix in Excel?

Wondering how to make a risk matrix in Excel? Start by building a table that reflects the probability and severity scales you’ve defined for your risk assessment. Here are a few tips and best practices to help you get started: 

  • After you’ve created your table, add your labels to the rows and columns. Use the columns for severity and rows for the likelihood of occurrence.
  • Once you’ve labeled all of your column and row headers, add the definitions for each probability and risk severity level you’ve outlined with your team beneath the header title. This helps ensure the team is on the same page when ranking risks within the matrix.
  • Use formatting options to color-coordinate the matrix for the best visual representation. You can use the stoplight system (red, yellow, green) for high, medium, and low risks, respectively. Color-coding allows any viewer to easily distinguish the risks based on the likelihood that they will occur and the amount of damage or interruption they’ll cause. 

How do you create a risk matrix in Wrike? 

If an Excel sheet isn’t your jam when it comes to tracking and monitoring risks, you can use Wrike to customize and develop a comprehensive risk matrix. Some of the key features Wrike has that you can use to assess project risk include:

  • Custom fields that allow you to build out the severity and probability any way you want to. You could turn these into drop-down rankings on a one-to-five scale or use the text option to label your categories.
  • Table view to provide greater visibility into the risks and a similar table to the one you can create in Excel.
  • Reports and calculated fields to automate the data associated with your assessed risks.
  • Interactive Gantt charts that allow you to create task dependencies and streamlined automation of changing project dates and deadlines. Project progress can be monitored in real time, which allows your team to keep risks top of mind, so the important stuff doesn’t get overlooked.

The best part about using a platform like Wrike is that it can automatically update and adjust as your project progresses, saving you from the manual work required in Excel. 


What do you do with risk matrix results?

So, what does a risk matrix accomplish for you? The short answer is that your matrix results help you create a risk response plan. 

To start with, it’s crucial to address anything that is high risk. Depending on the project and your team’s resources, you may only need to monitor the medium and low-risk categories rather than taking immediate action. 

Finally, reference your risk matrix throughout the project until it’s marked complete and successful. Don’t make the mistake of not committing to risk management as an ongoing process. Using these risk assessment tools is a powerful, proactive way to support your project team and mitigate any bottlenecks that stand in the way between them and a winning project.


Kat Boogaard


Kat is a Midwest-based contributing writer. She covers topics related to careers, self-development, and the freelance life. She is also a columnist for Inc., writes for The Muse, is Career Editor for The Everygirl, and a contributor all over the web.


Being risk-conscious is not just about protecting a business from unfavorable events — it helps you stay ahead by making fine-tuned tactical choices. A recent PwC survey also noted that 81% of businesses that quantify risks see better productivity and more time to focus on strategic initiatives.

If you want to reap these benefits, visualizing your risk posture through a risk assessment matrix (RAM) is ideal. It’s a popular risk quantification mechanism, with many organizations using it for grading, prioritizing, and managing risks. 

This guide outlines the different types of matrices you can use for specific scenarios. You’ll also learn how to create a risk matrix from scratch in a few simple steps.

What is a risk assessment matrix?

A risk assessment matrix is a grid-based, typically color-coded visualization of the potential risks an entity faces, graded against the likelihood of each risk scenario as well as the impact of its consequences. The matrix presents each risk alongside its allocated numerical value, giving decision-makers a convenient bird’s-eye view of risks.

How does a risk assessment matrix work?

A risk matrix supports the measurement of risks across two dimensions:

  • Likelihood/probability (X-axis)
  • Impact/severity (Y-axis)

For any risk event, you have to quantify each of these two factors to calculate its final risk score and place it in the matrix accordingly. Typically, scores within a specific risk grade are color-coded. For example:

  • Low risk — Green
  • Medium risk — Orange
  • High risk — Red

When done, you’ll have an at-a-glance view of risks that makes prioritization and mitigation easier.

What are the types of risk assessment matrices you can use?


Depending on the number of levels you add to categorize each dimension/axis, you can have several types (sizes) of risk matrices, such as:

Many risk experts consider 5x5 matrices a sweet spot. They’re not too complex to set up while still being detailed enough to let an organization define precise levels of risk acceptability, including negligible and extreme risks. However, you can stick to a smaller 3x3 matrix in the following scenarios:

  • You don’t have sufficient data to develop granular scales and criteria.
  • You’re assessing smaller, low-impact risks that won’t require in-depth analyses.
  • You’re new to risk assessments and want to start with a basic setup.

As your risk management processes mature, you can consider using more elaborate matrices like 7x7. Bigger matrices require a great deal of precision and abundant data, so they’re best suited for complex projects or larger organizations that need to analyze sensitive risks.

Another way to classify risk matrices is according to the type of risk you’re assessing, such as vendor and supplier, legal, or third-party risk. It’s a good idea to create dedicated matrices for different risk categories, as doing so ensures comprehensive coverage of your risk landscape.

Benefits of using a risk assessment matrix

One of the main advantages of a risk assessment matrix is that it enables the quantification of business risks according to a tailored scaling system. Other benefits include:

  • Easier risk prioritization: Qualitative risk assessments can be highly subjective, where certain team members might consider specific risks more or less severe than they actually are. A risk matrix promotes objectivity by providing a more data-driven and quantitative overview of your risk posture, which allows you to group and prioritize risks effectively.
  • Real-time monitoring: Risk matrices are updated periodically to account for newer risks, outdated threats, or changes in impact levels. The ongoing monitoring and fresh scoring offer real-time insights that help keep your risk posture relevant.
  • Improved implementation of compliance standards: Risk assessments are essential requirements of many compliance standards (e.g., ISO 27001), and a risk matrix helps you conduct them more accurately.
  • Strategic risk responses: Once risks are placed in the appropriate segments of the matrix, fine-tune your risk management strategy to develop specific remediation plans. You can also see which events call for the most resources, ensuring you don’t waste them on negligible or tolerable risks.
  • Better team alignment: Risk matrices help stakeholders, including employees, understand risks better, which allows them to calibrate their actions with more clarity.


Five steps to creating and using a risk assessment matrix

To create an effective risk assessment matrix, you need to take the following steps:

  • Identify risks
  • Determine the likelihood of each risk occurring
  • Assess the impact of each risk
  • Assign a risk score
  • Map out and prioritize risks

Step 1: Identify risks

Before you can quantify risks through a matrix, you must define your entire risk landscape. The best way forward is to hold brainstorming sessions with relevant stakeholders (like department heads) to get their input.

Some of the main categories of risks you may want to identify are outlined in the following table:

Category | Definition
Operational risks | Potential for losses caused by issues in internal processes or systems.
Potential for loss or harm related to technical infrastructure or the use of technology within an organization.
External risks | Potential for harm triggered by uncontrollable events outside of an organization’s control or purview.
Compliance risks | Potential for threats to an organization’s reputation or legal standing due to the failure to comply with industry standard compliance frameworks and regulations.
Strategic risks | Potential of significant business disruption caused by failed strategic decisions or plans.

After you gather the necessary data, organize the risk scenarios in a centralized document like a risk register.

Step 2: Determine the likelihood of each risk occurring

Once you’ve identified your risk list, it’s time to define the first risk matrix criterion — likelihood or probability. We recommend defining a scale that aligns with your preferred matrix size. The number of levels in your scale will determine the size of your matrix.

Imagine you’re assessing a minor project-specific risk that doesn’t have an organization-level impact. Because of the limited assessment scope, your scale can have three levels for a 3x3 matrix:

For more sensitive risks, however, it’s ideal to expand the scale to five levels and create a 5x5 matrix, such as:

  • Highly unlikely
  • Highly likely

Consider adding percentage/probability ranges here so that you can further quantify your risk’s likelihood of occurring.

Once the scale is defined, determine the likelihood of each risk and grade it accordingly. Assign numerical values to levels (e.g., 1–5), as doing so will help you calculate the final risk score in later steps.

Step 3: Assess the impact of each risk

After determining the likelihood of a risk occurring, you need to define the second criterion — i.e., the impact a realized risk event could have on your organization. You can outline a custom scale depending on your risk profile. Assuming you choose a 5x5 matrix, here’s a sample impact scale with five levels:

  • Catastrophic

Aim to add numerical values here as well so that you can weigh the risks in clear terms, preferably using quantifiable metrics like revenue or customer loss.

Determining a risk’s tangible impact isn’t always simple, though. You’ll sometimes have to account for risks that aren’t as easily quantifiable (e.g., reputation damage). In such cases, experts advise collecting input from high-level stakeholders or risk consultants.

Step 4: Assign a risk score

If you’ve assigned numerical values to a risk’s likelihood and impact, calculating the risk score is easy — all you need to do is multiply the two. Here’s the formula:

  • Risk score = Likelihood x Impact

Repeat the calculation for every item in your risk register and simultaneously record the values for easy plotting in the next step.

In some cases, you may want to introduce additional weights to the equation for a more precise risk score. For example, you can add double weightage to a risk that has both financial and operational implications. While this might complicate the assessment process, it could be worth the effort when you’re dealing with highly complex or sensitive risk scenarios.

Step 5: Map out and prioritize risks

After you’ve assigned final scores to risks, the last step is to map them out in the matrix based on predetermined ranges. Then, color-code the matrix to simplify visual navigation.

Keep in mind that risk ranges aren’t universal — it all comes down to your organization’s risk appetite. For example, if you use a 5x5 matrix, you can describe the overall risk levels within the following ranges:

  • Medium: 5–9
  • High: 10–17
  • Extremely high (or critical): 18–25

It’s possible to have more than four risk levels, depending on how deep and complex you want your risk calculation and measuring models to be.

Once you define the final risk levels, you can use the matrix to highlight the most pressing risks and areas for improvement.

Let’s understand the plotting process through an example. Let’s say you’re in the medical industry and have taken various precautions to protect patient data. You may determine that a breach is unlikely and give it a likelihood score of 2. Still, the consequences of such a breach would be catastrophic, so the impact score is 5. As a result, the overall risk level is (5 x 2) or 10, which translates to a “high” category risk. Since the likelihood is already low, you can mitigate the risk by taking steps to reduce the potential impact of the breach.


Why continuous tracking of your risk assessment matrix is crucial

Your organization's risk landscape evolves constantly, so your risk matrices need to follow suit. Revisit your matrices at predefined intervals to account for external and/or internal changes — the cadence depends on the volatility of your risk space.

Tracking risk matrices is especially important when executing risk mitigation strategies through intricate internal controls and security programs. Updated risk scores help you evaluate the efficacy of your measures and implement changes to tackle new risks.

You can review your risk matrices either internally or with the help of third-party assessors. Whatever you choose, make sure to collaborate with key stakeholders in your organization across departments to ideate on risk scenarios. Finally, designate someone to sign off and make the changes official.

A common setback many organizations face is that continuous risk tracking becomes laborious and time-consuming. This is true especially if the process is full of inefficiencies, such as manually calibrated matrices, evidence-gathering through screenshots, or tracking updates through endless email threads.

The good news is that you don’t need to put up with scattered and inefficient risk assessment processes anymore. With the right risk management platform, you can streamline and retain complete control over your risk assessment workflows.

Simplify risk assessment and management with Vanta

Vanta is a robust Trust Management Platform offering functionalities that streamline GRC processes. The platform’s comprehensive Risk Management solution gives you a centralized hub for assessing, tracking, and managing risks. You can also utilize AI and automation to enhance operational predictability with minimal manual work.

With Vanta, you can create a color-coded risk assessment matrix with a few clicks. By default, the platform helps score risks for likelihood and impact on a scale of 1–5. However, you can use custom categories and scoring options to build a tailored matrix. Access several other features to support your risk assessment team, such as:

  • Automated risk scoring and prioritization
  • Pre-built content for 50+ common risk scenarios
  • Customizable risk register
  • Real-time tracking of risk scenarios
  • Risk mitigation suggestions and controls linking
  • Risk assessment reports and time-specific snapshots for evidence collection

The platform lets you auto-update your risk policy to sync with any change in the scoring parameters. You can also explore over 300 integrations with popular platforms to boost productivity and free up more time for high-value work.

Vanta’s Risk Management solution leverages the ISO 27005 risk assessment guidelines by default and helps you stay compliant with 20+ frameworks and standards, including SOC 2 and ISO 27001 — explore the product page for more details.

You can also schedule a custom demo and get a more personalized experience for your team.


Role | GRC responsibilities
Board of directors | They determine which standards and regulations are necessary for compliance and align the GRC strategy with business objectives.
Chief financial officer | Primary responsibility for the success of the GRC program and for reporting results to the board.
Operations managers from relevant departments | This group owns processes. They are responsible for the success and direction of risk management and compliance within their departments.
Representatives from relevant departments tasks within their departments and for integrating these tasks into their workflows.
Contract managers from relevant department and compliance measures are being taken.
Chief information security officer (CISO) | Defines the organization’s information security policy, designs risk and vulnerability assessments, and develops information security policies.
Data protection officer (DPO) or legal counsel | Develops goals for data privacy based on legal regulations and other compliance needs, designs and implements privacy policies and practices, and assesses these practices for effectiveness.
GRC lead | Responsible for overseeing the execution of the GRC program in collaboration with the executive team as well as maintaining the organization’s library of security controls.
Cybersecurity analyst(s) | Implements and monitors cybersecurity measures that are in line with the GRC program and business objectives.
Compliance analyst(s) | Monitors the organization’s compliance with all regulations and standards necessary, identifies any compliance gaps, and works to mitigate them.
Risk analyst(s) | Carries out the risk management program for the organization and serves as a resource for risk management across various departments, including identifying, mitigating, and monitoring risks.
IT security specialist(s) | Implements security controls within the IT system in coordination with the cybersecurity analyst(s).


Risk matrix template: How to assess risk for project success (with examples)


A risk matrix analyzes project risks based on likelihood and severity. Once you map your risks, you can calculate overall impact and prioritize risks accordingly. In this piece, you’ll learn how to create a risk matrix template and how to use the information from this analysis tool to develop a comprehensive risk management plan.

Risks are a part of any project, and there’s no surefire way to know which ones will occur and when. Sometimes, you'll get through an entire project without experiencing a single hiccup. Other times, you’ll feel like all the odds are against you. Without the help of a crystal ball, the only way to prevent project risks is to proactively prepare for them. 

A risk matrix helps you analyze risk by assigning each event as high, medium, or low impact on a scale of one through 25. Once you assess the severity and likelihood of each risk, you’ll prioritize your risks and prepare for them accordingly. In this article, we’ll explain how to create a risk matrix template and offer helpful tools for turning your results into action.

What is a risk matrix in project management?

Types of risks

As part of the process, you’ll need to brainstorm a list of risks to chart in your risk matrix. The risks you may face will likely fall into these categories:

Strategic risk : Strategic risks involve performance or decision errors, such as choosing the wrong vendor or software for a project.

Operational risk : Operational risks are process errors or procedural mistakes, like poor planning or a lack of communication among teams.

Financial risk : Financial risk can involve various events that cause a loss of company profit, including market changes, lawsuits, or competitors.

Technical risk: Technical risk may include anything related to company technology, such as a security breach, power outage, loss of internet, or damage to property.

External risk: External risks are out of your control, like floods, fires, natural disasters, or pandemics. 

There are other risk categories to consider depending on your work industry. For example, if you have government clients, then you also want to brainstorm legal risks. If your company sells a physical product, you may have to think about manufacturing risks.

How to create a risk matrix template

When creating your risk matrix template, you’ll first identify your scale of severity, which you’ll place in the columns of your matrix. The scale of severity measures how severe the consequences will be for each risk. In a five-by-five matrix, there are five levels in your scale of severity.

Negligible (1): The risk will have little consequences if it occurs.

Minor (2): The consequences of the risk will be easy to manage.

Moderate (3): The consequences of the risk will take time to mitigate.

Major (4): The consequences of this risk will be significant and may cause long-term damage.

Catastrophic (5): The consequences of this risk will be detrimental and may be hard to recover from.

You’ll then identify your scale of likelihood, which you’ll place in the rows of your risk matrix template. The scale of likelihood identifies the probability of each risk occurring.  

Very likely (5): You can be pretty sure this risk will occur at some point in time.

Probable (4): There’s a good chance this risk will occur.

Possible (3): This risk could happen, but it might not. This risk has split odds.

Not likely (2): There’s a good chance this risk won’t occur.

Very unlikely (1): It’s a long shot that this risk will occur.

When you place a risk in your matrix based on its likelihood and severity, you’ll find the level of risk impact. The risk impact is both color-coded from green to red and rated on a one through 25 scale. 

Low (1-6): Low-risk events likely won’t happen, and if they do, they won’t cause significant consequences for your project or company. You can label these as low priority in your risk management plan.

Medium (7-12): Medium-risk events are a nuisance and can cause project hiccups, but if you take action during project planning to prevent and mitigate these risks, you’ll set yourself up for project success. You shouldn’t ignore these risks, but they also don’t need to be a top priority.

High (13-25): High-risk events can derail your project if you don’t keep them top of mind during project planning. Because these risks are likely to happen and have serious consequences, these are most important in your risk management plan.

[inline illustration] risk matrix criteria (infographic)

 You don’t have to stick to the labels above for your risk matrix template if they don’t feel right for your company or project. You can customize the size and terminology of your matrix to your needs.

How to use a risk matrix

Once you’ve created a risk matrix, you can use it as a comprehensive analysis tool. The best part about a risk matrix template is that you don’t need to change it for every project. Once you have one, you can reuse it and share it with others. 

[inline illustration] 5 steps to use a risk matrix (infographic)

1. Identify project risks

You’ll need a list of potential risks to make use of your risk matrix. In this step, you’ll determine what risks may affect the specific project you’re working on. 

To come up with relevant risks for your project, you’ll need to understand your project scope and objectives. This includes the project’s:

Constraints

Using your project scope as a guide, think of risky situations that might affect your project. If you’re not sure where to start, try brainstorming techniques like mind mapping or starbursting to list as many risks as you can under each risk type. 

2. Determine severity of risks

When you created your risk matrix, you defined the criteria for your risk severity and likelihood. Now that you have a list of project risks, categorize them using the matrix criteria. Start with the scale of severity and go through each risk you’ve listed. Consider the following questions:

What is the most negative outcome that could come from this risk?

What are the worst damages that could occur from this risk?

How hard will it be to recover from this risk?

Which of the five severity levels most closely matches this risk?

You may not always have the perspective you need to know how severe the consequences of a risk are. In that case, work with other project stakeholders to determine the potential risk impact.

3. Identify likelihood of risks

Once you’ve defined the severity of each risk, you’ve completed half of the risk analysis equation. Next, identify the likelihood of each risk. To do this, consider the following questions:

Has this risk occurred before and, if so, how often?

Are there risks similar to this one that have occurred?

Can this risk occur, and if so, how likely is it to occur?

Team collaboration is also crucial in this step because you may not have a good idea of similar risks that have occurred in past projects. Make sure to reference past projects and analyze the probability of each risk with your team in order to create a more accurate mitigation plan.

4. Calculate risk impact

The last part of your risk analysis equation is to calculate risk impact. The equation you’ll use is:

Likelihood x severity = risk impact  

Place each risk in your matrix based on its likelihood and severity, then multiply the numbers in the row and column where it lands to find the level of risk impact. For example, if you think the risk of a data breach is of major severity (4) and probable likelihood (4), you’d multiply four by four to get a risk impact of 16. This is considered a high-risk impact. 

5. Prioritize risks and take action

You should now have a risk impact level on a scale of 1–25 for each risk you’ve identified. With these number values, it’s easier to determine which risks are of top priority. When you have risks with the same risk impact score, it will be up to you and your team to determine which risk to prioritize. Risks with equal risk impact may require equal attention as you create your action plan. 

Your risk response plan should include steps to prevent risk and ways to mitigate risk if unfortunate events occur. Because so much goes into project planning, the best strategy when tackling risks may be to divide and conquer.
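The scoring and prioritization in steps 4 and 5, as an added example that is not part of the original article: it builds the five-by-five grid, applies the Low/Medium/High bands given above, and ranks a register while keeping equal scores grouped for the team to break ties. The register entries and all function names are constructed for illustration.

```python
"""Score a risk register on the 5x5 matrix: likelihood x severity = risk impact."""
from collections import Counter
from itertools import groupby

# Scales as defined in the article (label -> numeric level).
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"very unlikely": 1, "not likely": 2, "possible": 3,
              "probable": 4, "very likely": 5}

# Bands from the article: Low (1-6), Medium (7-12), High (13-25).
BANDS = [(1, 6, "Low"), (7, 12, "Medium"), (13, 25, "High")]


def risk_impact(likelihood, severity):
    """Multiply the row and column levels; unknown labels raise KeyError."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def band(score):
    """Map a 1-25 score to its band label."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 1-25 scale")


def build_matrix():
    """Rows are likelihood 5..1 (top to bottom), columns are severity 1..5."""
    return [[lik * sev for sev in range(1, 6)] for lik in range(5, 0, -1)]


def attainable_scores():
    """Distinct products that can actually appear in a 5x5 grid."""
    return sorted({cell for row in build_matrix() for cell in row})


def band_cell_counts():
    """How many of the 25 cells fall in each band."""
    return Counter(band(cell) for row in build_matrix() for cell in row)


def prioritize(register):
    """Return (score, band, [risk names]) tiers, highest score first.

    Risks with the same score stay in one tier: the matrix cannot rank
    them, so the team has to decide the order within a tier.
    """
    scored = sorted(
        ((risk_impact(lik, sev), name) for name, lik, sev in register),
        key=lambda item: (-item[0], item[1]),
    )
    return [
        (score, band(score), [name for _, name in group])
        for score, group in groupby(scored, key=lambda item: item[0])
    ]


# Constructed sample register: (risk, likelihood label, severity label).
REGISTER = [
    ("Data breach", "probable", "major"),            # the article's 4 x 4 example
    ("Scope creep", "very likely", "moderate"),
    ("Vendor misses delivery date", "possible", "moderate"),
    ("Key engineer leaves", "not likely", "major"),
    ("Office internet outage", "probable", "minor"),
    ("Flood at data center", "very unlikely", "catastrophic"),
]

if __name__ == "__main__":
    for row in build_matrix():
        print(" ".join(f"{cell:>2} {band(cell)[0]}" for cell in row))
    print("cells per band:", dict(band_cell_counts()))
    print("attainable scores:", attainable_scores())
    for score, label, names in prioritize(REGISTER):
        print(f"{score:>2} {label:<6} {', '.join(names)}")
```

Only 14 distinct scores can occur on the 1 to 25 scale, and a catastrophic but very unlikely risk scores 5, which these thresholds place in the Low band.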

Risk assessment matrix template

The size of your risk matrix template determines how closely you can analyze your project risks. A larger risk matrix template offers more room on the risk impact spectrum, while a smaller risk matrix template keeps your risk impact rating simpler and less subjective. 

Each square in your matrix represents a risk level of likelihood and severity, so you shouldn’t make your risk matrix smaller than three squares in length and width.

A five-by-five risk matrix is ideal so you can further analyze each risk. Once you chart your risks along your finished risk matrix template, this matrix creates a larger color spectrum to see the impact of each risk as high, medium, or low. 

The example below shows a five by five risk matrix template.

[inline illustration] Risk matrix (example)

You can download a free risk matrix template using the link below. Use this template to chart your project risks and determine their overall level of risk impact.

Pair your risk matrix template with a work management tool

You can use the same risk matrix template when measuring risk across multiple projects. However, it’s important to remember that the risks you face will evolve. The environment changes, technology becomes smarter, and the workplace grows. Every project faces unique risks, and you must reevaluate these risks year after year.

When you pair your risk matrix template with work management software, you can use past data to inform current processes. Asana helps you share the results of your risk matrix with stakeholders so you can collaborate on a risk management plan. Once you have a solid plan in place, you can monitor your team in real-time as they take action.


How to Perform a Risk Assessment

Identify, analyze, and mitigate potential hazards and the risks associated with them by conducting risk assessments.


What is a Risk Assessment?

A risk assessment is a systematic process used to identify potential hazards and risks in a situation, then analyze what would happen should these hazards take place. As a decision-making tool, risk assessment aims to determine which measures should be implemented to eliminate or control those risks, as well as specify which of them should be prioritized according to their likelihood and impact on the business.

Risk assessment is one of the major components of a risk analysis. Risk analysis is a process with multiple steps that intends to identify and analyze all of the potential risks and issues that are detrimental to the business or enterprise.

Why is it Important?

Risk assessments are essential to identify hazards and risks that may potentially cause harm to workers. Identifying hazards by using the risk assessment process is a key element in ensuring the health and safety of your employees and customers. OSHA requires businesses to conduct risk assessments. According to regulations set by OSHA, assessing hazards or potential risks will determine the personal protective gear and equipment a worker may need for their job.

Risk analysis framework includes risk assessment, risk management, and risk communication

Risk Analysis Framework

When Do You Perform a Risk Assessment?

Beyond complying with legislative requirements, the purpose of risk assessments is to eliminate operational risks and improve the overall safety of the workplace. It is the employer’s responsibility to perform risk assessments when:

  • new processes or steps are introduced in the workflow;
  • changes are made to the existing processes, equipment, and tools; or
  • new hazards arise.

Risk assessments are also performed by auditors when planning an audit procedure for a company.


HSE distinguishes three general risk assessment types:

Large Scale Assessments

This refers to risk assessments performed for large-scale, complex hazard sites such as those in the nuclear and oil and gas industries. This type of assessment requires the use of an advanced risk assessment technique called Quantitative Risk Assessment (QRA).

Required specific assessments

This refers to assessments that are required under specific legislation or regulations, such as the handling of hazardous substances (according to COSHH regulations, 1998) and manual handling (according to Manual Handling Operations Regulations, 1992).

General assessments

This type of assessment manages general workplace risks and is required under the management of legal health and safety administrations such as OSHA and HSE.

Here is an example of a completed risk assessment. See more risk assessment examples in various industries.


How to Perform Risk Assessment in 5 Steps

Below are the 5 steps on how to efficiently perform risk assessments:

1. Identify hazards

Survey the workplace and look at what could reasonably be expected to cause harm. Identify common workplace hazards. Check the manufacturer’s or suppliers’ instructions or data sheets for any obvious hazards. Review previous accident and near-miss reports.

2. Evaluate the risks

Risk evaluation helps determine the probability of a risk and the severity of its potential consequences. To evaluate a hazard’s risk, you have to consider how, where, how much, and how long individuals are typically exposed to a potential hazard. Assign a risk rating to your hazards with the help of a risk matrix.

3. Decide on control measures to implement

After assigning a risk rating to an identified hazard, it’s time to come up with effective controls to protect workers, properties, civilians, and/or the environment. Follow the hierarchy of controls in prioritizing implementation of controls.

4. Document your findings

It is important to keep a formal record of risk assessments. Documentation may include a detailed description of the process in assessing the risk, an outline of evaluations, and detailed explanations on how conclusions were made.

5. Review your assessment and update if necessary

Follow up with your assessments and see if your recommended controls have been put in place. If the conditions on which your risk assessment was based change significantly, use your best judgment to determine if a new risk assessment is necessary.

Risk Assessment Tools and Techniques

Several tools and techniques can be seamlessly incorporated into a business’s process. The four common risk assessment tools are: risk matrix, decision tree, failure modes and effects analysis (FMEA), and bowtie model. Other risk assessment techniques include the what-if analysis, failure tree analysis, Layer of Protection Analysis (LOPA) and Hazard and Operability (HAZOP) analysis.


How to use a Risk Matrix?

Consequence         | Very likely | Likely | Unlikely | Highly unlikely
Fatality            | High        | High   | High     | Medium
Major Injuries      | High        | High   | Medium   | Medium
Minor Injuries      | High        | Medium | Medium   | Low
Negligible Injuries | Medium      | Medium | Low      | Low

A risk matrix is often used to measure the level of risk by considering the consequence/severity and likelihood of injury to a worker after being exposed to a hazard. Two key questions to ask when using a risk matrix should be:

  • Consequences: How bad would the most severe injury be if exposed to the hazard?
  • Likelihood: How likely is the person to be injured if exposed to the hazard?

The most common types are the 3×3 risk matrix, 4×4 risk matrix, and 5×5 risk matrix.

How to Assess Consequences?

It is common to group the injury severity and consequence into the following four categories:

  • Fatality – leads to death
  • Major or serious injury – serious damage to health which may be irreversible, requiring medical attention and ongoing treatment
  • Minor injury – reversible health damage which may require medical attention but limited ongoing treatment. This is less likely to involve significant time off work.
  • Negligible injuries – first aid only with little or no lost time.

How to Assess Likelihood?

It is common to group the likelihood of a hazard causing worker injury into the following four categories:

  • Very likely – exposed to hazard continuously.
  • Likely – exposed to hazard occasionally.
  • Unlikely – could happen but only rarely.
  • Highly unlikely – could happen, but probably never will.

We recommend OSHA’s great learning resources in understanding how to assess consequence and likelihood in your risk assessments.

Risk Assessment Training

“Safety has to be everyone’s responsibility… everyone needs to know that they are empowered to speak up if there’s an issue.” – Captain Scott Kelly, at the SafetyCulture Virtual Summit.

Good and effective hazard identification and risk assessment training should orient new and existing workers on various hazards and risks that they may encounter. It should also be able to easily walk them through safety protocols. With today’s technology like SafetyCulture’s Training feature, organizations can create and deploy programs tailored to the needs of their workers.

Risk Assessment Templates

Risk assessments are traditionally completed through checklists, which are inconvenient when reports and action plans are urgently needed. Streamline the process with SafetyCulture, a mobile app solution. Get started by browsing this collection of customizable Risk Assessment templates that you can download for free.

Perform Effective Risk Assessments with SafetyCulture

Why use SafetyCulture?

SafetyCulture is a mobile-first operations platform adopted across industries such as manufacturing, mining, construction, retail, and hospitality. It’s designed to equip leaders and working teams with the knowledge and tools to do their best work—to the safest and highest standard.

Promote a culture of accountability and transparency within your organization where every member takes ownership of their actions. Align governance practices, enhance risk management protocols, and ensure compliance with legal requirements and internal policies by streamlining and standardizing workflows through a unified platform.

✓ Save time and reduce costs ✓ Stay on top of risks and incidents ✓ Boost productivity and efficiency ✓ Enhance communication and collaboration ✓ Discover improvement opportunities ✓ Make data-driven business decisions

FAQs About Risk Assessment

What is the difference between risk assessment and job safety analysis (JSA)?

The key difference between a risk assessment and a JSA is scope. Risk assessments assess safety hazards across the entire workplace and are oftentimes accompanied with a risk matrix to prioritize hazards and controls. Whereas a JSA focuses on job-specific risks and is typically performed for a single task, assessing each step of the job.

What are the 3 main tasks of risk assessment?

The three main tasks of risk assessment include identifying the hazards, assessing the risks that come along with them, and placing control measures to either eliminate them totally or at least minimize their impact on the business and its people.

What are the top 5 operational risk categories?

The five most common categories of operational risks are people risk, process risk, systems risk, external events risk or external fraud, and legal and compliance risk. Operational risks refer to the probability of issues relating to people, processes, or systems negatively impacting the business’s daily operations.

How often should risk assessments be performed?

As stated above, risk assessments are ideally performed when there’s a new process introduced or if there are changes to the existing ones, as well as when there are new equipment or tools for employees to use. Outside of these instances, however, it is recommended that businesses schedule risk assessments at least once a year so that the procedures are updated accordingly.

Who should perform risk assessments?

Risk assessments should be carried out by competent persons who are experienced in assessing hazard injury severity, likelihood, and control measures.

Jairus Andales


Using a Risk Assessment Matrix (Template Included)

ProjectManager

All projects have risks, but not all risks are the same. There are many potential risks that can affect a project plan and you need to have a risk management process in place to manage them.

This risk management process consists of risk identification, assessment, mitigation and monitoring. To assess the level of risk, use a risk matrix. Creating a risk assessment matrix gives you a tool to perform qualitative risk analysis and increases the quality of your decision-making.

What Is a Risk Assessment Matrix?

A risk assessment matrix (also called a probability and severity risk matrix) is a visual tool project managers use to assess a risk’s potential impact on their project. A risk matrix is a project management grid, with the probability of a risk represented on the left, and the severity of the risk represented on the top.

All this informs your risk management plan because you have prioritized the risks and created a framework to respond quickly. It also lets you create risk mitigation strategies to manage any impact from high probability, high impact risks.


Why Is It Important?

Risk assessment is one of the most important steps in the risk management process because this is when you prioritize the project risks you’ve previously identified. A risk assessment matrix is a great tool to keep the focus on risks that are more likely to impact the time, cost and scope of your project. The risk matrix also gives you time in the planning phase to create risk mitigation plans for responding to risks that are more likely to happen.

Using a risk matrix to assess and prioritize risks is key to creating a risk mitigation strategy. If you’re using a risk assessment matrix, you can identify project risks and their severity faster. Live project tracking lets you view the evolving risk environment, letting you catch risks early and monitor your team’s progress in mitigating them.

How to Create a Risk Assessment Matrix

Follow these four steps, and remember to constantly review and revise your risk assessment matrix throughout the project life cycle:

  • Identify Risks: Start by looking at the entire risk landscape. That is, view the whole project and discuss things that could potentially impact the project with your team. Don’t be afraid to seek out historical data from previous projects, as well. Break down the identified risks into four categories: strategic, operational, financial and external.
  • Set Risk Criteria: Once you identify risks, the next step is to determine their probability and their impact, assigning values to those variables. Risk criteria let you place the risk on the risk assessment matrix. Spend time on each decision, and get feedback from your team to make sure your placement is accurate.
  • Assess Risk: Next, analyze the risk according to your risk criteria. This is a three-tier assessment: high, medium or low. The more detail, the better the analysis of the risks to your project.
  • Prioritize Risk: Now that you have this data, prioritize the risks that are most dangerous to the success of the project. This is also the first step in developing a risk assessment plan and figuring out what to do if these risks occur.

Risk Assessment Matrix Template

We’ve created a risk assessment matrix template for Excel to help you get started with the risk analysis process. Simply download the file and start prioritizing your project risks in minutes.


Using a Risk Matrix for Qualitative Risk Analysis

A risk assessment matrix works well with qualitative risk analysis, which is a risk management technique to prioritize risk. In fact, qualitative risk analysis is what a risk matrix visualizes!

Qualitative risk analysis provides a structure to use your risk matrix within. For example, it helps you assemble a team to identify risks. Then, have the team document every risk they identify. It doesn’t matter how small or insignificant the risk might appear. It’s best to cast a wide net at this point in the risk management process. You can reevaluate later as you analyze and determine how impactful each risk could be.

Next, rate and prioritize each risk based on the likelihood it might happen. Prioritize the risk however you want, but remember—the larger the range, the more accurate the risk assessment. Now you can develop strategies to address risks if they do occur.

A risk matrix is just a visual representation of a qualitative risk analysis. Use qualitative risk analysis to fill out your risk assessment matrix and make your findings more helpful.

Once you’ve made a risk assessment, ProjectManager helps you plan and track it in real time. You can create a risk card, which resembles our task cards, to assign the risk, prioritize it and even add a matrix widget to assess the risk level against the likelihood and impact. That gives you the risk level at a glance, allowing you to quickly resolve issues that arise. Get started with ProjectManager today for free.


How ProjectManager Helps with Risk Management

ProjectManager is online project management software, which means it delivers real-time data to help you identify risk quickly when it appears in your project. The quicker you identify risk, the faster you can resolve it before it becomes a problem.

Track Risk in Multiple Project Views

The risk assessment matrix prepares you for risk, and ProjectManager gives you the tools to address it. You can gather, prioritize and assign risks using the Gantt chart view, and track them on a task list, calendar or kanban board. Project data is updated across the software, so no matter which project view you’re working on, the information is current.


Collaborate in Real-Time with Your Team

Teams are often distributed, which is why ProjectManager offers collaboration features. Once an issue is worked on, team members can comment at the task level as they resolve it. Remote team members can work together with teams in the office. Automated notifications alert you whenever a task’s status updates to keep things moving forward quickly.


Track Risks on Intuitive Dashboards

To track progress, use our live dashboard. Data is collected and automatically calculated to display in easy-to-read charts and graphs that capture risks when they first appear. Unlike other software, ProjectManager is already set up and ready to give you instant status reports when you need them.


ProjectManager is award-winning software that helps you plan, monitor and report on risk. Our resource management tools make it simple to allocate resources and respond to issues so they’re resolved before they become problems. Get real-time data to capture risks fast and make more insightful decisions when working to resolve them. Try ProjectManager free today.

Int J Environ Res Public Health

Risk Assessment Matrices for Workplace Hazards: Design for Usability

Associated Data

The following are available online at Tables S1–S3.

In occupational safety and health (OSH), the process of assessing risks of identified hazards considers both the (i) foreseeable events and exposures that can cause harm and (ii) the likelihood or probability of occurrence. To account for both, a table format known as a risk assessment matrix uses rows and columns for ordered categories of the foreseeable severity of harm and likelihood/probability of that occurrence. The cells within the table indicate level of risk. Each category has a text description separate from the matrix as well as a word or phrase heading each row and column. Ideally, these header terms will help the risk assessment team distinguish among the categories. A previous project provided recommended sets of header terms for common matrices based on findings from a survey of undergraduate OSH students. This paper provides background on risk assessment matrices, discusses usability issues, and presents findings from a survey of people with OSH-related experience. The aim of the survey was to confirm or improve the prior recommended sets of terms. The prior recommendations for severity, likelihood, and extent of exposure were confirmed with minor modifications. Improvements in the probability terms were recommended.

1. Introduction

1.1. Background on Risk Assessment

The practice of occupational safety and health (OSH) has undergone a 50-year transition from being a mostly rule-following practice into a multi-faceted profession blending rules and risk management processes to achieve effective and feasible protection for employees, property, environment, and other business interests [1, 2, 3]. Risk management today involves several processes, repeated periodically, to identify hazards, evaluate the associated risks, and assess various tactics for preventing and mitigating harm from those risks [2, 3, 4]. A tool used for assessing and evaluating risks is referred to in the OSH field as a risk table, risk grid, risk matrix, or (our preference) risk assessment matrix (RAM) [2, 3, 5, 6, 7, 8, 9, 10, 11].

RAMs appear as a two-dimensional grid with one axis having categories of harmful consequence and the other axis with categories for likelihood or probability. The cells inside the grid are used to indicate risk. Risk-assessment teams use RAMs as part of an organization-specific risk management process [2, 3, 5, 7, 8, 11]. Although the details differ somewhat, a risk-management process involves: (1) identifying hazards and the associated risks, (2) determining tactics for reducing/mitigating each risk, also called risk treatment, (3) assessing the risks in terms of credible harmful consequences and likelihood of occurring, (4) evaluating each hazard-specific risk in terms of the organization’s tolerance for risk, (5) communicating with those affected, (6) implementing the approved risk-reduction tactics, and (7) following up by monitoring implementation and effectiveness. RAMs are tools used in Process 3 (risk assessment) and Process 4 (risk evaluation).

A RAM can be used in Process 3 to analyze risks of a specific hazard, document the effect of each risk-reduction tactic, and provide useful information for Process 4. This involves following steps that can later be used to document having used due diligence or reasonable care (depending on the applicable legal system). The hazard-specific assessment process described by Jensen [2] begins by using a RAM to establish a baseline risk by assuming the hazard has not yet incorporated any attempt to prevent or mitigate the harm. It involves judging the consequence of one or more foreseeable harmful events and the likelihood of occurrence. For each risk-reduction tactic added, the RAM is used to document the effect of that tactic by reducing severity or likelihood. This process is performed again and again, each time an additional risk-reduction tactic is considered, thereby providing a documented trail of having taken safety seriously [2]. Thus, an organization’s RAM serves as a core tool for use by risk-assessment teams to characterize risk in a systematic manner. Completed RAMs provide information in a visual format for Process 4 involving the evaluation of the risks and deciding if the organization can tolerate the remaining risks [2, 3, 5, 6, 8, 9, 10, 11].

This paper provides background on the numerous variations in RAM designs, the means for characterizing level of risk, and options for helping the individuals who use RAMs to achieve reasonable accuracy and precision. A typical use of a RAM is to have a small team use it as a tool for assessing various hazards. In OSH, the people who serve on risk-assessment teams have varying backgrounds in education, experience with the types of hazards being assessed, and experience applying RAMs. Thus, selecting an appropriate RAM for use by an organization involves recognizing that a RAM is a tool for use by people and should, therefore, be designed for human usability. At the very least, a RAM should be designed for usability by engineers, operations personnel, and others likely to be assigned to risk-assessment teams.

The substantial body of literature about RAMs reflects articles based on reasoning, experience, and expert opinion [ 8 , 9 , 10 , 11 , 12 , 13 , 14 , 15 , 16 , 17 , 18 ]. Few papers on RAMs report empirical research. The authors of this paper have identified four empirical studies on RAMs. Two studies examined how health service providers conduct risk management [ 19 , 20 ]. Card, Ward, and Clarkson reported a content analysis of health services organizations in the East of England area of the British National Health Service. They found the risk management systems were weak in two main areas: (i) guidance to support risk evaluation methods, including use of a RAM, and (ii) organizational guidance to support risk control [ 19 ]. In a second empirical study, Kaya, Ward, and Clarkson sent requests to 160 hospitals in England for descriptions of the RAMs they use [ 20 ]. Out of 100 responses, 99 used a 5-row by 5-column matrix similar to the one in Figure 1 . The 99 RAMs used the order number of rows and order of columns to fill the cells in the matrix with numbers obtained by multiplying the applicable order numbers. These numerals were used to sort cells with similar risk into bands identified by a particular color. In the study, each cell had a number ranging from one to 25; however, the healthcare providers differed in how cells were assigned to the colored levels of similar risk. This resulted in 28 different RAMs. The 99 hospitals used three, four, or five colored risk bands in their matrices [ 20 ]. The number of bands and number of hospitals were as follows: three bands (23), four bands (70), and five bands (6).

Figure 1. One of many possible designs of a risk assessment matrix. It uses five rows and five columns with three color-coded bands for cells with similar risk levels. Both axes were normalized to the range 0–10. The two iso-risk lines indicate risks from Row × Column = 20 and 45.

In a third empirical study, Ball and Watt reported a campus study of using a 5 × 5 RAM to assign a risk score to three photos of public places with unprotected edges where deadly falls could occur [ 12 ]. Their students had received basic instruction on the use of a RAM, but no specific training on how to judge likelihood or severity [ 12 ]. They found students had poor accuracy and precision. In a fourth study, Jensen and Hansen surveyed undergraduates studying OSH to determine how they understand various words and phrases used in RAMs [ 21 ]. Using results, the researchers identified sets of terms most suitable for naming the row and column categories in RAMs [ 21 ]. This article provides background on RAMs followed by a description of this follow-on survey of individuals with at least two years of OSH-related experience undertaken with the aim to reexamine the prior recommended word sets to determine if the prior recommendations are confirmed, or if improvements are desirable.

1.2. Diverse Options for Design

Organizations may design and use a RAM of their choosing. This has the advantage of allowing organizations to match their needs and values. There are, however, many RAMs that contain inherent pitfalls, inconsistencies, and difficulties in usability [ 8 , 9 , 10 , 11 , 12 , 13 , 14 , 15 , 16 ]. To explain the various ways that RAMs can differ, some terms need clarification. Figure 1 serves as a point of reference. RAMs come in different sizes, commonly described by the number of rows and number of columns. The size of the example in Figure 1 is a 5 × 5. The size of a RAM affects the resolution—more categories mean greater resolution. While it appears desirable to have large resolution, the RAM designer should recognize that assigning categories for likelihood and severity is a subjective process that is not well suited for making fine distinctions between adjacent categories [ 8 , 12 ]. Therefore, as Baybutt advises, the number of levels “should be consistent with the ability of practitioners to discriminate between levels” [ 8 ].

RAMs are presented in different orientations. Figure 2 depicts possible orientations of a 3 × 3 RAM using the Cartesian coordinate system to establish the positive and negative directions of rows and columns. In each RAM, the green colored cell is the lowest risk; the red cell is the greatest risk. Figure 2 a depicts a RAM in quadrant II. This is illustrated by MIL-STD-882E [ 22 ] and others [ 11 , 14 , 22 ]. This quadrant fits activities for which the horizontal axis applies to expected loss; the business community assigns a negative value to losses. Figure 2 b depicts a RAM in quadrant I. That is the location of RAMs emphasized in this paper and others [ 6 , 10 , 12 , 13 , 16 , 17 , 18 , 19 ]. Figure 2 c is a location where both axes are negative. The authors did not find any examples of a RAM located in quadrant III. Figure 2 d depicts a RAM in quadrant IV. Three examples have been found [ 7 , 8 , 23 ].

Figure 2. Positive and negative axes of RAMs presented in quadrants of Cartesian coordinate system. Panels ( a – d ) depict quadrants II, I, III, and IV, respectively.

Figure 3. Examples of three distinct methods for assigning risk indicators to the cells of risk matrices. Panels are: ( a ) multiplication of order numbers, ( b ) addition of order numbers, ( c ) multiplication of the midpoint values of the applicable row and column categories.

The columns in Figure 1 are for amount of harm—commonly called severity or consequence. Severity and consequences may relate to either financial loss or harm to personnel or other. For OSH practice, the term severity is most conventional and is used throughout this paper. Columns are for distinguishing ordered categories of severity.

A RAM needs a key containing a text description of each severity category to explain and illustrate what makes each column different from adjacent columns. Another essential attribute of the severity categories is that they must be put in order such that each is clearly greater than the next lower category [ 8 , 11 , 13 , 15 ]. In addition to the text description, each column has a header term at the top. In Figure 1 , the five column headers are indicated by variables C1, C2, C3, C4, and C5. The project described in this paper explored various terms for these column headers.

The rows in Figure 1 are for the ordered categories of how likely the hazardous event or exposure will occur. Four ways to describe the row categories were used in this paper. Probability was used for quantitative ratings with values in the range 0.0–1.0 or a multiple of 10. Likelihood refers to qualitative judgments expressed numerically or nominally (without numbers). A third dimension included in the present study is extent of exposure, a term that includes measures used to account for employees very rarely exposed to a hazard versus employees regularly exposed to the hazard. Extent of exposure is expressed by the frequency or duration of employee exposures to the hazard per a specific unit of time, e.g., three times per year, three exposure-hours per week, 80 uses per month. Extent of exposure may be used as a third dimension of a RAM or may be incorporated within the rows of a 2-dimensional RAM by inclusion in the descriptions provided in the key. A dimension not studied in this survey is frequency; it is used in the process industries to distinguish row categories in a RAM. Common uses include 1 death/10 years, 1 death per 100 years, and 1 death per thousand years. This project addressed sets of terms to replace the generic row headers in Figure 1 (R1, R2, R3, R4, and R5).

For a specified hazard, the individuals participating in a risk assessment are expected to both foresee possible hazard scenarios and estimate how likely each may occur [ 5 , 6 , 7 , 8 , 9 , 10 , 11 , 12 , 13 , 14 , 15 , 16 , 17 ]. These projections must then be put into the column and row categories of the applicable RAM. Two aids for helping risk assessment team members select column and row categories that match their projections are, first, explicit descriptions in the RAM’s key, and second, the terms used to label each column and row category. The authors developed this project with intent to help RAM designers with the second of these aids—selecting sets of terms for both column and row headers.

The cells in a RAM indicate level of risk. Colors are often used to show groups of cells with similar risk levels, known as risk bands. In Figure 1 , red cells denote the highest risk band and green cells denote the lowest risk band. Yellow cells are those separating green and red cells. For OSH, a hazard rated in the green band is generally considered tolerable or acceptable, and a hazard in the red band is typically considered highly undesirable or not tolerable [ 5 , 6 , 7 , 8 , 9 , 10 ]. While the decisions associated with red and green cells are often stated as clear-cut rules, the preferred practice is to consider these as indicators to assist with making decisions [ 8 , 9 , 10 , 11 , 12 , 13 , 14 , 24 ]. Cells rated in the yellow band indicate a need for additional attention in order to reduce the risk to as low as reasonably practicable (ALARP) prior to deciding on tolerability. After achieving ALARP, the organization’s risk-assessment team uses the final RAM as a visual tool to communicate with the organization’s decision makers about tolerability [ 18 ].

The basic definition of risk in Equation (1) provides the basis for using a table format [ 2 , 3 , 6 , 8 , 9 , 10 , 11 , 13 ]. According to Equation (1), the probability of a harmful event B occurring ( P B ) is multiplied by expected loss, given that B occurred.

A risk assessment matrix provides an easily understood depiction of risk being based on the product of applicable values in the row (probability or likelihood) and column (severity). Although this approach has been a tradition in the field of system safety, the OSH community has, for various reasons, sought a less quantitative approach [ 5 , 7 , 8 , 9 , 10 , 11 , 15 , 19 , 20 ].

The risk matrices in Figure 3 illustrate three ways to express risk within the cells. Each matrix uses rows for likelihood and columns for severity. In Figure 3 a,b, the rows are numbered 1–5 in order from lowest to highest likelihood, and the columns are numbered 1–5 in order from least to greatest severity of harm. With that start, there are two ways to assign numerical risk indicators ($RI_{ij}$) to the cells. Using the notation that subscripts $i$ and $j$ refer to row and column, respectively, $R$ refers to rows, and $C$ refers to columns, one method to determine the RI values in cells is $RI_{ij} = R_i \times C_j$. That yields the values in the Figure 3 a matrix. The other method is to add the values using $RI_{ij} = R_i + C_j$. That yields the values in the Figure 3 b matrix [ 6 , 11 ]. The approach in Figure 3 a assumes the category-to-category increases are basically linear. The approach in Figure 3 b assumes the categories in both the rows and columns are spaced logarithmically so that each category is approximately 10 times greater than the next lower category [ 6 , 10 , 11 ].

The third approach to quantify a risk matrix is to take the established row and column values, normalize each to a common scale (e.g., 0–1, 0–10, or 0–100), and use the normalized row and column matrix for establishing a less complex RAM, for which Figure 3 c is an example. The row and the column categories are then defined in terms of those values. In the Figure 3 c example, a 5 × 5 matrix may have a 10-point axis divided so that five equal width categories have upper bounds at 2, 4, 6, 8 and 10. The risk indicators in each cell are the product of the mid-range value of the respective row category (1, 3, 5, 7, 9) and the mid-range value of the respective column (1, 3, 5, 7, 9). This mid-point approach corresponds to instructing a RAM assessment team to assign severity categories based on the most representative sort of harm the team members can foresee, and likelihood categories based on the reasonably foreseeable chance of occurrence.

Several insightful papers have been positive on the approach of using the framework depicted in Figure 3 c [ 8 , 11 , 12 , 13 , 17 , 19 , 20 ]. The authors of these papers expressly recognize the approach as being a simplified version of an underlying quantitative matrix. Mathematical justification for the approaches in Figure 3 b and Figure 3 c has been provided by Rausand [ 6 ] (pp. 102–103) and Cox [ 13 ], respectively.

The next challenge is to determine how to distinguish the cells for highest risk (colored red) from cells with lower risks (colored green). One approach is to follow the axioms developed by Cox [ 13 ]; the other approach is to use the iso-risk contour-based method [ 14 , 24 ]. The RAM in Figure 1 was created using the iso-risk contour method by which green cells were located below or left of the iso-risk line 20, and red cells were located above and right of the iso-risk line 45. For cells bifurcated by an iso-risk line, color was assigned based on the side of the line with the largest area of the cell.

Referring to the RAM in Figure 1 , the cells colored green have risk values per Equation (1) in the range 0–24, while the red cells have risk values in the range 36–100. The red-color band includes the upper right cell plus three adjacent cells. All cells not colored green or red are assigned the color yellow.

Breaking each axis into categories defined as portions of the full range helps with usability by the risk-assessment teams, first, by not asking assessors to understand the underlying mathematics, and, second, by not expecting them to spend countless hours discussing the precise number to use for each row and column value. Discussions of RAMs frequently include a distinction between qualitative and quantitative forms. A quantitative RAM, for example, has probability values for the row categories, monetary values for the columns, and the cell values are computed with Equation (1) resulting in risk values in monetary units. Qualitative RAMs have rows and columns defined nominally and cells assigned risk categories such as high, medium, and low [ 2 , 17 ]. Cox, Babayev, and Huber [ 17 ] provide examples of regulatory agencies that use this approach. A third form of RAM, often called semi-quantitative, has each axis divided into ordered categories and assigned numerical values based on their order. Figure 3 a,b are examples. A fourth type of RAM, illustrated in Figure 1 and Figure 3 c, consists of (i) both axes using linear scaling and the same range (e.g., 0–10), and (ii) risk indicated by the product of the respective row and column values. Appendix A provides a conceptual explanation of how this fourth type of RAM can approximate an underlying quantitative relationship based on Equation (1).

The domain of application may, or may not, warrant different matrices. Employers using, or planning to adopt, a RAM need to ponder some things about the hazards involved [ 8 , 11 ]. In what kind of industry will the RAM be used? For what types of hazards will the RAM be used as a tool for risk assessment? Related to this issue is the temptation to have one RAM for all applications in the organization. This approach has been criticized by multiple authors who recommend different RAMs for different consequences, e.g., employee safety, property damage, environmental harm, business interruption, or community relations [ 9 , 14 , 15 ]. Baybutt [ 10 ] recognized the pitfalls of using one matrix for diverse domains and proposed a method for calibrating the matrix for different domains within an organization.

Another domain-related matter is defining the role of risk-scoring using the RAM to drive the decision on tolerability of a particular risk. Multiple authors advise against using locations on a RAM (risk band) as the decision maker for tolerability of a hazard [ 8 , 11 , 12 , 13 ]. The concern about this is it extends the responsibility of risk-assessment team members to doing both the risk assessments (Process 3) and making decisions about tolerability (Process 4) without having all the information needed such as cost-benefit information.

1.3. Usability Issues

Members of a risk-assessment team will likely have differing opinions on assigning a hazard to a specific cell in their matrix. For that reason, RAMs should be designed to help the team members decide on the most appropriate row and column category. Three matrix attributes for helping risk-assessment team members make accurate and precise assignments to row and column categories are having: (i) a clear order to categories in each axis, (ii) descriptions of each category so that categories are distinguishable, and (iii) header terms that are clearly ordered and distinguishable. The third of these attributes has been the subject of only one previous study [ 21 ], and that was based on a survey of undergraduate OSH students. That left open an issue of how closely results of the undergraduate survey might correspond to ratings by individuals with OSH-related work experience.

Multiple usability issues involve the accuracy and precision of risk based on the judgment of risk-assessment teams. These estimates of risk are used by some organizations to help set priorities for corrective actions. A second use is to help decide if the risk-reduction tactics have reduced the risk of a hazard to the level of being tolerable or acceptable. Both uses are important to employee safety and health [ 9 , 11 , 12 , 13 , 14 , 15 , 16 , 17 , 18 , 19 , 20 , 21 , 22 , 23 ]. An example opinion expressed by Ale, Burnup, and Slater [ 9 ] is that using RAMs to prioritize risk-reduction processes may provide informative input, but should not be taken as a primary driver for prioritization. Similar opinions by other authors are that risk levels resulting from a risk-assessment team are not sufficiently accurate or precise to rely on as a sole determinant of risk tolerability [ 12 , 13 ]. Four implications of these opinions are that organizations need to make strong efforts to achieve accurate and precise entries into RAMs by (i) assigning competent individuals to risk-assessment teams, (ii) training risk-assessment team members for improving both accuracy and precision of assessments, (iii) providing team members with adequate time to do their assessments well, and (iv) adopting RAMs designed for usability.

The complexity of RAMs can contribute to usability. The form used in Figure 1 of this paper was based on both axes being linear and having equal ranges. Cox [ 13 ] presents justification for using that form of RAM for reasons including understandability, simplicity, and usability by risk assessors dealing with occupational hazards. He advises that three colored bands should be enough for RAMs designed for people estimating the row and column categories for a particular hazard. Cox also explained a rule to avoid having a green cell share an edge with a red cell. This reflects the reality that a risk-assessment team cannot be expected to reliably distinguish between adjacent categories of either scale. Having green and red cells share an edge invites misclassification errors, or what the human factors practitioners call design-induced errors.
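
The iso-risk banding described for Figure 1 and the rule above that a green cell should not share an edge with a red cell can both be checked mechanically. The following Python is an added example, not code from the paper; the function names and the closed-form area calculation used for cells cut by an iso-risk line are choices made for this example.

```python
import math

BOUNDS = [0, 2, 4, 6, 8, 10]  # five equal-width categories on a 0-10 axis
MIDPOINTS = [(a + b) / 2 for a, b in zip(BOUNDS, BOUNDS[1:])]  # 1, 3, 5, 7, 9
GREEN_LINE = 20               # iso-risk line Row x Column = 20
RED_LINE = 45                 # iso-risk line Row x Column = 45


def area_below(k, x0, x1, y0, y1):
    """Area of the cell [x0, x1] x [y0, y1] on the low-risk side x*y < k."""
    x_full = k / y1                          # left of x_full the full cell height is below the line
    x_none = k / y0 if y0 > 0 else math.inf  # right of x_none nothing is below the line
    area = max(0.0, min(x1, x_full) - x0) * (y1 - y0)
    lo, hi = max(x0, x_full), min(x1, x_none)
    if hi > lo:
        # Between lo and hi the curve y = k/x cuts the cell: integrate (k/x - y0) dx.
        area += k * math.log(hi / lo) - y0 * (hi - lo)
    return area


def band(row, col):
    """Colour of one cell; row = likelihood category, col = severity category (0-4)."""
    x0, x1 = BOUNDS[col], BOUNDS[col + 1]
    y0, y1 = BOUNDS[row], BOUNDS[row + 1]
    half = (x1 - x0) * (y1 - y0) / 2
    if area_below(GREEN_LINE, x0, x1, y0, y1) > half:
        return "green"   # larger part of the cell is below/left of line 20
    if area_below(RED_LINE, x0, x1, y0, y1) < half:
        return "red"     # larger part of the cell is above/right of line 45
    return "yellow"


def build_matrix():
    """5 x 5 list of colours, indexed [row][col] from lowest to highest category."""
    n = len(BOUNDS) - 1
    return [[band(r, c) for c in range(n)] for r in range(n)]


def midpoint_indicator(row, col):
    """Figure 3c style risk indicator: product of the category mid-range values."""
    return MIDPOINTS[row] * MIDPOINTS[col]


def risk_range(matrix, colour):
    """(lowest, highest) Row x Column value reachable inside cells of one colour."""
    cells = [(r, c) for r, line in enumerate(matrix)
             for c, value in enumerate(line) if value == colour]
    low = min(BOUNDS[r] * BOUNDS[c] for r, c in cells)
    high = max(BOUNDS[r + 1] * BOUNDS[c + 1] for r, c in cells)
    return low, high


def green_red_edges(matrix):
    """Edge-sharing cell pairs coloured green and red; the rule wants an empty list."""
    n = len(matrix)
    bad = []
    for r in range(n):
        for c in range(n):
            for dr, dc in ((0, 1), (1, 0)):   # neighbour to the right, neighbour above
                rr, cc = r + dr, c + dc
                if rr < n and cc < n and {matrix[r][c], matrix[rr][cc]} == {"green", "red"}:
                    bad.append(((r, c), (rr, cc)))
    return bad


if __name__ == "__main__":
    m = build_matrix()
    for r in reversed(range(len(m))):         # print the highest likelihood row first
        print("  ".join(f"{m[r][c]:>6}:{midpoint_indicator(r, c):>3.0f}"
                        for c in range(len(m))))
    print("green range", risk_range(m, "green"), "red range", risk_range(m, "red"))
    print("green/red shared edges:", green_red_edges(m))
```

Changing `GREEN_LINE`, `RED_LINE` or `BOUNDS` (for example to unequal category widths) and re-running `green_red_edges` shows whether a candidate design still keeps a yellow buffer between the green and red bands.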

The matrix format in Figure 3 c has been discussed by numerous authors in papers about the spacing of categories [ 8 , 9 , 10 , 11 , 12 , 13 , 14 ]. A strength of this format is providing flexibility for a RAM designer to define the number of categories in each row and each column. While the common practice is to make equal width categories, unequal width categories may be used. For example, a five-category severity axis could be grouped so that the least harm category has the narrowest range while the greatest harm category has the widest range. Another example is setting the upper bounds of five likelihood categories at 1, 3, 5, 7, 10 [ 23 ]. Pons proposed simplifying required risk assessments by defining severity categories to align with those found in the applicable legislation [ 15 ].

Thus far in this article, the topic has been exclusively about two-dimensional risk matrices. These have been criticized for not including enough factors; in particular, the dimension of exposure is not included [ 11 , 21 ]. This concern may be addressed by either incorporating exposure into the likelihood dimension or adding a third dimension to account for extent of exposure. Terms for such a dimension were included in both the earlier study [ 21 ] and this follow-on study.

Another usability issue for RAM designers—selecting the terms for row and column headers—is an important attribute of RAMs that has received little attention. Duijm [ 11 ] commented that “the ways axis categories are defined and described” affects the subjective row and column category assignments. Baybutt [ 8 ] states that “different terms should not be used when the same meaning is intended”. He offered as an example naming adjacent severity categories with terms having essentially the same meaning, citing as examples significant injury and major injury. Duijm [ 11 ] pointed out the need to name categories on a single axis with clearly different descriptors and offered the following examples of misnaming adjacent categories by using terms that are listed as synonyms in a dictionary.

  • Improbable and seldom.
  • Often, frequent, and probable.
  • Disastrous and catastrophic.

Although Duijm’s examples were based on synonyms found in a dictionary, further support was subsequently provided by the survey of undergraduate OSH students reported by Jensen and Hansen [ 21 ]. They found that ratings on a 100-point likelihood scale were very close for the words improbable and seldom (mean 18.7 vs. 19.7 and median 20 vs. 18) as well as for frequent and probable (mean 72.0 vs. 68.2 and median 72.5 vs. 70.0). These authors also pointed out that MIL-STD-882E [ 22 ] uses the synonyms frequent and probable as labels for adjacent probability categories [ 21 ].

1.4. Reasons for a Second Survey

The previous recommendations were based on a survey completed by 84 undergraduate OSH students. The authors of that paper used the results to develop multiple sets of recommendations for RAMs of different sizes. Table 1 enumerates the number of categories and recommended word sets for each of the matrix axes studied. Examples of word sets are in Figure 4 along with mean ratings on a 100-point scale.

Figure 4. Example sets of terms based on means; adapted from prior study by Jensen and Hansen [ 21 ]: ( a ) set of four for severity, ( b ) set of four for probability, ( c ) set of four for likelihood, and ( d ) set of three for extent of exposure.

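Table 1. Word sets recommended are adapted from the paper by Jensen and Hansen [ 21 ] and organized in this table by number of categories in the axis.

| Axis Parameter | Number of Categories | Number of Sets Recommended | Example |
|---|---|---|---|
| Severity | Three | 3 | |
| | Four | 1 | a |
| | Five | 2 | |
| Probability | Three | 1 | |
| | Four | 1 | b |
| | Five | 1 | |
| | Six | 1 | |
| Likelihood | Three | 1 | |
| | Four | 1 | c |
| | Five | 1 | |
| | Six | 1 | |
| Extent of Exposure | Two | 1 | |
| | Three | 2 | d |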

We undertook this survey with the aim of confirming or improving the prior recommended sets of terms [ 21 ] by using findings from a survey of people experienced in an OSH-related field and enrolled in an online graduate level course in industrial hygiene.

2. Materials and Methods

2.1. The Survey Instrument

An online survey was developed for this project. It asked respondents to rate various terms using a 100-point semantic differential scale available in the survey platform Qualtrics (Provo, Utah). It involved a linear rating scale with a mouse-controlled slide for indicating a rating from zero to 100. The end points were labeled with the bipolar descriptors below.

  • For rating severity terms, the end points were No harm and Worst harm.
  • For likelihood and probability terms, the end points were Impossible and Certain.
  • For extent of exposure terms, the end points were No exposure and Constant exposure.

The survey instrument was designed to present sequential screens known as blocks. Figure 5 depicts how the blocks were arranged. Respondents were instructed to respond to a single item before advancing to another item. Respondents were not allowed to go backward to reconsider a term already rated.

Figure 5. Organisation of survey instrument.

Two surveys, identified as A and B, were created with identical material in Blocks 1 through 10. The terms rated were the same in both surveys with one unintended exception. One survey used minor harm, the other used minor damage. Within the categories (likelihood/probability, severity, and extent of exposure), the order of presentation was randomized for each survey. For example, the severity terms in Survey A were presented in random order, and the severity terms in Survey B were determined by a different random order.

The study was conducted according to the guidelines of the Declaration of Helsinki and approved by the Institutional Review Board of the University of Montana (protocol code 39-21, dated 21 February 2021). The approval was under the exempt category according to the U. S. Code of Federal Regulations, Part 42, section 104 (d).

2.2. Rationale for Terms Included in the Survey

The terms selected for this follow-on survey included a mix of identical terms, different terms, and some modified words. Table 2 lists the probability-based terms on the left and the likelihood terms on the right. Three probability-based terms were highly probable, probable, and improbable. The fourth term, remote, was in both surveys but, in the first survey, it was among the extent of exposure terms using a scale with end points No exposure and Constant exposure. In addition to remote, this second survey had six terms not previously studied. The term almost incredible was omitted from both lists for two reasons. One was that incredible means not credible and, according to Baybutt [ 8 ], events that are not credible should be excluded from risk analysis. Two, the prior study [ 21 ] found incredible had a very large standard deviation resulting from confusion among respondents as to whether it means near zero or near 100. In search of terms to replace almost incredible, we added extremely unlikely and extremely improbable to the second survey. In the prior survey, the lowest mean rating for a probability scale (14.3) was highly improbable. We sought an alternative term that would receive lower ratings, so we added extremely improbable, and, to mirror that on the high end of the rating scale, we added extremely probable.

Table 2. Probability-based terms and likelihood-based terms in the survey and whether the terms are the same or different from the prior survey by Jensen and Hansen [ 21 ].

| Probability Term Studied | Same | Different | Likelihood Term Studied | Same | Different |
|---|---|---|---|---|---|
| Highly probable | X | | Highly likely | X | |
| Probable | X | | Likely | X | |
| Improbable | X | | Somewhat likely | X | |
| Remote | | X | Somewhat unlikely | X | |
| Fairly normal | | X | Unlikely | X | |
| Moderately probable | | X | Certain | X | |
| Extremely probable | | X | Almost certain | X | |
| Extremely improbable | | X | Extremely unlikely | | X |
| Somewhat probable | | X | Extremely likely | | X |
| Somewhat improbable | | X | Moderately likely | | X |
| | | | Fairly normal | | X |
| | | | Very unlikely | | X |
| | | | Very likely | | X |

Table 3 lists severity terms on the left and extent of exposure terms on the right. All severity terms were the same in both surveys with minor modifications. Among the extent of exposure terms in Table 3 , a group of five were modified by adding “ly” to the end. A second group of four terms were modified by adding “exposed” to clarify that the intended meaning was how often exposure to the hazard occurred.

Table 3. Terms in the survey for severity of harm and extent of exposure along with indicating if same or changed from prior survey by Jensen and Hansen [ 21 ].

| Severity: Current Study Term | Severity: Prior Study | Extent of Exposure: Current Study Terms | Extent of Exposure: Prior Study Terms |
|---|---|---|---|
| Catastrophic | Same | Very frequently | Very frequent |
| Medical treatment case | Same | Frequently | Frequent |
| Severe | Same | Somewhat frequently | Somewhat frequent |
| Moderate | Same | Infrequently | Infrequent |
| Minor damage | Same | Very infrequently | Very infrequent |
| Insignificant | Same | | |
| Serious | Same | Regularly exposed | Regularly |
| Severe loss | Same | Occasionally exposed | Occasionally |
| Major damage | Same | Seldom exposed | Seldom |
| Negligible | Same | Rarely exposed | Rarely |
| Permanent injury/illness | Same | | |
| Critical | Same | Annually | Same |
| Minor | Same | Monthly | Same |
| Death of a person ¹ | Same | Weekly | Same |
| First aid only case | Same | Daily | Same |
| Marginal | Same | | |

¹ Prior survey used the term “Death of one person”.

A third group of exposure terms consisted of four calendar-related terms (daily, weekly, monthly, annually). These were unchanged, because the authors of the earlier paper suggested that mixing these terms randomly within all the other extent of exposure terms might have influenced rating. In order to check this, the four terms were presented together as the final four rating items. Survey A and Survey B presented these four terms in different orders.

2.3. Procedures

An invitation to participate in a survey was extended to 98 individuals who were: (i) taking a Montana Technological University online course in industrial hygiene during spring semester 2021, (ii) engaged in a Master of Science program in industrial hygiene, and (iii) met the admission requirement of having at least two years of experience working in an occupational safety and health related job. In order to increase the response rate, the course instructors emailed their enrollees to watch for an invitation. None of the online courses were being taught by any of the researchers.

About two days after the notification emails, each student was sent a personal email invitation from the researchers to participate. The invitation did not contain any inducement to participate, such as points in their course grade, money, or other. Six or seven days after the invitation emails, the course instructors sent a second email to all their enrollees reminding them to consider participating if they had not already done so.

The 98 individuals were listed in a numbered order. Those with an odd number were sent a link to Survey A, while those with an even number were sent a link to Survey B. The individuals who chose to participate took the survey online. After starting the survey, respondents could stop at any point and their ratings were retained in the data set.

Analyses included reporting means, standard deviations, and medians for each term. Ratings for identical terms used in both surveys were compared using the Mann–Whitney test of medians [ 25 ]. The null hypothesis was the two data sets had equal medians while the alternate hypothesis was the two medians were not equal.

3.1. Demographics of Respondents

The survey contained questions asking respondents for information about their personal attributes, most experience area of practice, and their present employment sector. For the personal attribute questions, items asked for first language, gender, and the ethnicity they most identify with. The age distribution, in decades, is provided in the left side of Table 4 . The ages ranged from 26 to 60 with a mean of 38.9. For the question asking about language, 34 of 37 (91.1%) reported having English as their first language. For the three who reported other than English, their reported languages were Spanish, Chinese, and Yoruba.

Attributes of respondents.

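| Age | N | Prct. | Gender | N | Prct. | Ethnicity or Race | N | Prct. |
|---|---|---|---|---|---|---|---|---|
| 60–69 | 1 | 2.7 | Male | 25 | 69.4 | White/Caucasian | 27 | 75.0 |
| 50–59 | 5 | 13.5 | Female | 11 | 30.6 | Hispanic/Latinx | 4 | 11.1 |
| 40–49 | 11 | 29.7 | Decline | 1 | NA | Asian | 3 | 8.3 |
| 30–39 | 12 | 32.4 | | | | Native American ¹ | 1 | 2.8 |
| 20–29 | 8 | 21.6 | | | | Other (African) | 1 | 2.8 |
| Total | 37 | 99.9 ² | | 37 | 100.0 | | 36 | 100.0 |

¹ The category included native Americans and native Alaskans.
² Not precisely 100.0 due to rounding.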

When asked what ethnicity they identified with, the options were White/Caucasian, Hispanic/Latinx, Asian, Black/African-American, Native American/Native Alaskan, Hawaiian/Pacific Islander, and Other. One respondent provided no answer making a total of 36. A respondent who chose “Other” reported being African. No respondents chose Black/African American or Hawaiian/Pacific Islander. The numbers and percentages are listed in the right side of Table 4 .

For their OSH-related work experience, the survey asked respondents for the practice area where they had the most experience. Responses are in the left side of Table 5 . The first three experience areas listed in Table 5 are traditional categories of practice of occupational safety and health. These three accounted for 29 of the 37 (78.4%) respondents. Six others chose environmental protection. The survey category “Responder” was further defined in the survey to include emergency medical technicians, police, and firefighters. One respondent selected this area of practice.

Most experience area of practice and current employment sector.

| Most Experience | N | Prct. | Sector Employed | N | Prct. |
|---|---|---|---|---|---|
| Occupational Safety | 5 | 13.5 | Private Industrial | 9 | 25.0 |
| Industrial Hygiene | 12 | 32.4 | Private Commercial | 5 | 13.9 |
| Occupational S&H Combined | 12 | 32.4 | Education | 4 | 11.1 |
| Environmental Protection | 6 | 16.2 | Federal Military | 3 | 8.3 |
| Responder | 1 | 2.7 | Federal Non-Military | 7 | 19.4 |
| Other (not specified) | 1 | 2.7 | Non-Federal Government | 7 | 19.4 |
| | | | Other | 1 | 2.8 |
| Total | 37 | 99.9 ¹ | Total | 36 | 99.9 ¹ |

¹ Not precisely 100.0 due to rounding.

The survey asked respondents about their current sector of employment. Results are in the right side of Table 5 . The government category included Federal military (3) and Federal Non-Military (7). The latter consisted of six in other-than-public health and one in public health. The employment category Non-Federal Government had seven respondents, three employed in local (city/county) and four in state/provincial governments. The survey had options for healthcare and for environmental restoration that received zero responses. When asked about experience participating on a risk-assessment team, 27 of 37 (73.0%) reported having served on a risk-assessment team.

3.2. Ratings of Terms in Present Survey

Ratings of the terms are in Table 6, Table 7, Table 8 and Table 9 for severity terms, probability terms, likelihood terms, and extent of exposure terms, respectively. All tables list the number of ratings (N), mean, standard deviation, and median. The order is according to the median. Where terms had equal medians, their order is according to mean rating.

Ratings of severity terms ordered by median.

| Term Rated | N | Mean | St. Dev. | Median |
|---|---|---|---|---|
| Death of a person ¹ | 32 | 99.7 | 1.4 | 100.0 |
| Catastrophic | 33 | 96.4 | 6.5 | 100.0 |
| Permanent Injury/Illness | 33 | 87.3 | 18.9 | 92.0 |
| Severe Loss | 34 | 77.1 | 11.8 | 85.0 |
| Critical | 34 | 78.9 | 13.4 | 81.0 |
| Severe | 34 | 77.1 | 11.8 | 80.0 |
| Serious | 34 | 71.0 | 13.8 | 70.0 |
| Major Damage | 30 | 71.3 | 17.0 | 70.5 |
| Medical Treatment Case | 34 | 57.4 | 19.1 | 60.0 |
| Moderate | 34 | 44.9 | 12.6 | 50.0 |
| First Aid Only Case | 34 | 25.9 | 16.4 | 24.5 |
| Marginal | 33 | 26.4 | 12.8 | 21.0 |
| Minor Damage | 33 | 22.9 | 8.7 | 20.0 |
| Minor | 33 | 20.6 | 10.1 | 20.0 |
| Negligible | 29 | 21.3 | 26.0 | 10.0 |
| Insignificant | 26 | 10.5 | 16.5 | 5.5 |

¹ All ratings for Death of a person were 100 or 99 except one extreme outlier of 3 was removed from the data set prior to analyses.

Ratings for probability terms ordered by median.

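| Term Rated | N | Mean | St. Dev. | Median |
|---|---|---|---|---|
| Certain | 31 | 95.1 | 12.4 | 100.0 |
| Extremely Probable | 31 | 93.9 | 4.9 | 95.0 |
| Almost Certain | 33 | 92.1 | 7.0 | 94.0 |
| Highly Probable | 30 | 87.8 | 7.9 | 88.5 |
| Probable | 31 | 65.4 | 16.8 | 67.0 |
| Moderately Probable | 30 | 61.1 | 14.2 | 57.5 |
| Somewhat Probable | 28 | 57.3 | 15.0 | 56.0 |
| Fairly Normal | 31 | 53.5 | 22.7 | 51.0 |
| Somewhat Improbable | 31 | 28.5 | 14.2 | 22.0 |
| Remote | 30 | 25.1 | 22.4 | 16.5 |
| Improbable | 27 | 14.1 | 9.3 | 10.0 |
| Extremely Improbable | 25 | 15.2 | 24.9 | 6.0 |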

Ratings for likelihood terms ordered by median.

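| Term Rated | N | Mean | St. Dev. | Median |
|---|---|---|---|---|
| Certain | 31 | 95.1 | 12.4 | 100.0 |
| Almost Certain | 33 | 92.1 | 7.0 | 94.0 |
| Extremely Likely | 30 | 87.0 | 16.4 | 90.0 |
| Highly Likely | 31 | 84.2 | 9.4 | 81.0 |
| Likely | 31 | 67.2 | 16.9 | 65.0 |
| Moderately Likely | 31 | 56.9 | 12.5 | 55.0 |
| Fairly Normal | 31 | 53.5 | 22.7 | 51.0 |
| Somewhat Likely | 31 | 45.5 | 16.4 | 40.0 |
| Somewhat Unlikely | 32 | 24.8 | 13.0 | 25.5 |
| Unlikely | 27 | 20.8 | 12.3 | 20.0 |
| Remote | 30 | 25.1 | 22.4 | 16.5 |
| Extremely Unlikely | 28 | 15.9 | 26.7 | 7.0 |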

Ratings of extent of exposure ordered by median.

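| Term Rated | N | Mean | St. Dev. | Median |
|---|---|---|---|---|
| Daily ¹ | 30 | 90.1 | 12.2 | 94.0 |
| Very Frequently | 31 | 80.8 | 17.0 | 82.0 |
| Regularly Exposed | 30 | 75.1 | 18.7 | 77.5 |
| Frequently | 31 | 72.7 | 16.2 | 75.0 |
| Weekly ¹ | 30 | 64.6 | 21.4 | 70.5 |
| Somewhat Frequently | 31 | 56.7 | 16.2 | 60.0 |
| Monthly ¹ | 31 | 42.4 | 18.3 | 44.0 |
| Occasionally exposed | 31 | 39.2 | 24.8 | 31.0 |
| Somewhat Infrequently | 31 | 30.1 | 17.6 | 27.0 |
| Infrequently | 30 | 22.2 | 16.1 | 20.5 |
| Annually ¹ | 30 | 21.9 | 17.7 | 19.0 |
| Seldom Exposed | 31 | 17.4 | 19.3 | 11.0 |
| Very Infrequently | 29 | 14.7 | 21.0 | 10.0 |
| Rarely Exposed | 25 | 9.6 | 11.4 | 6.0 |

¹ Calendar-based Terms.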

Four terms were included in both Table 6 and Table 7 because these terms have meanings equally applicable to likelihood and probability. These terms were Certain, Almost Certain, Remote, and Fairly Normal.

Terms in each survey for extent of exposure are listed in Table 9. Four terms are expressed in terms of typical exposures (regularly exposed, occasionally exposed, seldom exposed, and rarely exposed). Five terms are for calendar-based exposures (daily, weekly, monthly, and annually). Four terms are for frequency-based exposures (very frequently, somewhat frequently, somewhat infrequently, infrequently, and very infrequently).

3.3. Parallel Wording

A consideration for selecting terms for likelihood and probability scales may include using one or more of the seven pairs of terms having parallel versions. All seven pairs of terms were rated using the same rating scale. The horizontal bar chart in Figure 6 provides a visual comparison, with the upper bar (gray) for the likelihood term and the lower bar (blue) for the comparable probability term. Four of the seven terms had closely matched medians.

Bar chart comparing median ratings of likelihood and probability terms obtained in two surveys.

  • Extremely improbable and extremely unlikely: (median 6, 7|mean 15.2, 15.9).
  • Somewhat improbable and somewhat unlikely: (median 22, 25.5|mean 28.5, 24.8).
  • Moderately probable and moderately likely: (median 57.5, 55|mean 61.1, 56.9).
  • Probable and likely: (median 67, 65|mean 65.3, 67.2).

The three parallel terms listed below had medians that were not as closely matched as the four above.

  • Highly probable and highly likely: (median 88.5, 81|mean 87.1, 84.2).
  • Improbable and unlikely: (median 10, 20|mean 14.1, 20.8).
  • Somewhat probable and somewhat likely: (median 56, 40|mean 57.2, 45.6).

3.4. Rating from Two Surveys Compared

Comparisons between median ratings from the undergraduates in the prior study [ 21 ] with ratings of corresponding terms in the present survey are provided in three tables: Table 10 for severity, Table 11 for probability and likelihood terms, and Table 12 for extent of exposure terms. Each table includes term-specific means, medians, difference in medians, and percentage difference. The Mann–Whitney test of medians identified different medians using the 0.05 level of significance (adjusted for ties) [ 25 ]. The order of terms in each table was based on difference in medians. For terms with equal differences, the order was based on largest to smallest p-value from the Mann–Whitney test.

Ratings for severity terms from the prior survey of undergraduates by Jensen and Hansen [ 21 ] compared to present survey of experienced graduate students, ordered by difference (∆) in median rating.

| Terms for Severity of Harm | Previous Survey (Undergraduates): Mean | Previous Survey (Undergraduates): Median | Present Survey (Experienced): Mean | Present Survey (Experienced): Median | ∆ Medians ¹ | % Diff ² |
|---|---|---|---|---|---|---|
| Minor | 21.8 | 20 | 20.6 | 20 | 0.0 | 0.0 |
| Catastrophic | 96.8 | 100 | 96.4 | 100 | 0.0 | 0.0 |
| Minor damage | 25.0 | 20 | 22.3 | 20 | 0.0 | 0.0 |
| Negligible | 15.7 | 10 | 21.3 | 10 | 0.0 | 0.0 |
| Moderate | 48.9 | 50 | 44.9 | 50 | 0.0 | 0.0 |
| Death of one person ³ | 97.1 | 100 | 99.8 | 100 | 0.0 | 0.0 * |
| Serious | 74.9 | 74 | 71.0 | 70 | 4.0 | −5.4 |
| Permanent Injury/illness | 94.4 | 96 | 87.3 | 92 | 4.0 | −4.2 |
| Severe | 83.8 | 84 | 77.1 | 80 | 4.0 | −4.8 * |
| Insignificant | 12.6 | 10 | 10.5 | 5.5 | 4.5 | −45.0 * |
| Severe loss | 86.9 | 90 | 85.1 | 85 | 5.5 | −5.6 * |
| Critical | 84.5 | 90 | 78.9 | 81 | 9.0 | −10.0 * |
| Marginal | 32.9 | 31 | 24.8 | 21 | 10.0 | −32.3 * |
| First aid only case | 41.8 | 37.5 | 25.9 | 24.5 | 13.0 | −34.7 * |
| Medical treatment case | 74.0 | 74 | 57.4 | 60 | 14.0 | −18.9 * |
| Major damage | 81.7 | 86 | 71.3 | 70.5 | 15.5 | −18.0 * |

¹ Previous survey median minus present survey median.
² Percent difference = 100 ((Median1 − Median2)/Median1).
³ Present survey used “Death of a person” whereas prior survey used “Death of one person”. This may be the reason the difference tested significant.
* indicates significant difference at p < 0.05 according to Mann–Whitney test of medians.

Ratings for likelihood and probability terms from the prior survey of undergraduates by Jensen and Hansen [ 21 ] compared to present survey of experienced graduate students, ordered by difference (∆) in median rating.

| Terms for Likelihood and Probability | Previous Survey (Undergraduates): Mean | Previous Survey (Undergraduates): Median | Present Survey (Experienced): Mean | Present Survey (Experienced): Median | ∆ Medians ¹ | % Diff ² |
|---|---|---|---|---|---|---|
| Certain | 94.9 | 100.0 | 95.1 | 100.0 | 0.0 | 0.0 |
| Highly Likely | 80.7 | 80.5 | 84.2 | 81.0 | −0.5 | −0.6 |
| Unlikely | 24.9 | 21.0 | 20.8 | 20.0 | 1.0 | 4.8 |
| Probable | 67.4 | 70.0 | 65.4 | 67.0 | 3.0 | 4.3 |
| Likely | 65.2 | 70.0 | 67.2 | 65.0 | 5.0 | 4.8 |
| Highly Probable | 81.7 | 82.0 | 87.8 | 88.5 | −6.5 | −7.9 * |
| Somewhat Unlikely | 34.4 | 34.0 | 24.8 | 25.5 | 8.5 | 25.0 * |
| Almost Certain | 81.4 | 85.0 | 92.1 | 94.0 | −9.0 | −10.6 * |
| Improbable | 18.7 | 20.0 | 14.1 | 10.0 | 10.0 | 50.0 * |
| Somewhat Likely | 53.4 | 60.0 | 45.5 | 40.0 | 20.0 | 33.3 * |

¹ Previous survey median minus present survey median.
² Percent difference = 100 ((Median1 − Median2)/Median1).
* indicates significant difference at p < 0.05 according to Mann–Whitney test of medians.

Ratings for extent of exposure terms from the prior survey of undergraduates by Jensen and Hansen [ 21 ] compared to present survey of experienced graduate students, ordered by difference (∆) in median rating.

| Term for Extent of Exposure | Previous Survey (Undergraduates): Mean | Previous Survey (Undergraduates): Median | Present Survey (Experienced): Mean | Present Survey (Experienced): Median | ∆ Medians ¹ | % Diff ² |
|---|---|---|---|---|---|---|
| Very Infrequently | 15.0 | 10.0 | 14.7 | 10.0 | 0.0 | 0.0 |
| Infrequently | 23.1 | 20.0 | 22.2 | 20.5 | −0.5 | −2.5 |
| Weekly | 65.9 | 70.0 | 62.5 | 70.5 | −0.5 | −0.7 |
| Somewhat Frequently | 54.0 | 59.5 | 56.7 | 60.0 | −0.5 | −0.8 |
| Regularly Exposed | 74.1 | 74.0 | 75.1 | 77.5 | −3.5 | −4.7 |
| Frequently | 72.0 | 72.5 | 72.7 | 75.0 | −2.5 | −3.4 |
| Remote ³ | 16.7 | 14.0 | 25.1 | 16.5 | −2.5 | −17.9 |
| Daily | 86.8 | 90.0 | 90.1 | 94.0 | −4.0 | −4.4 |
| Occasionally exposed | 39.6 | 36.0 | 39.2 | 31.0 | 5.0 | 13.9 |
| Monthly | 49.3 | 50.0 | 42.4 | 44.0 | 6.0 | 12.0 |
| Very Frequently | 85.0 | 88.5 | 80.8 | 82.0 | 6.5 | 7.3 |
| Seldom Exposed | 19.7 | 18.0 | 17.4 | 11.0 | 7.0 | 38.9 * |
| Rarely Exposed | 15.6 | 14.0 | 9.6 | 6.0 | 8.0 | 57.1 * |
| Annually | 36.2 | 29.5 | 21.9 | 19.0 | 10.5 | 35.6 * |

¹ Previous survey median minus present survey median.
² Percent difference = 100 ((Median1 − Median2)/Median1).
³ Remote rated on likelihood scale in previous survey, but on extent of exposure scale in present survey.
* indicates significant difference at p < 0.05 according to Mann–Whitney test of medians.

4. Discussion

This study was undertaken with the primary aim of confirming or improving the initial sets of terms [ 21 ] recommended for naming the rows and columns of risk assessment matrices by using findings from a survey of people experienced in an OSH-related field and enrolled in a graduate level course in industrial hygiene. Their recommendations were based on a survey of undergraduate OSH students. In contrast, this follow-on study was used to survey a sample of people with OSH-related experience. Based on findings of the follow-on survey, the authors (i) discuss their rationale for selectively removing some terms from further consideration due primarily to weak consistency between the two surveys, (ii) consider calendar-based terms, and (iii) comment on limitations of the investigation.

4.1. Selectively Removing Terms

A desirable attribute of terms to recommend for RAMs is consistency among different populations. For this study, a measure of consistency is the difference in medians between the prior and the present surveyed populations. Medians have an advantage over means by minimizing the contribution of outlier ratings. To help make decisions about retaining or removing terms, results of the two surveys were compared with a view toward consistency. Data in Table 10 , Table 11 and Table 12 show results of comparing the two surveys. Although there is no natural difference in medians for separating those consistent versus inconsistent, after examining the comparison in those tables, the authors used judgment to sort terms into strong, moderate, and weak consistency, with the goal of removing those with weak consistency from recommendations.

Severity terms are in Table 10 along with term-specific differences in median (∆). Severity terms we classified as strongly consistent are: minor, catastrophic, minor damage, negligible, moderate, death of a person, serious, permanent injury/illness, severe, insignificant, and severe loss. These terms had differences in medians in the 0–5 range. Terms with moderate consistency were critical and marginal, with differences of nine and ten, respectively. Terms with weak consistency were first aid only case (∆ = 13), medical treatment case (∆ = 14), and major damage (∆ = 16), each with a difference greater than ten. We elected to remove the weak consistency terms for labeling the columns in a RAM. In addition, the terms major damage and minor damage were removed; if major damage is omitted, there is no need to retain minor damage, because it is redundant with the term minor, as both have medians of 20.

Likelihood terms and probability terms used in both surveys are in Table 11 . Terms we classified as strongly consistent were: certain, highly likely, unlikely, probable, likely and remote. These terms had differences in medians in the 0–5 range. Terms we classified as moderately consistent were: highly probable, somewhat unlikely, almost certain, and improbable. These terms had median differences in the 6–10 range. The only term in Table 11 considered weak in consistency, somewhat likely, had median ratings of 60 in the prior survey and 40 in the present survey (∆ = 20). This term was not preferred but was retained among terms to consider if no suitable alternative is identified.

4.2. Calendar-Based Terms

The four terms that express extent of exposure using calendar-based terms (daily, weekly, monthly, and annually) are appropriately considered as a group rather than being intermixed with other terms. The findings from the present survey show consistent spacing between these terms, specifically, the space between daily and weekly was 23.5, between weekly and monthly 26.5, and between monthly and annually 25. The authors of the prior paper [ 21 ] suggested that these terms might be rated differently if presented as a group, as was done in this survey. Table 13 provides comparative results. The difference supports consistency in order of medians and substantial consistency in median values. Differences between categories in the prior study were consistently 20 and 21. Those in the present survey were in the mid-twenties (23–27). It is concluded that these terms could be used to label a RAM with four categories and doing so would create acceptable spacing between categories.

Comparison of median ratings from the prior survey by Jensen and Hansen [ 21 ] and this follow-on survey for calendar-based terms.

| Term | Prior Survey Median | Present Survey Median | Difference |
|---|---|---|---|
| Daily | 90.0 | 94.0 | −4.0 |
| Weekly | 70.0 | 70.5 | 0.0 |
| Monthly | 50.0 | 44.0 | 6.0 |
| Annually | 29.5 | 19.0 | 10.5 |

4.3. Limitations

The survey described in this paper, and the prior survey, were based on target populations of people taking university courses. Because of that, we cannot generalize the findings to the diverse population of employed people who perform risk assessments in industry. For those actively involved in industrial risk assessment, their experience will have been influenced by their understanding of risk-related terminology. Moreover, because the risk-assessment terminology used in different industrial sectors is not uniform, we have no basis for expecting experienced risk assessors to have uniform or consistent understanding of the terms used in RAMs.

Another limitation is the number of respondents ( n = 37). We have no way of knowing if those who responded are representative of the 98 invited to take the survey. What we do know is the 37 who responded are, as a group, more experienced in OSH-related jobs than the undergraduates who typically have an internship or no experience working in OSH. The finding that the two responder groups were, for the most part, consistent in their median rating of most terms adds confidence in the recommendations developed from the prior study.

5. Recommendations

Recommendations are presented in Table 14, Table 15, Table 16 and Table 17 for severity terms, likelihood terms, probability terms, and extent of exposure terms, respectively. Each table lists the recommended sets of terms from the survey of undergraduates [ 21 ], the mean and the median of each term, the mean and median found in the present survey findings, and recommendations from the authors on each set. For severity sets in Table 14, findings from this follow-on survey are consistent with those of the prior survey [ 21 ]. Two changes for consideration are: in the second set replace severe loss with severe, and in the third set replace major damage with severe loss.

Sets of three, four, and five terms for severity as recommended in prior paper [ 21 ] compared to present survey with comments by the research team. Prior survey data adapted from Jensen and Hansen [ 21 ].

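Each set begins at the row that carries a recommendation.

| Sets of Terms from Prior Survey | Prior Survey: Mean | Prior Survey: Median | Survey of Graduates: Mean | Survey of Graduates: Median | Recommendations |
|---|---|---|---|---|---|
| Severe | 83.8 | 84 | 77.1 | 85.0 | Recommended with no change |
| Moderate | 48.9 | 50 | 44.9 | 50.0 | |
| Minor | 21.8 | 20 | 20.6 | 20.0 | |
| Severe loss | 86.9 | 85 | 77.1 | 85.0 | Recommended but replace severe loss with severe |
| Moderate | 48.9 | 50 | 44.9 | 50.0 | |
| Minor | 21.8 | 20 | 20.6 | 20.0 | |
| Major damage | 81.9 | 86 | 71.3 | 70.5 | Recommended for equipment, facilities, environment but not for human safety and health. |
| Moderate | 48.9 | 50 | 44.9 | 50.0 | |
| Minor damage | 25.6 | 20 | 22.9 | 20.0 | |
| Catastrophic | 96.9 | 100 | 96.4 | 100.0 | Recommended with no change |
| Serious | 74.9 | 74 | 71.0 | 70.0 | |
| Marginal | 32.9 | 31 | 26.4 | 21.0 | |
| Negligible | 15.7 | 10 | 21.3 | 10.0 | |
| Catastrophic | 96.9 | 100 | 96.4 | 100.0 | Recommended with no change |
| Severe | 83.3 | 84 | 77.1 | 80.0 | |
| Moderate | 48.9 | 50 | 44.9 | 50.0 | |
| Marginal | 32.9 | 31 | 26.4 | 21.0 | |
| Insignificant | 12.6 | 10 | 10.5 | 5.5 | |
| Catastrophic | 96.9 | 100 | 96.4 | 100.0 | Recommended with no changes |
| Serious | 74.9 | 74 | 71.0 | 70.0 | |
| Moderate | 48.9 | 50 | 44.9 | 50.0 | |
| Marginal | 32.9 | 31 | 26.4 | 21.0 | |
| Insignificant | 12.6 | 10 | 10.5 | 5.5 | |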

Sets of three, four, five and six terms for likelihood recommended in prior paper [ 21 ] compared to present survey with recommendations by the research team. Prior survey data adapted from Jensen and Hansen [ 21 ].

Each set begins at the row that carries a recommendation.

| Sets of Terms from Prior Survey | Prior Survey: Mean | Prior Survey: Median | Survey of Graduates: Mean | Survey of Graduates: Median | Recommendations |
|---|---|---|---|---|---|
| Highly likely | 80.7 | 80.5 | 84.2 | 81.0 | Recommended with options to consider in footnotes 1 and 2 |
| Somewhat likely ¹ | 53.6 | 60.0 | 45.5 | 40.0 | |
| Very unlikely ² | 14.6 | 11.0 | No match | No match | |
| Highly likely | 80.7 | 80.5 | 84.2 | 81.0 | Recommended with options to consider in footnotes 1 and 2 |
| Somewhat likely ¹ | 53.6 | 60.0 | 45.5 | 40.0 | |
| Somewhat unlikely | 34.4 | 34.0 | 24.8 | 25.5 | |
| Highly unlikely ² | 13.3 | 10.0 | No match | No match | |
| Certain | 96.0 | 100 | 95.1 | 100.0 | Recommended with options to consider in footnotes 1 and 2 |
| Highly likely | 80.7 | 80.5 | 84.2 | 81.0 | |
| Somewhat likely ¹ | 53.6 | 60.0 | 45.5 | 40.0 | |
| Somewhat unlikely | 34.4 | 34.0 | 24.8 | 25.5 | |
| Highly unlikely ² | 13.3 | 10.0 | No match | No match | |
| Highly likely | 80.7 | 80.5 | 84.2 | 81.0 | Recommended with options to consider in footnotes 1 and 2 |
| Likely | 66.0 | 70.0 | 67.2 | 65.0 | |
| Somewhat likely ¹ | 53.6 | 60.0 | 45.5 | 40.0 | |
| Somewhat unlikely | 34.4 | 34.0 | 24.8 | 25.5 | |
| Unlikely | 24.6 | 22.0 | 20.8 | 20.0 | |
| Highly unlikely ² | 13.3 | 10.0 | No match | No match | |

¹ A concern with the term somewhat likely is it had inconsistent ratings from the two survey populations (medians of 60 and 40). If an alternative is desired, the term moderately likely (mean 56.9, median 55) would be suitable.
² A term for the lowest likelihood category in a RAM could be any of three: very unlikely (11), extremely unlikely (7), or highly unlikely (10). Median ratings are in parentheses. The authors see no clear preference.

Sets of three, four, five, and six terms for probability recommended in prior paper [ 21 ] compared to present survey with comments by the research team. Prior survey data adapted from Jensen and Hansen [ 21 ].

Each set begins at the row that carries a recommendation.

| Sets of Terms from Prior Survey | Prior Survey: Mean | Prior Survey: Median | Survey of Graduates: Mean | Survey of Graduates: Median | Recommendations |
|---|---|---|---|---|---|
| Highly probable | 81.7 | 82 | 87.8 | 88.5 | Recommended with options to consider footnotes 1 and 2 |
| Occasionally ¹ | 40.2 | 36 | No match | No match | |
| Highly improbable ² | 14.3 | 10 | No match | No match | |
| Highly probable | 81.7 | 82 | 87.8 | 88.5 | Recommend with options to consider in footnotes 1 and 2. |
| Probable | 68.2 | 70 | 65.4 | 67.0 | |
| Occasionally ¹ | 40.2 | 36 | No match | No match | |
| Highly improbable ² | 14.3 | 10 | No match | No match | |
| Highly probable | 81.7 | 82 | 87.8 | 88.5 | Recommend with comments: Replace possible with somewhat probable (mean 57.3, median 56). Replace occasionally with somewhat improbable (mean 28.5, median 22). |
| Probable | 68.2 | 70 | 65.4 | 67.0 | |
| Possible | 59.4 | 60 | No match | No match | |
| Occasionally ¹ | 40.2 | 36 | No match | No match | |
| Highly improbable ² | 14.3 | 10 | No match | No match | |
| Certain | 96.0 | 100 | 95.1 | 100.0 | Recommend with options to consider in footnotes 1 and 2 |
| Highly probable | 81.7 | 82 | 87.8 | 88.5 | |
| Probable | 68.2 | 70 | 65.4 | 67.0 | |
| Possible | 59.4 | 60 | No match | No match | |
| Occasionally ¹ | 40.2 | 36 | No match | No match | |
| Highly improbable ² | 14.3 | 10 | No match | No match | |

¹ The term occasionally is a better fit for extent of exposure than it is for probability. For the probability sets, the authors recommend somewhat improbable with median 22.
² The term highly improbable had a median of 10 in the prior survey. If an alternative is desired, either improbable (10) or extremely improbable (6) would be suitable.

Sets of two and three terms for extent of exposure recommended in prior paper [ 21 ] compared to present survey with recommendations by the present research team. Prior survey data adapted from Jensen and Hansen [ 21 ].

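Each set begins at the row that carries a recommendation.

| Sets of Terms from Prior Survey | Prior Survey: Mean | Prior Survey: Median | Survey of Graduates: Mean | Survey of Graduates: Median | Recommendations |
|---|---|---|---|---|---|
| Regularly ¹ | 74.1 | 74.0 | 75.1 | 77.5 | Recommended with minor word change |
| Seldom ¹ | 19.7 | 18.0 | 17.4 | 11.0 | |
| Regularly ¹ | 74.1 | 74.0 | 75.1 | 77.5 | Recommended with minor word change |
| Occasionally ¹ | 40.2 | 36.0 | 39.2 | 31.0 | |
| Rarely ¹ | 15.8 | 14.0 | 9.6 | 6.0 | |
| Very frequent ² | 85.0 | 88.5 | 80.8 | 82.0 | Recommended with minor word change |
| Somewhat frequent ² | 54.7 | 59.5 | 56.7 | 60.0 | |
| Very infrequent ² | 15.0 | 10.0 | 14.7 | 10.0 | |

¹ Added in present survey “exposed” after Regularly, Seldom, Occasionally, and Rarely.
² Added in present survey “ly” to the words frequent and infrequent.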

For severity terms, nine of the 15 terms in Table 11 had median differences in the 0–5 range while six had large differences. Undergraduate ratings of severity were higher than those of the graduate students for all differences over five. Three terms are not recommended: first aid cases (15.9), medical treatment cases (16.6), and major damage (12.9).

The ratings for likelihood terms in the prior and the present survey are presented in Table 15. Each of the sets included highly likely. It had similar ratings from both surveyed populations for means (80.7 and 84.2) and medians (80.5 and 81.0). The term somewhat likely appears to fill a gap in the middle range of likelihood. A concern about this term is the inconsistent rating between the prior survey and present survey, with means of 53.6 and 45.5 and medians of 60 and 40, respectively. In the set of three, there was no better term in these surveys for naming the middle category of a likelihood axis in a RAM. The lowest term in the set of three (very unlikely) was among those recommended in the prior paper. A footnote indicates there are three terms suitable for the lowest category of a likelihood scale. The three terms with their medians are very unlikely (11), highly unlikely (10), and extremely unlikely (7). The research team suggests any of the three would be suitable. The sets of four and five in Table 16 have desirable spacing between them. The set of six, however, has two terms with minimal spacing, somewhat unlikely (25.5) and unlikely (20). The conclusion of the research team is that terms recommended in the prior paper are suitable for sets of three, four, and five. The set for six categories is sufficient, but not as well spaced as those in the other likelihood sets.

The ratings for probability terms in the prior and the present survey are presented in Table 16 . The prior survey had only five probability terms (highly probable, probable, possible, improbable, and highly improbable). One consequence of that was lack of a probability term for the middle range. The prior authors decided to borrow the term occasionally from the extent of exposure terms. It had a mean rating of 40.2 using the extent of exposure rating scale. This was not an ideal solution. For the present survey, occasionally exposed was kept among the extent of exposure terms. In order to find terms to fill mid-range of the 100-point scale, the present survey included fairly normal, somewhat probable, and somewhat improbable. These terms are mentioned in the Recommendations column of Table 16 .

The primary conclusion of the research team is that probability terms recommended in the prior paper had insufficient options for creating categories with appropriate spacing. The rationale for improvements is provided in Table 16.

The ratings for extent of exposure terms in the prior and the present survey are presented in Table 17. Minimal modifications to the prior recommended terms were made before conducting the present survey. One such modification was adding the word “exposed” after regularly, seldom, occasionally, and rarely. The reason was to help survey respondents think about how the term is to be used. The other modification was to add “ly” to the words frequent and infrequent. Other than those changes, the prior sets of terms were confirmed and supported by findings from the present study. The set of two would be suitable as a third axis in a RAM. It could be operationalized as two traditional RAMs set side by side, one for regularly exposed and one for seldom exposed. The sets of three could also be operationalized in that way. The present authors agree with the prior authors that extent of exposure is best regarded as a set of only two or three categories.

Findings for severity indicated a few terms that should not be used for naming the rows and columns of risk assessment matrices. Do not use first aid case only or medical treatment case because ratings of these terms appear to be influenced by reporting requirements and workers’ compensation laws. These terms would fit better in the text descriptions of the severity categories.

Findings for likelihood indicated the adjectives “very” and “extremely” have similar meanings when used to modify likely and probable. Therefore, using one of these but not both is recommended. Some adjectives produced similar effects when used to modify the terms likely and probable. Extremely improbable and extremely unlikely produce ratings of 6 and 7. Moderately probable and moderately likely received median ratings of 67 and 65. Somewhat improbable and somewhat unlikely received median ratings of 22 and 25.5. Highly probable and highly likely had median ratings of 88.5 and 80.5. The bar chart in Figure 6 facilitates comparison.

6. Conclusions

The aim of this project was to confirm or improve the prior recommended word sets for headers of the columns and rows in RAMs. Findings led to the following conclusions.

  • The survey confirmed the prior recommendations for severity terms. However, the authors recommend limiting use of the set containing the word “damage” to hazards concerned with harm to equipment, facilities, products and the environment.
  • The survey confirmed the prior recommendations for likelihood terms with some suggestions. The term somewhat likely had a median in this survey of 40, but a median of 60 in the prior survey. That does not negate use of the term, but due to the inconsistent ratings, we suggest using moderately likely with a median rating of 55.
  • Based on ratings in both surveys, the ratings for the terms for the lowest likelihood category did not produce a winner. Three terms intended for naming the lowest category, with their medians, are: very unlikely (11), extremely unlikely (7), or highly unlikely (10). We express no preference.
  • The survey found concerns with some terms in the probability sets. The prior survey did not include terms with ratings in the middle range of probability, so four terms were added to the survey: fairly normal, moderately, somewhat probable, and somewhat improbable. Ratings for these terms provide alternatives for the word occasionally in the sets found in Table 16. The authors recommend replacing occasionally in the upper set with fairly normal, and in the three lower sets with somewhat improbable.
  • The survey confirmed the prior recommendations for extent of exposure with small changes. An improvement incorporated into the present survey was adding the word “exposed” to four words in the prior survey to make four terms—regularly exposed, occasionally exposed, seldom exposed, and rarely exposed.

Supplementary Materials

The following are available online at https://www.mdpi.com/article/10.3390/ijerph19052763/s1 , Table S1: Ratings of Probability and Likelihood Terms, Table S2: Ratings of Exposure Terms, Table S3: Ratings of Severity Terms.

Appendix A. Rationale for Normalized, Equal-Axis Risk Matrices

The quantitative risk matrix used in the system safety profession has rows with numerical values for probability defined to fit the situation of concern. The columns have numerical values of consequence, commonly in expected dollar value of loss, or, in some domains, consequence may be in number of lives lost. In the practice of occupational safety and health, the values required for both probability and severity are imprecise estimates made by people. For example, should the probability of a particular hazardous event be 10⁻³ or 10⁻⁶? What amount should be used for the death of one employee? What is needed for OSH is a RAM formatted to accommodate human estimates of both axes.

The RAM in Figure 1 of the main article is based on a framework with both axes having a 0–10 range, and the whole space divided into cells based on the intersection of row and columns. Tony Cox explained the mathematical and statistical rationale in a 2008 paper [ 13 ]. An attempt to explain the rationale in a less rigorous manner follows.

Figure A1 depicts three planes analogous to a three-floor building. The ground floor represents the underlying quantitative relationship between probability and severity as an X-Y graph. A plot of the X-Y space on log-log paper can be used to plot lines of equal risk using Equation (1). These iso-risk lines run straight from the upper left toward the lower right.

A 3-floor building analogy depiction of how an underlying quantitative relationship using logarithmic scaling (ground floor) may be normalized to form a quantitative matrix using linear scaling (middle floor). The top floor is carpeted using rectangular pieces of carpeting colored red, yellow, and green, arranged in a pattern to identify spaces of similar risk.

The next floor up is based on changing the logarithmic axis scales into linear scales by normalizing each to a specified range. The linear range of each axis described by Cox was 0–1. Equivalent scales may use 0–10 or 0–100. On this floor, bands of similar risk are defined by curved iso-risk lines plotted in this X-Y space like those shown in Figure 1 of the main article. For example, the iso-risk line at 45 in Figure 1 defines a space above and right of the line as a high-risk region, and the iso-risk line 20 defines the space to its left and below as the low-risk region. This is all good technically, but a typical risk assessment team in industry using this approach needs to reach agreement on numerical values for both axes in order to determine the point in the X-Y space where a particular hazard belongs. This could take a lot of time and possibly lead to bickering among the team members. For that reason, a RAM format that is more accommodating for human judgment is desirable.

The upper floor in the building represents the usable risk matrix for assessing hazards. It uses the same axes as the floor below, including the iso-risk lines. The building owner may retain a RAM designer to install rectangular pieces of colored carpet laid in a grid pattern. If the carpet colors are red, yellow, and green, the pattern could mirror the layout in Figure 1, or follow a different pattern preferred by the building owner or RAM designer.
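The carpeting step described above, as an added example (not code from the paper): it takes the 0–10 axes and the iso-risk lines at 20 and 45 from the text, colours each rectangular cell by the risk at its centre, and flags the cells that an iso-risk line cuts through. The product form of the risk score, the 5×5 grid, the centre-point colouring rule and all function names are assumptions made for this illustration.

```python
from dataclasses import dataclass

AXIS_MAX = 10.0    # both axes run 0-10, as in the text
LOW_LINE = 20.0    # iso-risk line from the text: below/left of it is low risk
HIGH_LINE = 45.0   # iso-risk line from the text: above/right of it is high risk


def risk(probability, severity):
    """Assumption: risk is the product of the two normalized scores."""
    return probability * severity


def band(score):
    """Exact band for a point on the middle floor (points on a line: yellow)."""
    if score < LOW_LINE:
        return "green"
    if score > HIGH_LINE:
        return "red"
    return "yellow"


@dataclass(frozen=True)
class Cell:
    colour: str      # carpet colour, taken from the risk at the cell centre
    lo: float        # lowest risk inside the cell (lower-left corner)
    hi: float        # highest risk inside the cell (upper-right corner)
    cut_by: tuple    # iso-risk lines that pass through the cell


def carpet(n):
    """Lay an n x n carpet; grid[row][col], row = severity, col = probability."""
    if n < 1:
        raise ValueError("need at least one cell per axis")
    step = AXIS_MAX / n
    grid = []
    for r in range(n):
        row = []
        for c in range(n):
            # The product grows along both axes, so the extremes sit at corners.
            lo = risk(c * step, r * step)
            hi = risk((c + 1) * step, (r + 1) * step)
            centre = risk((c + 0.5) * step, (r + 0.5) * step)
            cut = tuple(line for line in (LOW_LINE, HIGH_LINE) if lo < line < hi)
            row.append(Cell(band(centre), lo, hi, cut))
        grid.append(row)
    return grid


def lookup(grid, probability, severity):
    """Cell a team would pick for a hazard scored at (probability, severity)."""
    n = len(grid)
    for value in (probability, severity):
        if not 0.0 <= value <= AXIS_MAX:
            raise ValueError("scores must lie on the 0-10 axes")
    step = AXIS_MAX / n
    col = min(int(probability / step), n - 1)   # 10.0 belongs to the last cell
    row = min(int(severity / step), n - 1)
    return grid[row][col]


def disagreement(grid, probability, severity):
    """Return (carpet colour, exact band); the two can differ in cut cells."""
    cell = lookup(grid, probability, severity)
    return cell.colour, band(risk(probability, severity))


def render(grid):
    """Text picture with the highest severity row on top; '*' marks cut cells."""
    lines = []
    for row in reversed(grid):
        lines.append(" ".join(
            cell.colour[0].upper() + ("*" if cell.cut_by else " ") for cell in row))
    return "\n".join(lines)


if __name__ == "__main__":
    g = carpet(5)
    print(render(g))
    print(disagreement(g, 6.1, 6.1))   # constructed hazard score
```

Cells marked with an asterisk are where the rectangular carpet and the curved iso-risk lines part ways, so a hazard placed there by judgment can land in a different colour than its numerical score would give.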

Author Contributions

Conceptualization, R.C.J.; methodology, R.C.J., R.L.B. and B.W.N.; software, R.L.B. and B.W.N.; validation, R.C.J.; formal analysis, R.C.J.; investigation, R.L.B. and B.W.N.; resources, R.C.J.; data curation, R.C.J.; writing—original draft preparation, R.C.J.; writing—review and editing, R.L.B. and B.W.N.; visualization, R.C.J.; supervision, R.C.J.; project administration, R.C.J.; funding acquisition, R.C.J. All authors have read and agreed to the published version of the manuscript.

This research received no external funding. Internal funding was through Montana Technological University’s Research Assistant Mentorship Program.

Institutional Review Board Statement

The study was conducted according to the guidelines of the Declaration of Helsinki, and approved by the Institutional Review Board of the University of Montana (protocol code 39-21, dated 21 February 2021). The approval was under the exempt category according to the U. S. Code of Federal Regulations, Part 42, section 104 (d).

Informed Consent Statement

Informed consent was obtained from all subjects involved in the study.

Data Availability Statement

Conflicts of interest.

The authors declare no conflict of interest. No funders had a role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, or in the decision to publish the results.

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.


Occupational safety and health risk assessment methodologies

Published on: 28/02/2012

Latest update: 20/09/2022


Introduction

Workers should be protected from occupational risks they could be exposed to. This could be achieved through a risk management process, which involves risk analysis, risk assessment and risk prevention and control practices. In order to carry out an effective risk management process, it is necessary to have a clear understanding of the legal context, concepts, risk analysis, assessment and prevention and control processes and the role played by all involved. It is also desirable to base risk management on solid and tested methodologies.

Prevention of occupational risks

Employers have to take the necessary measures for the safety and health protection of workers, including prevention of occupational risks. This is a basic legal obligation in all EU Member States. It is stated in the Council Directive of 12 June 1989 on the introduction of measures to encourage improvements in the safety and health of workers at work (Framework Directive 89/391/EEC [1]), which was transposed by Member States into national laws. It should be noted that Member States can introduce more rigorous provisions to protect their workers.

To prevent occupational accidents and ill health, employers must carry out a risk assessment, decide on prevention measures and, if necessary, use personal protective equipment. It is recommended to review the risk assessment on a regular basis and in particular each time a change occurs at the workplace, e.g. the use of new work equipment or chemicals, changes in the work processes or modifications to the work organisation.

Risk assessment is not only a legal duty but also good for business. Avoiding and reducing risks reduces work-related accidents and health problems, leading to cost benefits and improved productivity. Risk assessment is a dynamic process that allows companies and organisations to put in place a proactive policy for managing occupational risks. Therefore, risk assessment constitutes the basis for implementation of appropriate preventive measures and, according to the Directive, it must be the starting point of any Occupational Safety and Health (OSH) Management system. An OSH Management system should be integrated in the company’s management system. An OSH Management system makes it possible to develop a systematic approach to OSH [2]. Risk assessment is a step in the OSH risk management process.

Basic concepts

Basic concepts in risk management are the definitions of hazard and risk.

Hazard: source or situation with a potential to cause injury and ill-health, i.e. an adverse effect on the physical, mental or cognitive condition of a person [2]. Examples of physical hazardous sources or situations can be working on a ladder, handling chemicals or walking on a wet floor. Examples of psychosocial hazardous sources or situations are job content, job insecurity, isolation, bullying or harassment.

Risk: effect of uncertainty. Occupational health and safety risk: combination of the likelihood of occurrence of a work-related hazardous event or exposure(s) and the severity of injury and ill health that can be caused by the event or exposure(s) [2].

A psychosocial risk is defined as a combination of the likelihood of occurrence of exposure to work-related hazard(s) of a psychosocial nature and the severity of injury and ill-health that can be caused by these hazards [3]. Hazards of a psychosocial nature include aspects of work organisation, social factors at work, work environment, equipment and hazardous tasks.

Risk assessment can be defined as the process of evaluating the risk to the health and safety of workers while at work arising from the circumstances of the occurrence of a hazard at the workplace [4] . This definition stems from the EU guide elaborated by the EU Commission to provide practical assistance for the implementation of the risk assessment requirements from the framework directive. However, it should be noted that the concept of risk assessment is not only used within the context of OSH but it can also relate to financial, environmental, socio-economic, technical and other aspects. A general framework on the risk assessment process is provided in standard ISO 31001. This standard describes risk assessment as the overall process of (1) risk identification, (2) risk analysis and (3) risk evaluation:

  • Risk Identification: process of finding, recognising and describing risks;
  • Risk analysis: process to comprehend the nature of risk and to determine the level of risk;
  • Risk evaluation: process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.

Risk management

Figure 1: Risk management

Following the methodology PDCA (Plan-Do-Check-Act) risk management is a systematic process that includes the examination of all characteristics of the work system where the worker operates, namely, the workplace, the equipment/machines, materials, work methods/practices and work environment. The aim of risk management is to identify what could go wrong, i.e. finding what can cause injury or harm to workers, and to decide on measures to prevent injuries and ill-health and implement the measures.

It is important that employers know where the risks are in their organisations and prevent or keep them under control to avoid putting employees, customers and the organisation itself at risk. The main goal of risk management is to eliminate or at least to reduce the risks according to the ALARP (as low as reasonably practicable) principle. A key aspect in risk management is that it should be carried out with an active participation/involvement of the entire workforce. Carrying out risk management requires a step-by-step approach.

Step 1: Preparation of the process

The preparation of the risk management process involves several activities, namely:

  • workers with special needs, such as pregnant women, young workers, aging workers and workers with disabilities;
  • maintenance workers, cleaners, contractors and visitors;
  • Description of tasks, work equipment, materials, and work procedures;
  • Consideration of work patterns and organisational aspects;
  • Consideration of external factors that could affect the workplace;
  • Identification and description of implemented prevention measures;
  • Data on workplace incidents, near-misses, injuries and work-related health problems; and
  • Identification of legal requirements, standards or company regulations.

Several means can be used to support these activities. For instance:

  • Direct observation while the job is being performed – walkthrough;
  • Interviews with workers and managers;
  • Analysing data on workplace incidents, near-misses, injuries and work-related health problems;
  • Review of technical documentation and inspection reports on work equipment and machinery;
  • Review of the safety data sheets of the chemicals used in the workplace;
  • Review of the applicable legislation, standards and company regulations.

As noted above, under EU legislation employers are responsible for performing risk assessment regarding safety and health at work. Therefore, the overall responsibility for identifying, assessing and preventing risks at the workplace lies with the employer, who must guarantee that the occupational safety and health (OSH) risk management activities are properly executed.

The employer can delegate this function (not the responsibility) to occupational health and safety specialists and occupational physicians. The specialists may be part of the company staff (internal services) or be contracted outside (external services).

The participation of workers in the process of risk management in the field of safety and health at work is of fundamental importance, as workers have the best knowledge of their tasks and the associated risks. Participation also improves acceptance of the measures and facilitates their application in practice.

Step 2: Risk analysis

The risk analysis activities involve:

  • Identification of hazards present in the workplace and work environment;
  • Determination of the potential consequences of the risks.
  • Direct observation – walkthrough;
  • Checklists;
  • Deviation analysis;
  • Task analysis;
  • Previous risk assessment data;
  • Employee (satisfaction) surveys.

Step 3: Risk assessment

Risk assessment is the process of evaluating the risks arising from a hazard, taking into account the adequacy of any existing controls. Several methods to perform risk assessment are available, ranging from expert to participatory methodologies and from simple to complex methods. Which method is applied will depend on the nature of the workplace, the type of tasks and work processes, and the technical complexity [4]. An overview and some guidance on risk assessment techniques can be found in IEC/ISO Standard 31010:2019 Risk management - Risk assessment techniques (https://www.iso.org/standard/72140.html). Risk assessment involves evaluating, ranking, and classifying risks.

Risk evaluation

Risk evaluation involves the determination of a quantitative or qualitative value for the risk. Quantitative risk evaluation requires calculations of the two components of the risk: the probability that the risk will occur, and the severity of the potential consequences. This approach is seldom applied in practice.

Qualitative risk evaluation is more common and usually adopts a methodology based on a matrix. A risk assessment matrix consists of a two-dimensional grid with categories of harmful effects on one axis and categories of probability or likelihood on the other axis. The cells within the grid are used to indicate risk [6]. An example is shown in table 1.

Table 1: Example of a risk assessment matrix

Ranking of the evaluated risks

Based on the risk values obtained during the risk evaluation phase, risks should be sorted and ranked according to their severity.

Classify risk acceptability

A decision whether or not a risk is acceptable results from comparing the obtained risk value with acceptability criteria based on legal requirements, principles of the hierarchy of prevention, standards, recommendations, evidence-based information on risks, adapting to innovation, etc.

It should be highlighted that a particularly careful assessment of individual risk exposure should be performed for workers in special groups (for example, vulnerable groups such as new or inexperienced workers), or for those most directly involved in the highest risk activities (i.e. the most exposed group of workers) [8].

This risk classification is the baseline for selecting the actions to be implemented and for defining the timescale, i.e. the urgency of the implementation of the corrective measures. As an example, table 1 includes a simple risk categorisation in 3 broad categories indicating a priority ranking for actions.

To have a consistent base for all risk assessments, the company should first establish the acceptability criteria. This should involve consultation with workers' representatives and other stakeholders and should take account of legislation and regulatory agency guidance, where applicable [8].

Step 4: Taking measures

At this stage, actions are identified and implemented to avoid or reduce risks, with the protection of workers’ health and safety in mind, and are monitored over time. The measures implemented should be the ones that best protect everyone exposed to the risk. However, it is important not to forget that additional or different measures may be required to protect workers belonging to special groups, namely workers with special needs (such as pregnant women, young workers, aging workers and workers with disabilities) and maintenance workers, cleaners, contractors and visitors.

It is very important to take account of the number of individuals exposed to the risk when setting priorities and the timeline for the implementation of prevention and control measures. The risk prevention and control strategy includes the design, planning and implementing of adequate measures, as well as training and informing workers.

Design measures

The first step is the design of the measures to eliminate risks. The risks that cannot be avoided or eliminated should be reduced to an acceptable level, i.e. the residual risk shall be minimised according to the ALARP (as low as reasonably practicable) principle. This means employers must perform a cost-benefit analysis to balance the cost (including money, time, trouble and effort) of reducing a risk against the degree of risk [9]. It should be demonstrated that the cost involved in reducing the risk further would be grossly disproportionate to the benefit gained. The residual risk should be controlled.

Implement measures

The measures to be implemented should be based on up-to-date technical and/or organisational knowledge and good practices, using the following hierarchy order [10] [11]:

  • Prevention measures
  • Protection measures
  • Mitigation measures.

The aim of implementation of prevention measures is to reduce the likelihood of injuries or ill-health. Several examples, also in hierarchical order, that can be used to achieve this objective are:

a) Using engineering or technical measures to act directly on the risk source, in order to

  • Remove it, i.e. ensure that during the workplace design phase risks are 'designed out'.
  • Reduce levels of hazardous materials, for instance by providing effective ventilation through local or general exhaust ventilation systems.
  • Replace it, i.e. substitute the risk by a less risky material, equipment or substance.

These measures are more efficient and economical when accomplished during the workplace design phase.

b) Using organisational or administrative measures to change behaviours and attitudes and promote a safety culture:

  • Information and training (awareness)
  • Establish appropriate working procedures and supervision
  • Management and proactive monitoring
  • Routine maintenance and housekeeping procedures

Implementation of Protection measures should consider, first, collective measures and then individual measures. Several examples of measures (sorted by priority) that can be used to achieve this objective are:

a) Collective Protection measures:

  • Enclose or isolate the risk through the use of guards, protection of machinery and parts, or remote handling techniques;
  • Physical barriers (anti-drop networks, railings, packaging, acoustic, thermal or electrical barriers);
  • job rotation of workers;
  • timing the job so that fewer workers are exposed;
  • Implementation of safety signs, for instance restricting entry to authorised persons.

b) Individual Protection - use of Personal Protective Equipment (PPE) to protect the worker from the residual risk. The worker should participate in the selection of PPE and should be trained in its use.

When, despite prevention and protective measures, an incident, an injury or a case of ill-health occurs, the company needs to be prepared (emergency preparedness) by implementing mitigation measures. The aim of mitigation measures is to reduce the severity of any damage to facilities and harm to employees and the public. Several examples of measures that can be used to achieve this aim are: emergency plans, evacuation planning, warning systems (alarms, flashing lights), tests of emergency procedures, exercises and drills, fire-extinguishing systems, or a return-to-work plan.

Training and information

Managers must know the risks their workers are exposed to. Workers must know the risks they are exposed to. Providing information and training courses to workers is a legal requirement in the EU.

Step 5: Review and update

The risk management process should be reviewed and updated regularly, for instance every year, to ensure that the prevention measures implemented are adequate and effective. Additional measures might be necessary if the improvements do not show the expected results. Regular review is also highly recommended because workplaces are dynamic: changes in equipment, machines, substances or work procedures could introduce new hazards. Another reason is that new knowledge regarding risks can emerge, either leading to the need for an intervention or offering new ways of avoiding or controlling the risk. The review of the risk management process should consider a variety of types of information and draw them from a number of relevant perspectives (e.g. staff, management, stakeholders).

Step 6: Document the process

In the EU it is a legal obligation that employers make an assessment of the risks to safety and health at work, including those facing groups of workers exposed to particular risks (Framework Directive 89/391/EEC), and document the process. Documentation should provide an overview of the identified hazards, the respective risks and the subsequent measures implemented.

Risk management tools

The risk management process plays a central role in ensuring occupational health and safety and preventing workplace injuries and ill-health. But companies, especially smaller ones, sometimes lack the expertise and the resources to carry out risk assessments. The need for a simple, clear and cost-effective way to ensure compliance with the legislation and to foster a positive safety and health culture has led to the development and use of web-based tools. To assist Member States, EU-OSHA has created the OiRA tool, a web-based platform that enables the creation of sectoral risk assessment tools in any language in an easy and standardised way. The OiRA tool generator is provided free of charge to sectoral social partners and national authorities at EU and national level. All the OiRA tools are available on oiraproject.eu (https://oiraproject.eu/en) and can be used by workplaces to carry out risk assessments.

[1] Directive 89/391/EEC of 12 June 1989 on the introduction of measures to encourage improvements in the safety and health of workers at work (Framework Directive). Available at: https://osha.europa.eu/en/legislation/directives/the-osh-framework-directive/1

[2] ISO 45001:2018 Occupational health and safety management systems — Requirements with guidance for use

[3] ISO 45003:2021 Occupational health and safety management - Psychological health and safety at work - Guidelines for managing psychosocial risks

[4] EC - European Commission, Guidance on Risk Assessment at Work, Luxembourg, 1996. Available at: http://osha.europa.eu/en/topics/riskassessment/guidance.pdf .

[5] Nunes, I. L., 'Risk Analysis for Work Accidents based on a Fuzzy Logics Model', 5th International Conference of Working on Safety - On the road to vision zero? Roros. Norway, 2010.

[6] Jensen RC, Bird RL, Nichols BW. Risk Assessment Matrices for Workplace Hazards: Design for Usability. Int J Environ Res Public Health. 2022 Feb 27;19(5):2763. Available at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8910355/

[7] BAuA. Schritt 3: Gefährdungen beurteilen. Available at: https://www.baua.de/DE/Themen/Arbeitsgestaltung-im-Betrieb/Gefaehrdungsbeurteilung/Grundlagenwissen/Prozessschritte-der-Gefaehrdungsbeurteilung/Autorenbeitraege/Schritt3.html

[8] BSI - British Standard Institutions, Occupational health and safety management systems — Guide, BS 8800, 2004.

[9] HSE - Health and Safety Executive, Principles and guidelines to assist HSE in its judgements that duty-holders have reduced risk as low as reasonably practicable, 2011. Available at: http://www.hse.gov.uk/risk/theory/alarp1.htm#P14_1686

[10] NSW - New South Wales Government, Six steps to Occupational Health and Safety. Available at: http://www.une.edu.au/od/files/OHSSixsteps.pdf

[11] Harms-Ringdahl, L., Safety Analysis: Principles and Practice in Occupational Safety, Taylor & Francis, 2001.

EU-OSHA - European Agency for Safety and Health at Work, Risk assessment essentials. Available at: https://osha.europa.eu/en/publications/risk-assessment-essentials/view

EU-OSHA - European Agency for Safety and Health at Work, Management Leadership in Occupational Safety and Health – a practical guide. Available at: https://osha.europa.eu/en/publications/management-leadership-occupational-safety-and-health-practical-guide

EU Commission, Health and safety at work is everybody’s business. Available at: https://op.europa.eu/en/publication-detail/-/publication/cbe4dbb7-ffdc-11e6-8a35-01aa75ed71a1/language-en/format-PDF/source-85839760

ILO - International Labour Organisation, How can occupational safety and health be managed? Available at: https://www.ilo.org/global/topics/labour-administration-inspection/resources-library/publications/guide-for-labour-inspectors/how-can-osh-be-managed/lang--en/index.htm

IEC/ISO 31010:2019 Risk management - Risk assessment techniques https://www.iso.org/standard/72140.html .

ISO/TR 14121-2:2012 Safety of machinery — Risk assessment — Part 2: Practical guidance and examples of methods https://www.iso.org/standard/57180.html


Isabel L. Nunes

Aditya Jain

Karla Van den Broek

Isabel Nunes


Risktec

The Matrix Reloaded – our guide to the risk assessment matrix

The humble Risk Assessment Matrix (RAM) comes in for a lot of criticism. Whilst some of this may be justified, some arises more from a misunderstanding of the purpose and intended use of the RAM. There are strong views expressed on both sides of the argument (see Ref. 1 example). Here, we provide practical guidance on some of the more common issues.

WHAT IS A RAM?

A RAM is a matrix that is used during risk assessment to define the various levels of risk as the combination of probability and consequence categories. Figure 1, derived from ISO 17776, shows a typical example. A RAM is a simple tool intended to increase visibility of risks and assist decision-making.


KEEP IN MIND THE PURPOSE

The key benefit of a RAM is to give a rapid and consistent appreciation of the risk levels and, hopefully, to encourage a discussion and common understanding of how severe hazardous scenarios can be and how often they could occur. The RAM risk level scores are there to help make an informed decision as to the acceptability of that risk. The actual cell chosen should not be too critical, and if the decision-making process is indelibly tied to the exact position on the RAM, then a more detailed assessment method would be appropriate.

DOES IT MATTER?

RAMs come in many different shapes and sizes, ranging from 3×3 to 10×10. Too small a RAM may not give sufficient resolution, whilst too large may take longer to use and it is questionable whether this level of granularity is really needed. The most common tend towards the 6×4, 5×5 or 6×6 type.

However, don’t assume that because there are only two axes and 25 cells, everyone will use the RAM in the same way. What is important is consistency and that there is clear guidance on its use.

UNMITIGATED AND RESIDUAL RISK

One contentious area that commonly results in poor use of the RAM is in assessing residual risk. Residual risk, when combined with the initial unmitigated risk scores, has the advantage of showing a moving score on the RAM. Unfortunately this allows some people to claim, falsely, that this proves risk levels have been reduced as low as reasonably practicable (ALARP).

Part of the problem lies with the difficulty in determining the unmitigated risk. This answers the question, “If nothing works, how bad could it be?” The acceptance of residual risk then relies on assessing whether “given the controls we have in place, is that good enough?” But it’s not always practical to completely discount controls in gauging the unmitigated risk. You might argue that the unmitigated risk of driving a car should consider an unlicensed driver in a car with no mechanical integrity on unmade roads, but is this realistic? But if we allow for a licensed driver in a roadworthy car on a freeway, why then should we not claim the seat belts and airbags as well? The solution to this conundrum is to define at the outset precisely what is meant by unmitigated and residual risk.

THAT’S THE POINT

A RAM gives point risk scores for individual scenarios. Whilst it is often useful to prepare heat maps showing the relative distribution of events across the RAM, this isn’t the same as determining a cumulative risk score. Individual events may affect different groups of people, and may also lead to multiple consequences occurring simultaneously.

ONE SIZE FITS ALL…OR NOT?

Should an entire company employ a single common RAM, or should each department have its own specific one? The former allows for a consistent approach but can lead to increased RAM size to handle risk assessments ranging from workplace hazards to events threatening the corporation. The latter allows for simple, highly targeted assessments, but managing consistency across an organisation becomes more difficult.

The RAM provides a simple, well-used approach to risk assessment with considerable benefits in promoting discussion and achieving a common understanding of the risks. Despite its simplicity it is still open to abuse both unconsciously (“It’s simple so I don’t have to think very hard”) and consciously (“I can use this to my advantage”) from people ascribing greater accuracy than the matrix can achieve or using it to uphold a decision that has already been made, rather than using the ALARP process.

1. Cox, L.A., What’s wrong with risk matrices? 2008.
2. Talbot, J., What’s right with risk matrices?

This article first appeared in RISKworld issue 30


Risk Assessment Matrix

In this class, Alejandro Orrego, CEO at Pirani, teaches us about the key components of a Risk Assessment Matrix, impact variables, measuring risks, and risk management strategies.


A Risk Assessment Matrix is a tool used in risk management to evaluate and prioritize potential risks by categorizing them based on their likelihood and impact.

It provides a visual representation that helps in assessing the severity of risks and deciding which ones need attention.

Key Components of a Risk Assessment Matrix

IMPACT: Impact refers to the potential consequences or effects of a risk event on an organization's objectives. The impact can be positive (an opportunity) or negative (a threat) and can affect various aspects of the organization, such as financial performance, reputation, safety, or environmental factors.

LIKELIHOOD: Likelihood refers to the probability or chance of a risk event occurring. It is a measure of the frequency or occurrence of the risk and can be expressed qualitatively (e.g., low, medium, high) or quantitatively (e.g., a percentage or frequency rate).

How It Works:

  • The matrix is a grid with Likelihood on one axis and Impact on the other.
  • Risks are plotted on the grid based on their assessed likelihood and impact.
  • Common matrix formats are 3x3, 4x4, or 5x5 grids, depending on the granularity needed.

The Purpose:

  • Prioritize risks to focus resources on high-risk areas.
  • Assist in decision-making regarding which risks to mitigate, transfer, avoid, or accept.


  • Low Risk: Manage with routine procedures.
  • Medium/High Risk: Requires monitoring and some control measures.
  • Critical/Severe Risk: Needs immediate and active mitigation efforts.

Impact variables

  • Operational: The impact of a risk can also affect a company's operational efficiency, such as through supply chain disruptions, equipment failures, or cyber-attacks. This can result in lost productivity, delays in delivery, and decreased customer satisfaction.
  • Financial performance: The impact of a risk can have significant financial consequences, such as increased costs, decreased revenue, or loss of income. This can affect a company's profitability, cash flow, and overall financial stability.
  • Reputational: The impact of a risk can also affect a company's reputation, particularly if it involves unethical behavior, legal violations, or negative publicity. This can damage the company's brand, reduce customer loyalty, and lead to decreased sales.
  • Legal and regulatory: These are risks associated with compliance with laws and regulations, including changes in regulations, fines, and penalties, and legal disputes.
  • Environmental: The impact of a risk can also affect the environment, such as through pollution, resource depletion, or climate change. This can result in regulatory fines, legal liabilities, and reputational damage, as well as harm to ecosystems and public health.
  • Health and safety: The impact of a risk can also affect the safety of employees, customers, and other stakeholders. This can result in injuries, fatalities, or property damage, as well as legal liabilities and reputational damage.

10 Key Advantages of Risk Management Software Over Spreadsheets

1. Centralized Data Management

Risk management software provides a centralized platform for storing and managing all risk-related data. This reduces the risk of data being scattered across multiple spreadsheets and ensures consistency and accuracy.

2. Advanced Analytics and Reporting

These tools often come with built-in analytics and reporting features that allow for more sophisticated risk analysis and visualization. You can generate reports and dashboards that offer insights into risk trends and metrics that are more difficult to create manually in spreadsheets.

3. Real-Time Updates and Collaboration

Risk management software typically supports real-time updates and collaborative features, allowing multiple users to work on risk assessments simultaneously. This is more efficient than coordinating changes across different versions of spreadsheets.

4. Automated Risk Assessment

Many risk management tools include automation features that can calculate risk scores, prioritize risks, and even suggest mitigation strategies based on predefined criteria. This reduces manual effort and potential errors.

5. User-Friendly Interface

Modern risk management software is designed with user experience in mind, offering intuitive interfaces that make it easier to navigate and use compared to complex and often unwieldy spreadsheets.

6. Scalability

As your organization grows, managing risks through spreadsheets can become cumbersome and error-prone. Risk management software is designed to scale with your needs, handling larger datasets and more complex risk management processes efficiently.

7. Audit Trails

Risk management software often includes audit trails that track changes and updates made to the risk data. This can be crucial for accountability and understanding the history of risk management decisions.

8. Improved Accuracy and Reduced Errors

Spreadsheets are prone to human errors, such as formula mistakes or data entry issues. Risk management software reduces these risks through standardized processes and automated checks.

9. Regulatory Compliance

Dedicated software often includes features to help ensure compliance with industry regulations and standards. This can be particularly important for industries with strict compliance requirements.

10. Integration Capabilities

These software solutions often integrate with other business systems (like ERP, CRM, or project management tools), which helps in consolidating risk information from various sources and maintaining a comprehensive risk profile.


https://www.nist.gov/publications/guide-conducting-risk-assessments

Guide for Conducting Risk Assessments


ISACA Journal, 2024, Volume 5

IS Audit in Practice: Managing the Practical Risk Assessment


Jane smiled as she signed the contract—it had been a long time coming. Data availability and data integrity for her organization’s advocacy work had always been an issue. Available public information was controlled by the entities her organization was trying to monitor. Detail was lacking, timeliness was nonexistent. Now their watchdog group would change all that by developing their own data analytics tool for fact-based evidence that could be acted upon. Not that Jane was ready to toast the occasion yet. Although the new contract for a vendor-developed custom data tool would bring the organization from conversation to action, she knew the project posed risk to the tiny advocacy group. Did they have the know-how to pull this off, even with a savvy software vendor? What if the budget projections were off and more capital was needed? And, what if, after all the data collection, the results were inconclusive, or the data integrity was suspect? How would they even know how to detect errors? Jane knew they had taken a huge leap and a risk that everyone was ready to accept, but did they all understand what that risk really was? She thought of the old saying, “be careful what you wish for.”

ISACA ® professionals know that all risk is not the same. Industry dynamics, enterprise culture, and department risk tolerance all impact what an organization is willing to do. But risk is more than a willingness to take something on. Risk needs to be reviewed and scored based on the organization’s objectives, while fact checking the objectives against market trends, regulatory requirements, and more. So how can a risk professional help someone like Jane?

Practically Speaking, Culture Matters

Successful risk management is all about operational acceptance and feasibility. Industry culture plays a significant role in determining risk priorities, and having a structured risk assessment approach is crucial, regardless of industry or organization size. That said, the structure must be tailored to suit the audience. Oftentimes, the leadership teams inadvertently make risk decisions without careful deliberation on benefits and consequences. To an IT professional familiar with the rigor of methodical development, business continuity, and other technology disciplines, it seems inconceivable that planning based on prioritized value and need might be overlooked, but it often is. The standard portfolio of risk categories must be outlined and assigned ratings of importance, including these categories:

  • Financial risk —Does the project have a clear business case outlining the required expense/capital with projected benefits? If so, that business case can be used to determine what activities may pose too great a financial risk to be considered. If not, a business evaluation is needed to manage general project cost, funds for potential rework, or issues against the expected value to the organization.
  • Market risk —What is the risk of losing market share by either completing or not completing the project? This risk challenges teams as they consider financial risk, since one must often spend money to get or keep a competitive edge. Understanding the competitive landscape and how actions will positively or negatively impact market share must be evaluated as risk, including financial risk, is identified.
  • Reputational/client risk —How will the project impact the existing client base and potential new clients? A technology organization may be expected to take a risk and innovate, reducing the potential negative impact from clients. An insurance company may have a very different investor base, one which expects a conservative approach, thereby requiring a higher risk rating for cutting edge projects.
  • Regulatory/compliance risk —Industries falling under regulatory scrutiny such as banking or healthcare must prioritize regulatory requirements with a high risk score. What might seem like a great idea from a market share perspective may be tempered by what is permissible within the confines of the law or even industry best practices.
  • Security/privacy risk —A critical risk for many organizations across industries, this risk still varies in priority based on information used to perform the work. Privacy does not become a major concern if all information used is publicly available, for example.
  • Operational risk —Operational risk includes all the risk factors inherent in getting the work done: employee absence, volunteers who don’t show up, machines that break down, systems that fail, and unforeseen conditions such as weather or utility emergencies. Operational risk must be defined and prioritized to determine appropriate budget allocations for resources to adequately cover the risk while balancing the need to spend wisely across many organizational objectives.

It seems like a lot of work to research and discuss up front, which is why many organizations do a less than thorough job of building a risk framework. Business ideas are raised, teams get excited, and risk isn’t reviewed. Yet doing nothing to assess risk is the biggest risk of all.


Overcoming Barriers to Successful Risk Management

ISACA professionals can help organizations overcome the major barriers to risk profiling by providing and executing a risk framework that’s feasible and practical for each organization. A feasible framework is one that the organization can execute because it has the tools and resources to perform the risk evaluation. A practical framework is one that provides enough value to the organization to merit using resources and tools versus using them on something else. Using resources, whether budget or manpower that is best used elsewhere, only devalues the benefit of the risk assessment. It is an extra step, but understanding what else is going on, what money can be spent, and what the organization’s expectations are will help right-size the risk framework used. The example of Jane’s advocacy group shows what must be considered by the ISACA professional to ensure that the risk assessment itself is valued and prioritized. Taking the following steps for Jane’s not-for-profit can help:

  • The risk consultant must know the client and their industry well. Knowledge, whether researched, acquired through interviews, or based on experience is the starting point before all other considerations.
  • Collaboration is crucial. The enterprise, IT, and any vendors involved must review and assess the risk together. In some cases, legal and regulatory will participate to avoid missing any required guidelines. For a more structured evaluation of who should participate, using a responsible, accountable, consulted, and informed (RACI) grid can help ensure that all aspects are covered.
  • Adequate time must be spent to evaluate all risk factors. Making time, with all the necessary stakeholders present, is a big request to make of any organization. Everyone is busy, but when a decision is needed regarding what risk is the right one to take, all opinions add value and save on potential rework.
  • Evaluating risk must be a repeat event. Successful risk management occurs when people involved plan to participate more than once. A standard risk review cadence, whether annually, twice a year, or more must be established based on how fast the business or customer base is changing. Looking back at the prior risk ratings to see how close they were to reality also makes the risk review a practical, valuable undertaking.

End Results

Jane did end up hiring a risk professional after signing the data analytics contract. Practically speaking, she knew this was a huge opportunity for her organization to become a trusted advisor to the communities impacted by the big business Jane’s organization monitored. Success required a solid financial assessment, especially for add-on features and functionality they might want. Data integrity was paramount, so a thorough review of security and operational risk was also a key priority for project success. All information used was public, and her organization was a small advocacy group, but the organization they monitored was regulated and Jane wasn’t sure how to tackle compliance risk. It made sense to bring in a knowledgeable professional to not only educate the team and vendor on risk management, but also to help operationalize a risk plan, with appropriate controls and auditing. The result was that risk was prioritized adequately from the start and corrective action was taken in a timely manner for the high priority areas. It was worth the risk of taking on a risk consultant.

CINDY BAXTER | CISA, ITIL FOUNDATION

Is Conservation Manager for Friends of Belle Isle Marsh. She works with environmental organizations, the community, and with developers to promote compliance for a green and resilient environment for the only remaining salt marsh in the city of Boston, Massachusetts. Her work also involves collaboration with municipal and state officials to move legislation forward with the innovation that green technology provides. Baxter is pleased that technology has allowed her to reinvent her career and continue learning at every step. She had the privilege of learning technology and managing Fortune 100 client relationships at AT&T. Baxter then applied her expertise as an IT operations director at Johnson & Johnson before moving to compliance and risk management roles at AIG and State Street Corporation. Baxter continues to accept select consulting assignments through her business What’s the Risk LLC, focusing on environmental risk management, inspection, and compliance enforcement. Baxter is pleased to serve as Operations Officer on the ISACA New England Chapter and is a board member on the Nantucket Lightship LV-112 Museum.

Rupture risk assessment in cerebral arteriovenous malformations: an ensemble model using hemodynamic and morphological features

  • Haoyu Zhu 1,2
  • Lian Liu 2
  • Shikai Liang 3 (http://orcid.org/0000-0001-5623-7400)
  • Chao Ma 4 (http://orcid.org/0000-0002-8339-0176)
  • Yuzhou Chang 1,2
  • Longhui Zhang 5 (http://orcid.org/0000-0002-3406-7743)
  • Xiguang Fu 1,2
  • Yuqi Song 1,2
  • Jiarui Zhang 1,2
  • Yupeng Zhang 2
  • Chuhan Jiang 1,2 (http://orcid.org/0000-0003-2148-5134)
  • 1 Department of Neurosurgery, Beijing Neurosurgical Institute, Capital Medical University, Beijing, China
  • 2 Department of Neurosurgery, Beijing Tiantan Hospital, Capital Medical University, Beijing, China
  • 3 Department of Neurosurgery, Beijing Tsinghua Changgung Hospital, Beijing, China
  • 4 Department of Neurosurgery, Beijing Chaoyang Hospital Affiliated to Capital Medical University, Beijing, China
  • 5 Department of Neurology, Beijing Tiantan Hospital, Capital Medical University, Beijing, China
  • Correspondence to Dr Chuhan Jiang; jiangchuhan126{at}126.com; Dr Yupeng Zhang; zhangyupeng1003{at}gmail.com

Background: Cerebral arteriovenous malformation (AVM) is a cerebrovascular disorder posing a risk for intracranial hemorrhage. However, there are few reliable quantitative indices to predict hemorrhage risk accurately. This study aimed to identify potential biomarkers for hemorrhage risk by quantitatively analyzing the hemodynamic and morphological features within the AVM nidus.

Methods: This study included three datasets comprising consecutive patients with untreated AVMs between January 2008 and December 2023. Training and test datasets were used to train and evaluate the model. An independent validation dataset of patients receiving conservative treatment was used to evaluate the model performance in predicting subsequent hemorrhage during follow-up. Hemodynamic and morphological features were quantitatively extracted based on digital subtraction angiography (DSA). Individual models using various machine learning algorithms and an ensemble model were constructed on the training dataset. Model performance was assessed using the confusion matrix-related metrics.

Results: This study included 844 patients with AVMs, distributed across the training (n=597), test (n=149), and validation (n=98) datasets. Five hemodynamic and 14 morphological features were quantitatively extracted for each patient. The ensemble model, constructed based on five individual machine-learning models, achieved an area under the curve of 0.880 (0.824–0.937) on the test dataset and 0.864 (0.769–0.959) on the independent validation dataset.

Conclusion: Quantitative hemodynamic and morphological features extracted from DSA data serve as potential indicators for assessing the rupture risk of AVM. The ensemble model effectively integrated multidimensional features, demonstrating favorable performance in predicting subsequent rupture of AVM.

  • Angiography
  • Arteriovenous Malformation
  • Vascular Malformation
  • Intervention

Data availability statement

Data are available upon reasonable request. The data that support the findings of this study are available from the corresponding author on reasonable request.

https://doi.org/10.1136/jnis-2024-022208


Contributors: All authors made substantial contributions to the conception and design of the study. Material preparation, data collection, and analysis were performed by LL and HZ. Formal analysis and investigation were performed by SL, XF and CM. YC, LZ, and YS performed manuscript review and editing. CJ and YZ performed supervision. HZ and JZ wrote the first draft of the manuscript, and all authors commented on previous versions of the manuscript. All authors read and approved the final manuscript. CJ is the guarantor for this study.

Funding: The authors have not declared a specific grant for this research from any funding agency in the public, commercial or not-for-profit sectors.

Competing interests: None declared.

Provenance and peer review: Not commissioned; externally peer reviewed.


COMMENTS

  1. Risk Assessment Matrix: What It Is and How to Use It

    A risk assessment matrix is a visual chart that prioritizes and tracks project risks. Of more than a dozen different categories of risk, the four most important for a project manager to account for are management, organizational, technical, and external risks. Building a risk assessment matrix should be a core element of your overall approach ...

  2. Risk Assessment Matrix: Overview and Guide

    A risk assessment matrix, also known as a Probability and Severity or Likelihood and Impact risk matrix, is a visual tool depicting potential risks affecting a business. ... To avoid confusion, the company's risk assessment matrix methodology should be formally documented in policy and procedure documents, including any weighting and any ...

  3. Risk Assessment and Analysis Methods: Qualitative and Quantitative

    A risk assessment determines the likelihood, consequences and tolerances of possible incidents. "Risk assessment is an inherent part of a broader risk management strategy to introduce control measures to eliminate or reduce any potential risk- related consequences." 1 The main purpose of risk assessment is to avoid negative consequences related to risk or to evaluate possible opportunities.

  4. Risk Assessment Matrix: Definition, Examples, and Templates

    Limitations of Risk Matrix. A risk matrix is useful in risk management but has some limitations. These limitations are: Inefficient Decision-Making: Sometimes, poor categorization of risk can cause poor assessment of risks, leading to poor decision-making. Biased Assessment: Many times, due to biases in risk assessment, risk levels can be miscalculated, and it can affect the risk management plan.

  5. What's a Risk Assessment Matrix? Build One in 4 Simple Steps

    The risk assessment matrix will help your organization identify and prioritize different risks, by estimating the probability of the risk occurring and how severe the impact would be if it were to happen. ... Other organizations use a weighting methodology to bring greater attention to the responses by participants with subject matter expertise ...

  6. What is a 5x5 Risk Matrix & How to Use it?

    A 5×5 risk matrix is a type of risk matrix that is visually represented as a table or a grid. It has 5 categories each for probability (along the X axis) and impact (along the Y axis), all following a scale of low to high. As a comprehensive tool used by organizations during the risk assessment stage of project planning, operations management ...

  7. What Is a Risk Matrix? (2024 Guide With Example)

    A risk assessment matrix (sometimes called a risk control matrix) is a tool used during the risk assessment stage of project planning. It identifies and captures the likelihood of project risks and evaluates the potential damage or interruption caused by those risks. The risk assessment matrix offers a visual representation of the risk analysis ...

  8. Risk assessment matrix: Benefits, types, and steps to create one

    Seven risk assessment methodologies. A comprehensive guide to using a risk assessment matrix. Risk management automation: A how-to guide for optimizing your processes. ... A risk assessment matrix is a grid-based, typically color-coded visualization of the potential risks an entity faces, graded against the likelihood of each risk scenario as ...

  9. Risk Matrix Template: Assess Risk for Project Success [2024] • Asana

    A risk matrix is a risk analysis tool to assess risk likelihood and severity during the project planning process. Once you assess the likelihood and severity of each risk, you can chart them along the matrix to calculate risk impact ratings. These ratings will help your team prioritize project risks and effectively manage them.

  10. Risk Assessment: Process, Tools, & Techniques

    There are options on the tools and techniques that can be seamlessly incorporated into a business' process. The four common risk assessment tools are: risk matrix, decision tree, failure modes and effects analysis (FMEA), and bowtie model. Other risk assessment techniques include the what-if analysis, failure tree analysis, Layer of ...

  11. Using a Risk Assessment Matrix for Qualitative Risk Analysis

    A risk assessment matrix (also called a probability and severity risk matrix) is a visual tool project managers use to assess a risk's potential impact on their project. A risk matrix is a project management grid, with the probability of a risk represented on the left, and the severity of the risk represented on the top.

  12. How to Use the Risk Assessment Matrix in Project Management?

    Risk assessment matrix is a simple methodology. Perfect for highlighting and rating risk severity. Risk assessment matrices are flexible and offer several systematic approaches to problem-solving. ISO 31000 certified methodology. Moving over to the actual implementation part, the Risk Assessment matrix methodology "CAN" turns out to be a ...

  13. Practical Risk Management Approach

    Risk Assessment. The risk assessment step, i.e. evaluating the risk item versus the Risk Assessment Criteria is often initially done as part of the risk identification process. As part of the risk ID meeting, allow the identifier of the risk event also characterize their risk by placing it on a 3' X 4' version of the Risk Priority Matrix (ref ...

  14. How To Use a Risk Assessment Matrix (With Example)

    To use a risk assessment matrix during the risk evaluation process effectively, take the following steps: 1. Identify all potential risks. The first step in the risk assessment process is to identify potential risks. To maintain a structure that is easy to manage, the risk assessment process offers a way to prioritize risks by evaluating ...

  15. Risk Analysis in Healthcare Organizations: Methodological Framework and

    Risk assessment is one of the key stages in the Risk Management Process and involves specific steps: identifying hazards, analyzing and evaluating all possible risks. Several methods are developed to assess risks in the literature. A risk matrix method, also called "decision matrix risk assessment (DMRA) technique", is a systematic approach ...

  16. Advanced methods of risk assessment and management: An overview

    Since its inception, the risk matrix has become one of the most widely used qualitative risk assessment technique that has been well adopted by the industries for its simplicity, yet, effectiveness. The risk matrix has been described as a semi-quantitative approach by many scholars (Ni, Chen, & Chen, 2010; Ruge, 2004). However, if both the ...

  17. PDF Safety Risk Management Methodologies (SRM) Use of the Risk Matrix

    1.1 Purpose of the "risk matrix" methodology. The risk matrix methodology is a practical model to quickly visualize the level of risk and decide whether further actions should be taken. This simplistic assessment model has been proven to be widely used in many domains, including aviation,

  18. Risk Assessment Matrices for Workplace Hazards: Design for Usability

    A tool used for assessing and evaluating risks is referred to in the OSH field as a risk table, risk grid, risk matrix, or (our preference) risk assessment matrix (RAM) [2,3,5,6,7,8,9,10,11]. RAMs appear as a two-dimensional grid with one axis having categories of harmful consequence and the other axis with categories for likelihood or probability.

  19. Occupational safety and health risk assessment methodologies

    Qualitative risk evaluation is more common and usually adopts a methodology based on a matrix. A risk assessment matrix consists of a two-dimensional grid with categories of harmful effects on one axis and categories of probability or likelihood on the other axis. The cells within the grid are used to indicate risk [6]. An example is shown in ...

  20. The Matrix Reloaded

    The humble Risk Assessment Matrix (RAM) comes in for a lot of criticism. Whilst some of this may be justified, some arises more from a misunderstanding of the purpose and intended use of the RAM. There are strong views expressed on both sides of the argument (see Refs. 1 and 2 for example). Here, we provide practical guidance on some of the more common issues.

  21. Risk Assessment Matrix

    A Risk Assessment Matrix is a tool used in risk management to evaluate and prioritize potential risks by categorizing them based on their likelihood and impact. It provides a visual representation that helps in assessing the severity of risks and deciding which ones need attention.

  22. PDF Risk Assessment Methodology

    an alternative risk matrix or methodology may be used. For example, the chemical risk assessment ... The University risk assessment methodology requires an analysis/score for both the inherent risk and the residual risk. safety.unimelb.edu.au HEALTH & SAFETY: RISK ASSESSMENT METHODOLOGY 3

  23. PDF Risk Assessment Methodologies

    Risk assessment involves the evaluation of risks taking into consideration the potential direct and indirect consequences of an incident, known vulnerabilities to various potential threats or hazards, and general or specific threat/hazard information. This resource document introduces various methodologies that can be utilized by communities to ...

  24. Guide for Conducting Risk Assessments

    This document provides guidance for carrying out each of the three steps in the risk assessment process (i.e., prepare for the assessment, conduct the assessment, and maintain the assessment) and how risk assessments and other organizational risk management processes complement and inform each other. [Supersedes SP 800-30 (July 2002): http ...

  25. IS Audit in Practice: Managing the Practical Risk Assessment

    Using resources, whether budget or manpower that is best used elsewhere, only devalues the benefit of the risk assessment. It is an extra step, but understanding what else is going on, what money can be spent, and what the organization's expectations are will help right-size the risk framework used. The example of Jane's advocacy group ...

  26. Rupture risk assessment in cerebral arteriovenous malformations: an

    Background: Cerebral arteriovenous malformation (AVM) is a cerebrovascular disorder posing a risk for intracranial hemorrhage. However, there are few reliable quantitative indices to predict hemorrhage risk accurately. This study aimed to identify potential biomarkers for hemorrhage risk by quantitatively analyzing the hemodynamic and morphological features within the AVM nidus. Methods: This ...

  27. Comparison of commercial DNA kits for allergen detection of celery in

    For correct allergen risk management by industry, retail and food safety authorities, sensitive and reliable fast allergen detection methods are required, even more when precautionary allergen labelling based on reference doses will be implemented in legislation. This study aimed to perform a comparative assessment of three commercially available quantitative or qualitative test kits, for DNA ...