Risk management matrix


How to Make a Risk Assessment Matrix

We take risks every day, from the moment we wake up until we go to bed at night; they are a normal part of life. The only question is which risks are worth taking and which must be avoided. That is why an important part of the risk management process is being able to identify and quantify risks.

What is a risk assessment matrix?

A risk assessment matrix rates the significance of a risk from two inputs: the likelihood of the event and the impact it would have. The first step in a risk assessment is identifying the potential negative events that would result in losses for the company. The purpose of assessing risk is to ensure that sufficient controls are in place, to prioritize further risk reduction, and to make sure that risks are kept as low as reasonably practicable. An assessment matrix is a useful tool to achieve this end: it provides some objectivity and serves as a basis for discussion.

Corporate Risk Matrix and Risk Acceptance Matrix

For proper risk management, the likelihood and the impact level of an event are each scored on a scale, commonly 3 or 5 levels, although more can be used. Each company decides how to build its own matrix and how many levels it has, and the right design also depends on the industry. The following is a risk assessment matrix with 5 levels on each axis. The vertical axis is the likelihood of the event occurring, with each level labeled L1, L2, and so on. The horizontal axis is the severity of the consequence, labeled C1, C2, and so on. The closer an event is placed to the upper-right-hand corner of the chart, the greater the risk. The consequence severity levels are: C1: Negligible, C2: Minor, C3: Moderate, C4: Severe, C5: Catastrophic. The likelihood levels are: L1: Rare occurrence, L2: Unlikely to occur, L3: Possible to occur, L4: Likely to occur, L5: Almost certain to occur. Blue represents a low-risk event, gray a moderate risk, and orange a high-risk event.

[Figure: 5x5 risk assessment matrix, likelihood L1 to L5 on the vertical axis against consequence C1 to C5 on the horizontal axis]

Consider the information stored on a family photography center's computer. For a typical business of that kind, the impact of its data and files being breached may be rated low, whereas for a large accounting firm, even one with an extensive security system, the same event could have a high impact if its clients' bookkeeping information became known. In the photography center's case, both the potential financial and legal impact of such an event are low, and it is also unlikely that a malicious individual would take an interest in the data; the matrix will therefore show the risk as low.


The reader should not adopt this particular matrix as-is, because the conditions under which different businesses operate vary too greatly. A company will build its own matrix based on its circumstances, goals, and strategies. Companies should also remember to apply the matrix to every kind of risk they face; compliance with the law, for example, merits a matrix in and of itself.


Another potential risk for each of these companies is breaking the law. For a hotel that takes reservations through a website, for example, the consequences could be major, up to criminal charges and the company's closure. Such an event would be catastrophic (C5). However, it is unlikely, and would probably only happen as a result of intentional misconduct by the hotel. All the hotel has to do is follow standard procedures and regulations, honor all of the commitments listed in the terms and conditions displayed on its website, and keep its rooms clean and in compliance with health codes. A moderately frequent event for the typical hotel is guest complaints, and the losses they could entail are moderate as well. This would place the risk dead center on the matrix, in the yellow area.
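The matrix described above, together with the placement of the post's own examples (the photography center, the accounting firm, the hotel's legal exposure and its guest complaints), in working code. This is an added example and not part of the original post. The L1 to L5 and C1 to C5 scales and the blue/gray/orange bands are the post's; the rule that decides which band a cell falls in (risk score = likelihood x consequence, with scores of 4 or below rated low and 15 or above rated high) and the specific L/C placement of the four events are assumptions made for the example.

```python
"""Added example: a 5x5 risk assessment matrix of the kind described in the post.

The two scales (L1-L5, C1-C5) and the three colour bands (blue/low, gray/moderate,
orange/high) come from the post. The rule that decides which band a cell falls in
is an ASSUMPTION made for this example: risk score = likelihood x consequence,
scores of 4 or less are low, 15 or more are high, everything in between is moderate.
The events scored at the bottom are constructed placements of the post's examples.
"""
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
CONSEQUENCE = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Severe", 5: "Catastrophic"}
BAND_COLOUR = {"low": "blue", "moderate": "gray", "high": "orange"}

# Assumed thresholds (not from the post): the knob an organisation tunes to its risk appetite.
LOW_MAX = 4
HIGH_MIN = 15


def risk_score(likelihood: int, consequence: int) -> int:
    """Multiply the two 1-5 levels; values off either scale are rejected."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError(f"levels must be 1-5, got L{likelihood}/C{consequence}")
    return likelihood * consequence


def risk_band(likelihood: int, consequence: int) -> str:
    """Map one cell of the matrix to low / moderate / high using the assumed thresholds."""
    score = risk_score(likelihood, consequence)
    if score <= LOW_MAX:
        return "low"
    if score >= HIGH_MIN:
        return "high"
    return "moderate"


def build_matrix() -> dict:
    """Every (L, C) cell with its band; this is the grid the post draws as a coloured chart."""
    return {(lik, con): risk_band(lik, con) for lik in LIKELIHOOD for con in CONSEQUENCE}


def render_matrix() -> str:
    """Plain-text chart with L5 at the top, so the upper-right corner is the highest risk."""
    matrix = build_matrix()
    rows = ["     " + " ".join(f"C{con:<9}" for con in CONSEQUENCE)]
    for lik in sorted(LIKELIHOOD, reverse=True):
        cells = " ".join(f"{matrix[(lik, con)]:<10}" for con in CONSEQUENCE)
        rows.append(f"L{lik}   {cells}")
    return "\n".join(rows)


@dataclass
class RiskEvent:
    name: str
    likelihood: int
    consequence: int


def prioritise(events: list) -> list:
    """Rank events highest risk first: the order in which their controls should be reviewed."""
    scored = [
        (e.name, e.likelihood, e.consequence,
         risk_score(e.likelihood, e.consequence), risk_band(e.likelihood, e.consequence))
        for e in events
    ]
    return sorted(scored, key=lambda row: row[3], reverse=True)


# Constructed placements of the post's examples on the matrix (the L/C values are assumed).
EXAMPLE_EVENTS = [
    RiskEvent("Photography centre: customer files breached", likelihood=2, consequence=2),
    RiskEvent("Accounting firm: client bookkeeping data exposed", likelihood=3, consequence=4),
    RiskEvent("Hotel: legal breach leading to closure", likelihood=2, consequence=5),
    RiskEvent("Hotel: guest complaints", likelihood=3, consequence=3),
]

if __name__ == "__main__":
    print(render_matrix())
    for name, lik, con, score, band in prioritise(EXAMPLE_EVENTS):
        print(f"{band:<8} ({BAND_COLOUR[band]:<6}) L{lik}/C{con} score={score:<2} {name}")
```

Running the block prints the chart with L5 on top, so the upper-right corner holds the highest risk as the post describes, and then the four events ranked by score. With the assumed thresholds the photography center's breach (L2/C2) lands in the low band, the hotel's complaints (L3/C3) sit dead center in the moderate band, and the catastrophic-but-unlikely legal breach (L2/C5) also rates moderate, which illustrates why a matrix must be tuned to the organisation rather than copied: a different risk appetite would move the band boundaries and change that last verdict.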
