Risk Matrix

A risk matrix is a table used to assign a 'score' to the identified risk, to assist with the risk management process. In fact it is the core of the risk management documentation. For each risk identified, a score is assigned for the probability and impact aspects.

Often a range of 1 to 5 is used for each aspect.  Different organisations use different ratings, and you will probably want to tailor something which suits your circumstance. A simple example is given below.

(The likelihood that this risk will actually happen)

  1. Almost certainly will not occur
  2. Very unlikely to happen
  3. Quite possible - it has happened on some previous projects
  4. Probably will happen.
  5. Certainly will happen, no question.

(The consequence if this risk / threat was to actually happen)

  1. Almost negligible impact - can easily be rectified.
  2. Would have small effect on budget or schedule. Could take a few days to fix.
  3. Noticeable effect on budget and schedule. Will require review of plan & some rescheduling.
  4. Serious problem which could affect credibility / integrity of project. May need to seek additional resources / funding. May need to consider significant project reschedule.
  5. Critical project failure. Could cause project to fail or be abandoned. Likely to cause costs or time estimates to be more than 70% behind.

(Table showing overall rating of risk)

Involve a broad range of stakeholders when analysing risk

  1. List every risk identified.
  2. For each risk, estimate probability and impact.
  3. Calculate overall rating (Probability X Impact)
  4. Identify detailed risk mitigation (reduction) strategies
  5. Optionally, estimate 'net' risk rating (after allowing for effect of mitigation strategy)

(The following table is a simplified example for the purpose of explanation).

| Risk | Probability | Impact | Rating | Mitigation strategy | Net rating |
|---|---|---|---|---|---|
| Developers do not have experience in new technology being implemented | 4 | 4 | 16 | Detailed training schedule to be implemented for completion prior to development. Seed team with experienced contractors. Team leader selection criteria to include appropriate skills & experience. | 8 |
| Funds were allocated prior to detailed design. May not be sufficient. | 2 | 3 | 6 | Seek 15% contingency funding to allow for expanded scope. Rate requirements from mandatory to 'wish list'. | |
| Operational staff have a history of not accepting new systems. If they are not ready, we could suffer huge losses. | 3 | 4 | 12 | Expand 'Change Management' team, using experienced staff. Develop staff communication strategy. Develop detailed (operational) staff training schedule. Develop 'champions' in operational areas. | |

The above is only useful if the mitigation strategies are developed and implemented. Reviews are necessary to track progress and effectiveness of the strategies and plans, to revise or develop new strategies as required, and to determine if any new risks have arisen.

It is not usually possible to overcome every risk. Concentrate on the risks with a high rating, particularly those considered to have a high impact value.

Seriously question the feasibility of a project with too many highly rated risks.
