
How to Use the Risk Assessment Matrix in Project Management?

Team TrueNxus
January 26, 2022

Are you curious about using a risk assessment matrix? Then, you’ve come to the right place.


Project managers spend too much time trying to balance their projects. They worry about getting their projects prioritized to mitigate risk. They wake up in the middle of the night wondering if they got their priorities right.


All too often, a mistake can take the company beyond its budget. The solution was the development of the risk assessment matrix.

Do you know how to use the Risk Assessment Matrix in project management? The matrix helps you analyze a project so you can detect and rank its risks.



Creating a risk assessment matrix


The below fundamental steps will give you an excellent overview of the process. You'll be able to create a Risk Assessment Matrix and use it successfully. You may even be able to leverage the matrix as a change agent for your organization.


Step 1: Identify risk


Risk managers use many tools to identify risk. These include historical data, Root Cause analysis, checklists, Monte Carlo analysis, decision trees, cause-effect diagrams, and SWOT analysis.


The tools are helpful. But the SWOT analysis might be more useful. The tool compares the company's strengths and weaknesses to the strengths and weaknesses of the competition. Since outside factors tend to increase risk, we'll review the use of SWOT as a risk identification tool.


SWOT for Risk Identification


Risk identification, not a strategic perspective, must be the focus of the SWOT analysis. Since risk identification is about documenting and communicating risks that can potentially derail a project/investment from achieving its objectives, this focus must remain throughout the analysis.

The SWOT analysis drives risk reports throughout the project development cycle. Reporting every external milestone brings clarity to any shifts in the marketplace.


Internal changes also generate a reason for more communication. This includes change control, hitting key milestones, and standing meetings.

SWOT Analysis Defined 


The SWOT acronym is Strengths, Weaknesses, Opportunities, and Threats. The strengths and weaknesses are a focused analysis of the company and its products. The opportunities and threats are the competitor's strengths and weaknesses.


The competitors' weakness reflects an opportunity for the company. This opportunity is a time when the company can capitalize on the competition's error.


The competitors' strength is a threat to the company. Any external product can become a threat if it is capable of blocking the project/investment from achieving its objectives.


Defining the Risks


Defining the risks associated with the project is the first step in risk control. Understanding the scope of the project informs a proactive approach to limit damages.


A brainstorming session can flesh out common risk factors like:



These are often covered under the business's standard risk assessment checklist.


The main risk classifications in business checklists include:



Other considerations for risk identification might include:



Step 2: Risk analysis


Once the project manager understands the risks, it is time to evaluate them. A matrix is the best way to assess the risk levels. It is helpful to include a stakeholder to validate the input. This will confirm each area of importance.


The stakeholder needs to agree with each area of risk analyzed. Without this agreement, the development of a contingency plan becomes futile.

It is also helpful to collaborate with the stakeholder to plan strategies that reduce the expected damages. Reviewing each contributing factor of the mitigation process leads to a measurable and acceptable strategy for the stakeholder.


Analyzing every risk component simplifies the risk resolution plan.


Step 3: Assessing risk impact


The level of risk impact must be determined. On the first pass, assess each level as critical or minor. Some project managers assess the impact as high, medium, or low. The second pass requires a more detailed approach, with the impact stated on a numeric scale.


The Risk Assessment Matrix brings clarity between two similar projects. This allows you to compare the weighting of risks and the probability of the risks playing out. This clarity can move a project outcome from severe to less critical.


The matrix reveals how the high-risk and low-risk factors impact each assessed issue: the more detailed the assessment, the more pronounced the mitigation plan.


Step 4: Risk prioritization


The prioritization process requires frequent updates. A rule of thumb is to update the risk prioritization every time there is a shift in the market or organizational trends.


Critical risk


The priority is critical risks. They need a prompt and active response to:



Major risk


The second priority is the high-risk items that sit lower on the probability and severity risk matrix. They are essential but are not critical.


Moderate risk


This risk level is not a high priority. The items are not used to develop a new process to resolve issues or bottlenecks in the process. This level informs managers to work around time constraints or perfect the quality of the deliverables.


Minor risks


Since everything has a risk level, minor risks are as low as you can get. While they, too, are essential, they are not of great concern. But the team should work to mitigate all risks as time and talent allow.


The matrix structure


To best inform your decisions, the matrix structure includes the probability of occurrence on the Y-axis. The resulting risk impact is on the X-axis. The combination of the two reflects a realistic representation of actual and natural risk.


The probability is expressed as a percentage, and the severity is defined in terms of probable impact. The populated matrix cells reveal these factors.


Severity color-coded


The matrix is color-coded so it can be read at a glance. The color-coding represents the impact, or risk severity. The critical risks can be color-coded in red. The major risk can be orange, the moderate risk can be green, and the negligible risk blue.


If a moderate risk has a higher-than-expected consequence, the seriousness of the situation may warrant color-coding the project red.

An example might be a moderate risk that is easy to execute unless a technical difficulty hits. Then it might increase due to severe injuries, damages, or financial loss. 


Probability percentages


The percentages represent the likelihood that the risk will happen. This combination gives you a quick visual cue to know exactly where each project stands at a glance.


The risk likelihood can be structured in 25% increments.



General risk zones


In addition to the probability and severity, there are three significant zones inside the matrix. Each noted risk is generalized into a high, medium, or low zone.


The low category is an acceptable low-risk zone and colored yellow. The moderate zone includes items that may not be accepted and are green. The critical zone, the red zone, holds the high-risk and unacceptable items.


The Risk Assessment Matrix makes the risk zones easy to spot and categorize. This results in clear and concise recommendations for a mitigation plan.
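The structure described above (probability in 25% bands on the Y-axis, four severity levels on the X-axis, three general zones) can be sketched in code. This is an added example, not part of the original article: the scoring rule and zone thresholds are assumptions, and the sample register and its probabilities are constructed.

```python
import math

# Severity levels from the page, lowest to highest (X-axis).
SEVERITIES = ["minor", "moderate", "major", "critical"]
# Zone colors as the page states them.
ZONE_COLORS = {"low": "yellow", "moderate": "green", "critical": "red"}

# Constructed sample register; the probabilities are illustrative only.
REGISTER = [
    {"name": "tank ventilation not functioning", "p": 40, "sev": "minor"},
    {"name": "corrosion of metallic tank parts", "p": 80, "sev": "major"},
    {"name": "power outage, no backup", "p": 30, "sev": "moderate", "escalate": True},
    {"name": "pesticide seepage", "p": 20, "sev": "critical"},
]


def probability_band(percent):
    """Map a likelihood percentage to a 25% band: 0-25 -> 1 ... 76-100 -> 4."""
    if not 0 <= percent <= 100:
        raise ValueError(f"probability must be 0-100, got {percent}")
    return max(1, math.ceil(percent / 25))


def zone(percent, severity, escalate=False):
    """Return the general risk zone for one risk.
    Score = band * severity rank (1..16). Thresholds are assumed, not from
    the page: <= 3 low, <= 8 moderate, above that critical. escalate=True
    models a moderate risk re-coded red after a worse-than-expected outcome.
    """
    score = probability_band(percent) * (SEVERITIES.index(severity) + 1)
    if escalate or score > 8:
        return "critical"
    return "low" if score <= 3 else "moderate"


def render_matrix():
    """Text grid: probability on the Y-axis (top = most likely), severity on X."""
    return [f"<={upper:>3}%  " + " ".join(zone(upper, s)[0].upper() for s in SEVERITIES)
            for upper in (100, 75, 50, 25)]


def prioritize(register):
    """Return (zone, color, name) tuples with critical-zone items first."""
    order = {"critical": 0, "moderate": 1, "low": 2}
    rows = []
    for r in register:
        z = zone(r["p"], r["sev"], r.get("escalate", False))
        rows.append((z, ZONE_COLORS[z], r["name"]))
    return sorted(rows, key=lambda row: order[row[0]])


if __name__ == "__main__":
    print(*render_matrix(), *prioritize(REGISTER), sep="\n")
```

In the rendered grid, L, M and C stand for the low, moderate and critical zones.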


Risk status


The risk status reports on the tracking of the above information and activities. The notation of the risk status includes it being:



Once a risk is discovered, the project manager marks its status. The review step includes the stakeholder in the discussion. The resulting meeting determines whether the stakeholder agrees with or rejects the risk.


To facilitate the status report, the project manager must understand what it takes to write an effective status report. The report is a communication tool to drive conversation and accountability.


Risk efficiency measurement


Once the team understands the risks and the matrix's prioritization, they rate their efficiency at detecting and mitigating the risk. Next, an audit measures the team's ability to refine their approach for effectiveness.


Risk audit


Like a financial audit, the risk audit is an independent measurement of risk status. An audit will address whether a team must improve their effectiveness (efficiency) or their company assessment process.

The audit does a deep dive to determine the granularity of risk elements assessed by project management and stakeholders: the more exhaustive the assessment, the fewer recommendations for change.


The audit will also assess to what degree the project management team is good at identifying risks within the company. This will even recognize any linkage of the risk to the organization at risk and the associated stakeholder.


Finally, the audit will assess the contingency plan and the effectiveness of any active mitigation process.


Assigned auditors


Independent technical experts conduct the audit. They need to be experts in the field and understand the principles of risk management. The auditors must also understand the company's policies and risk assessment practices.


The audit tasks include:



Risk metrics


The auditors will review the risk metrics. By monitoring the numbers throughout the closure process, auditors will gain insights into external issues impacting the project objectives.


The auditor will tally the number of actual risks that occurred, compare it to the number of risks that were identified, and assess the severity of the actual risks against the estimated risks.


Since each risk level requires a different amount of attention, the accidental labeling of a minor risk at a higher level increases the resources used to mitigate the unnecessary issue. Identifying the actual risks against the estimated ones will help the team avoid level creep while assisting them in understanding their accuracy rate.


The auditor will also assess how many risks had reoccurred during the life of the project. And finally, the auditor will compare the actual issues that surfaced during the project with the anticipated and documented risks.
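The tallies the auditor makes can be computed from a risk register and a log of the issues that surfaced. This is an added example, not from the original article; the record layout, the risk ids and all sample data are constructed, and grading each risk by its worst observed level is an assumption.

```python
from collections import Counter

LEVELS = ["minor", "moderate", "major", "critical"]  # the page's four levels

# Constructed sample data: the register as estimated before the project...
ESTIMATED = {
    "R1": "critical",
    "R2": "major",
    "R3": "moderate",
    "R4": "minor",
    "R5": "major",
}
# ...and the issues that actually surfaced: (risk id or None, actual level).
# None marks an issue that nobody had documented as a risk.
OCCURRED = [
    ("R1", "critical"),
    ("R2", "minor"),
    ("R2", "minor"),
    ("R3", "major"),
    (None, "moderate"),
]


def audit_metrics(estimated, occurred):
    """Compare documented risks with the issues that actually occurred."""
    hits = Counter(rid for rid, _ in occurred if rid is not None)
    unknown = set(hits) - set(estimated)
    if unknown:
        raise ValueError(f"occurrence references unknown risks: {sorted(unknown)}")
    # Worst observed level per risk, so a mild repeat cannot hide a bad event.
    worst = {}
    for rid, level in occurred:
        if rid is not None:
            worst[rid] = max(worst.get(rid, 0), LEVELS.index(level))
    over = sorted(r for r, a in worst.items() if LEVELS.index(estimated[r]) > a)
    under = sorted(r for r, a in worst.items() if LEVELS.index(estimated[r]) < a)
    return {
        "identified": len(estimated),
        "occurred": len(worst),
        "never_occurred": sorted(set(estimated) - set(worst)),
        "reoccurred": sorted(r for r, n in hits.items() if n > 1),
        "unanticipated": sum(1 for rid, _ in occurred if rid is None),
        "over_labelled": over,    # level creep: rated higher than it turned out
        "under_labelled": under,  # rated lower than it turned out
        "accuracy": (len(worst) - len(over) - len(under)) / len(worst) if worst else None,
    }
```

Risks that never occurred are reported separately because their estimated level cannot be checked against an actual outcome.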


The audit report 


A good audit report informs the project management team about their accuracy in identifying potential problems and assigning the right level of probability, severity, and general risk zone. The more critical notes include recommendations for correcting the process.


The report also informs stakeholders to be more alert toward future activities and issues. The project management team can recalibrate their operations. This results in more accurate recommendations and future resources required to mitigate risk.


The report empowers the project manager and the stakeholder to develop a strategic risk mitigation program based on experience and actual market conditions.


Benefits of a risk assessment matrix


A Risk Assessment Matrix is a visual depiction of the risks affecting your company's projects. This tool empowers the project manager to proactively limit damages that can hinder the project objectives. The Risk Assessment Matrix curtails risks using the recorded probability, severity, and risk zones.


Risk control empowers the team to diminish the risks proactively. Focusing on uncertain circumstances upfront reduces adverse outcomes. From another vantage point, the issues that are bottlenecks in the process can be circumvented to optimize project performance.

It is beneficial to identify and prioritize project milestones and outcomes. These findings are then tracked and analyzed.


The matrix provides a quick visual snapshot of risks across the project, simplifies the risk mitigation process to give more time to focus on high-risk issues, and helps determine new areas of risk reduction.


Tools like the Risk Assessment Matrix are beneficial, especially since key associations recommend and support them.


The International Project Management Association (IPMA-USA) works to help improve performance and business results. Their goal is to standardize as many risk reduction processes and analysis practices as possible. They work with the National Institute of Standards and Technology (NIST) to manage the physical standards.


Risk assessment matrix case study—drinking water


Here is a good Risk Assessment Matrix example.


The TECHNEAU project in Europe carried out several risk assessment case studies at different water systems. The objective was to implement and test several methods of risk analysis. This case study reflects the drinking water system in Březnice, Czech Republic, located about 80 km southwest of Prague.


The analysis identified hazardous events that could influence the quality of the distributed water. This was assessed from the standpoint of noncompliance with the national drinking water standards and risks that might compromise the consumer's health. There were 47 different hazardous events identified and evaluated.


For each identified hazardous event, the likelihood (probability) and the consequences (impact or severity) were assessed using a scale of four categories using a risk assessment matrix. The levels addressed included extreme, high, moderate, and low. These events were slotted based on a combination of probability and severity.


The water utility and the Water Safety Plans teams determined that extreme risk (1 event) and high risk (15 events) were unacceptable and required risk reduction steps. The mitigation process for the moderate risk levels (16 events) was driven by the ALARP (as low as reasonably practicable) rule of thumb. Each of these events was to be monitored and discussed on a one-on-one basis.


The low-risk levels (12 events) were acceptable. Also acceptable were several of the moderate levels with no financial, technological, or workable ways to reduce the risk. But again, the moderate levels were monitored in case conditions or circumstances changed.


A sampling of hazardous events


A sampling of the hazards identified included the risk of sabotage and defects in the reservoirs and storage tanks. The most significant finding was the corrosion of the metallic parts in the tanks.


Also identified were power outages, a lack of backup equipment, nonfunctioning ventilation of the tanks, and leakage of the tanks. They learned that the tanks were not on a reoccurring schedule or checked for cracks.


The lack of maintenance generated many hazardous events. The events included:



The Risk Assessment Matrix simplified the management of this project at a glance. The extreme risk and high-risk categories were easily spotted. A risk mitigation plan was immediately implemented.


The implementation team included members of the Regional Public Health Authority. Further examination of the Risk Assessment Matrix drove the project management team to consider the surrounding physical locations.

Consideration was also given to its impact on the existing hazardous areas. The team suspected that pesticides from local farms were seeping into the water supply. Specialized testing proved that all the pesticides were below the detection limit.


This area of concern wouldn't have been considered if it wasn't for the Risk Assessment Matrix. Since this risk can't be entirely discarded due to the chemicals' uncertainties, they will continue to be measured to determine the impact on the surrounding soil.


The moderate risks


Risks discussed with stakeholders included the category of moderate. The conversation reviewed the economics and technology of mitigation. The vast majority of the issues received labels based on their sensitivity levels.


The causes of uncertainty included the lack of knowledge and the variability of the parameters.


The stakeholders gave the project management team a better understanding of the limitations. The project management team focused on the reliability of the hazard identification and the risk assessment. This part of the process was not quantitative but semi-quantitative—in other words, it was subjective.


The uncertainty was more related to the probability of the consequences identified. While it was clear that some of the hazardous events existed, there was no evidence of how often they occurred. Nor was it possible to verify all of them.


Then there were the hazardous events that may happen. But since they haven't yet happened, it was difficult to assess the reliability of the probability. Therefore, the team mitigated what they could and monitored everything else moving forward.


Risk evaluation


The water utility had not developed any risk tolerability criteria. This was unacceptable, as it would lead to risk creep, in which lower levels of risk inch up to higher levels. The Water Safety Plans and the Regional Public Health Authority agreed that the project management team would develop risk mitigation plans.


The plans included the hazardous events categorized as extreme and high-risk levels.


The tracking and research of hazardous events were determined with the help of the Risk Assessment Matrix. The clear visual made it easy to oversee the status of many risk factors.


Risk assessment matrix


Excel-based Risk Assessment Matrix templates are standard in most industries. There are also several companies using online services that automate some of the project manager's activities. 


The key to most success stories is the stakeholder meetings that bring clarity to the identified risks. A secondary factor leading to success is accurately assessing risk events at the correct level. Lower risks that are marked at a higher level absorb too many resources and increase team concerns.


The Risk Assessment Matrix alleviates many of the concerns by driving more communication. The more information that crosses the project manager's and stakeholders' path, the less likely an error will hinder the project management team from controlling and mitigating any given risk event.
