A simple guide to the risk matrix

A qualitative risk assessment matrix

The purpose of risk analysis

The purpose of risk analysis is to understand the true nature of the risk and its characteristics, such as causal factors, likelihood and impact. The likelihood and impact dimensions can be combined to quantify the risk level, which supports prioritisation and comparison with appetite boundaries.

Risk management occurs in constrained systems, necessitating tradeoffs and consideration of opportunity costs. Risk analysis is an important input to this decision-making process, as it provides top management with information to make informed decisions, i.e. to allocate scarce resources or to enable risk taking up to risk appetite thresholds.

Additionally, knowledge of causal factors can be used to inform risk treatment options, including risk avoidance, removing the risk source, and design and implementation of preventive controls.

Qualitative Risk Analysis

A qualitative risk analysis involves the use of expert judgement and perception.

Risk Matrix

A popular qualitative method uses a risk matrix to combine separate estimates of likelihood and impact to determine the level of risk. The levels of risk, or the risk criteria, are developed as part of policy, and consider business objectives and context.

Table 1. An example of a qualitative impact matrix.

Table 2. An example of a 5x5 risk matrix, illustrating how to combine likelihood and impact to determine the risk level (low, medium, high, and extreme). Risk appetite can be overlaid, for example with the High and Very High risk levels representing risks outside of appetite.

Risk levels can also be used to delegate decision making authority to organisational roles.

Table 3. Decision matrix providing guidance on appetite, response, reporting and delegation.
