How to Use a Risk Assessment Matrix [with Template]

Learn how to organize your risk management process better with the help of risk assessment templates. Plus, download your own risk assessment form and matrix below.

Posted by Katie Yahnke on July 16th, 2018

What is a Risk Assessment?

A risk assessment identifies and evaluates the threats and risks of a specified situation. If you’re aware of a potential hazard, it’s easier to either reduce the harm it causes or (ideally) prevent it completely than to deal with the consequences.

Download our Risk Assessment Form & Matrix Template to help keep things organized for the upcoming steps.

This systematic process can uncover glaring risks of fraud, gaps in security or threats to staff wellbeing before it’s too late. It can also mean the difference between a new undertaking being a success or a failure. One catastrophic risk that goes unnoticed can put an immediate stop on any project or event.


Benefits of a Risk Assessment

Conducting a risk assessment has moral, legal and financial benefits.

In 2016, a school in Brentwood, England pleaded guilty after failing to comply with health and safety regulations. A 63-year-old employee was working on the roof when his foot got caught, causing him to fall nearly 10 feet. The man suffered a broken collarbone and chipped vertebrae, among other injuries.

Upon investigation, the Health and Safety Executive (HSE) in Britain determined that the work was being carried out in an unsafe manner and that no safety arrangements were in place for this type of work. The school was required to pay a fine of £40,000 (~$53,000 USD) and £1,477 (~$2,000) in costs.

If the school had carried out a risk assessment, they would’ve identified and been able to avoid this hazard. Instead, they failed to provide a safe workplace and, for that, faced legal repercussions, steep fines and a hit to their reputation.

How to Conduct a Risk Assessment

To conduct your own risk assessment, begin by defining a scope of work. Maybe you want to improve health and safety measures in the shipping warehouse. Or, perhaps you want to identify areas of risk in the finance department to better combat employee theft and fraud. Whatever your objective, define it clearly.

If you do identify risks, you’ll want to create a prevention plan. Download the Root Cause Analysis Tools Cheat Sheet to learn more about prevention with root cause analysis.

Note: Remember to modify the risk assessment forms to include details specific to your field. For example, a health risk assessment may want to look at vulnerability instead of likelihood. A data security risk assessment may want to list hazard locations (e.g., internal or external).

Step 1: Identify Hazards

Relating to your scope, brainstorm potential hazards. The list should be long and comprehensive and may include anything from falls and burns, to theft and fraud, to pollution and societal damage.



Step 2: Calculate Likelihood

For each hazard, determine the likelihood it will occur. This can be measured as a probability (a 90 per cent chance) or as a frequency (twice a year). Then, based on the likelihood, choose which bracket accurately describes the probability:


1. Unlikely

An unlikely hazard is extremely rare: there is a less than 10 per cent chance that it will happen.


2. Seldom

Seldom hazards are those that happen about 10 to 35 per cent of the time.


3. Occasional

An occasional hazard will happen between 35 and 65 per cent of the time.


4. Likely

A likely hazard has a 65 to 90 per cent probability of occurring.




5. Definite

These hazards will occur 90 to 100 per cent of the time. You can be nearly certain it will manifest.

Step 3: Calculate Consequences

In the same fashion as above, calculate potential loss using either quantitative measurements (dollar), qualitative measurements (descriptive scale) or a mix of both. Then, based on the magnitude of the consequences, choose which bracket accurately describes the losses:


1. Insignificant

The consequences are insignificant and may cause a near negligible amount of damage. This hazard poses no real threat. Examples: loss of $1K, no media coverage and/or no bodily harm.


2. Marginal

The consequences are marginal and may cause only minor damage. This hazard is unlikely to have a huge impact. Examples: loss of $10K, local media coverage and/or minor bodily harm.




3. Moderate

The consequences are moderate and may cause a sizeable amount of damage. This hazard cannot be overlooked. Examples: loss of $100K, regional media coverage and/or minor bodily harm.


4. Critical

The consequences are critical and may cause a great deal of damage. This hazard must be addressed quickly. Examples: loss of $1M, national media coverage, major bodily harm and/or police involvement.


5. Catastrophic

The consequences are catastrophic and may cause an unbearable amount of damage. This hazard is a top priority. Examples: loss of $10M+, international media coverage, extreme bodily harm and/or police involvement.

Step 4: Calculate Risk Rating

Assign each hazard a corresponding risk rating, based on the likelihood and impact you’ve already calculated. For example, a hazard that is very likely to happen and will have major losses will receive a higher risk rating than a hazard that’s unlikely and will cause little harm.

Risk ratings are based on your own opinion and divided into four brackets. They are:


1. Low

Low risks can be ignored or overlooked as they usually are not a significant threat. A definite hazard with insignificant consequences, such as stubbing your toe, may be low risk.


2. Medium

Medium risks require reasonable steps for prevention but they’re not a priority. A likely hazard with marginal consequences, such as a small fall, may be medium risk.




3. High

High risks call for immediate action. An occasional hazard with critical consequences, such as a major car accident, may be high risk.


4. Extreme

Extreme risks may cause significant damage, will definitely occur, or a mix of both. They’re a high priority. An unlikely hazard with catastrophic consequences, such as an aircraft crash, is an extreme risk.

Step 5: Create an Action Plan

Your risk action plan will outline steps to address a hazard, reduce its likelihood, reduce its impact and respond if it occurs.

Experience a near miss? Don’t forget to document that as a risk. Download the Near Miss Reporting Form Template to keep track and manage near-misses.

Depending on the severity of the hazard, you may wish to include notes about key team members (i.e., project manager, PR or Communications Director, subject matter expert), preventative measures, and a response plan for media and stakeholders.



Step 6: Plug Data into Matrix

A risk assessment matrix simplifies the information from the risk assessment form, making it easier to pinpoint major threats in a single glance. This convenience makes it a key tool in the risk management process.



Every risk assessment matrix has two axes: one measures the impact of the consequences and the other measures likelihood.

To use a risk matrix, extract the data from the risk assessment form and plug it into the matrix accordingly.


  • Green is low risk
  • Yellow is medium risk
  • Orange is high risk
  • Red is extreme risk

Fraud Risk Matrix Sample

Anticipating fraud and theft is a crucial component of a company’s antifraud efforts. Developing a risk assessment helps you identify hazards proactively so you can take precautionary measures or, if required, create a risk response plan.

For a list of all fraud risks, check out our 41 Types of Fraud guide.

Examples of hazards that may need to be addressed in your risk assessment include:

  • Asset misappropriation (check fraud, billing schemes, theft of cash)
  • Fraudulent statements (misstatement of assets, holding books open)
  • Corruption (kickbacks, bribery, extortion)
  • Conflicts of interest

Health and Safety Risk Matrix Sample

A health and safety risk assessment is important for industries like construction, manufacturing or science labs where work takes place in potentially dangerous environments.

In a warehouse, for example, workers are at risk of many hazards such as:

  • Severe or fatal injury from falling
  • Repetitive strain injuries from manual handling
  • Sprains and fractures from slips and trips
  • Being crushed by falling objects
  • Being hit by (or falling out of) lift trucks
  • Crush injuries or cuts from large machinery
  • Moving parts of a conveyor belt resulting in injury
  • Exposure to hazardous substances

Health and safety risk assessments must also include things like workplace violence and other dangerous employee misconduct.

Project Risk Matrix Sample

Any project, event or activity must undergo a thorough risk assessment to identify and assess potential hazards. Once these risks are better understood, the team can make a prevention and mitigation plan to arm themselves against the hazard.

Brainstorm hazards in several categories such as:

  • Technical (data breach)
  • Cost (funding falls through)
  • Contractual (modified requirements)
  • Weather (natural disaster)
  • Environmental (oil spill)
  • People (illness, resignation)

Next Steps & Responding to Risks

Once you have finished your plan, determine your action steps. You can choose to “accept” the risk if the cost of countermeasures will exceed the estimated loss.

Harm reduction is a second option. To reduce the consequences of risk, develop a mitigation plan to minimize the potential for harm.

The third option is to avoid the risk. For catastrophic disasters, preventing the risk from occurring at all is the best (and often only) course of action.

However you plan to deal with the risks, your assessment is an ongoing evaluation and must be reviewed regularly. Experts recommend updating your risk assessment at least once a year, and perhaps more often depending on your unique situation.

Katie Yahnke

Marketing Writer

Katie is a former marketing writer at i-Sight. She writes on topics that range from fraud, corporate security and workplace investigations to corporate culture, ethics and compliance.
