
How to Use a Risk Assessment Matrix [with Template]

Learn how to organize your risk management process better with the help of risk assessment templates. Plus, download your own risk assessment form and matrix below.

Posted by Ann Snook on April 22nd, 2022

Your organization is facing health & safety, HR, fraud, and other types of incidents. Conducting an organizational risk assessment has moral, legal, and financial benefits, and can help you prevent these incidents.

Consider this example: in 2022, a refining company agreed to one of the largest wrongful-death settlements in history, paying $104.9 million to the family of one of its workers.

While working at a facility in Louisiana, the victim was trapped in a fire after a worker used a side-grinder above, sending sparks raining down on him. The flames burned through his safety lanyard, causing him to fall 80 feet, hitting his head on scaffolding on the way down.

In addition to the legal settlement, the company was cited with an OSHA violation and fined over $12,000.

Had the company proactively carried out a risk assessment, they would’ve identified and been able to avoid this hazard. They would have understood the possibility of rogue sparks and installed barriers to stop them, or not placed another worker below the grinder’s work station.

Instead, they failed to provide a safe workplace and, for that, faced legal repercussions, steep fines, and a hit to their reputation.

To ensure a similar outcome doesn’t happen to your company, we’ve created this step-by-step guide to conducting a risk assessment. Follow along to identify, analyze, and prevent hazards in your workplace so you can protect your employees and your organization.

 



What is a Risk Assessment?

A risk assessment is “a process to identify potential hazards and analyze what could happen if a hazard occurs” (Ready.gov). Its aim is to help you uncover risks your organization could encounter.

Knowing potential hazards makes it easier to either reduce the harm they cause or (ideally) prevent incidents completely, rather than dealing with the consequences afterwards.

This systematic process can uncover glaring risks of fraud, gaps in security, or threats to staff wellbeing before it’s too late. It can also mean the difference between a new project, policy, or process being successful or failing. One catastrophic risk that goes unnoticed could put an immediate stop on any project or event.

 

Benefits of a Risk Assessment

 

Risk assessments cost time and money to conduct. So why should you bother? The benefits of a risk assessment far outweigh any inconvenience because they can help you avoid incidents, fines, lawsuits, and negative media attention.

Benefits of risk assessments include:

  • Money saved: Picking up the pieces after a cyberattack, break-in, fire, or act of workplace violence is stressful and can cost thousands of dollars; a risk assessment costs far less.
  • Fewer lawsuits: By preventing incidents, you won’t have to deal with injured or disgruntled employees seeking legal action.
  • Lower risk of non-compliance: Eliminate risks above and beyond compliance requirements to avoid penalties from regulatory bodies.
  • Safe, happy employees: When employees see you’re making their safety and well-being a top priority, they’ll likely want to stick around, which leads to another benefit . . .
  • Lower turnover rate
  • Positive organizational reputation: Customers and clients want to do business with companies that operate safely, ethically, and fairly.


How to Conduct a Risk Assessment

To conduct your risk assessment, begin by defining its scope.

Maybe you want to improve health and safety measures in the shipping warehouse. Or perhaps you want to identify areas of risk in the finance department to better combat potential employee theft and fraud.

Whatever your objective, define it clearly. Conduct separate risk assessments for each goal, department, or project to keep things organized.

Note: Remember to modify the risk assessment forms to include details specific to your field. For example, a data security risk assessment might list hazard locations (e.g., internal or external).


Step 1: Identify Hazards

Brainstorm potential hazards related to your scope. The list should be long and comprehensive. It could include anything from falls and burns, to theft and fraud, to pollution and societal damage, depending on the scope of your risk assessment.

 


Step 2: Calculate Likelihood


For each hazard, determine the likelihood it will occur. This can be measured as a probability (a 90 per cent chance) or as a frequency (twice a year).

Then, based on the likelihood, choose which bracket accurately describes the probability:

 

1. Unlikely

An unlikely hazard is extremely rare. There is a less than 10 per cent chance that it will happen. For example, a blizzard is unlikely to happen at your office in Florida.

 

2. Seldom

Seldom hazards are those that happen about 10 to 35 per cent of the time. For instance, you might determine financial kickbacks seldom happen because you work with very few external vendors.

 

3. Occasional

An occasional hazard will happen between 35 and 65 per cent of the time. For example, strains from repetitive motions could be occasional for your warehouse employees.

 

4. Likely

A likely hazard has a 65 to 90 per cent probability of occurring. For instance, employee theft is likely to happen in a retail store that sells high-priced goods.

 

 

5. Definite

These hazards will occur 90 to 100 per cent of the time. You can be nearly certain they will manifest. For example, a hurricane will definitely happen at your office in coastal Florida.


Step 3: Calculate Consequences

Next, in the same fashion as above, calculate potential loss using either quantitative measurements (dollars lost or spent), qualitative measurements (descriptive scale) or a mix of both.

Then, based on the magnitude of the consequences, choose which bracket accurately describes the losses.

 

1. Insignificant

The consequences are insignificant and may cause a near negligible amount of damage. This hazard poses no real threat. Examples: loss of $1K, no media coverage, and/or no bodily harm to employees or customers.

 

2. Marginal

The consequences are marginal and may cause only minor damage. This hazard is unlikely to have a major impact. Examples: loss of $10K, local media coverage, and/or minor bodily harm (e.g. cuts, scrapes, sprains, minor burns).

 


3. Moderate

The consequences are moderate and may cause a sizeable amount of damage. This hazard cannot be overlooked. Examples: loss of $100K, regional media coverage and/or minor bodily harm.

 

4. Critical

The consequences are critical and may cause a great deal of damage. This hazard must be addressed quickly. Examples: loss of $1M, national media coverage, major bodily harm and/or police involvement.

 

5. Catastrophic

The consequences are catastrophic and may cause an unbearable amount of damage. This hazard is a top priority. Examples: loss of $10M+, international media coverage, extreme bodily harm and/or police involvement.



Step 4: Calculate Risk Rating


Assign each hazard a corresponding risk rating, based on the likelihood and impact you’ve already calculated. For example, a hazard that is very likely to happen and will have major losses will receive a higher risk rating than a hazard that’s unlikely and will cause little harm.

Risk ratings are based on your own opinion and divided into four brackets. They are:

 

1. Low

Low risks can be ignored or overlooked as they usually are not a significant threat. A definite hazard with insignificant consequences, such as stubbing your toe, may be low risk.

 

2. Medium

Medium risks require reasonable steps for prevention but they’re not a priority. A likely hazard with marginal consequences, such as a small fall, may be medium risk.

 

 

3. High

High-level risks call for immediate action. An occasional hazard with critical consequences, such as a major vehicle crash, may be high risk. Examples: severe bodily harm (e.g. broken bones, third-degree burns, concussions), severe property damage, large data breach, national media coverage.

 

4. Extreme

Extreme risks may cause significant damage, will definitely occur, or a mix of both. They’re top priority. An unlikely hazard with catastrophic consequences, such as an aircraft crash, is an extreme risk. Examples: death, property destruction, complete data breach.



Step 5: Create an Action Plan

Your risk action plan will outline steps to address each hazard, reduce its likelihood, reduce its impact, and respond if it occurs.

Depending on the severity of the hazard, you may wish to include notes about:

  • Key team members (e.g. project manager, PR or Communications Director, subject matter expert) and their responsibilities if the hazard occurs
  • Preventative measures
  • A response plan for media and stakeholders (e.g. customers, vendors, clients, shareholders, board members)

 


Step 6: Plug Data into Matrix

A risk assessment matrix simplifies the information from the risk assessment form, making it easier to pinpoint major threats in a single glance. This convenience makes it a key tool in the risk management process, as it helps you make decisions faster and more easily.

 

 

Every risk assessment matrix has two axes: one that measures the consequence impact and another that measures likelihood.

To use a risk matrix, extract the data from the risk assessment form and plug it into the matrix accordingly. Simply find the square where the hazard’s consequence rating and likelihood meet, and you can see the risk level it falls under.

 

Green is low risk
Yellow is medium risk
Orange is high risk
Red is extreme risk
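
Steps 2 through 6 as a short script, which classifies each hazard's probability into a likelihood bracket, reads its rating off a matrix, and sorts the register by severity. This is an added example, not part of the original article or its templates. The matrix cells are an assumption (only the four pairings given in Step 4 come from the article), as is placing a boundary percentage in the higher bracket, and the register rows are constructed.

```python
from bisect import bisect_right

LIKELIHOODS = ["Unlikely", "Seldom", "Occasional", "Likely", "Definite"]
CONSEQUENCES = ["Insignificant", "Marginal", "Moderate", "Critical", "Catastrophic"]
RATINGS = ["Low", "Medium", "High", "Extreme"]  # green, yellow, orange, red
# Step 2 bracket edges (per cent); a boundary value goes to the higher bracket (assumption).
BRACKET_EDGES = [10, 35, 65, 90]

# ASSUMED matrix: row = consequence, column = likelihood (Unlikely..Definite), value
# indexes RATINGS. Only the four commented cells come from the article's Step 4.
MATRIX = {
    "Insignificant": [0, 0, 0, 0, 0],  # Definite + Insignificant = Low
    "Marginal":      [0, 0, 1, 1, 1],  # Likely + Marginal = Medium
    "Moderate":      [0, 1, 1, 2, 2],
    "Critical":      [1, 2, 2, 3, 3],  # Occasional + Critical = High
    "Catastrophic":  [3, 3, 3, 3, 3],  # Unlikely + Catastrophic = Extreme
}

def likelihood_bracket(percent):
    """Map a probability in per cent to a Step 2 likelihood bracket."""
    if not 0 <= percent <= 100:
        raise ValueError(f"probability out of range: {percent}")
    return LIKELIHOODS[bisect_right(BRACKET_EDGES, percent)]

def risk_rating(likelihood, consequence):
    """Step 6: the cell where the likelihood column meets the consequence row."""
    return RATINGS[MATRIX[consequence][LIKELIHOODS.index(likelihood)]]

def product_score(likelihood, consequence):
    """Naive 1-5 times 1-5 score, included only to compare against the matrix."""
    return (LIKELIHOODS.index(likelihood) + 1) * (CONSEQUENCES.index(consequence) + 1)

def prioritize(register):
    """Rate (hazard, percent, consequence) rows and sort the most severe first."""
    rated = [(h, likelihood_bracket(p), c) for h, p, c in register]
    rated = [(h, b, c, risk_rating(b, c)) for h, b, c in rated]
    return sorted(rated, key=lambda row: RATINGS.index(row[3]), reverse=True)

# Constructed sample register: hazards named in the article, numbers invented.
REGISTER = [
    ("Repetitive strain in warehouse", 50, "Marginal"),
    ("Employee theft in retail store", 80, "Moderate"),
    ("Complete data breach", 5, "Catastrophic"),
    ("Stubbed toe", 95, "Insignificant"),
]

if __name__ == "__main__":
    for hazard, bracket, consequence, rating in prioritize(REGISTER):
        print(f"{rating:8} {hazard} ({bracket}, {consequence})")
```

product_score gives 5 to both the Definite/Insignificant pairing (rated Low in Step 4) and the Unlikely/Catastrophic pairing (rated Extreme), so a plain likelihood × consequence product cannot reproduce the article's ratings; the rating has to come from the matrix.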

Fraud Risk Matrix Sample

Anticipating both internal and external fraud and theft is a crucial component of any company’s antifraud efforts. Developing a risk assessment helps you identify hazards proactively so you can take precautionary measures or, if required, prepare a fraud response plan.

Examples of hazards that may need to be addressed in your fraud risk assessment include:

  • Asset misappropriation (check fraud, billing schemes, theft of cash)
  • Fraudulent statements (misstatement of assets, holding books open)
  • Corruption (kickbacks, bribery, extortion)
  • Conflicts of interest
  • Data theft
  • IP/trade secret theft

 


Health and Safety Risk Matrix Sample

A health and safety risk assessment is important for industries like construction, manufacturing, or science labs where work takes place in potentially dangerous environments.

In a warehouse, for example, workers are at risk of many hazards such as:

  • Severe or fatal injury from falling
  • Repetitive strain injuries from manual handling
  • Sprains and fractures from slips and trips
  • Being crushed by falling objects
  • Being hit by (or falling out of) lift trucks
  • Crush injuries or cuts from large machinery
  • Moving parts of a conveyor belt resulting in injury
  • Exposure to hazardous substances

 

However, workplaces in every industry can benefit from health and safety risk assessments.

They must also include things like workplace violence and other dangerous employee misconduct, infectious disease transmission, air quality, and ergonomic concerns.


Project Risk Matrix Sample

Before you kick off any project, event, or activity in your organization, conduct a thorough risk assessment to identify and assess potential hazards. Once these risks are better understood, your team can plan how best to prevent and mitigate them.

Brainstorm hazards in several categories, including:

  • Technological (data breach, service outage)
  • Cost (funding falls through, go over budget)
  • Contractual (modified requirements, contractor pulls out)
  • Weather (tornado, wildfire)
  • Environmental (oil spill, air pollution)
  • People (illness, resignation)

Next Steps & Responding to Risks

Once you have finished your plan, determine how to action each step. What exactly needs to be done to mitigate or prevent the hazard? Who needs to complete these tasks? When should each task be completed by?

Harm reduction is a second option. You can choose to “accept” the risk if the cost of countermeasures will exceed the estimated loss. To reduce the consequences of the risk, develop a mitigation plan to minimize the potential for harm.

The third option is to avoid the risk. For catastrophic disasters such as a workplace shooting or a fire, taking every possible step to prevent the risk from occurring at all is the best (and often only) course of action.

However you plan to deal with the risks, your assessment is an ongoing evaluation and must be reviewed regularly. Experts recommend updating your risk assessment at least once a year, and perhaps more often depending on your unique situation.



Ann Snook

Marketing Writer

Ann is a marketing writer at i-Sight Software. She writes about issues related to investigations of fraud, employee misconduct, corporate security, Title IX, ethics & compliance and more.
