How to calculate your business risk using a Risk Assessment Matrix

Filed under: Compliance Management, Entity Management, General Counsel, Legal Risk Management, Reporting
Pulling together a risk management plan for your company is no easy feat. First, you need to identify the full gamut of risks that could affect your business. Then gathering and compiling the necessary information takes time and resources. But arguably the most important step is calculating the level of each risk by building a Risk Assessment Matrix: this is the output the business takes away from the assessment and acts on, and it needs expertise and sound analysis if the findings are to be accurate and credible. Risk assessment is a systematic approach to measuring, ranking, comparing and prioritizing risk in a consistent way across your company. According to ISO 31000:2009, risk is "expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence" [Clause 2.1]. Risk is therefore measured as a function of two things: the likelihood that the identified cause(s) trigger an event, and the impact of its consequences. The Risk Assessment Matrix is the tool that combines the two in a consistent, repeatable way. This post explains how to create a Risk Assessment Matrix using a 5-point rating scale that you can customize to your organization.

Calculating the Likelihood of Risk

The likelihood of an occurrence can be rated in qualitative terms or in quantitative terms such as the probability of an event or its frequency over a specified time frame. For example, you can describe the probability of an event occurring over the life of the project or asset, or the frequency with which it has occurred historically (say, once every N years). Keep in mind that the assessment criteria, whether probability or frequency, should be tailored to the nature of the risk you are assessing and the potential causes you have identified. Here is an example of a 1 to 5 rating scale with both qualitative and quantitative definitions:

1 = Rare (less than once in 100 years / less than 10% chance)
2 = Unlikely (once in 50-100 years / 10-35% chance)
3 = Possible (once in 25-50 years / 35-65% chance)
4 = Likely (once in 2-25 years / 65-90% chance)
5 = Frequent/almost certain (more than once in 2 years / more than 90% chance)

Note that adjacent bands in a scale like this share their end points (exactly once in 25 years, or exactly a 35% chance, falls in two bands as written). Decide up front which band a boundary value belongs to, so that different assessors rate the same risk the same way.

Calculating the Impact of a Risk If It Occurred

Just like likelihood, the impact or consequence of an occurrence can be rated in qualitative or quantitative terms. Depending on the nature of the risk, the impact can be tied to a variety of consequences: finances, health and safety, security, regulatory exposure, operations, reputation and human resources. These too can be rated on a scale of 1 to 5 by severity:

1 = Insignificant
2 = Minor
3 = Moderate
4 = Major
5 = Catastrophic

A best practice is to assess impact across all relevant consequence areas and assign the rating of the area where the impact is greatest, so that a risk with minor financial impact but a major security or regulatory consequence is not under-rated.

Likelihood by Impact = the Risk Assessment Matrix

After evaluating likelihood and impact, you are ready to present the level of each risk in the form of a Risk Assessment Matrix, with actionable items assigned to each risk. The likelihood rating is plotted against the impact rating; the cell where they meet gives the level of risk, and the product of the two ratings (1 to 25) gives a score you can use to rank risks against each other. An example of a Risk Assessment Matrix could look something like this.

[Figure: Risk Assessment Matrix for businesses]

Would you like to get started on your business's Risk Management Plan, including your own Risk Assessment Matrix? Download our free detailed whitepaper: 7 Steps to Legal Risk Management for General Counsel.
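To make the three steps above concrete (rating likelihood from a return period or a probability, rating impact as the worst consequence across areas, and multiplying the two into a matrix score), here is an added Python example. It is not code from the original post or its authors. The likelihood and impact bands are the ones given in this post; the mapping of shared band end points to the more likely band, the Low/Medium/High/Extreme score bands and the sample risk register are assumptions made for this example.

```python
"""Score a small risk register with a 5 x 5 likelihood-by-impact matrix.

Added example. Likelihood and impact bands follow the post; the boundary
rule, the Low/Medium/High/Extreme score bands and the sample register are
assumptions made here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

IMPACT_AREAS = ("finances", "health_safety", "security", "regulatory",
                "operations", "reputation", "human_resources")
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely",
                     5: "Frequent/almost certain"}
IMPACT_LABELS = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major",
                 5: "Catastrophic"}


def likelihood_from_return_period(years: float) -> int:
    """Map 'once in N years' to the 1-5 scale.

    The post's bands share end points (25 years is both 'once in 2-25' and
    'once in 25-50'); a shared end point goes to the more likely band here
    (assumption), so a boundary case is never under-rated.
    """
    if years <= 0:
        raise ValueError("return period must be positive")
    if years < 2:
        return 5      # more than once in 2 years
    if years <= 25:
        return 4      # once in 2-25 years
    if years <= 50:
        return 3      # once in 25-50 years
    if years <= 100:
        return 2      # once in 50-100 years
    return 1          # less than once in 100 years


def likelihood_from_probability(p: float) -> int:
    """Map a probability over the project/asset lifetime to the 1-5 scale."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if p < 0.10:
        return 1
    if p < 0.35:
        return 2
    if p < 0.65:
        return 3
    if p < 0.90:
        return 4
    return 5


def impact_rating(consequences: Dict[str, int]) -> int:
    """Rate impact as the worst consequence across the areas assessed."""
    if not consequences:
        raise ValueError("rate at least one consequence area")
    for area, rating in consequences.items():
        if area not in IMPACT_AREAS:
            raise ValueError(f"unknown impact area: {area}")
        if rating not in IMPACT_LABELS:
            raise ValueError(f"impact rating out of range for {area}: {rating}")
    return max(consequences.values())


def risk_score(likelihood: int, impact: int) -> int:
    """Matrix cell value: likelihood times impact, 1 to 25."""
    if likelihood not in LIKELIHOOD_LABELS or impact not in IMPACT_LABELS:
        raise ValueError("ratings must be integers from 1 to 5")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Band a 1-25 score. Thresholds are an assumption for this example."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 16:
        return "High"
    return "Extreme"


@dataclass
class Risk:
    name: str
    consequences: Dict[str, int]
    return_period_years: Optional[float] = None
    probability: Optional[float] = None

    def likelihood(self) -> int:
        if (self.return_period_years is None) == (self.probability is None):
            raise ValueError("give exactly one of return period or probability")
        if self.return_period_years is not None:
            return likelihood_from_return_period(self.return_period_years)
        return likelihood_from_probability(self.probability)


def assess(register: List[Risk]) -> List[dict]:
    """Score every risk and rank the register, highest score first."""
    rows = []
    for r in register:
        lik, imp = r.likelihood(), impact_rating(r.consequences)
        score = risk_score(lik, imp)
        rows.append({"name": r.name, "likelihood": lik, "impact": imp,
                     "score": score, "level": risk_level(score)})
    rows.sort(key=lambda row: (-row["score"], -row["impact"], row["name"]))
    return rows


# Constructed sample register for this example (not real company data).
SAMPLE_REGISTER = [
    Risk("Ransomware takes the order system offline",
         {"operations": 4, "finances": 3, "reputation": 3}, probability=0.40),
    Risk("Flood reaches the primary data centre",
         {"operations": 5, "finances": 4}, return_period_years=60),
    Risk("Unencrypted laptop lost in transit",
         {"security": 3, "regulatory": 3}, return_period_years=1),
    Risk("Key supplier becomes insolvent",
         {"finances": 3, "operations": 2}, return_period_years=30),
    Risk("Minor website defacement",
         {"reputation": 2, "security": 2}, probability=0.15),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f'{row["score"]:>2} {row["level"]:<7} L{row["likelihood"]} '
              f'x I{row["impact"]}  {row["name"]}')
```

Running the example ranks the annually recurring laptop loss (5 x 3 = 15) above the catastrophic but rare flood (2 x 5 = 10), which is the point of multiplying likelihood by impact rather than ranking on severity alone. It also shows why the boundary rule matters: a "once in 25 years" event is rated Likely here, and a different rule would put it one row lower in the matrix.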