A risk assessment matrix is an important part of the risk management decision-making process. As part of the risk management process, organizations need to set objectives, catalog assets, define risks, assess risks, analyze risks, set risk tolerance levels, and find ways to mitigate risks.
The risk matrix is a way to increase the visibility of risks by multiplying the likelihood that an event will occur by the impact the event will have on the organization. A high risk is an event that has a high probability of occurrence and will impact the business significantly. A low risk is an event that is unlikely to occur and will have little impact if it does. In some cases, depending on the risk’s potential impact, an improbable event can still be considered high risk.
The risk matrix is a visual representation of the risk analysis. It presents the risks as a graph, rating them by category of probability and category of severity. The highest-level risks are at one end, the lowest-level risks at the other, and medium risks in the middle. The risk assessment matrix often color-codes the risk levels, which increases their visibility and eases decision making.