A Risk Matrix Can Save Your Business or Project

Preemptive risk management is a necessary task in any business and on every project. The simplest and most common way to accomplish this is with a risk matrix.

Motion Blog
at Motion
Sep 7, 2023
There are different types of risk around us. One of the biggest risks you face is the loss of an important employee or project team member (for whatever reason).

And the potential impacts of losing your staff could be low, medium, or high. That depends on the resources, what they do, and who’s affected.

Of course, there are many other types of risk to your business or project, some internal to the business (budget cut), some external (natural disaster).

No matter the circumstances, you need to consider what these things would mean for your business or project.

A risk assessment matrix is an easy way to visually plot the risks that may affect your project and determine which represents the most danger to your goals and objectives.

In this article, we’ll dive deeper into risks and the risk matrix, including some examples.

Let’s dive in.

What is a risk?

The risks encountered in a project are usually quite different from those you may confront running a business, but there can be some overlap. Most project managers will expect to run across one or more of these seven risks:

  • Scope creep
  • Poor performance
  • Escalating costs
  • Time pressure
  • Resource constraints
  • Environmental changes
  • Lack of clarity

In business, there are far more risks, and they tend to be far more general. They can fall into one of seven different risk categories:

  • Strategic risks
  • Compliance risks
  • Financial risks
  • Operational risks
  • Reputational risks
  • Global risks
  • Competitive risks

What is a risk matrix?

The risk matrix as we know it today was first described in a 1978 scientific paper published in Long Range Planning, an international journal of strategic management. In short, it described an approach to exploring external factors that could be critical to decision-making.

When it comes to the risk matrix, the terminology and dimensions do vary, but it’s generally a 6x6 square or rectangular box similar to that depicted in the image below. One side represents a ranking of the likelihood of something happening, and the other will rate the consequences of that thing if it were to happen.

The goal is to help you identify the potential risks affecting your business or project. That allows you to rate the risk likelihood and determine what it could mean for your business if it did happen. And if you keep the risk assessment matrix updated (as old risks expire, and new ones pop up) you can maintain a real-time view of your evolving risk environment.

[Image: A person conducts a risk assessment to determine the chances that potential risks could cause]

The key components of a risk matrix

Creating a risk matrix template is quite simple. Your first component is your list of risks; these are the things that, if they do happen, could have an impact on your business or project.

The second thing you need is a table. You can do it on a whiteboard, but it’s probably best to keep an electronic version. Most people will create a blank table in their favorite word processor or spreadsheet program.

On one axis, you'll have five ratings from low to high for the likelihood of something happening. On the other axis, you'll have similar ratings for the consequences of that happening — a bit like the image above.

Now work down the list of risks and figure out how likely each is to happen. When you've determined the likelihood, you then need to rate how severe the consequences would be for your business or project if they did happen.

To rank each risk, let's take a look at the levels of risk.

The levels of risk

The level of risk to your business or project is generally determined by assessing, against your matrix, the chances of something happening (risk probability) and the consequences if it does happen (impact of risks).

A low level of risk is usually when something's quite unlikely to happen, and even if it does, the consequences of it happening aren't going to be too severe.

Let’s go back to the example of losing a key team member. If that person performs a critical role in the business or project, that’d make the consequences more severe. As a result, you may consider this to be a moderate or medium risk, or even a high risk (depending on how difficult that person would be to replace).

[Image: A scale from very low to very high and an arrow labeled risk]

Benefits of risk matrices

There are three key benefits of using a risk matrix template when planning or running a project or business. These are:

  • The exercise makes you think about and rate the things that could be a problem for your project or business.
  • Creating a risk matrix encourages you to prepare for and develop a risk response plan in case one or more of the likely risks were to happen.
  • Understanding your venture’s risks often presents opportunities you may not have appreciated before.

The risk matrix process in 4 steps

Identifying risks

When planning a new project or business, an important part of that process is to assess the risks that may derail or inhibit it. And that's the logic behind organizations using a risk control matrix: to do a risk analysis and to put contingency plans in place where they might be needed.

The first thing to know about risk identification is that it's an ongoing process. There are always new risks to consider, evaluate, and track. This will continue until the risks expire or the project is over.

There are several ways to identify risks:

  • A SWOT analysis looks at strengths, weaknesses, opportunities, and threats associated with a project or business. In this process, you'll inevitably identify new risks as well.
  • Brainstorming, as the name suggests, involves getting stakeholders and team members together to throw around ideas about risks and how they may affect the project or business.
  • A more in-depth variation of brainstorming is the nominal group technique. Here, participants individually note what they perceive as risks. You then collate all the ideas to remove duplication.
  • Stakeholder interviews are useful when you want a perspective from people who aren't intimately involved with the day-to-day of a business or project.
  • The first step of any project is usually a meeting to outline and discuss its objectives and needs. It's also a great time for you to ask about possible risks.
  • Requirements reviews are where you analyze the specific objectives and requirements of the project. These help to identify immediate risks that may delay or even derail it.

[Image: A risk matrix connected to a business project via contingency plans]

Assessing risks

Once you’ve identified the risks, you need to start the risk assessment process. And as suggested earlier, context is everything. Something could happen, but who it happens to and how badly could determine the severity of the consequences for the business or project.

This isn’t to say that some people are more important than others, but contextually, the effect on a business or project is different depending on the role of the person.

This is why you need a way to measure risks in terms of their likelihood and severity. This is the risk impact (and why we score them).

Scoring risks

This is where it can be a bit tricky if you've assigned risk levels such as very low, low, moderate, high, and very high. To get a more quantifiable measure, it's preferable to assign numeric values (for example, 1-5).

You can then multiply the risk score for the likelihood by the one for the consequences should that risk materialize. Extending our example in this way, the lowest calculated risk level would be 1, the highest would be 25, and moderate risks would be in the middle. Doing this will allow you to quickly and confidently make informed decisions regarding risks because you'll have a clear idea of the possible impact.

Risk mitigation and contingency planning

The scoring process also gives you a way of differentiating the depth of the risk response plan needed for each risk. If the risk level is very high (25), you'd have to do some contingency planning.

On the other hand, something rated as very low risk (1) would probably not require mitigation. Everything in between will be a judgment decision.

Where the rubber hits the road…some examples

In a business

If you think about your business and the seven categories of risk listed above, the easiest ones to wrap your arms around are operational.

As an example, look at each member of your team. What would you do if they were suddenly no longer available?

The same goes for machinery and equipment. If your business is manufacturing, you'll have machinery that's critical to your operation. What would you do if that failed catastrophically?

Alternatively, and from a strategic point of view, you may be looking at your customer book. If you have one big customer who accounts for 30% of your revenue, that'd be a strategic risk. What if your biggest competitor targeted that customer? What would your business look like then?

You'd need to have a risk response plan. That could be to do everything you can to keep the customer. Or it could be to grow other (smaller) customers to a similar size. Or both.

[Image: An example risk matrix]

On a project

The most common project risk is scope creep, which is what happens when tasks that hadn't been part of the original plan are added mid-flight. These are known in the project management trade as the "can't you just" additions.

It's a frequent occurrence when implementing complex software. Project team members might be aware of what the software can do, but don't necessarily understand all the interdependencies. This often leads to the question: "Can't you just…?" Saying yes too much then leads to scope creep.

Different options should be explored up front, during discovery, to make smart, timely decisions (which often include trade-offs).

My risk matrix is done. Now what?

Well done. You’ve completed your first risk matrix template.

But don’t file it away. As the adage by Tim Lister and Tom DeMarco goes, “Risk management is how adults manage projects”.

You’ll encounter new risks as you go, while others will expire.

The point is that risk management is an ongoing activity, and the risk matrix is a living document that helps you manage the process.

Risk matrix as a management tool

A risk matrix isn't just another tool in your arsenal to help you manage your business or project. The real pay-off is that it enables you to stay out in front of most of the problems you're likely to encounter.

It'll also show your external stakeholders and team members that you're on top of things (and thinking two steps ahead).

Even better if you involve your team. Make sure that they:

  • Are aware of the risks you're facing as a team.
  • Can contribute to your risk management efforts.
  • Are encouraged to take ownership where they can.

Risk matrices help you deal with the unexpected

To effectively manage a business or project, you need to be able to anticipate problems that could derail it. A risk matrix is a useful tool to help you constantly evaluate the current state and try to anticipate potential pitfalls.

One way you can use it to your advantage is by loading your risk matrix into Motion’s AI-powered calendar app and letting your team members comment on it (in-app). You could also use the app to schedule periodic meetings to review the risk matrix.

Alternatively, you might want to go the whole hog. You can learn about 2023’s top six risk management software options and how apps like Motion can help your business or project.

Or cut to the chase and access a free trial today.
