What is a risk assessment matrix?

· 12 minute read



Risk is a fact of life for any organization, whether it operates in the private sector or the public one. For organizations, risks aren’t necessarily bad. They can provide opportunities for new growth and increased profitability. Still, there are signs that risks are becoming more unpredictable, more numerous, and potentially more dangerous. Economic uncertainties, unprecedented climate events, the increasing reliance on digital platforms, new and evolving technologies, and political polarization both in the U.S. and abroad are providing plenty of opportunities for the best-laid plans to go awry.

The magnitude and complexity of risks for both enterprises and government agencies are growing and appear likely to keep doing so. That is why the development and use of a risk assessment matrix is more crucial than ever.


What is a risk assessment matrix?

A risk assessment matrix, also sometimes referred to as a probability and severity matrix or a likelihood and impact matrix, is a visual tool for evaluating and prioritizing the potential risks that can hurt an organization. A typical risk matrix is laid out on two axes, with the likelihood of a risk event plotted on one axis and the severity of the risk impact on the other. Each cell in the matrix represents a specific risk scenario and is assigned a corresponding risk level based on the intersection of the likelihood and severity values. By categorizing different levels of risk (high risks and low risks), a risk assessment matrix can help organizations with decision-making and create action plans that more effectively position them to manage risk in this current climate of uncertainty.

A risk assessment matrix enables an organization to identify, evaluate, and manage risks in a systematic and structured manner. By undertaking the risk analysis process and identifying both high risks and low risks along with various risk scenarios, organizations can make informed decisions about risk impact. As a result, they can establish robust actions to protect their assets, reputation, and operations from catastrophic risk events. If such controls are already in place, a risk matrix can help an organization evaluate if they are sufficient to handle the risk.

A risk matrix can play a crucial part in the risk assessment approach, which is the process of identifying, analyzing, and evaluating risks associated with a particular activity or project. By identifying potential risks, a risk matrix intersects with project management, since the ongoing viability of initiatives such as product development, new service introductions, and other essential operating tasks can be derailed by certain risk events.

For example, a project involving construction can be slowed because of supply chain issues. This became an all-too-common problem for many enterprises during the pandemic period, when items including lumber, structural steel, and semiconductors became increasingly difficult to obtain. Though companies can plan projects around such shortages, many components can also jump in price—so much so that the costs can make a project unaffordable. There are also situations where supply chain risks intersect with external forces. This year’s unprecedented Panama Canal drought could wreak new havoc on the availability of imported goods and components. A risk assessment matrix should help bring these kinds of risks into the spotlight.

Why is a risk matrix important?

In developing a risk matrix, the areas of risk that are the most widely applicable—that is, applicable to most organizations, regardless of mission—include climate change, vendors and other third-party relationships, supply chains, cybersecurity, talent acquisition and retention, and disruptive new technologies. One of the emerging technologies that currently has the most disruptive potential is generative AI (GenAI), which could upend numerous business models (as well as generate new opportunities for innovation and growth).

Another key source of risk is economic uncertainties such as inflation, interest rates, and consumer spending levels, which can affect not only the companies themselves but also the various other businesses (such as distributors, professional service providers, and financial services firms) that cater to them.

Some of the risks that organizations face can be obvious. Most, for instance, have been having to deal with shortages in talent—skilled and even not-so-skilled employees are often difficult to find. Others are more unpredictable. The pandemic is clearly an example of an unforeseen risk, one that cost nearly every organization. Both private and public entities now need to assess what impacts the new COVID variant might have.

Financial institutions have long been vigilant against risk. Some of these risks are well known, such as rising interest rates, which have hurt smaller regional banks in particular. Others are more shadowy, and their potential hazards are more unpredictable. Recently, as interest rates continue to climb, more and more banks have been taking on what are called “brokered CDs.” Banks sell these higher-yield certificates of deposit through brokerage firms. They can attract a lot of new customers—but those customers could disappear if they can find better rates elsewhere.

For government agencies, risks are rarely opportunities for improvement. Currently, one of the bigger risks that the public sector is having to handle is benefits fraud. The ending of the continuous Medicaid enrollment program in the spring of 2023 means that millions of people will be seeking to re-enroll—and fraudsters will be looking to illicitly cash in. And of course, the law enforcement function has always been fraught with risks. New regulations and a shortage of qualified personnel are making things even more unpredictable.

Whether the organization is a business or a government agency, prioritizing risks is essential. Levels of risk do vary and so do types of risks. Some risks could result in catastrophic impacts; others are much less likely to do so. An organization’s resources should be allocated accordingly. A risk matrix can enable targeted strategizing for risk management. By creating a risk matrix, organizations can identify the most pressing threats, develop action plans, and take appropriate risk mitigation measures. By assigning risk levels to different scenarios, organizations can focus their attention and allocate resources to the risks that pose the greatest threats. This ensures that limited resources are used efficiently and effectively while minimizing potential risk impacts. In sum, a risk matrix helps organizations cultivate a deeper understanding of their risk environment.

A risk matrix can also help any type of organization keep track of risks as they emerge and evolve, since a risk’s potential harm might not yet be readily apparent. What’s more, some threats may reappear the following year or a later year. In an ever-changing risk environment, a risk matrix can help stakeholders within the organization develop action plans and maintain operational continuity.

There’s another benefit to developing a risk assessment matrix: It can demonstrate to stakeholders, both internal and external, that organization leadership is conducting risk management with utmost seriousness.



How to create a risk assessment matrix

In developing a risk matrix—and this is true of all elements of risk management—an organization needs to clearly identify each risk and be specific about how each risk should be handled. It should also conduct and maintain risk assessments for each project as a part of the project management process. By doing so, organizations can see patterns if any specific project risk overlaps with another project.

To be sure, this design will vary depending on the type of organization and its activities. But in general, the process of creating a risk assessment matrix should follow these steps:

Identifying the risks

In this step, organizations need to identify all potential risks that could impact their operations, objectives, or function. This involves conducting a thorough analysis of the internal and external factors that may pose a threat. For businesses, these threats most likely will include operational, financial, and enterprise risks.

Defining the risks

Once the risks have been identified, they need to be defined and described in detail. This includes assessing the likelihood of the risk occurring and the potential impact of the consequences. By understanding these factors, organizations can prioritize their efforts in managing and mitigating the risks.

Assessing the risks

The next step is to assess the severity of the identified risks and categorize them into different risk levels. This can be done by evaluating or calculating the likelihood and impact of each risk. Typically, evaluations can be classified into a risk rating of high risk, medium risk, or low risk based on their potential to cause harm or disruption.

Prioritizing the risks

Once the risks have been assessed and categorized, it is important to prioritize them based on their potential impact. By identifying the risks that are the most likely to occur—and the most hazardous—organizations can more effectively allocate resources and develop strategies to manage and mitigate them.

A risk assessment matrix is typically categorized as quantitative, qualitative, or a combination of the two. Quantitative matrices, as the term suggests, rely heavily on numerical data to determine how likely a risk is and what level of impact it might have. For less complex risk situations, a qualitative matrix might be preferable since it is relatively easy to develop. It evaluates risks based primarily on subjective judgments and observations.


What are the next steps?

Once a risk matrix is developed, the organization needs to develop action plans for risk management. Whenever possible, the objective of any risk management plan will be to prevent a risk from causing operational disruption. That’s especially true of a potentially catastrophic risk event where identifying and putting into place every possible strategy for avoiding a risk impact is the only real option. In some cases, however, an organization may decide that the costs of prevention would be higher than the losses due to a risk impact. The best strategy in those situations might be a mitigation plan for reducing any harm a risk event might cause.

Develop a procedure

Based on the risk matrix and other risk assessment tools, an organization will likely wish to develop internal controls to detect, prevent, or mitigate risk events. The policies and procedures may include more robust regulatory compliance, anti-fraud protocols, and consistent financial reporting.

Monitor and track efficiency

Once the organization has created the risk matrix and implemented risk prevention and mitigation strategies, it should monitor and track their effectiveness, making adjustments as needed. A general rule of thumb is that a review of the matrix and the overall risk management strategy should be conducted at least once a year. Few risks are static. They can go up or down in their impact or likelihood scoring. What’s more, past mitigation strategies may become out of date or ineffective. And of course, new potential risks are likely to arise and will need to be identified.

For instance, an organization should update its risk assessment and risk management action plans whenever it introduces new steps, equipment, technologies, processes, or other changes to its workflow, or whenever hazard identification uncovers new potential risks. Updating should also incorporate regulatory, economic, and geopolitical changes, as well as potential disruptions that could be caused by medical and climatological risk events (pandemics, droughts, flooding, etc.).

Establish communication protocols

An organization also needs to establish risk communication protocols. It is essential to communicate the findings of a risk assessment to relevant stakeholders and assure them that the identified risks are effectively managed and controlled. Depending on the organization and its work, these protocols should include a response plan that covers all stakeholders likely to be affected by a risk event. These stakeholders may include board members, project managers, internal and external communications, crisis management, and PR leaders and consultants. Customers and vendors might also need to be made aware of any risk event—particularly a catastrophic one—that might impact production or payments. The goal is to allow all stakeholders to make informed decisions regarding how they might need to manage a risk-induced crisis.

A risk assessment matrix, while a highly useful tool, is not a once-and-done panacea for risk management. An organization still needs to ascertain that the data it uses to determine the likelihood and danger of the risks is reliable and current. A matrix also may cause an organization to overlook or minimize risks that it has yet to encounter. In other words, a risk matrix is just one part—though a major part—of an overall risk assessment approach, risk analysis process, and risk management framework. And like risk analysis strategies in general, a risk matrix needs to be regularly updated. The biggest risks an organization faces are often those that are the most “unpredictable.”
