Project risk assessment: an example with a risk matrix template

“Begin with the end in mind” (Stephen Covey) is to say, “Think first what could go wrong.”

A project is a collection of interconnected tasks that are bound to specific timelines, resources, and deliverables. Any task could carry a certain uncertainty (risk) that, if it happens, could affect the project’s success. In this regard, project risk comprises two factors: the probability of happening and the consequences if it does.

While you cannot avoid risks entirely, with the help of risk management methods, such as the project risk assessment matrix, you can evaluate the potential damages caused by those risks. And consequently—increase the likelihood of successful project completion.

Today, you are going to learn about:

• What is a project risk assessment?
• What is a project risk matrix?
• How to create a risk matrix template for your project.
• How to visualize project risks on a risk matrix.
• Types of risks in project management.

What is a project risk assessment?

A project risk assessment is a process that aims to gain a deeper understanding of which project tasks, deliverables, or events could influence its success. Through the assessment process, you identify potential threats to your project and analyze consequences in case they occur.

Risk assessment takes on many forms. It could be a simple matrix or a database using sophisticated algorithms. In this article, we will focus on a risk assessment matrix.

What is a project risk matrix?

A project risk matrix, also known as a Probability and Severity risk matrix, is a graphical risk analysis tool in the form of a table (matrix). It is typically square, but some risk matrices are rectangular or circular. A risk matrix gives you a quick view of project risks and their consequences’ severity (impact). You use it to allocate ratings for each risk based on two intersecting factors:

• The likelihood (or probability) of a risk to occur (x-axis).
• The impact (or severity) if a risk occurs (y-axis).

The higher a risk ranks for these two factors, the bigger threat it poses to your project.

The bottom-left corner of the matrix is where the likelihood and impact of a risk occurring are very low. On the opposite side, in the top-right corner, the likelihood and the impact are the highest. In short, when the likelihood increases, the risk moves to the right; if the impact increases, then the risk moves up.

To denote the threat level, many risk maps feature a red-yellow-green color-coding that indicates whether risks are significant-, moderate- or low-level concerns respectively. (Hence why risk matrices are often called risk heatmaps.) You may also come across risk heatmaps that use different shades of one color instead of red-yellow-green.

Once you assess the likelihood and impact of each risk, you will be able to prioritize and prepare for them accordingly.

Risk matrix template: create a risk matrix for your project 

A risk matrix is a useful tool for project planning that you can create in just a few steps. In this article, we will create a risk assessment form and a respective 5×5 risk matrix template for a construction project.

Step 1. Identify project risks

Start by brainstorming and analyzing potential risks and opportunities related to your project scope. Leave no risk behind. Depending on your organization and project, your list of risks might include several types of risks, such as cost, environmental, and legal risks.

(You will find a comprehensive list of risk types at the end of this article).

Hint: If you are not a huge fan of lists and prefer visual methods, you can follow a work breakdown structure style to identify and categorize your risks. Or, in other words, you could create a sort of “risk breakdown structure” for your project. Take a look at the example below.

Step 2: Determine the risk likelihood

In this step, you need to identify the likelihood of a given risk happening. ​​On a 5×5 matrix, you express the likelihood scale on 5 levels:

• 1 – (Very unlikely): A very slim chance for this risk to occur.
• 2 –  (Not likely): Low chances for this risk to occur.
• 3 – (Possible): Fifty-fifty chances for this risk to occur.
• 4 – (Probable): Good chances for this risk to occur.
• 5 – (Very likely): You can bet this risk will occur at some point.

Step 3. Define the impact scale

Next, you rank your risks based on the impact they would cause on your project if they occur. The impact scale also has 5 levels:

• 1 – (Negligible): This risk will hardly impact your project.
• 2 –  (Low): You can easily handle the consequences of this risk.
• 3 – (Moderate): It will take some time and effort to mitigate the consequences of this risk.
• 4 – (Significant): This risk could cause long-term consequences that will be hard to recover from.
• 5 – (Catastrophic): The impact of this risk might wreck your project.

Step 4. Calculate the risk rating

Assign each risk a corresponding risk rating based on the likelihood and impact you have already identified. For example, a project risk that is very likely to happen and will cause major safety hazards will receive a higher risk rating than a risk that is unlikely to occur and will cause very minor harm.

The formula for the risk rating is as follows:

Likelihood x impact = Risk rating

e.g., Likelihood (4) x Impact (5) = Risk rating (20)

(A risk with such a high rating could threaten your project, therefore you should monitor it closely.)

Since we work on a 5×5 matrix, the risk rating values will range from 1 to 25.

• 1 – 6 (Low): Low-rating risks most likely will not happen. If they do, they will not be a threat to your project.
• 7 – 12 (Medium): Some medium-rating risks might happen at some point. You do not need to prioritize them but you should not ignore them either.
• 13 – 25 (High): High-rating risks are serious and very likely to happen threats. They can cause your project to go off the rails, so you should keep them in mind when planning your project.

Step 5. Draw your risk matrix

To draw a risk matrix, extract the data from the risk assessment form and plug it into the matrix accordingly. In our example, we identified risks for which 5 levels of likelihood and 5 levels of impact were sufficient. Therefore, we get the 5×5 matrix that looks like this:

The risk ratings in the lower-left quadrants are the lowest, therefore they have a green color; the ratings in the upper-right quadrants are the highest—hence the red color.

Important notes on creating a risk matrix template

The 5×5 template we have created in the previous steps is only an example of how you approach creating your matrices. You can create a separate matrix for an entire organization, a specific program, or a project. In each case, it could be different. Therefore, there are a few important things about risk assessment matrices to note:

1. When defining your matrix, think about the number of intervals for the likelihood and impact. How many rows and columns will it have? For example, a 3×3 or 3×4 matrix could suit your project better. When you decide on your matrix size, place labels and values on its scales accordingly.

2. Likelihood and Impact scale intervals are numerical values (e.g., 1 – 5 or 0% – 100%). You place those values on your matrix but you can also use them to describe the likelihood and impact of certain risks. Depending on your project, it could be, e.g., safety, quality, cost, schedule risks, etc. (You will find several risk types at the end of this article.)

Let’s take a look at some examples.

As you can see from the above, the numerical value for the impact is the same. However, the description for each risk type is different. Therefore, you may need to define interval names for individual objectives and their respective impacts and probabilities.

3. Your scale will not always be linear. You may observe it with risks that carry high impact—those will often have larger intervals than low-impact risks. Take a look at the table above, and compare the interval for the “Low” impact (0-3%) and the “Catastrophic” impact (50-100%). The discrepancy is quite significant—the impact of a fatal injury will be much greater than that of a scratched finger.

4. Instead of risk rating values in your matrix, you can plug in the number of risks you identified in your project for each quadrant. For example:

(In fact, that is pretty much how the BigPicture Risk matrix report looks like. Read on to learn more about visualizing risks in the BigPicture app).

5. The labels in brackets on matrix scales are arbitrary. You can name your values however you want. For example, Impact (1) could have a label: “Insignificant.”

6. Your risk form and matrix are not the type of task that you complete and forget. You should manage your risks throughout the life of your project. A common mistake in project management is creating a fairly standard risk register during the project planning and not returning to it until something happens. Project managers should carry out regular risk assessments to be able to react to changes in the project environment on an ongoing basis.

Visualize project risks on a risk matrix

What might have struck you is that the matrix does not offer much room for putting risks directly on it. It could work for a few, but if you have dozens of them, it will become cluttered and a pain to use. Not to mention that over the course of your project, you might need to identify new risks and revise the existing ones for their likelihood and impact. This means you will need reliable software to visualize and work with project risks efficiently.

The risk software we would like to introduce is BigPicture which seamlessly integrates with Jira. It has several key features that will help you assess and monitor your project risks.(If you are not ready to start the 30-day trial yet, we encourage you to visit the demo page, where you can try all the BigPicture features. The demo app runs inside the browser, so you do not need to install anything or create an account).

View your risks on the risk matrix

The BigPicture Risk module enables you to generate a risk assessment matrix with a default size of 5×5. The matrix features two scales: the risk consequence and risk probability.

The risk consequence scale has the following values: Trivial, Low, Medium, High, and Severe. Whereas with the risk probability scale, you can assign the following values to a risk: Almost none, Low, Medium, High, and Very high. If you enable the heatmap mode, the app will color the risk cards based on their risk rate with four default colors: green, yellow, orange, and red.

Visualizing risks from the risk assessment example

Let’s return to our construction risk assessment form and see what the risks will look like on the BigPicture risk heatmap.

The electrical leakage has the highest probability (likelihood) and consequence (impact). That is why you will find it in the top right corner (the app colored a risk card of such a high-priority risk with red color). The app automatically calculates the risk rating, so you do not have to worry about manually updating the heat map.

If you want to move any risk to a different quadrant (because its impact or likelihood has changed) you can edit the risk or use a drag-and-drop feature. Of course, you can place several risk cards in a given quadrant. Our simple project has only 5 risks but yours might carry many more and BigPicture will visualize all of them for you. If you notice your risk map getting really busy, you can display risks in a compact mode.

Populate your risk matrix with risks and issues

You can add any issue type to the risk heat map as long as you select the Consequence and Probability fields and assign them respective values. (You will need your Jira admin to preconfigure the fields you will be able to add to your tasks.)

So when you create a new task or edit the existing one, just add those two fields to make it pop up on your risk matrix.

In our risk assessment form, we did not add any issues, epics, or milestones—only risks. So how come those risks are on the heatmap? By clicking on any quadrant, you can add new and existing tasks and tasks as risks directly on the risk matrix.

Click “Create new Jira issue” and provide details for your risk (remember about the Probability and Consequence fields).

Since you can add project tasks as risks, and risks directly to the matrix, you can use the BigPicture’s Risk board in two ways.

Risks as tasks approach

The first approach is about directly adding the tasks as risks to the risk matrix. Those tasks will not result from the project plan (unlike typical project tasks that must be completed) and will serve as risks alone.

Let’s come back to the “Water leakage” risk as an example. Previously, we added it directly to the matrix as a typical risk that carries some probability and impact. Such a model will not readily show you which task(s) a given risk relates to. However, you could connect this risk to the actual tasks it has an impact on using Jira Issue Links. Also, by adding a task as a risk to the matrix, you can immediately read what this risk is about (e.g., the risk of “Water leakage”).

Project tasks at risk approach

(This approach is more popular among BigPicture users.) You can also add individual project tasks to the risk matrix. Unlike in the previous model, you will not see details about the risk just by looking at the matrix. Because, in fact, you would be looking at the task, not a risk as such. But you will know the probability and the impact of the risk that this task is related to.

For example, let’s say you want to add a “Road building task” to the risk matrix. You situate this task on the matrix according to the risk’s probability and impact. You do not know that this task is at risk due to the potential “Water leakage” but you know the likelihood and impact of it. If you want to have a more detailed overview of a given task at risk, you can add the info about the risk to the issue (e.g., as a comment or a relevant attachment).

Customize your risk matrix

If the default look of the BigPicture risk matrix is not optimal for your project, you can customize it.

• Transpose the whole matrix and/or invert individual scales (one or both simultaneously).
• Change the scale names (e.g., from “Consequence” to “Impact”).
• Add and delete Probability and Consequence individual values. For example, let’s say you want to see only the risks with the highest ratings on your map. In such a case, you delete low and medium values.

• Configure the risk matrix to have SAFe® ROAM-based quadrants.
• Use the card view creator to see more details on your risk cards.

Risk matrix report

The Risk matrix report gives you a quick overview of your existing risks in each matrix quadrant. You can use this report for risks present in your program, project, or iterations on a lower hierarchy level (on the ART level, the report will also display risks from the PI iterations and the PI sprints).

When you hover over a given quadrant, you will see a list of risks with their corresponding statuses.

You can rename the report, invert the risk scales, or transpose the whole risk report matrix.

9 Types of risks in project management

Arguably, the biggest indicator of the risk likely occurring is whenever your project has something “new” in it. For example, a “new supplier” for safety goggles; “new processes” according to which employees will carry out their work; “new technologies” that the higher-ups want to introduce; a “new software developer” the company wants to hire for the current project.

Of course, there are many types of risks to consider when assessing your project. These could be:

1. Cost risks
2. Schedule risks
3. Performance risks
4. Operational risks
5. Market risks
6. Governance risks
7. Strategic risks
8. Legal risks
9. Environmental risks

Cost risks

They indicate there is a possibility that the project’s cost will exceed the budget. Cost risk might occur due to poor budget planning, inaccurate cost estimating, and scope creep. This type of project risk can cause other risks to emerge, such as schedule risk and performance risk.

Example: “The cost of steel might increase over the next quarter.”

Schedule risks

This risk occurs when activities take longer than expected, typically due to poor planning. Schedule risk can impact cost risk because any delay in a schedule could increase the costs of a project.

Example: “Hiring a new foreman might take longer than anticipated.”

Performance risks

Performance risk is the risk of a project failing to produce the expected results. It is a complex risk that can result from the activities of several parties, so it can be hard to pinpoint the exact reason behind it.

Example: “The level of noise might increase after the office redesign.”

Operational risks

This type of risk results from poor implementation and process problems such as distribution, procurement, and production. And since any of these could cause the project to produce results differing from project specifications, operational risk is a type of performance risk.

Example: “Insufficient funds to pay for the next batch of goods.”y

Market risks

Market risk could be, among others, competition, commodity markets, and foreign exchange. Because these types of risks are highly unpredictable, planning for them is difficult without sound expertise.

Example: “Foreign exchange fluctuations due to…”

Governance risks

This risk concerns the company’s top management and other important stakeholders with regard to their ethics and company reputation. This risk can be fairly easy to mitigate because it largely depends on the stakeholder’s behavior.

Strategic risks

Those risks are another type of performance risk. Strategic risks stem from erroneous strategic decisions concerning the selection of people for the job, the tools, as well as the technology that does not help with the work as expected.

Example: “The application might not be compatible with systems already in use.”

Legal risks

Legal risk is the consequence of legal obligations, such as law of the land, local laws, and statutory requirements. This type of project risk is also about the contractual obligations, as well as avoiding and handling any lawsuits against the company.

Example: “Export license might not be granted.”

Environmental risks

Those risks pertain to external hazards that one cannot fully avoid or even foresee. For example, storms, floods, earthquakes, force majeure, pandemics, terrorism, labor strikes, etc.

Example: “Severe weather conditions might delay the maintenance works.”