Operational risk management

Easily identify, measure, control and monitor the operational risks of your organization→


security risks

Ensures the confidentiality, integrity and availability of your information assets →



Keep track of all regulations and regulations that your organization must comply with →


Anti-Money Laundering

Easily identify, establish controls, and monitor AML risks→



Improve your internal audit processes, support regulatory compliance, and generate value for your organization through continuous improvement →

What will you learn? Learn with our experts about critical topics on Risk Management that will be useful in your daily work.

Piraní Academy

Prioritize risk with a control matrix

written by Juan Pablo Calle, On July 29, 2022


A management process is effective only if each risk identified is prioritized and properly classified. Here are the steps to take so.

Recognize the risks:

Before prioritizing risks, they have to be identified. Typically, risk managers create a list of threats based on past events and what they have learned from previous projects.

In this process, creating a risk management checklist is very useful, in which the main sources and risk factors are investigated.

The list of lessons learned is made up of threats that had not been considered during planning previous projects and somehow affected the expected results.  

Considering the impact these problems had on previous projects and preparing for similar results will prevent you from repeating the same mistakes over and over again.

This is important because, despite having the best risk management plan in place, unforeseen events, design errors or omissions may occur.

Although some risks are unpredictable and unlikely, these must be included in a risk and control matrix. That way, people in charge are assigned before the risk occurs. This risk matrix needs to be updated and revised frequently.

After the risks have been identified, the impact and likelihood of their occurrence should be measured and ranked from most critical to least critical, i.e. prioritized.

How to prioritize risk with a control matrix

The priority of risks may vary depending on the type of company or project.

There are multiple quantitative and qualitative techniques to prioritize risks. The former include cardinal risk, probability, and time frame assessments, sensitivity, expected monetary value, modeling, and simulation analyses.

Qualitative techniques for prioritizing risk include probability and impact analysis. A risk matrix is often used to categorize risks according to frequency and urgency. This is a risk management method that helps to systematize the process. Here's how to do it.

1) Identify the risks

Similar to recognizing risk, all potential risks to the project must be listed before conducting the assessments. Very unlikely events should be considered.

2) Measure the probability

Each risk identified should be classified based on the likelihood of occurring. The scale for this ranking depends on the criteria established for each company or project. A scale of 1-5 could be used as values, with 1 being unlikely and 5 being likely, or simply by measuring them with a percentage.

3) Assess the impact

The impact of different risks should be classified based on the established guidelines for measuring probability. Of course, the impact can also change over the project's timeline.

For example, an unforeseen condition may not have an impact at the beginning, so it would be classified as 1. As the project progresses, when it is close to completion, that condition may cause schedule interruptions or budgetary issues, changing its priority from 1 to 4.

4) Calculate the total risk

The overall risk associated with a given event can be calculated depending on the scale used to measure probability and impact. On this basis, risks can be weighed according to their probability as low, medium or high. This way, the team will know which risks are most urgent.

After calculating the overall risk for each event, stakeholders should consider the urgency of each type of risk. If all or most of the risks are shown as high, they should be reviewed and reclassified.

Remember that the objective of the risk matrix in Excel is to show what risks to focus on. Therefore, it makes no sense to label all or most of the risks as priorities, as the team would not know which one to focus on first.

5) Update the matrix with the team

Many projects begin following an organized procedure with a solid risk matrix file, but the team forgets that this document exists as the project progresses.

Since priorities and impacts change, failing to update the risk matrix is the main reason some risks emerge out of nowhere at the last minute. To have a successful risk management program, all team members must regularly update the control matrix. If this is done consistently, it will be easier to mitigate the impact of the risks.

Try Pirani for FREE

Start to prioritize the risks now! Click below and download a free control matrix. In the Excel file, all you must include is the probability and impact according to the specified criteria. The risk matrix will calculate the level of risk and assign a score for it. 

Money Laundering and Terrorism Financing Prevention Manual

Try Pirani For FREE NOW
Download a free Excel Risk Matrix Template
Free e-book Prevention & Correction of Human Error For Risk Management

Leave us your comments