Operational risk management

Easily identify, measure, control and monitor the operational risks of your organization→


security risks

Ensures the confidentiality, integrity and availability of your information assets →



Keep track of all regulations and regulations that your organization must comply with →


Money laundering risk management

Easily identify, establish controls and monitor AML risks→
Piraní Academy

Prioritize risk with a control matrix

Por Juan Pablo Calle, en July 29, 2020


A management process is effective only if each risk identified is prioritized and properly classified. Here are the steps to do so.

Recognize the risks:

Before prioritizing risks, they have to be identified. Typically, risk managers create a list of threats based on past events and what they have learned from previous projects.

In this process, it is very useful to create a risk management checklist, in which the main sources and risk factors are investigated.

The list of lessons learned is made up of threats that had not been considered during the planning of previous projects and that somehow affected the expected results.  

Considering the impact these problems had on previous projects and preparing for similar results will prevent you from repeating the same mistakes over and over again.

This is important because, despite having the best risk management plan in place, unforeseen events, design errors or omissions may occur.

Although some risks are unpredictable and unlikely, these must be included in a risk and control matrix. That way, people in charge are assigned before the risk occurs. This risk matrix needs to be updated and revised frequently.

After the risks have been identified, the impact and likelihood of their occurrence should be measured and ranked from most critical to least critical, i.e. prioritized.

How to prioritize risk with a control matrix

The priority of risks may vary depending on the type of company or project.

There are multiple quantitative and qualitative techniques to prioritize risks. The former include cardinal risk, probability and time frame assessments, as well as sensitivity, expected monetary value, modeling and simulation analyses.

Qualitative techniques for prioritizing risk include probability and impact analysis. A risk matrix is often used to categorize risks according to frequency and urgency. This is a risk management method that helps to systematize the process. Here's how to do it.

1) Identify the risks

Similar to recognizing risk, all potential risks to the project must be listed before conducting the assessments. Even events that are very unlikely should be considered.

2) Measure the probability

Each risk identified should be classified based on the likelihood that it will occur. The scale for this ranking depends on the criteria established for each company or project. A scale of 1-5 could be used as values, with 1 being unlikely and 5 being likely, or simply by measuring them with a percentage.

3) Assess the impact

The impact of different risks should be classified based on the established guidelines for measuring probability. Of course, the impact can also change over the timeline of the project.

For example, an unforeseen condition may not have an impact at the beginning, so it would be classified as 1. As the project progresses, when it is close to completion, that same condition may cause schedule interruptions or budgetary issues, which would change its priority from 1 to 4.

4) Calculate the total risk

The overall risk associated with a given event can be calculated depending on the scale used to measure probability and impact. On this basis, risks can be weighed according to their probability as low, medium or high. This way, the team will know which risks are most urgent.

After calculating the overall risk for each event, stakeholders should consider the urgency of each type of risk. If all or most of the risks are shown as high, they should be reviewed and reclassified.

Remember that the objective of the risk matrix in Excel is to show what risks to focus on. Therefore, it makes no sense to label all or most of the risks as priorities, as the team would not know which one to focus on first.

5) Update the matrix with the team

Many projects begin following an organized procedure with a solid risk matrix file, but as the project progresses, the team forgets that this document exists.

Since priorities and impacts change, failing to update the risk matrix is the main reason why some risks seem to emerge out of nowhere at the last minute. To have a successful risk management program, the control matrix must be regularly updated by all team members. If this is done consistently, it will be easier to mitigate the impact of the risks.

Start to prioritize the risks now! Click below and download a free control matrix. In the Excel file, all you need to include is the probability and impact according to the specified criteria. The risk matrix will calculate the level of risk and assign a score for it. 

Download a free complete list of indicators and metrics

Nueva llamada a la acción

También te puede interesar

Otros artículos de Operational risk

Escribe tu comentario