Question:

How are Risk Scores calculated and what determines the color of the individual
Contributing Factors and the Overall Risk Score?

Answer:

Risk impact and probability are used to calculate the risk score value (Calculated
risk) for a particular risk. Risk impact and probability are lookup values in the system
that have numeric values (LOOKUP_ENUM) assigned to them. The product of the
impact and probability values give the 'Calculated risk' value for a risk.

The Risk score matrix is used to determine the degree of risk (High, Medium, Low)
based on the impact and probability factors of a risk. This matrix can be defined by
the customer in the Risk Settings page on the admin side.
- Administration, Project Management : Risk Settings

Project Risk Score:

Risk score at the project level is calculated using the building formula based on
certain contributing factors (Category types). Projects that do not require detailed
risks can set these contributing factor attributes on the Project Properties, Risk
Rating page (Risk summary page or Settings page).

Projects that have detailed risks can create risks of particular category
types(contributing factors). The system takes care of moving the average value of all
the risks of a certain category type (contributing factor) to the contributing factor
attribute of the project.

Average Impact:

Project Risk Impact is determined by taking the average of the sum of all the risks
impact value for a category type and then mapped it to the closest higher
lookup_enum value of the impact.

Average Probability:

The same is the case with Project Risk Probability.

Thus impact and probability for a certain category type is used to get the risk score
from the risk score matrix. This value is assigned to the contributing factor attribute
of the project that is one of the factors that drives the formula of the project risk
score.

Note: The 'status' of a detailed Risk is considered in the overall Risk Score Average
Weighted Formula, therefore, the calculation will NOT add in the detailed Risks with
a status of 'Closed' or 'Resolved'.

Example: In the application, the default values for the Risk Settings are as follows:
Risk Impact: Low (1), Medium (2), High (3)
Risk Probability: Low (1), Medium (2), High (3)
Risk Rating: Low (0), Medium (50), High (100)

A project has two risk of 'Funding' category type.

1. Risk 1 with low impact and low probability ( calculated risk=1, risk rating=low)
2. Risk 2 with high impact and medium probability ( calculated risk=6, risk
rating=High)

Contributing Factor Risk Score:

The 'Funding' (category) contributing factor attribute will be determined from the Risk
Score Matrix using the values from the impact and probability.

Average impact = SUM(Risk Impact values) / number of risks in same category

Average impact=(1+3)/2 = 2 ('Medium' Impact Rating)

Risk 1 = low impact (1)
Risk 2 = high impact (3)
There are two risks with the same category type

Average probability = SUM(Risk Probability values) / number of risks in same

category

Average probability=(1+2)/2=1.5 (this is less than 2, so it equates to 'Medium'

Probability Rating)
Risk 1 = low probability (1)
Risk 2 = medium probability (2)
There are two risks with the same category type

WHAT IS A RISK ASSESSMENT MATRIX?

A risk assessment matrix is a chart that plots the severity of an event occurring
on one axis, and the probability of it occurring on the other. You can also format
the matrix as a table, where the risk likelihood and impact are columns, and the
risks are listed in rows. By visualizing existing and potential risks in this way,
you can assess their impact, and also identify which ones are highest-priority.
From there, you can create a plan for responding to the risks that need the
most attention.

A risk matrix chart is a simple snapshot of the information found in risk

assessment forms, and is often part of the risk management process. These
forms are more complex, and involve identifying risks, gathering background
data, calculating their likelihood and severity, and outlining risk prevention and
management strategies.
HOW TO USE A RISK ASSESSMENT MATRIX TEMPLATE

Also known as a “risk management matrix,” “risk rating matrix,” or “risk analysis
matrix,” a risk assessment matrix (by any name) template focuses on two
aspects:

 Severity: The impact of a risk and the negative consequences that would result.
 Likelihood: The probability of the risk occurring.
To place a risk in the risk assessment matrix, assign a rating to its severity and
likelihood. Then plot it in the appropriate position in your chart, or denote the
rating in your table. The typical classifications used are:

Severity:
 Insignificant: Risks that bring no real negative consequences, or pose no
significant threat to the organization or project.
 Minor: Risks that have a small potential for negative consequences, but will not
significantly impact overall success.
 Moderate: Risks that could potentially bring negative consequences, posing a
moderate threat to the project or organization.
 Critical: Risks with substantial negative consequences that will seriously impact
the success of the organization or project.
 Catastrophic: Risks with extreme negative consequences that could cause the
entire project to fail or severely impact daily operations of the organization. These
are the highest-priority risks to address.
Likelihood:
 Unlikely: Extremely rare risks, with almost no probability of occurring.
 Seldom: Risks that are relatively uncommon, but have a small chance of
manifesting.
 Occasional: Risks that are more typical, with about a 50/50 chance of taking
place.
 Likely: Risks that are highly likely to occur.
 Definite: Risks that are almost certain to manifest. Address these risks first.
Classifying and Prioritizing Risk
After you’ve placed each risk in the matrix, you can give it an overall “risk
ranking.” Risks that have severe negative consequences and are highly likely to
occur receive the highest rank; risks with both low impact and low likelihood
receive the lowest rank. Risk rankings combine impact and likelihood ratings to
help you identify which risks pose the greatest overall threats (and therefore are
the top priority to address).
Some organizations use a numeric scale to assign more specific risk rankings.
However, most rankings fall into a few broad categories, which are often color-
coded:

 Low: The consequences of the risk are minor, and it is unlikely to occur. These
types of risks are generally ignored, and often color-coded green.
 Medium: Somewhat likely to occur, these risks come with slightly more serious
consequences. If possible, take steps to prevent medium risks from occurring, but
remember that they are not high-priority and should not significantly affect
organization or project success. These risks are often color-coded yellow.
 High: These are serious risks that both have significant consequences, and are
likely to occur. Prioritize and respond to these risks in the near term. They are often
color-coded orange.
 Extreme: Catastrophic risks that have severe consequences and are highly likely
to occur. Extreme risks are the highest priority. You should respond to them
immediately, as they can threaten the success of the organization or project. They
are often color-coded red.
Once you’ve ranked your risks, you can make a risk response plan to prevent
or address those that are “high” or “extreme.” You may not need to respond to
risks ranked “low” or “medium” before work begins.

Many organizations get an even clearer picture of risk by dividing the matrices
into zones:

 Generally Acceptable (GA): In the area of the chart ranked “low,” risks have
little impact and/or are unlikely to occur. Risks in this region don’t pose an
immediate threat to the project or organization, and some can even be ignored.
 As Low As Reasonably Possible (ALARP): This is a zone of acceptable
risk, encompassing the “low” and “medium” ranking areas. Risks falling within
this region of the matrix are tolerable or not significantly damaging; work can
proceed without addressing these risks being immediately.
 Generally Unacceptable (GU): This is the area of the chart where risk is
“high” or “extreme.” Risks in this region are quite damaging, highly likely to
occur, and would threaten the project or organization. They are highest-priority,
and you must address them immediately.
Validation and Risk Response
To ensure you’ve chosen the right risk matrix chart and completed it correctly,
validate it with a real-world scenario. After selecting your template, fill it in with
examples of risks your organization encounters. After you’ve used the matrix to
quantify the severity and likelihood of risks, it’s up to your team to come up with
a risk response plan for those ranked “GU.”
Depending on your industry or organization size, you may have additional
resources for risk assessment and response. For example, the U.S.
Occupational Safety and Health Administration (OSHA) has specific matrices
workers can use when responding to natural disasters: The Hazard Exposure
and Risk Assessment Matrix helps workers and employers assess risks and
operate more effectively in areas impacted by hurricanes.
Of course, a risk rating matrix is simply a tool to help guide decision-making.
The risk management team should always carefully analyze both the matrices
and the risks themselves before deciding how to prevent, mitigate, or respond
to a current or potential risk. Risk matrices are commonly used in project
management to examine how risks might affect project scope, schedule, and
cost. But they’re also used in industries from construction to IT. Our free risk
assessment matrix examples contain a variety of types for different industries,
so you can find one that best fits your needs.
RISK ASSESSMENT MATRIX TEMPLATE

This all-purpose risk assessment matrix template captures the essential

information your organization needs to gauge risks. It allows you to list each
risk, rate its severity and likelihood, and plot all risks on a chart. You can also
color-code the risks to visualize risk rankings and designate the GA, ALARP,
and GU zones. This gives your organization an at-a-glance view of which risks
to prioritize.