In this part I’ll talk about an important piece of information that must always be included in a risk assessment. The risk matrix.
Every risk assessment needs to be based on an agreed upon scale of risk. This is the risk matrix. If I get a risk assessment that I need to evaluate, then I need to know what the author of the risk assessment has based his or her risk levels on. Their 3 may be defined differently than my 3, so I need to know.
The risk matrix gives us a way to know how the risk levels were defined by the person writing the risk assessment and when risk is at an acceptable level. There is no definitive risk matrix format. Worldwide we sort of agree on levels between 1 and 5 for probability and severity. Sometimes you’ll find risk matrixes that go from 1 to 3. In my opinion, that’s not enough detail. Then you’ll have ones that go from 1 to 10. That’s overcomplicating things.
Whenever you need to evaluate a risk assessment, you always need to see the risk matrix it’s based on.