The Risk Matrix
Every risk assessment needs a risk matrix. If I get a risk assessment that I need to evaluate, then I need to know what the author of the risk assessment has based his or her risk levels on. Their level 3 may be defined differently than my level 3, so I need to know
The risk matrix gives us a way to know how the risk levels are defined and when risk is at an acceptable level. There is no definitive risk matrix format. Worldwide we sort of agree on levels between 1 and 5 for probability and severity. Sometimes you’ll find risk matrixes that go from 1 to 3. In my opinion, that’s not enough detail. Then you’ll have ones that go from 1 to 10. That’s overcomplicating things.
Whenever you need to evaluate a risk assessment, remember you always need to see the risk matrix it’s based on.
If you missed the first 2 parts of this series, they’re here: