Using a “Risk Matrix” to Risk-Proof Your Business

“Don’t be fearful of risks. Understand them, and manage and minimize them to an acceptable level.” (Naved Abdali, Financial journalist and author)

Managing risk in your business is absolutely critical for developing it to success. Knowing exactly which threats are really relevant and which will help any leader to develop strategy and prepare for the worst eventualities. One of the simplest and most useful ways of determining the greatest risks to a business is through developing a “risk matrix”, otherwise known as a “risk assessment matrix”. Risk matrices give leaders a visual way of understanding the risks in their business by plotting these risks on a grid.

An example to illustrate…

Let’s illustrate the concept with the help of an example. A catering company has identified three risks to its business and has plotted them on a typical matrix which looks like this –

Source: Adapted from a template available for free download from

As you can see –

  1. The caterer has decided that a food poisoning event is deemed to be unlikely but with severe consequences. This puts it in the orange “High” category.
  1. Staff not arriving for shift is deemed likely with major consequences. This puts it in the red “Very High” category.
  1. Catering customer paying a month late is deemed possible with insignificant consequences. This puts it in the green “Low” category.

This allows the caterer to visually compare the identified risks with one another at a glance, and to prioritise addressing them.

Create your risk matrix in the context of your own business

Any risk that is high on the likelihood scale and high on the consequence scale needs to be paid attention to immediately, while conversely those that are low on both axes can be attended to last.

Leaders would determine where each individual risk falls on the matrix dependent on the context for their own business. For example, while a food poisoning risk may be a very low risk and unlikely event at a mining company, it is more likely for, and could mean bankruptcy for, a catering company.

This simple outline may differ depending on the organisation or leader using it. Often, they appear colour coded with severe risks marked in red and less severe ones in blue or green. The effect of the matrix, however, remains the same, so choose whichever format works for you.

How to build your risk matrix

There are essentially four steps to creating a risk matrix, each of which will be influenced by your knowledge of your business and its particular details.

1. Identify risks

The first step is to identify all the likely risks to your business. You cannot plan for things that you don’t know about and haven’t imagined. At this stage every avenue should be covered, and each eventuality considered. The catering company cannot prepare for a mass food poisoning if they have never even considered it enough to put it on their risk matrix. Risks are not just direct dire threats, however, and include anything that could prevent your company achieving its goals or bring harm to its staff or customers or investors.

2.  Evaluate them

This is the critical stage that makes the risk matrix work. Looking at the list of risks, you must determine which of those could cause a critical failure to your business and which are merely small annoyances. You should also determine which of these risks are likely to happen and which are more fanciful and unlikely. This is a subjective decision you will make dependent on the unique circumstances of your own company.

In the catering company example above, we have mentioned how a client paying late may be of insignificant consequence. Perhaps this is an established company, with good cash reserves? A newer company, that is not in as strong a position may deem the risk level of a late payment to be closer to severe making it a “Very High” threat to the existence of the business.

3. Enter them into the matrix and prioritise them

Now that the threat levels have been determined, these values can be entered into the matrix and the danger of the various threats can be measured against one another.

Low risks, or those that would fall within a green area, can generally simply be accepted and no risk-mitigation actions need to be taken.

Moderate risks, or those that would fall within the yellow area, will likely need risk-mitigation strategies to reduce their likelihood or improve circumstances should they occur.

High risks, or those that fall within the red area, need to be urgently attended to. Processes need to be put in place to eliminate these risks or greatly reduce their likelihood of occurrence. This may involve staff training, or changes to entire systems of logistics and ordering.

Continued analysis

Risk management is not something that is set in stone. Risks may move within the matrix over time dependent on internal and external factors. Increasing interest rates, for instance, may move cash flow problems higher up on the matrix, while the discovery of new mineral deposits may make the threat of raw material shortages lower. Leaders should be prepared to update their matrices in-line with these new events.


While risk matrices are extremely useful in decision making, problem solving and communication of challenges, they are not without their weaknesses. Good leaders should be cognisant that due to the matrix’s reliance on context and the leader’s own subjectivity, errors can creep in due to over- and under-estimation of threats. A risk matrix is therefore something that should be shared with the team, and other interested parties such as investors, and partners, and feedback should be sought to lower the risk of this happening.

The bottom line

In the end, risk matrices are a powerful tool to help you manage your company’s risk. In the hands of knowledgeable and experienced leadership they have helped numerous companies to thrive or to avoid harm when the risks eventually become realities.

Ask your accountant to help you identify and address those risks that are particularly relevant to your business!

Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.

© CA(SA)DotNews