A Risk and Control Assessment Matrix is a simple way to assess risks and define controls to mitigate them. It is a less extensive analysis than, for example, an FMEA, but it is a powerful tool that can be used in a lot of scenarios.
Risk and Control Assessment Matrix Layout
There are different ways to lay out the matrix, each with its own advantages and disadvantages.
One of the simplest ways would be to have a matrix with 2 columns. The first column would include the risks, and the second column the controls against each risk. There are some clear drawbacks to using this matrix though, as it does not give a clear overview if there are a lot of risks and controls.
A second, slightly more detailed option can be seen below. It is a larger risk assessment matrix that gives a better overview of which controls cover each risk. For example, Risk 02 is only covered by Control B, but Risk 03 is covered by Controls A, D and E.
Risk Assessment Matrix
As there are different levels of risk, a risk assessment can be used to assess the risks and prioritize them against each other. The level of risk is determined by using the following factors:
- Severity: How severe the issue is if it happens.
- Likelihood: How likely it is to happen.
- Detection: How likely the issue is to be detected if it happens.
By using a scale of 1-10 or 1-5 for each of the factors in the risk assessment matrix, the level of risk can be calculated. We will look at the calculation a bit later, because the scale needs to be defined first.
As an example, let’s look at the severity rating on a parachute. If we define a scale from 1-10, the risk of it not opening would for sure be 10, whereas a small cosmetic defect could be rated as 1. The same principle would be applied to the likelihood and detection factors.
The overall level of risk is calculated as a Risk Priority Number (RPN) by multiplying the 3 factors with each other, as seen below.
Severity x Likelihood x Detection = RPN
These can then be added to the risk assessment matrix as seen below, and it clearly shows that Risk 02 and Risk 04 are the ones that need attention.
The next step in the process is to look at what controls are in place for the high risks, and to identify further controls that can be implemented to reduce the likelihood and detection ratings.
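The matrix and the RPN calculation described above can be combined in a few lines of code. The following is an added example, not part of the original article: the ratings, the threshold of 100 and the controls for Risk 01 and Risk 04 are constructed, and it assumes 1-10 scales where a higher detection rating means the issue is harder to detect.

```python
# Constructed sample data: the ratings are illustrative, not taken from the page.
# Assumption: 1-10 scales where a higher detection rating means the issue is
# harder to detect, so lowering any factor lowers the RPN.
RISKS = {
    "Risk 01": {"severity": 3, "likelihood": 2, "detection": 2},
    "Risk 02": {"severity": 9, "likelihood": 6, "detection": 7},
    "Risk 03": {"severity": 5, "likelihood": 3, "detection": 2},
    "Risk 04": {"severity": 8, "likelihood": 7, "detection": 5},
}
# Coverage matrix: which controls cover which risk. Risk 02 and Risk 03 follow
# the article's example; the other two rows are constructed.
COVERAGE = {
    "Risk 01": {"Control A", "Control C"},
    "Risk 02": {"Control B"},
    "Risk 03": {"Control A", "Control D", "Control E"},
    "Risk 04": {"Control C", "Control E"},
}
SCALE_MAX = 10
RPN_THRESHOLD = 100  # hypothetical cut-off for "needs attention"


def rpn(rating):
    """Severity x Likelihood x Detection, after validating the scale."""
    for factor in ("severity", "likelihood", "detection"):
        if not 1 <= rating[factor] <= SCALE_MAX:
            raise ValueError(f"{factor}={rating[factor]} is outside 1-{SCALE_MAX}")
    return rating["severity"] * rating["likelihood"] * rating["detection"]


def assess(risks, coverage, threshold=RPN_THRESHOLD):
    """Return one row per risk, highest RPN first, with its covering controls."""
    rows = []
    for name, rating in risks.items():
        score = rpn(rating)
        controls = sorted(coverage.get(name, set()))
        rows.append({"risk": name, "rpn": score, "controls": controls,
                     "needs_attention": score >= threshold})
    return sorted(rows, key=lambda r: r["rpn"], reverse=True)


def print_matrix(rows):
    for r in rows:
        flag = "ATTENTION" if r["needs_attention"] else "ok"
        covered = ", ".join(r["controls"]) or "no controls"
        print(f'{r["risk"]}  RPN={r["rpn"]:>4}  {flag:<9}  {covered}')


if __name__ == "__main__":
    print_matrix(assess(RISKS, COVERAGE))
```

Sorting by RPN and listing the covering controls side by side makes it visible when a high-RPN risk, such as Risk 02 here, relies on a single control.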