The ability to anticipate the unexpected and master uncertainties is a major challenge for companies concerned with securing their processes, particularly in procurement or project management. To achieve this, one of the most effective tools is the risk matrix, which allows you to visualise and prioritise potential threats based on their severity and likelihood of occurrence.
What is a risk matrix?
The risk matrix, also called a risk assessment matrix or impact matrix, is a visual analysis tool that classifies risks according to their probability of occurrence and their severity. It gives a clear representation of potential risks and so helps decision-makers prioritise the actions needed to mitigate or eliminate them.
Its key components are:
- Likelihood: measures the chance that a risk will occur;
- Severity: assesses the potential impact of the risk on the organisation.
By crossing these two dimensions, the risk matrix gives each risk a level of criticality, which makes it straightforward to rank the risks and the actions they call for.
What are the 3 types of risks?
Risk management is based on a classification of the different threats a company may face; this classification not only guides the risk analysis but also helps tailor the responses.
Strategic risks
Strategic risks are linked to the company's fundamental choices: its orientations, market positioning, alliances or transformation projects. They stem from long-term decisions made by senior management and can profoundly affect the sustainability or competitiveness of the organisation.
Examples of strategic risks:
- Entering a new market without thorough study;
- Adopting an emerging technology that is not mastered;
- Excessive dependence on a single customer or supplier.
Managing these risks often relies on prospective analysis, evaluation of sector trends, and the implementation of solid governance mechanisms (strategic committees, audits, etc.).
Operational risks
Operational risks concern the company's internal processes, its daily organisation, and its human and material resources. They often constitute the majority of risks identified in assessment matrices.
These risks can result from:
- Human errors (handling, data entry, interpretation);
- Technical or IT failures;
- Supply disruptions, particularly in procurement chains;
- Logistical dysfunctions or regulatory non-compliance.
They directly impact the company's performance, particularly in terms of quality, safety, deadlines or productivity. Prevention here relies on rigorous process control, continuous training, monitoring of key indicators and internal control systems.
Financial risks
Financial risks concern monetary flows, profitability and the economic stability of the company. They can stem from internal factors (poor budget management, fraud) or external factors (market volatility, exchange rates, regulatory changes).
Among the most frequent financial risks:
- Liquidity risk: inability to meet short-term commitments;
- Credit risk: default of a customer or financial partner;
- Interest rate or exchange risk: unfavourable variation in financial conditions;
- Tax risk: unexpected reclassification or tax audit.
Financial risk management relies particularly on anticipation and hedging mechanisms, such as credit insurance, derivative financial instruments, diversification of funding sources, or regular consolidation of cash flow forecasts.
Why use a risk matrix?
Using the risk matrix offers several advantages:
- Problem anticipation: by identifying risks upstream, the company can implement preventive measures;
- Improved communication: the matrix offers a shared vision of risks, promoting collaboration between teams;
- Resource optimisation: by prioritising risks, the organisation can allocate its resources more efficiently.
How to create an effective risk matrix?
Creating a risk matrix is based on a methodology aimed at ensuring a rigorous and usable assessment of potential threats.
Step 1: Identifying risks
The first step consists of identifying all risks that could affect a project, a process or the organisation as a whole. This identification is based on contextual analysis, taking into account sector specificities, operational constraints, economic challenges and past experience feedback.
Several methods can be used to identify risks:
- Collaborative workshops bringing together stakeholders (project managers, procurement team, management team, etc.) to compare viewpoints;
- Documentary analysis of previous audits, incidents or risk management reporting;
- Analytical methods, such as SWOT analysis (strengths, weaknesses, opportunities, threats) or fault trees.
The objective is to develop a comprehensive and representative list of risks, whether they are strategic, operational, financial or related to regulatory compliance.
Step 2: Assessing probability and severity
Once risks are identified, they must be evaluated according to two fundamental risk criteria: the likelihood of occurrence and the severity of their impact. This dual assessment allows each risk to be positioned in the matrix, by crossing the two dimensions.
- Probability: expresses the expected frequency of the risk. It can be defined on a qualitative rating scale (rare, possible, probable, frequent) or a quantitative one (from 1 to 5).
- Severity: corresponds to the potential impact of the risk on the project or company objectives (costs, deadlines, quality, image, safety...). Again, a rating scale can be used (low, medium, critical, catastrophic).
It is essential to define objective and shared criteria for each rating scale to ensure consistency and comparability of assessments.
Step 3: Prioritising risks
In the third step, the probability and severity of each risk must be crossed in a matrix table, to determine its level of criticality. This level is often represented by colour codes (green, yellow, orange, red) indicating the priority of action.
For example:
- Low risk: low probability and severity, minimal monitoring required;
- Medium risk: requires periodic evaluation;
- High risk: demands special attention and reduction measures;
- Critical risk: requires immediate intervention and dedicated resources.
This prioritisation allows efforts to be concentrated on the most threatening risks, while ensuring that the others remain covered.
Step 4: Developing action plans
Once risks are prioritised, concrete measures must be defined to address them. These measures can fall under various risk management strategies:
- Avoidance: modify the activity or project to eliminate the risk (e.g., change supplier or abandon an unmastered technology);
- Reduction: decrease the probability or severity of the risk (e.g., team training, supplier audits, implementation of quality controls);
- Transfer: have the risk borne by another entity (e.g., use of insurance, outsourcing);
- Acceptance: recognise the risk and prepare to manage the consequences (e.g., establishment of a budget reserve, contingency plan).
Action plans must be clearly defined, budgeted and monitored, with identified managers, precise deadlines and monitoring indicators. The matrix thus becomes an operational management tool allowing dynamic monitoring of risk evolution.
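To make Steps 2 to 4 concrete, here is an added example that is not code from the article or from Manutan: it scores a constructed procurement risk register on the 1-to-5 likelihood and severity scales, crosses the two ratings into a criticality score, maps that score to the four colour bands and their action levels, checks that each risk carries one of the four treatment strategies and an identified manager, and returns the register ordered by priority. The numeric thresholds used for the bands, the sample risks and the owner names are assumptions; the article gives the bands but not the cut-off values.

```python
"""Score and prioritise a risk register with a 5x5 likelihood/severity matrix.

Added illustration, not the article's own method or code. The band
thresholds, the sample register and the owner names are constructed.
"""
from dataclasses import dataclass

# Qualitative scales mapped onto the 1..5 ratings described in Step 2.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "probable": 4, "frequent": 5}
SEVERITY = {"negligible": 1, "low": 2, "medium": 3, "critical": 4, "catastrophic": 5}

# Criticality bands from Step 3 with their action level. Each entry is the
# upper bound (inclusive) of the likelihood x severity product (1..25).
# The cut-off values are an assumption: the article names the bands only.
BANDS = (
    (4, "low", "minimal monitoring"),
    (9, "medium", "periodic evaluation"),
    (16, "high", "special attention and reduction measures"),
    (25, "critical", "immediate intervention and dedicated resources"),
)

# The four treatment strategies listed in Step 4.
STRATEGIES = {"avoidance", "reduction", "transfer", "acceptance"}


@dataclass
class Risk:
    name: str
    category: str    # strategic / operational / financial / contractual / CSR
    likelihood: int  # 1..5
    severity: int    # 1..5
    strategy: str    # one of STRATEGIES
    owner: str       # identified manager responsible for the action plan


def criticality(likelihood: int, severity: int) -> int:
    """Cross the two dimensions: criticality = likelihood x severity."""
    if not (1 <= likelihood <= 5 and 1 <= severity <= 5):
        raise ValueError("ratings must lie on the 1..5 scale")
    return likelihood * severity


def classify(score: int) -> tuple:
    """Return (band label, action level) for a criticality score of 1..25."""
    for upper, label, action in BANDS:
        if score <= upper:
            return label, action
    raise ValueError("criticality score out of range")


def validate(risk: Risk) -> None:
    """Step 4 checks: a named strategy and an identified manager."""
    if risk.strategy not in STRATEGIES:
        raise ValueError(f"{risk.name}: unknown strategy {risk.strategy!r}")
    if not risk.owner.strip():
        raise ValueError(f"{risk.name}: action plan has no identified manager")


def prioritise(register: list) -> list:
    """Return (risk, score, band, action) tuples, most critical first.

    Ties on the score are broken by severity, so a rare but catastrophic
    risk ranks above a frequent but minor one with the same product.
    """
    rows = []
    for risk in register:
        validate(risk)
        score = criticality(risk.likelihood, risk.severity)
        band, action = classify(score)
        rows.append((risk, score, band, action))
    return sorted(rows, key=lambda r: (-r[1], -r[0].severity))


# Constructed sample register using the procurement risk types named in the article.
SAMPLE_REGISTER = [
    Risk("Dependence on a single supplier for a key part", "strategic",
         LIKELIHOOD["probable"], SEVERITY["catastrophic"], "reduction", "Procurement lead"),
    Risk("Delivery delays on critical components", "operational",
         LIKELIHOOD["probable"], SEVERITY["medium"], "reduction", "Supply chain manager"),
    Risk("Unfavourable exchange rate on imported goods", "financial",
         LIKELIHOOD["possible"], SEVERITY["medium"], "transfer", "Finance controller"),
    Risk("Supplier breach of environmental standards", "CSR",
         LIKELIHOOD["unlikely"], SEVERITY["critical"], "reduction", "CSR officer"),
    Risk("Data-entry error in purchase orders", "operational",
         LIKELIHOOD["probable"], SEVERITY["negligible"], "acceptance", "Purchasing clerk"),
]


if __name__ == "__main__":
    for risk, score, band, action in prioritise(SAMPLE_REGISTER):
        print(f"{score:>2} {band:<8} {risk.name:<48} -> {action} ({risk.owner})")
```

Running the block prints the register from the critical single-supplier dependence (4 x 5 = 20) down to the low-band data-entry error (4 x 1 = 4); the ordering by score and then severity is what drives the "concentrate effort on the most threatening risks" logic of Step 3, while `validate` enforces the Step 4 requirement that every action plan has a strategy and a named manager before the risk is accepted into the ranking.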
This approach is fully in line with a business continuity logic, as Antoine COMPIN, Managing Director of Manutan France, points out: "It is not possible to predict the unpredictable, but it is possible to prepare for the unexpected. With our teams, we develop continuity plans. [...] In this context, we work on how to react to unexpected situations."[1]
Application of the risk matrix in the procurement process
In the procurement field, risks can be multiple:
- Financial: price fluctuations, unfavourable exchange rates;
- Contractual: non-compliance with clauses, disputes;
- Operational: delivery delays, non-conforming quality;
- CSR: non-compliance with environmental or social standards.
By using the risk matrix, each threat is evaluated and positioned according to its probability and severity. This prioritisation allows efforts to be focused on the most critical risks. Measures can be taken to mitigate identified risks:
- Supplier diversification: reduce dependence on a single supplier;
- Specific contractual clauses: provide for penalties in case of non-compliance;
- Regular audits: ensure supplier compliance and performance.
The risk matrix is a risk management tool that enables effective management of procurement and projects. By identifying, assessing and prioritising risks, it allows for informed decision-making and ensures the success of initiatives.
[1] Antoine Compin (Managing Director of Manutan France), Le débat, SMART @WORK, B-Smart, 18 February 2023, 22 min, https://www.bsmart.fr/video/18563-smart-work-partie-18-fevrier-2023