Mastering Risk Assessment: A Step-by-Step Guide and Examples
A risk assessment matrix turns vague worry into a prioritized action list. Here is how to build one for HR, score the risks that matter, and keep it current.

A risk assessment matrix is a visual tool that ranks risks by how likely they are to happen and how badly they would hurt the organization if they did. It is the single most common way HR, compliance, and operations teams turn vague worry into a prioritized action list.
The matrix shows up in nearly every formal risk framework, including ISO 31000:2018, the international standard for risk management. ISO 31000 defines a six-step risk management process where the matrix sits at the analysis and evaluation stage, helping organizations decide which risks deserve immediate action and which can be monitored.
This guide walks through what the matrix is, how to build one, the workplace risks HR teams should be scoring, and where the tool stands today.
What a risk assessment matrix is
A risk assessment matrix is a grid that plots two variables against each other: how likely a risk is to occur and how severe the impact would be if it did. Each cell on the grid corresponds to a risk score, color-coded from low to high.
The grid format is what makes it useful. A spreadsheet of 50 risks gives you no sense of which to address first. A matrix shows you immediately which risks are concentrated in the "high likelihood, high severity" corner and need attention now.
Most workplace risk matrices use a 5x5 grid:
- Likelihood axis: Rare, unlikely, possible, likely, almost certain
- Severity axis: Negligible, minor, moderate, major, catastrophic
- Risk score: Calculated as likelihood multiplied by severity, ranked low (green), medium (yellow), high (orange), or critical (red)
Some organizations use 3x3 or 4x4 grids. The 5x5 is the standard in most ISO 31000 implementations because it gives enough granularity without false precision.
Why risk assessment matrices are useful
The matrix does four things at once:
- Forces prioritization. You cannot address every risk equally. The matrix shows which to act on first.
- Creates a shared vocabulary. Compliance, HR, legal, and operations can talk about the same risk using the same scoring.
- Documents decisions. When something goes wrong, you have a record of what you knew, when you knew it, and how you scored it.
- Drives investment. A risk plotted in the red zone is a budget conversation. Risks plotted in the green zone usually are not.
For HR teams in particular, the matrix is where workplace risks get the same treatment as financial or operational risks. Without it, people issues get treated as soft and unbudgeted. With it, they are quantified. Pairing the matrix with disciplined employee relations case management closes the loop between risk forecasting and actual incident response.
How to build a risk assessment matrix
The process has five steps. Each one is required. Skipping any of them produces a matrix that looks rigorous but is not.
Step 1: Identify the risks
Start with a complete inventory of risks relevant to the function you are assessing. For HR and workplace safety, the categories typically include:
- Workplace safety hazards (slip-trip-fall, equipment, chemicals)
- Discrimination and harassment exposure
- Wage and hour compliance
- Data security and employee privacy
- Workplace violence and threats
- Retaliation and whistleblower exposure
- Mental health and burnout
- Vendor and contractor risk
Brainstorm broadly. Use incident logs, exit interview themes, employee survey data, and prior employee relations metrics as inputs. The risk you do not list does not get scored.
Step 2: Score the likelihood
For each identified risk, assign a likelihood score on the 1-5 scale:
| Score | Likelihood | What it means |
|---|---|---|
| 1 | Rare | Could only happen in exceptional circumstances |
| 2 | Unlikely | Could happen but not expected |
| 3 | Possible | Could happen occasionally |
| 4 | Likely | Will probably happen in most circumstances |
| 5 | Almost certain | Expected to happen in most circumstances |
Anchor the scores in data where possible. Past incidents, industry benchmarks, and regulatory enforcement trends all inform likelihood. A "possible" rating with documented justification is more useful than a "likely" rating based on a gut feel.
Step 3: Score the severity
Severity is what would happen if the risk materialized. Score on the same 1-5 scale, but be explicit about what dimensions you are measuring:
- People impact: Injury, harassment exposure, mental health consequences
- Financial impact: Legal settlements, lost productivity, recovery costs
- Reputational impact: Media coverage, employer brand damage, customer perception
- Regulatory impact: Fines, license issues, mandatory reporting
- Operational impact: Business continuity, workforce disruption, system downtime
Most organizations use the highest single severity rating across these dimensions. A risk that scores "moderate" on financial impact but "catastrophic" on reputational impact is a catastrophic risk overall.
Step 4: Calculate and plot the risk score
Multiply likelihood by severity to get the risk score. On a 5x5 matrix, scores range from 1 (rare and negligible) to 25 (almost certain and catastrophic). The grid typically breaks down as:
- Low risk (1-4): Monitor; no immediate action required
- Medium risk (5-9): Implement controls; review quarterly
- High risk (10-15): Active mitigation required; senior leadership awareness
- Critical risk (16-25): Immediate action; board-level visibility
Plot each risk on the grid by its likelihood and severity score. Patterns appear immediately. A cluster of high-severity, moderate-likelihood items in the upper-middle is a different challenge than a small number of critical risks in the top-right.
Step 5: Assign owners and treatments
A scored risk with no owner stays nothing more than a score. For each risk in the medium-and-above range, document:
- Who owns the risk
- The treatment approach (accept, transfer, mitigate, avoid)
- The specific controls in place or planned
- The review cadence
- The trigger for re-scoring
Without ownership, the matrix becomes a wall poster. With ownership, it becomes a working document.
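The five steps above as working code, added here as an example rather than code from the article or from any risk tool. The severity dimension keys, the treatment list and the sample risks are assumptions built from the text; the sample entries are constructed so their overall severities match the example table that follows.

```python
# Added example (not from the article's author or any vendor): scoring a 5x5 matrix
# with the article's rules. Risk names and per-dimension scores are constructed sample data.
DIMENSIONS = {"people", "financial", "reputational", "regulatory", "operational"}
BANDS = ((4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical"))  # (upper bound, label)
TREATMENTS = {"accept", "transfer", "mitigate", "avoid"}

def check_scale(value, label):
    """Reject anything outside the 1-5 integer scale rather than silently scoring it."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer 1-5, got {value!r}")
    return value

def overall_severity(by_dimension):
    """Step 3 rule: the highest single dimension sets the overall severity."""
    unknown = set(by_dimension) - DIMENSIONS
    if unknown or not by_dimension:
        raise ValueError(f"unknown or missing severity dimensions: {sorted(unknown)}")
    return max(check_scale(v, f"severity[{d}]") for d, v in by_dimension.items())

def band(score):
    """Map a 1-25 score onto the article's four colour bands."""
    return next(label for upper, label in BANDS if score <= upper)

def score_risk(risk, likelihood, severity, owner=None, treatment=None):
    """Score one risk; for medium-and-above, flag the Step 5 items that are still missing."""
    if treatment is not None and treatment not in TREATMENTS:
        raise ValueError(f"treatment must be one of {sorted(TREATMENTS)}")
    lk, sv = check_scale(likelihood, "likelihood"), overall_severity(severity)
    score = lk * sv
    label = band(score)
    gaps = [] if label == "Low" else [g for g, have in (("owner", owner), ("treatment", treatment)) if not have]
    return {"risk": risk, "likelihood": lk, "severity": sv, "score": score,
            "band": label, "owner": owner, "treatment": treatment, "gaps": gaps}

def build_register(entries):
    """Score every entry and order it highest score first, as the plotted matrix would show."""
    return sorted((score_risk(**e) for e in entries), key=lambda r: (-r["score"], -r["severity"]))

# Constructed sample entries; the overall severities match the article's example table.
SAMPLE = [
    dict(risk="Sexual harassment complaint not properly investigated", likelihood=3,
         severity={"people": 5, "reputational": 5, "regulatory": 4}, owner="VP People", treatment="mitigate"),
    dict(risk="Data breach exposing personnel files", likelihood=2,
         severity={"regulatory": 5, "reputational": 4, "financial": 3}, owner="CISO"),
    dict(risk="Workplace violence incident", likelihood=1, severity={"people": 5, "operational": 3}),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE):
        print(f'{r["score"]:>2} {r["band"]:<8} {r["risk"]}  missing: {r["gaps"] or "none"}')
```

Anything medium or above that still lists gaps is a risk that has been scored but not yet owned or treated.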
Example: scoring HR-specific workplace risks
Here is how a typical workplace risk matrix looks for an HR function:
| Risk | Likelihood | Severity | Score | Category |
|---|---|---|---|---|
| Sexual harassment complaint not properly investigated | 3 | 5 | 15 | High |
| Wage and hour misclassification | 3 | 4 | 12 | High |
| Manager retaliation against reporter | 2 | 5 | 10 | High |
| Data breach exposing personnel files | 2 | 5 | 10 | High |
| FMLA mismanagement | 3 | 3 | 9 | Medium |
| Workplace violence incident | 1 | 5 | 5 | Medium |
| ADA accommodation refused | 2 | 4 | 8 | Medium |
| Background check process error | 2 | 3 | 6 | Medium |
This pattern is common: the high-score items are the ones that combine moderate likelihood with high severity. They are the risks worth investing in controls for. Workplace violence ranks lower because, while its severity is catastrophic, its likelihood is rare. That does not mean ignoring it; it means designing controls proportionate to the score.
Common risk assessment matrix mistakes
Six patterns show up in matrices that look good but do not function:
- Score inflation. When everything is "high," nothing is. Be specific about what makes a risk severe.
- Static scoring. A matrix scored once and never reviewed loses meaning in months. Quarterly review is the minimum.
- Single-rater bias. One person's view of likelihood is incomplete. Multiple raters from different functions produce better scoring.
- Ignoring near-misses. A near-miss is a free lesson. Update the matrix when one happens.
- Forgetting residual risk. Inherent risk is what exists before controls. Residual risk is what remains after. Both belong on the matrix.
- Disconnecting the matrix from action. A risk in the red zone with no owner is decorative.
Where risk assessment matrices stand in 2025 and 2026
Three shifts have changed how organizations apply the matrix in 2025 and 2026.
ISO 31000 emphasis on continuous review
The 2026 ISO 31000 framework guide from MetricStream reinforces that monitoring and review run continuously through the risk management process, not at fixed intervals. The matrix is now expected to be a living document updated whenever a control changes, an incident occurs, or a regulatory shift affects the underlying risk landscape.
AI and data risks have moved up the matrix
Risks that were either absent or "low" on most matrices three years ago, including generative AI use, employee privacy in monitoring systems, and algorithmic decision-making, now routinely score in the medium-to-high range. Adding these to the matrix is one of the more common updates HR functions made in 2025 and 2026.
The matrix integrates with case management
Risk assessment used to live in a separate compliance tool. Now it sits alongside actual incident data. When a workplace harassment case opens, the related risk score on the matrix gets re-evaluated. Trend data from your ER case system feeds back into the likelihood scoring for similar risks. AllVoices is a leading employee relations platform that helps HR teams manage ER cases, workplace investigations, anonymous reporting, and employee feedback in one auditable system. Request a walkthrough if you want to see how case data and risk scoring connect.
This article is informational and does not constitute legal or compliance advice. Risk assessment requirements vary by jurisdiction, industry, and regulatory framework. Consult counsel or a qualified risk professional for any matter with regulatory or legal implications.