The document presents a detailed overview of personal risk management, focusing on how to create and utilize a risk matrix for identifying and managing risks within organizations. It outlines steps for risk assessment, including defining risk, quantifying perils, and testing the risk matrix, while emphasizing the importance of systematic measures for compliance and informed decision-making. The document also discusses practical applications and templates for risk assessment in various contexts, such as fraud, health and safety, and project management.

1. RMI 1212 : PERSONAL RISK MANAGEMENT
Wayamba University of Sri Lanka
Diploma in Risk Management & Insurance
Resource Person
Dr. Weedige S. Sanjeewa
Senior Lecturer | Director HDRMI | Director DRMI | Chairman FRHDC
Head - Department of Insurance & Valuation
Faculty of Business Studies & Finance
Wayamba University of Sri Lanka
Risk Assessment: Creating a Risk Matrix
© Weedige S. Sanjeewa 1

2. Learning Outcomes:
 At the end of this lesson students will be able to
understand how to prepare and use Risk Matrix to
identify and manage risk.
© Weedige S. Sanjeewa 2
Risk Assessment: Creating a Risk Matrix

3. Risk is the new Benchmark
 Business are moving at a faster rate
 Compliance needs to be maintained – need a
systematic, quantitative measure
 Risk is becoming the new benchmark for compliance
 Objective, Repeatable
 Helps to make better, more informed decisions
© Weedige S. Sanjeewa 3

4. Step 1. Defining Risk / Risk Taxonomy
 Companies spend time and money building a risk
taxonomy
 A risk taxonomy is a comprehensive, common and
stable set of risk categories that is used within an
organization.
 By providing a comprehensive set of risk categories, it
encourages those involved in risk identification to
consider all types of risks that could affect the
organization's objectives.
© Weedige S. Sanjeewa 4

5. Risk Taxonomy Examples
© Weedige S. Sanjeewa 5

6. Risk comes from Perils Hazards and
Hazards
 Hazards = A situation that poses a level of threat to life, health,
property or environment (an undesired event)
 Perils = resulting damages from the Hazard
 Risk = The potential that a chosen action or activity will lead to
an undesirable event
 Control = A method of evaluating potential losses and taking
action to reduce or eliminate the potential for an undesired event
© Weedige S. Sanjeewa 6

7. Step 2. Quantifying Perils and Hazards
 We need a scale – Severity and Frequency
 Define the level of Risk on a pre-defined Scale:
7
Severity Description
Catastrophic Likely to result in death
Critical Potential for severe injury
Moderate Potential for moderate injury
Minor Potential for minor injury
Negligible No significant risk of injury
Frequency Description
Frequent Hazard likely to occur
Probable Hazard will be experienced
Occasional Some manifestations of the hazard are likely to occur
Remote Manifestations of the hazard are possible, but unlikely
Improbable Manifestations of the hazard are very unlikely

8. What is a Risk Matrix?
 A risk matrix is a matrix that is used during risk
assessment to define the level of risk by considering the
category of probability or likelihood against the category
of consequence severity.
 This is a simple mechanism to increase visibility of risks
and assist management decision making.
© Weedige S. Sanjeewa 8

9. Step 3. Build it all into a Risk Matrix
 The Risk Matrix: tool used in the Risk Assessment
process, it allows the severity of the risk of an event
occurring to be determined.
 Graphically displays the total of each of the Perils &
Hazards that contribute to the risk
© Weedige S. Sanjeewa 9

10. There are some “gray areas”
 Risks are not always “black and white”
 When defining risk management, some organizations
find it convenient to categorize risks into the following
three regions:
 The broadly acceptable region (Generally Acceptable - GA)
 The ALARP (As Low As Reasonably Practicable) region; and
 The intolerable region (Generally Unacceptable - GU)
© Weedige S. Sanjeewa 10

11. Step 4. Test your Risk Matrix
 You must vet the matrix
 Risk score is a mathematical measure
 Use “real world” examples to ensure validity of the
matrix
© Weedige S. Sanjeewa 11

12. A Vetted Risk Matrix is just a Tool
 Risk Matrix is designed as a tool, not a solution
 Risk is only quantifying the result
 Individuals / Organizations need to work on interpreting the
decision
 Risk Teams review events to make decisions, using the
Risk Matrix as a tool for the decision-making process
© Weedige S. Sanjeewa 12

13. A better example of a risk matrix
© Weedige S. Sanjeewa 13

14. Covid 19 compares with other infectious diseases
14
Source : Risk matrix from the NY Times article on How Bad Will the Coronavirus Outbreak Get?
Note: Average case-fatality rates and transmission numbers are shown. Estimates of case-fatality rates can vary, and numbers for the new
coronavirus are preliminary estimates.

15. How to Apply The Risk Matrix
 Use Risk Assessment to filter adverse events
 What is the risk of the event, versus when it came into the system
 Prioritize events by their RISK not their due date
 Resolve low-priority events at the source where they
are found
 Minor Complaints/Non-conformances/Audit findings
 Events with little impact can be immediately resolved
 Risk Mitigation: Applies risk assessment to
verification and effectiveness in Corrective Action
 Are we reducing the risk to the right level?
 Are we truly mitigating risk of recurrence?
© Weedige S. Sanjeewa 15

16. © Weedige S. Sanjeewa 16
How to Apply The Risk Matrix Cont.…

17. Practical Working Example
© Weedige S. Sanjeewa 17

18. Risk Assessment Templates – Practical
Example
Step 1: Identify Hazards
 Relating to your scope, brainstorm potential hazards.
The list should be long and comprehensive and
may include anything from falls and burns, to theft and
fraud, to pollution and societal damage.
© Weedige S. Sanjeewa 18

19. Step 2: Calculate Likelihood
 For each hazard, determine the likelihood it will occur. This
can be measured as a probability (a 90 per cent chance) or as
a frequency (twice a year). Then, based on the likelihood,
choose which bracket accurately describes the probability:
© Weedige S. Sanjeewa 19
1. Unlikely - An unlikely hazard is extremely rare, there is a less than 10 per cent chance that it will happen.
2. Seldom - Seldom hazards are those that happen about 10 to 35 per cent of the time.
3. Occasional - An occasional hazard will happen between 35 and 65 per cent of the time.
4. Likely - A likely hazard has a 65 to 90 per cent probability of occurring.
5. Definite - These hazards will occur 90 to 100 per cent of the time. You can be nearly certain it will manifest.

20. Step 3: Calculate Consequences
 Following the same pattern, calculate potential loss using
either quantitative measurements (Rupee), qualitative
measurements (descriptive scale) or a mix of both. Then, based on
the magnitude of the consequences, choose which
bracket accurately describes the losses:
A. Insignificant
The consequences are insignificant and may cause a near negligible amount of damage. This
hazard poses no real threat. Examples: loss of Rs 10,000, no media coverage and/or no bodily
harm.
B. Marginal
The consequences are marginal and may cause only minor damage. This hazard is unlikely to
have a huge impact. Examples: loss of Rs. 100,000, local media coverage and/or minor bodily
harm.
C. Moderate
The consequences are moderate and may cause a sizeable amount of damage. This hazard
cannot be overlooked. Examples: loss of 1,000,000, regional media coverage and/or minor
bodily harm.
20

21. © Weedige S. Sanjeewa 21
Step 3: Calculate Consequences
D. Critical
The consequences are critical and may cause a great deal of damage.
This hazard must be addressed quickly. Examples: loss of Rs.
10,000,000, national media coverage, major bodily harm and/or police
involvement.
E. Catastrophic
The consequences are catastrophic and may cause an unbearable
amount of damage. This hazard is a top priority. Examples: loss of Rs.
100,000,000 , international media coverage, extreme bodily harm
and/or police involvement.

22. Step 4: Calculate Risk Rating
 Assign each hazard with a corresponding risk rating, based on the
likelihood and impact you’ve already calculated.
 For example, a hazard that is very likely to happen and will have major
losses will receive a higher risk rating than a hazard that’s unlikely and will
cause little harm.
 Risk ratings are based on your own opinion and divided into four brackets.
They are:
22
1. Low
Low risks can be ignored or overlooked as they usually are not a significant
threat. A definite hazard with insignificant consequences, such as stubbing
your toe, may be low risk.
2. Medium
Medium risks require reasonable steps for prevention but they’re not a
priority. A likely hazard with marginal consequences, such as a small fall,
may be medium risk.

23. 3. High
High risks call for immediate action. An occasional hazard with critical
consequences, such as a major car accident, may be high risk.
4. Extreme
Extreme risks may cause significant damage, will definitely occur, or a
mix of both. They’re a high priority. An unlikely hazard with
catastrophic consequences, such as an aircraft crash, is an extreme
risk.
© Weedige S. Sanjeewa 23
Step 4: Calculate Risk Rating Cont.…

24. Step 5: Create an Action Plan
 Your risk action plan will outline steps to address a hazard, reduce
its likelihood, reduce its impact and how to respond if it occurs.
 Depending on the severity of the hazard, you may wish to include
notes about key team members (i.e., project manager, PR or
Communications Director, subject matter expert), preventative
measures, and a response plan for media and stakeholders.
© Weedige S. Sanjeewa 24

25. Step 6: Plug Data into Matrix
 A risk assessment matrix simplifies the information from the risk
assessment form, making it easier to pinpoint major threats in a
single glance.
 This convenience makes it a key tool in the risk management
process.
© Weedige S. Sanjeewa 25

26. More Risk Matrix Sample
© Weedige S. Sanjeewa 26

27. Fraud Risk Matrix Sample
 Anticipating fraud and theft is a crucial component of a
company’s antifraud efforts.
 Developing a risk assessment helps to identify hazards
proactively so management can take precautionary
measures or, if required, a risk response
 Examples of hazards that may need to be addressed in an
organization risk assessment include:
 Asset misappropriation (check fraud, billing schemes, theft of cash)
 Fraudulent statements (misstatement of assets, holding books open)
 Corruption (kickbacks, bribery, extortion)
 Conflicts of interest
© Weedige S. Sanjeewa 27

28. Health and Safety Risk Matrix Sample
 A health and safety risk assessment is important for industries like
construction, manufacturing or science labs where work takes place
in potentially dangerous environments.
 In a warehouse, for example, workers are at risk of many hazards
such as:
 Severe or fatal injury from falling
 Repetitive strain injuries from manual handling
 Sprains and fractures from slips and trips
 Being crushed by falling objects
 Being hit by (or falling out of) lift trucks
 Crush injuries or cuts from large machinery
 Moving parts of a conveyor belt resulting in injury
 Exposure to hazardous substances
 Health and safety risk assessments must also include things like
workplace violence and other dangerous employee misconduct.
28

29. Project Risk Matrix Sample
 Any project, event or activity must undergo a thorough risk
assessment to identify and assess potential hazards. Once these
risks are better understood, the team can make a prevention and
mitigation plan to arm themselves against the hazard.
 Brainstorm hazards in several categories such as:
 Technical (data breach)
 Cost (funding falls through)
 Contractual (modified requirements)
 Weather (natural disaster)
 Environmental (oil spill)
 People (illness, resignation)
© Weedige S. Sanjeewa 29

30. Next Steps & Responding to Risks
 Once you have finished your plan, determine how action steps. You
can choose to “accept” the risk if the cost of countermeasures will
exceed the estimated loss.
 Harm reduction is a second option. To reduce the consequences of
risk, develop a mitigation plan to minimize the potential for harm.
 The third option is to avoid the risk. For catastrophic disasters,
preventing the risk from occurring at all is the best (and often only)
course of action.
 However you plan to deal with the risks, your assessment is an
ongoing evaluation and must be reviewed regularly. Experts
recommend updating your risk assessment at least once a year, and
perhaps more often depending on your unique situation.
30

31. Summary
 Risk Assessment is great tool for making informed decisions
 Understand your Hazards and Harms within the organization
 Build a scale that makes sense to your organization
 Plot the scale on a graph to form a Risk Matrix
 Determine where the acceptable and unacceptable risk lie
 Then, vet that matrix with real-world historical examples
 Use the Risk Matrix as a tool within a Risk team to filter adverse
events by their Risk
© Weedige S. Sanjeewa 31