Example Risk Assessment Matrix

Sample Risk Assessment Matrix

There are a number of different ways to document risk assessments.

Methodologies range from “What if” models to more complex analyses using a variety of quantitative models and algorithms.

The identification of risks and risk exposure is only part of an effective risk assessment.

The whole purpose of a risk assessment is to measure both the possibility and the impact of risk before and after mitigation.

Many companies are ISO 9001 certified. ISO 9001 requires companies to identify risks and take measures to reduce the effects of risks on the company. Furthermore, the company is expected to measure the effectiveness of the measures taken.

One of the easiest ways to document a risk, the likelihood of it happening, and its impact on a company is mathematically.

Using a risk assessment matrix helps quantify the possibility and impact before and after mitigation.

The first step of a risk assessment is to document the likelihood of the risk occurring and the impact on the company if the risk event occurs and no mitigation measures are employed.

The second step of the risk assessment is to identify the mitigation implemented to reduce the possibility of the risk occurring, reduce the impact of the risk event if it does occur, or both.

Lastly, in keeping with the requirements of ISO 9001, the effectiveness of the mitigation should be assessed by measuring the possibility and impact after mitigation has been implemented.

If the residual risk that is left after mitigation has been implemented is still high or not acceptable, the mitigation should be reviewed again to further reduce the possibility, the impact, or both.

The Risk Assessment Matrix can be downloaded and modified with descriptors of your choice.

The Sample Company Risk Assessment Sheet can be downloaded to document the risks, possibility, impact, mitigation, and further residual risk values.