The risk evaluation matrix
This section provides the framework that you will be using for the risk evaluation step in risk management.
The risk evaluation matrix should be based on the risk management policy, which may well be a narrative description of how the organization views risk. That policy should then be translated into limits for acceptable and unacceptable risk, and possibly for risks that are acceptable but require special attention because they are relatively high (these can be risks that were previously often referred to as ALARP).
The matrix may have 3-10 steps on both the probability scale and the severity scale. I recommend using 3 to 5. More steps just make it more complicated.
I recommend using a green area for acceptable risk (ACC), a yellow area for risks that border on the unacceptable area (ACC*) and a red area for unacceptable risk (N ACC).
The severity table
List the harms that are relevant to your product to assist coherent determination of severity. Below is an example:
|Catastrophic||Results in death||Death||5|
|Critical||Results in permanent impairment or impairment requiring professional
|Serious||Results in injury or impairment requiring professional medical
|Minor||Results in temporary injury or impairment not requiring professional medical intervention.
|Negligible||Inconvenience or temporary||Pressure to hand||1|