
Guidance on Risk Analysis

The NIST HIPAA Security Toolkit Application, developed by the National Institute of Standards and Technology (NIST), is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services.

The Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched a HIPAA Security Risk Assessment (SRA) Tool. The tool’s features make it useful in assisting small and medium-sized health care practices and business associates in complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

  • OCR and ONC are holding training sessions and an overview of the SRA Tool. The slides for these sessions are posted at the following link, and a recording will be posted as soon as possible: https://www.healthit.gov/sites/default/files/page/2019-07/SRAInstructionalPresentation.pdf

The Office for Civil Rights (OCR) is responsible for issuing periodic guidance on the provisions in the HIPAA Security Rule. (45 C.F.R. §§ 164.302 – 318.)  This series of guidance documents will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. The materials will be updated annually, as appropriate.

For additional information, please review our other Security Rule Guidance Material and our Frequently Asked Questions about the Security Rule.

Download a copy of the guidance in PDF.

Introduction

The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule. [1] (45 C.F.R. §§ 164.302 – 318.) This series of guidance documents will assist organizations [2] in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (e-PHI). The guidance materials will be developed with input from stakeholders and the public, and will be updated as appropriate.

We begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A).  Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.  Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.  

The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. [3] An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.

We note that some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST). NIST, a federal agency, publishes freely available material in the public domain, including guidelines. [4] Although only federal agencies are required to follow guidelines set by NIST, the guidelines represent the industry standard for good business practices with respect to standards for securing e-PHI. Therefore, non-federal organizations may find their content valuable when developing and performing compliance activities.

All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process. We understand that the Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the size, complexity, and capabilities of the organization. Instead, the Rule identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve.

Risk Analysis Requirements under the Security Rule

The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard.  Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

The following questions adapted from NIST Special Publication (SP) 800-66 [5] are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

• Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.

• What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?

• What are the human, natural, and environmental threats to information systems that contain e-PHI?

In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. For example, the Rule contains several implementation specifications that are labeled “addressable” rather than “required.” (68 FR 8334, 8336 (Feb. 20, 2003).) An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so. (See 68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3).)

The outcome of the risk analysis process is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate. Organizations should use the information gleaned from their risk analysis as they, for example:

• Design appropriate personnel screening processes. (45 C.F.R. § 164.308(a)(3)(ii)(B).)

• Identify what data to back up and how. (45 C.F.R. § 164.308(a)(7)(ii)(A).)

• Decide whether and how to use encryption. (45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).)

• Address what data must be authenticated in particular situations to protect data integrity. (45 C.F.R. § 164.312(c)(2).)

• Determine the appropriate manner of protecting health information transmissions. (45 C.F.R. § 164.312(e)(1).)

Important Definitions

Unlike “availability”, “confidentiality” and “integrity”, the following terms are not expressly defined in the Security Rule. The definitions provided in this guidance, which are consistent with common industry definitions, are provided to put the risk analysis discussion in context. These terms do not modify or update the Security Rule and should not be interpreted inconsistently with the terms used in the Security Rule.

Vulnerability

Vulnerability is defined in NIST Special Publication (SP) 800-30 as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”

Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as inappropriate access to or disclosure of e-PHI. Vulnerabilities may be grouped into two general categories, technical and non-technical. Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines. Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.

Threat

An adapted definition of threat, from NIST SP 800-30, is “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”

There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental. Examples of common threats in each of these general categories include:

• Natural threats such as floods, earthquakes, tornadoes, and landslides.

• Human threats are enabled or caused by humans and may include intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to e-PHI) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry) actions.

• Environmental threats such as power failures, pollution, chemicals, and liquid leakage.

Risk

An adapted definition of risk, from NIST SP 800-30, is:

“The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur . . . . [R]isks arise from legal liability or mission loss due to—

1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system.”

Risk can be understood as a function of 1) the likelihood of a given threat triggering or exploiting a particular vulnerability, and 2) the resulting impact on the organization. This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.

Elements of a Risk Analysis

There are numerous methods of performing risk analysis and there is no single method or “best practice” that guarantees compliance with the Security Rule. Some examples of steps that might be applied in a risk analysis process are outlined in NIST SP 800-30. [6]

The remainder of this guidance document explains several elements a risk analysis must incorporate, regardless of the method employed.

Scope of the Analysis

The risk analysis the Security Rule requires encompasses the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization’s risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted, and regardless of the source or location of that e-PHI.

Data Collection

An organization must identify where the e-PHI is stored, received, maintained or transmitted. An organization could gather relevant data by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering techniques. The data on e-PHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

Identify and Document Potential Threats and Vulnerabilities

Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. §§ 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)

Assess Current Security Measures

Organizations should assess and document the security measures an entity uses to safeguard e-PHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

The security measures implemented to reduce risk will vary among organizations. For example, small organizations tend to have more control within their environment. Small organizations tend to have fewer variables (i.e. fewer workforce members and information systems) to consider when making decisions regarding how to safeguard e-PHI. As a result, the appropriate security measures that reduce the likelihood of risk to the confidentiality, availability and integrity of e-PHI in a small organization may differ from those that are appropriate in large organizations. [7]

Determine the Likelihood of Threat Occurrence

The Security Rule requires organizations to take into account the probability of potential risks to e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) The results of this assessment, combined with the initial list of threats, will influence the determination of which threats the Rule requires protection against because they are “reasonably anticipated.”

The output of this part should be documentation of all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability and integrity of e-PHI of an organization. (See 45 C.F.R. §§ 164.306(b)(2)(iv), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)

Determine the Potential Impact of Threat Occurrence

The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization.

The output of this process should be documentation of all potential impacts associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability and integrity of e-PHI within an organization. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)

Determine the Level of Risk

Organizations should assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. The risk level determination might be performed by assigning a risk level based on the average of the assigned likelihood and impact levels.

The output should be documentation of the assigned risk levels and a list of corrective actions to be performed to mitigate each risk level. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

Finalize Documentation

The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).) The risk analysis documentation is a direct input to the risk management process.

Periodic Review and Updates to the Risk Assessment

The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).) The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.

A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation. For example, if the covered entity has experienced a security incident, has had a change in ownership, has had turnover in key staff or management, or is planning to incorporate new technology to make operations more efficient, the potential risk should be analyzed to ensure the e-PHI is reasonably and appropriately protected. If it is determined that existing security measures are not sufficient to protect against the risks associated with the evolving threats or vulnerabilities, a changing business environment, or the introduction of new technology, then the entity must determine if additional security measures are needed. Performing the risk analysis and adjusting risk management processes to address risks in a timely manner will allow the covered entity to reduce the associated risks to reasonable and appropriate levels. [8]

Risk analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.

The Security Series papers available on the Office for Civil Rights (OCR) website, http://www.hhs.gov/ocr/hipaa, contain a more detailed discussion of tools and methods available for risk analysis and risk management, as well as other Security Rule compliance requirements. Visit http://www.hhs.gov/ocr/hipaa for the latest guidance, FAQs and other information on the Security Rule.

Several other federal and non-federal organizations have developed materials that might be helpful to covered entities seeking to develop and implement risk analysis and risk management strategies. The Department of Health and Human Services does not endorse or recommend any particular risk analysis or risk management model. The documents referenced below do not constitute legally binding guidance for covered entities, nor does adherence to any or all of the standards contained in these materials prove substantial compliance with the risk analysis requirements of the Security Rule. Rather, the materials are presented as examples of frameworks and methodologies that some organizations use to guide their risk analysis efforts.

The National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, is responsible for developing information security standards for federal agencies. NIST has produced a series of Special Publications, available at http://csrc.nist.gov/publications/PubsSPs.html, which provide information that is relevant to information technology security. These papers include:

  • Guide to Technical Aspects of Performing Information Security Assessments (SP800-115)
  • Information Security Handbook: A Guide for Managers (SP800-100; Chapter 10 provides a Risk Management Framework and details steps in the risk management process)
  • An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (SP800-66; Part 3 links the NIST Risk Management Framework to components of the Security Rule)
  • A draft publication, Managing Risk from Information Systems (SP800-39)

The Office of the National Coordinator for Health Information Technology (ONC) has produced a risk assessment guide for small health care practices, called Reassessing Your Security Practices in a Health IT Environment.

The Healthcare Information and Management Systems Society (HIMSS), a private consortium of health care information technology stakeholders, created an information technology security practices questionnaire. The questionnaire was developed to collect information about the state of IT security in the health care sector, but could also be a helpful self-assessment tool during the risk analysis process.

The Health Information Trust Alliance (HITRUST) worked with industry to create the Common Security Framework (CSF), a proprietary resource available at https://hitrustalliance.net/csf-rmf-related-documents . The risk management section of the document, Control Name: 03.0, explains the role of risk assessment and management in overall security program development and implementation. The paper describes methods for implementing a risk analysis program, including knowledge and process requirements, and it links various existing frameworks and standards to applicable points in an information security life cycle.

[1] Section 13401(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

[2]  As used in this guidance the term “organizations” refers to covered entities and business associates. The guidance will be updated following implementation of the final HITECH regulations.     

[3] The HIPAA Security Rule: Health Insurance Reform: Security Standards, February 20, 2003, 68 FR 8334.

[4] The 800 Series of Special Publications (SP) are available on the Office for Civil Rights’ website – specifically, SP 800-30, Risk Management Guide for Information Technology Systems. (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html.)

[5] See NIST SP 800-66, Section #4 "Considerations When Applying the HIPAA Security Rule." Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf

[6] Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf .

[7] For more information on methods smaller entities might employ to achieve compliance with the Security Rule, see #7 in the Centers for Medicare & Medicaid Services’ (CMS) Security Series papers, titled “Implementation for the Small Provider.” Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/smallprovider.pdf .

[8] For more information on the risk analysis and risk management processes, see #6 in the Centers for Medicare & Medicaid Services’ (CMS) Security Series papers, titled “Basics of Risk Analysis and Risk Management.” Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf .


Risk matrix template: How to assess risk for project success (with examples)


A risk matrix analyzes project risks based on likelihood and severity. Once you map your risks, you can calculate overall impact and prioritize risks accordingly. In this piece, you’ll learn how to create a risk matrix template and how to use the information from this analysis tool to develop a comprehensive risk management plan.

Risks are a part of any project, and there’s no surefire way to know which ones will occur and when. Sometimes, you'll get through an entire project without experiencing a single hiccup. Other times, you’ll feel like all the odds are against you. Without the help of a crystal ball, the only way to prevent project risks is to proactively prepare for them. 

A risk matrix helps you analyze risk by scoring each event on a one-through-25 scale (likelihood multiplied by severity) and labeling the result as high, medium, or low impact. Once you assess the severity and likelihood of each risk, you’ll prioritize your risks and prepare for them accordingly. In this article, we’ll explain how to create a risk matrix template and offer helpful tools for turning your results into action.

What is a risk matrix in project management?

Types of risks

As part of the process, you’ll need to brainstorm a list of risks to chart in your risk matrix. The risks you may face will likely fall into these categories:

Strategic risk: Strategic risks involve performance or decision errors, such as choosing the wrong vendor or software for a project.

Operational risk: Operational risks are process errors or procedural mistakes, like poor planning or a lack of communication among teams.

Financial risk: Financial risk can involve various events that cause a loss of company profit, including market changes, lawsuits, or competitors.

Technical risk: Technical risk may include anything related to company technology, such as a security breach, power outage, loss of internet, or damage to property.

External risk: External risks are out of your control, like floods, fires, natural disasters, or pandemics.

There are other risk categories to consider depending on your work industry. For example, if you have government clients, then you also want to brainstorm legal risks. If your company sells a physical product, you may have to think about manufacturing risks.

How to create a risk matrix template

When creating your risk matrix template, you’ll first identify your scale of severity, which you’ll place in the columns of your matrix. The scale of severity measures how severe the consequences will be for each risk. In a five-by-five matrix, there are five levels in your scale of severity.

Negligible (1): The risk will have little consequences if it occurs.

Minor (2): The consequences of the risk will be easy to manage.

Moderate (3): The consequences of the risk will take time to mitigate.

Major (4): The consequences of this risk will be significant and may cause long-term damage.

Catastrophic (5): The consequences of this risk will be detrimental and may be hard to recover from.

You’ll then identify your scale of likelihood, which you’ll place in the rows of your risk matrix template. The scale of likelihood identifies the probability of each risk occurring.  

Very likely (5): You can be pretty sure this risk will occur at some point in time.

Probable (4): There’s a good chance this risk will occur.

Possible (3): This risk could happen, but it might not. This risk has split odds.

Not likely (2): There’s a good chance this risk won’t occur.

Very unlikely (1): It’s a long shot that this risk will occur.

When you place a risk in your matrix based on its likelihood and severity, you’ll find the level of risk impact. The risk impact is both color-coded from green to red and rated on a one through 25 scale. 

Low (1-6): Low-risk events likely won’t happen, and if they do, they won’t cause significant consequences for your project or company. You can label these as low priority in your risk management plan.

Medium (7-12): Medium-risk events are a nuisance and can cause project hiccups, but if you take action during project planning to prevent and mitigate these risks, you’ll set yourself up for project success. You shouldn’t ignore these risks, but they also don’t need to be a top priority.

High (13-25): High-risk events can derail your project if you don’t keep them top of mind during project planning. Because these risks are likely to happen and have serious consequences, these are most important in your risk management plan.

[inline illustration] risk matrix criteria (infographic)

 You don’t have to stick to the labels above for your risk matrix template if they don’t feel right for your company or project. You can customize the size and terminology of your matrix to your needs.

How to use a risk matrix

Once you’ve created a risk matrix, you can use it as a comprehensive analysis tool. The best part about a risk matrix template is that you don’t need to change it for every project. Once you have one, you can reuse it and share it with others. 

[inline illustration] 5 steps to use a risk matrix (infographic)

1. Identify project risks

You’ll need a list of potential risks to make use of your risk matrix. In this step, you’ll determine what risks may affect the specific project you’re working on. 

To come up with relevant risks for your project, you’ll need to understand your project scope and objectives. This includes the project’s:

Constraints

Using your project scope as a guide, think of risky situations that might affect your project. If you’re not sure where to start, try brainstorming techniques like mind mapping or starbursting to list as many risks as you can under each risk type. 

2. Determine severity of risks

When you created your risk matrix, you defined the criteria for your risk severity and likelihood. Now that you have a list of project risks, categorize them using the matrix criteria. Start with the scale of severity and go through each risk you’ve listed. Consider the following questions:

What is the most negative outcome that could come from this risk?

What are the worst damages that could occur from this risk?

How hard will it be to recover from this risk?

Which of the five severity levels most closely matches this risk?

You may not always have the perspective you need to know how severe the consequences of a risk are. In that case, work with other project stakeholders to determine the potential risk impact.

3. Identify likelihood of risks

Once you’ve defined the severity of each risk, you’ve completed half of the risk analysis equation. Next, identify the likelihood of each risk. To do this, consider the following questions:

Has this risk occurred before and, if so, how often?

Are there risks similar to this one that have occurred?

Can this risk occur, and if so, how likely is it to occur?

Team collaboration is also crucial in this step because you may not have a good idea of similar risks that have occurred in past projects. Make sure to reference past projects and analyze the probability of each risk with your team in order to create a more accurate mitigation plan.

4. Calculate risk impact

The last part of your risk analysis equation is to calculate risk impact. The equation you’ll use is:

Likelihood x severity = risk impact  

Place each risk in your matrix based on its likelihood and severity, then multiply the numbers in the row and column where it lands to find the level of risk impact. For example, if you think the risk of a data breach is of major severity (4) and probable likelihood (4), you’d multiply four by four to get a risk impact of 16. This is considered a high-risk impact. 

5. Prioritize risks and take action

You should now have a risk impact level on a scale of 1–25 for each risk you’ve identified. With these number values, it’s easier to determine which risks are of top priority. When you have risks with the same risk impact score, it will be up to you and your team to determine which risk to prioritize. Risks with equal risk impact may require equal attention as you create your action plan. 

Your risk response plan should include steps to prevent risk and ways to mitigate risk if unfortunate events occur. Because so much goes into project planning, the best strategy when tackling risks may be to divide and conquer.
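Steps 3 to 5 above describe one procedure: rate likelihood and severity, multiply them, and rank the results. The Python below is an added example, not code from the article or from Asana. It follows the article's scales (likelihood 1 to 5, severity 1 to 5, impact on a 1 to 25 scale) and reuses its data-breach case (4 × 4 = 16). The low/medium/high cut-offs (`LOW_MAX`, `MEDIUM_MAX`), the `Risk` class, and the sample register are assumptions made for illustration; the article only states that 16 counts as a high-risk impact.

```python
"""Score and prioritise a risk register on a 5 x 5 likelihood/severity matrix.

Added example, not code from the article above. It follows the article's
scales (likelihood 1-5, severity 1-5, impact = likelihood x severity on a
1-25 scale). The low/medium/high cut-offs are an assumption: the article
only states that an impact of 16 counts as high.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # both axes run from 1 to 5

# Assumed band cut-offs on the 1-25 impact scale (not given in the article).
LOW_MAX = 4       # impact 1-4  -> low
MEDIUM_MAX = 9    # impact 5-9  -> medium, 10-25 -> high


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 = rare .. 5 = almost certain
    severity: int    # 1 = negligible .. 5 = catastrophic

    def impact(self) -> int:
        """Step 4 of the article: likelihood x severity."""
        for axis, value in (("likelihood", self.likelihood), ("severity", self.severity)):
            if value not in SCALE:
                raise ValueError(f"{axis} must be between 1 and 5, got {value}")
        return self.likelihood * self.severity


def band(impact: int) -> str:
    """Map an impact score to a band using the assumed cut-offs."""
    if impact <= LOW_MAX:
        return "low"
    if impact <= MEDIUM_MAX:
        return "medium"
    return "high"


def build_matrix() -> dict:
    """Every cell of the 5 x 5 matrix, keyed by (likelihood, severity)."""
    return {(lik, sev): lik * sev for lik in SCALE for sev in SCALE}


def prioritize(register: list) -> list:
    """Step 5 of the article: rank risks by impact, highest first.

    sorted() is stable, so risks with equal impact keep their register
    order; the article leaves that tie-break to the team.
    """
    scored = [(risk, risk.impact(), band(risk.impact())) for risk in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def render_matrix() -> str:
    """Text rendering of the matrix with one letter per band (L/M/H)."""
    cells = build_matrix()
    rows = ["lik\\sev " + " ".join(f"{sev:>3}" for sev in SCALE)]
    for lik in reversed(SCALE):  # highest likelihood on top, as in most charts
        row = f"{lik:>7} " + " ".join(
            f"{cells[(lik, sev)]:>2}{band(cells[(lik, sev)])[0].upper()}" for sev in SCALE
        )
        rows.append(row)
    return "\n".join(rows)


# Constructed sample register; the data-breach row reuses the article's 4 x 4 example.
SAMPLE_REGISTER = [
    Risk("Unpatched web server", 3, 3),
    Risk("Data breach of customer records", 4, 4),
    Risk("Phishing leading to credential theft", 5, 2),
    Risk("Laptop left unencrypted", 2, 5),
    Risk("Minor configuration drift", 2, 1),
]

if __name__ == "__main__":
    print(render_matrix())
    for risk, impact, level in prioritize(SAMPLE_REGISTER):
        print(f"{impact:>2} {level:<6} {risk.name}")
```

Running the module prints the 25-cell grid and the ranked register. Note that two risks with the same impact (here phishing and the unencrypted laptop, both 10) come out adjacent in register order; the code deliberately does not break the tie, which is the point the article makes about equal scores needing a team decision.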

Risk assessment matrix template

The size of your risk matrix template determines how closely you can analyze your project risks. A larger risk matrix template offers more room on the risk impact spectrum, while a smaller risk matrix template keeps your risk impact rating simpler and less subjective. 

Each square in your matrix represents a risk level of likelihood and severity, so you shouldn’t make your risk matrix smaller than three squares in length and width.

A five-by-five risk matrix is ideal so you can further analyze each risk. Once you chart your risks along your finished risk matrix template, this matrix creates a larger color spectrum to see the impact of each risk as high, medium, or low. 

The example below shows a five-by-five risk matrix template.

[inline illustration] Risk matrix (example)

You can download a free risk matrix template using the link below. Use this template to chart your project risks and determine their overall level of risk impact.

Pair your risk matrix template with a work management tool

You can use the same risk matrix template when measuring risk across multiple projects. However, it’s important to remember that the risks you face will evolve. The environment changes, technology becomes smarter, and the workplace grows. Every project faces unique risks, and you must reevaluate these risks year after year.

When you pair your risk matrix template with work management software, you can use past data to inform current processes. Asana helps you share the results of your risk matrix with stakeholders so you can collaborate on a risk management plan. Once you have a solid plan in place, you can monitor your team in real-time as they take action.

What is a risk matrix (and how to use one)


Identifying potential risks is a vital part of business success. If you’re not aware of the challenges your business might face, you won’t be prepared to deal with them. And if you’re not prepared, the damage will be harder to control.

This is where a risk matrix can be helpful.

When done well, a risk matrix identifies potential risks, the likelihood they’ll happen, and what the impact could be. As a result, you can put preventative measures in place and have strategies to mitigate the damage.

In this article, we’ll show you what a risk matrix is, why it’s important, and how to create one of your own.

What is a risk matrix?

A risk matrix is a visual tool that assesses and prioritizes risk. It analyzes how likely it is that a risk will occur, as well as the potential impact it’ll have on your business.

The matrix typically consists of a grid with four quadrants. The ‘likelihood of risk’ sits on one axis, and the ‘potential impact of the risk’ sits on the other. Each cell represents a different level of risk, allowing you to easily determine which risks require the most attention and resources.

For example, you can use the matrix to identify a risk that’s highly likely and will cause a lot of damage. As a result, you can put preventative measures and contingency plans in place before tackling a risk that’s unlikely to happen.

Why use a risk matrix?

Let’s outline some of the reasons a risk matrix chart can be beneficial.

To proactively prepare for challenges

A risk matrix provides a consistent approach to risk management. It ensures that risks are identified and assessed systematically, ensuring you cover all your bases. As a result, you can proactively prepare for challenges before they arise. You know how to mitigate risk and what to do if a risk occurs, and you'll be better equipped to handle unexpected risks, too.

To assess the likelihood and impact of risks

A risk rating matrix is a visual representation of the probability and effect of each risk. This means you can clearly see whether a risk is likely to happen and what’ll happen if it does. As a result, you can prioritize your risk management efforts and allocate resources effectively.

To improve decision-making

By clearly outlining all your potential risks, you can make informed decisions about your business growth and development. For example, you can decide where to allocate resources so that you have the funds and capacity to deal with a big hit to the business.

To increase accountability

Creating a risk matrix involves assigning ownership and responsibility for each risk. This creates a sense of accountability and boosts motivation, encouraging everyone to mitigate risks to the best of their ability.

Risk management, risk control, and risk assessment: What’s the difference?

Risk management, risk control, and risk assessment often describe the same (or similar) process. But the truth is, they’re not the same.

Risk assessment and risk control are all part of the risk management process, but they have different objectives and focus areas. Here’s a brief overview of how each process works:

What is risk management?

Risk management looks to identify, assess, and control risks to achieve business objectives. It typically includes the risk likelihood and risk impact (found in the risk assessment), as well as the risk response strategies (part of the control process). The matrix is then used to monitor the risks and track the progress of risk response strategies.

What is risk assessment?

Risk assessment looks to evaluate and prioritize risks by considering their likelihood and potential impact. The risk assessment matrix typically consists of a grid with the likelihood of a risk occurring on one axis and the potential impact or consequence on the other. The likelihood and impact are usually rated on a numerical scale (such as low, medium, and high).

What is risk control?

Risk control identifies and documents the internal controls needed to prevent and mitigate risks. It evaluates the effectiveness of an organization's control processes, which can help with the prevention and mitigation of risks.

How to create a risk matrix

Now that we know what a risk matrix is, let’s walk through the steps you’ll need to take to create a risk matrix of your own.

Choose a platform to create your risk matrix

To analyze risk effectively, you need a platform that allows you to create a visual and collaborative risk matrix. That way, you can work with your team to map all the potential threats clearly and concisely.

When trying to find a platform to create your risk matrix, here are some of the features to look out for:

A simple (but intuitive) interface. A platform that’s easy to use allows you to jump straight in and start creating your matrix. If it’s tricky to use, it’ll make it harder for you and your team to use it effectively.

Access to ready-made templates. A premade template saves you the time and hassle of creating a risk matrix from scratch. Take a look at Miro’s risk matrix template to see for yourself.

Ability to communicate. Creating a risk matrix often involves input from various people across the business. To make sure that everyone can work together throughout this process (especially if they work remotely), you need a platform that enables collaboration.

Identify the risks

With the platform in place, you can now identify potential risks to your business. There are a few ways to tackle this process:

Think about problems that can occur in your line of work. You’ll identify some risks simply by thinking about what your work involves. For example, if you sell clothes online, one of your risks could be a material supplier delaying a shipment.

Review historical data. Analyze historical data (such as past incidents) to find potential risks. If it’s happened in the past, chances are it could happen again.

Take a look at your competitors. Analyze what your competitors are doing and how risks have affected their business. This might help you identify risks you might not have come across otherwise.

During this process, it helps to consult with key stakeholders (both internal and external) about the type of risks that can affect your business. The more people you consult, the wider pool of potential risks you can cover.

However, this doesn’t mean you need to speak to everyone. For example, if you’re analyzing financial risks, you only need to speak to a department head or C-suite employee. You don’t need to contact the entire accounting department.

Define levels for each risk

In the matrix, you'll assign levels to each risk based on its likelihood and impact. With this information, you’ll know what types of risks are the biggest threats and can put them in the matrix accordingly.

A simple risk assessment usually has three risk levels:

Low (color-coded as green or the number 1)

Medium (color-coded as yellow or the number 2)

High (color-coded as red or the number 3).

With this scale, you can now identify which risks are a low, medium, or high threat to the business. Here are some examples of how these levels can be assigned to tasks:

If the impact means you’ll be out of business, it’s a high-risk (number 3)

If the impact means your sales will be reduced by 25%, it’s a medium-risk (number 2)

If the impact means customer shipments will be delayed by three days, it’s a low-risk (number 1)

This is just one example of the scale you can use. You can also create a wider range of levels to add more detail. Take a look at our risk assessment template as an example, which has a more complex scaling system ranging from 1–10.

Create the matrix

You know your risks, and you have your risk criteria to define the level of risk. Now, you can create the matrix.

First, you’ll add the likelihood and impact scale to the X and Y-axes. This will help you categorize your tasks when adding them to the matrix.

If the Y-axis outlines the impact of risk, you might break it down into the following risk matrix categories:

If the X-axis outlines the likelihood of risk, here are the categories you might cover:

Unlikely to happen

More likely to happen than not

Highly likely to happen

These are just examples; you can add more or fewer categories depending on how you choose to organize your risks. For example, our risk matrix template has five categories along each axis.

With your X and Y-axes in place, you can now add risks to your matrix.

Use the categories along each axis to determine where your risks should sit. You’ll also have your levels of risk (low, medium, and high) to help you accurately categorize risks in the matrix.

Prioritize the risks

When all the potential risks are in the matrix, you can now prioritize them based on how likely they will happen and what damage they could cause. This step will help you focus on the most critical risks and allocate resources accordingly.

The great thing about a risk matrix is that it’s visual. You can look at the matrix and instantly see which risks are more likely to happen and will have the biggest impact on the business — especially if you color-code them. With one glance, you know which risks to prioritize.

If you assign scores to your risks (high = 3, medium = 2, and low = 1), you can also use this score to identify the top-priority risks.

Outline your risk controls

Now that you know which risks your business has to address, you can outline your risk controls to mitigate and prevent them from happening.

Addressing the top-priority risks first, you can use risk controls to figure out the best way to prevent risks from happening. You’ll also identify how to manage risks if they occur and stop the same risk from happening again.

Here are some of the risk controls you’ll want to consider:

Preventative controls

These controls prevent a risk from occurring in the first place. For example, imagine that the risk is workplace injury to employees. In this situation, your preventative controls could be updating safety procedures, providing safety training, and using safety equipment.

Detective controls

These controls help you detect risks as they occur. Some examples include monitoring systems, internal audits, and incident reporting processes — all of which will show you when a risk is happening so you can step in and fix the problem.

Corrective controls

Corrective controls will correct a risk or prevent it from happening again. For example, repairing damaged equipment, improving processes, or revising policies and procedures.

Mitigating controls

These controls reduce the impact of a risk if it does occur. Examples of mitigating controls include preparing for natural disasters, purchasing insurance, and creating a risk response plan.

Review and update the matrix

Chances are, your risks will change over time. There’ll be new risks to contend with, risks that are no longer relevant, and you may find that some high-level risks are no longer such a threat.

Reviewing and updating your matrix regularly is important to ensure it remains relevant and accurate. This approach will help you stay on top of emerging risks and take appropriate action to mitigate them.



Risk Matrix Calculations – Severity, Probability, and Risk Assessment

October 26, 2023 8 min read


What Is a Risk Assessment Matrix?

Safety Professionals use a risk matrix to assess the various risks of hazards (and the incidents they could potentially result in). Understanding the components of a risk matrix will allow you and your organization to manage hazards more effectively by uncovering “hidden risks” embedded in day-to-day tasks, reduce costly workplace illnesses and injuries by dealing with hazards before they can develop into bigger issues, and increase productivity through proactive prevention of incidents that can grind operations to a halt and result in lost time.

Beyond the financial savings, safety managers also can make more informed decisions based on quantitative risk data, rather than relying on guesswork or a “gut feeling.” By conducting risk assessments using a risk matrix, organizations demonstrate a commitment to safe and responsible operations and better protect their hard-earned reputations, making it easier to attract and retain talent.

Components of a Risk Matrix

The risk assessment matrix works by presenting various risks in a color-coded chart with high risks represented in red, moderate risks in orange or yellow, and low risks in green. Risk matrices can come in many shapes and sizes, but every matrix has two axes: one that measures the likelihood of a risk, and another that measures its severity. In other words, the impact the risk would have on operations.

Using a risk matrix allows you to identify and focus your attention and resources on the highest risks, since these have the biggest impact and can result in significant losses.

Security Risk Matrix

1. Severity

Severity is the first axis of a risk assessment and measures the amount of damage or harm a hazard could create. Within a risk matrix, severity is often ranked on a four-point scale as follows:

  • Catastrophic – 4: Operating conditions are such that human error, environment, design deficiencies, element, subsystem or component failure, or procedural deficiencies may commonly cause death or major system loss, thereby requiring immediate cessation of the unsafe activity or operation.
  • Critical – 3: Operating conditions are such that human error, environment, design deficiencies, element, subsystem or component failure, or procedural deficiencies may commonly cause severe injury or illness or major system damage, thereby requiring immediate corrective action.
  • Marginal – 2: Operating conditions may commonly cause minor injury or illness or minor systems damage such that human error, environment, design deficiencies, subsystem or component failure, or procedural deficiencies can be counteracted or controlled without severe injury, illness, or major system damage.
  • Negligible – 1: Operating conditions are such that personnel error, environment, design deficiencies, subsystem or component failure, or procedural deficiencies will result in no, or less than minor, illness, injury, or system damage.

2. Probability

Probability is the second axis of a matrix and measures the likelihood of the hazard occurring. Probability is often ranked on a five-point scale:

  • Frequent – 5: Likely to occur often in the life of an item.
  • Probable – 4: Will occur several times in the life of an item.
  • Occasional – 3: Likely to occur sometime in the life of an item.
  • Remote – 2: Unlikely but possible to occur in the life of an item.
  • Improbable – 1: So unlikely, it can be assumed an occurrence may not be experienced.

How to Use the Safety Risk Assessment Matrix

You can calculate a hazard’s overall level of risk by multiplying the two scores you’ve selected for its Probability and Severity values together on your risk matrix.

As an example, consider that a worker is tasked with picking up heavy castings from a box on the floor and carrying them over to a wheel for grinding. The worker typically grinds 20-30 castings per hour.

As part of your risk evaluation, you’ve determined that the worker has a reasonable chance of dropping the heavy item on their foot. Repetitively reaching, twisting, and lifting 15-pound castings could also result in a muscle strain to the worker’s lower back. Using your risk matrix, you’d select a probability value of “Occasional” – or 3 points.

The next step is to consider the consequences the risk could result in. If the worker strains a muscle or breaks a bone in their foot, they could miss at least one shift of work and be put on restricted duty, meaning you’d need to find another employee to fill in for them while they are unable to work. The consequences would be fairly severe, so you select a value of “Critical” – or 3 points on your matrix. By multiplying those values together (3×3), you reach an overall risk level of 9, putting the hazard into the severe (and red) category.

You can then outline and implement controls, like placing the boxes the castings are kept in closer to the grinding wheel — reducing the time the worker would need to carry them. You can also provide them with steel-toed boots to better protect their feet in case they should drop the item. With those controls in place, you can now repeat the exercise of selecting a severity and probability level for the hazard using the risk matrix. The consequences of the hazards would not have changed and would remain at a “Critical” level – 3 points.

This time, however, with controls in place to reduce the likeliness that the hazard would occur, you would select a lower probability level, such as “Remote” – 2 points. By multiplying your severity and probability scores together, you now reach a lower, and more acceptable residual risk level for the hazard in the Medium range (3×2=6). At this point, you might decide that this is an acceptable level of risk for the task, or decide to brainstorm and implement additional controls to bring the hazard’s risk to even lower levels.
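The casting example above runs the same calculation twice, once for the inherent risk (3 × 3 = 9) and once for the residual risk after controls (3 × 2 = 6). The Python below is an added example, not code from the article or from Vector Solutions; it encodes the four severity and five probability labels exactly as listed above and carries the worked example through as data. The colour bands (`BANDS`), the `HazardAssessment` class and its `summary()` output are assumptions for illustration, chosen so that 9 lands in "severe" and 6 in "medium" as the article states; the article does not publish its own cut-offs.

```python
"""Inherent vs. residual risk on the 4 x 5 safety matrix described above.

Added example, not code from the Vector Solutions article. The severity
(1-4) and probability (1-5) labels and the casting-grinding numbers come
from the article; the colour bands are an assumption for illustration,
chosen so that a score of 9 lands in "severe" and 6 in "medium" as the
article states.
"""
from dataclasses import dataclass, field
from typing import Optional

SEVERITY = {"Negligible": 1, "Marginal": 2, "Critical": 3, "Catastrophic": 4}
PROBABILITY = {"Improbable": 1, "Remote": 2, "Occasional": 3, "Probable": 4, "Frequent": 5}

# Assumed bands on the 1-20 product scale (upper bound inclusive, in order).
BANDS = [(3, "low"), (6, "medium"), (20, "severe")]


def score(severity: str, probability: str) -> int:
    """Severity x probability, looking both labels up on the article's scales."""
    try:
        return SEVERITY[severity] * PROBABILITY[probability]
    except KeyError as exc:
        raise ValueError(f"unknown rating label: {exc.args[0]}") from None


def band(risk_score: int) -> str:
    """Colour band for a score, using the assumed cut-offs."""
    for upper, name in BANDS:
        if risk_score <= upper:
            return name
    raise ValueError(f"score {risk_score} outside the 1-20 matrix")


@dataclass
class HazardAssessment:
    hazard: str
    severity: str
    probability: str
    controls: list = field(default_factory=list)
    residual_severity: Optional[str] = None
    residual_probability: Optional[str] = None

    def inherent(self) -> tuple:
        """Score and band before any controls are applied."""
        s = score(self.severity, self.probability)
        return s, band(s)

    def residual(self) -> tuple:
        """Score after controls; falls back to the inherent rating on any axis not re-rated."""
        sev = self.residual_severity or self.severity
        prob = self.residual_probability or self.probability
        s = score(sev, prob)
        return s, band(s)

    def summary(self) -> dict:
        inh, inh_band = self.inherent()
        res, res_band = self.residual()
        return {
            "hazard": self.hazard,
            "inherent": inh, "inherent_band": inh_band,
            "residual": res, "residual_band": res_band,
            "reduction": inh - res,
            # A control that raises the score is a data-entry error worth flagging.
            "controls_increase_risk": res > inh,
        }


def matrix_rows() -> list:
    """The full 4 x 5 grid as (severity, probability, score, band) tuples."""
    return [
        (sev, prob, SEVERITY[sev] * PROBABILITY[prob], band(SEVERITY[sev] * PROBABILITY[prob]))
        for sev in SEVERITY for prob in PROBABILITY
    ]


# The article's worked example, constructed here as data.
CASTING_HAZARD = HazardAssessment(
    hazard="Carrying 15-pound castings from floor box to grinding wheel",
    severity="Critical", probability="Occasional",
    controls=["Move casting boxes next to the grinding wheel", "Issue steel-toed boots"],
    residual_severity="Critical", residual_probability="Remote",
)

if __name__ == "__main__":
    for key, value in CASTING_HAZARD.summary().items():
        print(f"{key:>23}: {value}")
```

The residual re-rating keeps severity at "Critical" and only lowers probability, matching the article's reasoning that the controls change how often the drop happens, not how bad it is when it does. The `controls_increase_risk` flag is the one check worth keeping in any register: a residual score above the inherent score almost always means the two assessments were entered inconsistently rather than that a control made things worse.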

Risk Matrix Guide


Best Practices for EHS Risk Management

Besides using a risk matrix for your risk assessments, there are other best practices that organizations can follow. These include:

  • Regularly reviewing and updating your risk matrix. Your organization’s risks may change over time, so you should periodically review and determine whether you need to revise your risk matrix to better account for a changing risk landscape.
  • Monitoring operations. EHS managers should monitor day-to-day operations to confirm that safety protocols and control measures are being followed and that risks have been mitigated to an appropriate level.
  • Investigating incidents. Organizations should investigate incidents to determine their root causes and develop strategies to prevent similar incidents from occurring in the future. Root cause analysis can help you to uncover whether the controls that you’ve implemented to mitigate a hazard are falling short and need to be adjusted.

Hazard Risk Mockup

Risk management technology can also save EHS professionals valuable time and resources. Risks pose real-time threats, and you must be able to make informed decisions to mitigate them quickly. Trying to manage assessments using paper and spreadsheets can be unwieldy and time-consuming.

Using safety risk management software, you can continually update and easily modify your risk matrix to meet your specific operational needs. By using a web-based matrix and assessment tool, it also becomes easier to share risk assessments and communicate hazard information across your organization’s locations.

With the help of technology, you can easily revise and add as many levels to your risk matrix as you like and set probability and severity values and their scores. Adding or archiving risk matrix values can be accomplished with a simple click of the mouse. Web-based risk matrices can also automatically calculate a hazard’s risk after you choose its probability and severity, saving you time. Safety software can even help you take your risk assessments a step further by allowing you to calculate a hazard’s residual risk after controls are set.

Beyond streamlining risk assessment steps and calculations, risk management software also allows you to get a clearer picture of risks throughout your organization. You can roll up your data to get a holistic perspective or zero in on just a single facility or department, examining each significant hazard along with identified controls.

With safety management software, there’s also less chance that your risk assessments will grow old and out of date. When assessing a new risk, you can determine the period in which the hazard will need to be re-evaluated and ensure that this is completed in a timely fashion.

Vector Solutions has partnered with thousands of organizations who have leveraged our hazard and risk management software to save valuable time and effort in recording, tracking, and analyzing operational risks.

Contact us today to learn more about how Vector EHS Management software can support and simplify your risk mitigation efforts.

assigning risk levels

Vector EHS Management Software  empowers organizations – from global leaders to local businesses – to improve workplace safety and comply with environmental, health, and safety regulations.

Learn more about how our software can save you valuable time and effort in recording, tracking, and analyzing your EHS activities.


What Is a Risk Matrix?

May 13, 2022 - 10 min read

Kat Boogaard

Imagine you’re the assigned project manager on a high-stakes project. The project scope is defined, key stakeholders are in agreement, you’re confident you can stay within the budget, and the project team is ready to dive in.

They start working tirelessly to meet the agreed-upon objectives — and then an unexpected risk meets you midway through the project. You never saw this one coming, so you have no idea how you’re going to get the project back on track and see it through to success. 

If only you had identified and assessed the risk during the project planning phase, you might have felt more prepared to overcome it. That’s what a risk assessment matrix is used for and why you need one for your projects.

What is a risk assessment matrix in project management?

Risks in project management are unexpected events that may or may not occur and impact your project outcome in some way. According to the Project Management Institute (PMI), analyzing and managing risks is a key practice in project management. It improves the chances of successful project completion while reducing the consequences of any risk that occurs.

Risks can appear related to any aspect of a project, including the budget, resources, processes, or technology, to name just a few. While it can be easy to assume that all risks bring negative consequences to the table, it’s essential to understand that positive risks can also occur during the project life cycle. 

A risk assessment matrix (sometimes called a risk control matrix) is a tool used during the risk assessment stage of project planning. It identifies and captures the likelihood of project risks and evaluates the potential damage or interruption caused by those risks. 

The risk assessment matrix offers a visual representation of the risk analysis and categorizes risks based on their level of probability and severity or impact. This tool is a simple, effective way to get a holistic view of the project risks for all team members and key stakeholders.

Risk matrix example

Let’s take a look at a simple risk matrix example for a project. We’re using a 5x5, five-point scale for the impact and probability in this matrix example, but use a scale system that works best for your team. For example, you can use a 3x3 matrix for less granularity.

In this example, you see risk categories ranging from low to high and likelihood ranging from very likely to very unlikely. Using it is as simple as any other matrix: You look for where both of your criteria meet to get your risk rating. 

Let’s say you’re the project manager for a new organization-wide software tool rollout and will be working with a consultant to implement it. For this project, consultant delays are possible due to a lack of resources on their end, and if a delay happens, the impact would be major because it would impact the entire rollout plan. We’d categorize this risk as medium-high based on the example matrix. 

What are the benefits of a risk assessment matrix?

You might be wondering if it’s worth spending the time to assess risks and create a matrix for all of your projects. Well, the benefits of a risk assessment matrix speak for themselves:  

  • You can prioritize all risks with an understanding of the level of severity. Having an overview of all potential risks allows you to prioritize them against one another if multiple risks occur. This prioritization will benefit your project team and help keep them on track if the project does go awry.
  • You can devise strategies and allocate resources for the unexpected. While it’s impossible to fully plan for uncertainty, acknowledging and understanding what risks could occur provides an opportunity to create action plans for those unexpected events. Appropriately planning for risks increases the likelihood of project completion and success.
  • You’ll reduce or neutralize the impact of risks that occur. The unexpected consequences of a risk that’s not thought about in advance might feel more severe and damaging than a risk identified and analyzed early on. Having an awareness of the potential impact can reduce or neutralize the effect of a project risk before it occurs. Hope for the best, but prepare for the worst. 

What are the challenges of a risk matrix?

While risk matrices can be very useful for identifying and preparing for project risks, they are not an answer to all your project problems. Here are some of the challenges of risk matrices:

  • Inaccurate assessments: The risk matrix categories may not be specific enough to compare and differentiate between risk levels accurately. The severity and likelihood of certain risks are often subjective and therefore unreliable.
  • Poor decision-making: Incorrectly categorized risks can lead to poor decision-making since you do not have an accurate picture of potential issues.
  • Doesn't account for timeframes: Risk matrices don't differentiate between risks that could occur two weeks from now and risks that could occur in two years' time. There is no consideration of how risks could change over the years.
  • Can oversimplify risks: The complexity and volatility of risks can be oversimplified — some risks remain the same over time, while others can change overnight.

How do you calculate risk in a risk matrix?

A risk matrix is a valuable tool for your project planning, and creating one doesn’t have to be complicated. Follow these steps to calculate risk for a project of your own. 

Step 1: Identify the risks related to your project

To complete your risk assessment matrix, you need to start by having an in-depth understanding of your project — the scope, budget, resources, timeline, and goal. You’ll need this information to help you spot the potential risks.

Identify as many risks as you can with your project team. Consider aspects like scope creep, budgetary constraints, schedule impacts, and resource allocation as the starting points for your risk identification process. Create a risk register complete with all of the identified risks, as it will make it easier to create your matrix.

Step 2: Define and determine risk criteria for your project 

No two risks and no two risk matrices are alike, which means you’ll need to work with your project team and key stakeholders to define and determine the risk criteria you’ll use to evaluate each risk you’ve identified. 

Remember that two intersecting criteria need to be specified, each with its levels: the probability or likelihood that the risk will occur and the severity or impact the risk will have. 

Step 3: Analyze the risks you’ve identified 

After you’ve identified and described all of the potential risks, the next step is to analyze them. In your analysis, use your risk criteria to categorize each risk within its appropriate severity level and probability. 

Many matrices assign a number value to criteria. So, sticking with our example, you might rate the impact ranging from one (insignificant) to five (catastrophic) and do the same with likelihood, where one represents very unlikely, and five represents very likely.

Using the matrix, it’s then easy to multiply severity times likelihood to get a number value. A risk that’s catastrophic and very likely would rank as a 25, whereas one that’s insignificant and very unlikely would rank as a one. It’s a simple and intuitive way to compare and understand risks. 

Step 4: Prioritize the risks and make an action plan

Your final step is to prioritize the risks and create risk management plans to mitigate or neutralize them, with your risks categorized accordingly. You’ll want to outline the steps you’ll take if the risk does occur and the strategies you’ll deploy to help get the project back on track.

How do you create a risk matrix in Excel?

Wondering how to make a risk matrix in Excel? Start by building a table that reflects the probability and severity scales you’ve defined for your risk assessment. Here are a few tips to help you get started: 

  • After you’ve created your table, add your labels to the rows and columns. Use the columns for severity and rows for the likelihood of occurrence.
  • Once you’ve labeled all of your column and row headers, add the definitions for each probability and severity level you’ve outlined with your team beneath the header title. This helps ensure the team is on the same page when ranking risks within the matrix.
  • Use formatting options to color coordinate the matrix for the best visual representation. You can use the stoplight system (red, yellow, green) for high, medium, and low risks, respectively. Using different colors allows any viewer to easily distinguish the risks based on the likelihood that they will occur and the amount of damage or interruption they’ll cause. 

How do you create a risk matrix in Wrike? 

If an Excel sheet isn’t your jam when it comes to tracking and monitoring risks, you can use Wrike to create a risk matrix. Some of the key features Wrike has that you can use to assess project risk include: 

  • Custom fields that allow you to build out the severity and probability any way you want to. You could turn these into drop-down rankings on a one-to-five scale or use the text option to label your categories.
  • Table view to provide greater visibility into the risks and a similar table to the one you can create in Excel.
  • Reports and calculated fields to automate the data associated with your assessed risks.
  • Interactive Gantt charts that allow you to create task dependencies and streamlined automation of changing project dates and deadlines. Project progress can be monitored in real-time, which allows your team to keep risks top of mind, so the important stuff doesn’t get overlooked.

The best part about using a platform like Wrike is that it can automatically update and adjust as your project progresses, saving you from the manual work required in Excel. 

What do you do with risk matrix results?

So, what does a risk matrix accomplish for you? The short answer is that your matrix results help you create a risk response plan. 

To start with, it’s crucial to address the risks that are ranked high or extreme. Depending on the project and your team’s resources, you may only need to monitor the medium- and low-risk categories rather than taking immediate action.

Finally, reference your risk matrix throughout the project until it’s marked complete and successful. Don’t make the mistake of not committing to risk management as an ongoing process. Using this tool is a powerful way to support your project team and mitigate any bottlenecks that stand in the way between them and a winning project.

Are you ready to get ahead of the game and stop losing sleep over project risks? Sign up for a free trial of Wrike to start building risk matrices with your team today.


Kat Boogaard

Kat is a Midwest-based contributing writer. She covers topics related to careers, self-development, and the freelance life. She is also a columnist for Inc., writes for The Muse, is Career Editor for The Everygirl, and a contributor all over the web.


Why Assigning A Risk Owner Is Important And How To Do It Right

Feb 20, 2019 | Risk Management News


Falling in the middle of the risk management cycle (after  developing risk appetite and tolerance  and  identifying , but before  assessing  and  analyzing risks ), the organization then must identify who will “own” or be responsible for a particular risk.

Although the exact definition of what a risk owner is will vary depending on the organization, it can generally be defined as a person or persons responsible for the day-to-day management of a risk. (I will talk later about when to assign a risk owner…)

Assigning an owner for these risks is important for a few reasons…

One, a designated risk owner ensures someone in the organization is accountable for the risk. If there is not one person or a group charged with managing a risk, then by default, the entire organization will own the risk, and therefore it is highly likely the risk will fall through the cracks (a/k/a nothing will be done). Having a risk owner is an important step toward ensuring that a response plan is developed and acted upon in a timely manner.


Two, risk ownership is one way for executives to not only hold individuals accountable for risks, but to show their support for ERM in general.

The third reason for appointing a risk owner is to ensure that the ERM function does not own risks.

It’s important to understand that ERM does not actually manage risks, which is a common misconception. The role of ERM is to help facilitate a process for identifying, assessing, and analyzing risks, and to ensure that executives and other key players have the information they need to make risk-informed decisions.

The only exception to this rule is if the risk function is responsible for insurance, business continuity, or similar program. This situation applied to me when I was Director of ERM for a large Florida-based property insurance company…in this case, it was only natural for my area to be responsible for these risks. In fact, business continuity can very closely integrate with ERM, so it made perfect sense to have them under a single manager.

In what circumstance will the organization need to assign a risk owner?

Not every identified risk will require an owner. In fact, if your organization has thousands of risks identified through a bottom-up approach, assigning a risk owner for each one will overwhelm you and your team and nothing will get done.

Instead, start with the most critical risks and then consider adding more once a workable, sustainable process is in place.

Iconic cosmetics brand Estee Lauder, for example, has 46 critical corporate risks where an owner has been assigned. These particular risks met several guidelines which exceeded their respective risk tolerance or could cross this threshold in the near future.

In short, a risk owner needs to be assigned for risks that exceed tolerance levels that were set earlier in the risk management cycle. However, that doesn’t mean risks that are within tolerance levels should be ignored…accepted risks have to be monitored as well.

More specifically, the cumulative result of accepted risks and the inter-dependencies of risks have to be carefully considered as well. If Risk A occurs and could trigger Risk B, a risk owner should be appointed and action taken, especially if Risk B is considered critical and falls outside of tolerance levels should it occur.

You also don’t need me to tell you that things are always changing. Perhaps tolerance levels change down the road or the risk itself changes. Of course, this certainty that things change is why I’m a firm believer in having a maximum time limit for a review of both low and accepted risks to ensure nothing is being overlooked.

Risk Ownership: Key Considerations, Challenges, and Options

I could probably write an entire article or even an eBook on how an organization could go about assigning an owner for a particular risk. Before getting into different options though, there are a few key considerations and challenges I should discuss first.

Key Considerations

  • Ensure there are clear definitions on roles and responsibilities in place before proceeding any further…this is one of the first and most important considerations when it comes to choosing a risk owner. As explained by Chris Corless in this article in Strategic Risk, it’s important for everyone involved to have a clear understanding of expectations when someone accepts the role of risk owner.
  • Properly train on risk owner responsibilities and how they need to manage and report the risk. Think about it this way – your organization wouldn’t roll out a new time management system and not train employees on how to use it, right? Risk ownership is no different…
  • Maintain consistent language throughout the firm regarding risks. Frank Fronzo of Estee Lauder explains how the company has a dictionary of terms it uses to ensure everyone is speaking the same language and stays on the same page.

One of the most common challenges organizations face when assigning a risk owner is the tendency to give it to the highest accountable person in the organization. While this is okay for risks linked to the strategic plan, the fact is that executives and other leaders simply do not have the time to take many of these risks on. In situations like this, the individual may delegate the responsibilities of owning a particular risk to someone else with time to perform them.

In cases like this, the senior-level person becomes a risk “custodian,” meaning they still have an interest in the risk but do not fulfill the day-to-day responsibilities of an owner.

And as I mentioned earlier, risk ownership should extend down the organization chain for a couple of reasons. One reason is limited time on the part of executives and other leadership. Second to that, appointing a mid-level manager as a risk owner can play a huge part in cultivating a positive risk culture throughout the entire organization.


Another challenge many organizations face when assigning and managing risk owners is the tendency for risk management activities to fall back within organizational silos. If this type of situation occurs, the case can be made that you’re not really practicing ENTERPRISE risk management.

(Click here to learn more about risk management that occurs within a singular business unit vs. a top-level, enterprise-wide process.)

To address this challenge or avoid it altogether, a risk information system should be used that contains details about all risks the organization is managing, who the owner(s) of a particular risk is, recent activities and more. This system should be accessible by all risk custodians and owners…

During a recent conversation, a fellow risk professional mentioned that his organization uses Archer, but other commonly known software tools organizations commonly use include Logic Manager, MetricStream, CURA, and Sword Active Risk. But there are plenty of other options out there, like Aviron Financial Solutions, Audit Comply, and Vose Software, to name a few…

When developing the process and choosing risk owners, company culture and the accountability structure of the organization will play a huge role…

Broadly speaking, risk ownership can be assigned to an individual or a designated risk committee.

Individual risk owner

If your organization has diverse functions and a weak collaborative culture, you will most certainly want to go with an individual risk owner. This individual (…and the risk custodian if applicable) will be the one person held accountable for the management of the risk they are charged with handling. I mentioned this in a way in the beginning of this article…having an individual risk owner is not only a way to hold someone accountable for a risk, it is also a way for executives to demonstrate how important they view ERM.

When assigning an individual to be the owner of a particular risk, it’s vitally important they have decision-making authority and the ability to allocate financial and human resources for the risks they are charged with managing.

Another point to consider when determining an individual risk owner is assigning accountability by position rather than by name. (I personally really like this concept!) This is one key point of how Estee Lauder determines the proper owner. Assigning accountability this way ensures risks are continuously managed, even if the individual person moves on from their position.

One situation where an additional person may be involved with managing a risk but not be considered group or committee ownership is when a department is impacted by a risk but another department is better suited to manage the risk. In cases like this, co-ownership and coordination between the departments will be needed, but in the end, one person will still be responsible for monitoring and managing the risk.

Group ownership

For organizations with a strong group or collaborative culture, group ownership of risk(s) may be the way to go. This group can consist of individuals from across the enterprise, which of course can be a positive in that it brings together different perspectives. Specific action-items can be assigned based on responsibilities of individuals within the group.


However, one big drawback of group or committee ownership is that it is hard to hold the entire group accountable. Absent any strong oversight from a management-level risk committee, the group can easily end up pointing fingers when things go awry or otherwise sit around and talk about a risk without ever taking any action.

These management-level risk committees can benefit the organization in many ways, including building a positive risk culture. Click here to learn more about oversight…

As you can see, your organization’s culture is a key part of determining the best model for assigning risk owner(s).

A Word of Caution

Developing your organization’s risk ownership process will take time and require a bit of trial and error, and above all, patience. Long before any risk owners begin their work and report their activities into a software system and to executives, definitions on roles and responsibilities and a consistent language must be developed, plus training for everyone involved.

This, of course, is all in addition to other phases of the risk management process like identification, risk assessment, setting risk appetite and tolerance, and more. But risk ownership should be embedded throughout the process of managing risks; after all, the risk owner will be your main contact for a risk. And by all means, don’t overlook the relationship factor and how it can support ERM success.

If done properly though, having individuals throughout the organization “own” and therefore be responsible for certain risks will go a long way to building a long-term, value-driven ERM program.

Source: ERM Insights

Process Street

Information Security Risk Assessment Template

Identify and list all assets that need to be protected, evaluate the current security measures in place.

  • 1 Physical Access Controls
  • 2 Surveillance Systems
  • 3 Firewalls
  • 4 Encryption
  • 5 Intrusion Detection Systems

Identify threat sources and vulnerabilities

Estimate the potential impact of each threat, determine the likelihood of each threat occurring, assign risk levels to each asset-threat combination, documentation of all risks identified, approval: risk documentation.

  • Identify and list all assets that need to be protected
  • Evaluate the current security measures in place
  • Identify threat sources and vulnerabilities
  • Estimate the potential impact of each threat
  • Determine the likelihood of each threat occurring
  • Assign risk levels to each asset-threat combination

Determine the risks that require treatment

Develop risk mitigation strategies for identified risks, assign responsibility for implementing each mitigation strategy, determine a timeline for risk treatment, document the risk management plan, approval: risk management plan.

  • Determine the risks that require treatment
  • Develop risk mitigation strategies for identified risks
  • Assign responsibility for implementing each mitigation strategy
  • Determine a timeline for risk treatment
  • Document the risk management plan

Implement the risk mitigation strategies

Monitor and review the effectiveness of the mitigation strategies.

  • 1 Highly Effective
  • 2 Moderately Effective
  • 3 Ineffective

Update the risk register as necessary

Routine risk assessment review, approval: risk assessment review.

  • Routine risk assessment review

Update and revise the risk assessment as required


IT Security


System Risk Analysis

Per Security Policy (IT-18), Data Stewards are expected to assess institutional risks and threats to the data for which they are responsible. This risk analysis is then used by Data Stewards to classify systems (endpoints, servers, applications) into one of three risk categories:

  • System processes and/or stores public data
  • System is easily recoverable and reproducible
  • System provides an informational / non-critical service
  • System processes and/or stores non-public or internal-use data
  • System is internally trusted by other networked systems
  • System provides a normal or important service
  • System processes and/or stores confidential or restricted data
  • System is highly trusted by UI networked systems
  • System provides a critical or campus-wide service

Risk Analysis must take into consideration the sensitivity of data processed and stored by the system, as well as the likelihood and impact of potential threat events.  We use a simple methodology to translate these probabilities into risk levels and an overall system risk level.

Threat Event Assessment

Risk assessment is the compilation of risks associated with various potential threat events.  A "threat event" is any event which may cause a loss of confidentiality, integrity, or availability of the system and the data it stores and/or processes.

Although there may be hundreds of potential threat events related to a system, they can be generally organized into three main categories:

Loss of confidentiality:

  • The system and its data is compromised by external hackers
  • The system and its data is released publicly without approval
  • The system and its data erroneously publishes data on public-facing portions of the system (i.e. web page) without authorization

Loss of integrity:

  • The system and its data can no longer be trusted
  • The system and its data is not complete or incorrect

Loss of availability:

  • The system and its data no longer exists (e.g. hard drive failure, system destroyed)
  • The system and its data no longer responds to valid queries from the user or users (system fault)
  • The system and its data cannot be retrieved by an authorized user (e.g. Denial of Service Attack)

These threat event categories can then be used to calculate their associated risk level, as well as the overall risk of the system:

(Figure: System Risk Assessment)

Calculating Risk Levels

Risk levels are calculated as the product of the LIKELIHOOD and IMPACT (to the University) of a potential threat event / threat event category:

(Figure: Risk Matrix)

For example, a threat event where the likelihood is "unlikely" and the impact is "moderate" equals an assessed risk of "Moderate":

(Figure: Risk Calculation)

As a general rule, networked systems that process regulated data (e.g. HIPAA, FERPA, FISMA, ITAR, PCI-DSS etc.) are considered high-risk systems.  This is because the likelihood of compromise is (at a minimum) possible, while the impact (due to regulatory or industry standard violation) is considered a severe loss of confidentiality.

The risk level for each threat event category is then calculated. The overall risk level for the system is equal to the HIGHEST risk level for any risk event.  For example:

(Figure: IT Admin system example)

Because one of the risk events was rated as "High Risk", the overall risk level for the system is High.
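As an added example (not code from any of the pages quoted here), the following Python models the calculation described in this section and in the Wrike risk matrix article above: a 5x5 likelihood x impact matrix, the regulated-data rule, and an overall system level taken as the highest category level. The level names come from those pages; the numeric band cut-offs and the two sample systems are my assumptions.

```python
from dataclasses import dataclass

# Scale labels as used on the pages above; numeric values are the 1-5 scales
# from the Wrike article ("catastrophic" and "severe" are both the top step).
LIKELIHOOD = {"very unlikely": 1, "unlikely": 2, "possible": 3,
              "likely": 4, "very likely": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4,
          "severe": 5, "catastrophic": 5}

# Assumed score bands (upper bound inclusive): neither page states the cut-offs.
BANDS = [(4, "Low"), (9, "Moderate"), (15, "High"), (25, "Extreme")]


def risk_score(likelihood: str, impact: str) -> int:
    """Risk = likelihood x impact, as both pages describe."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: int) -> str:
    """Map a product score onto an assumed band label."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} lies outside the 5x5 matrix")


@dataclass(frozen=True)
class ThreatCategory:
    name: str        # "confidentiality", "integrity" or "availability"
    likelihood: str
    impact: str


@dataclass(frozen=True)
class SystemProfile:
    name: str
    regulated_data: bool   # HIPAA, FERPA, PCI-DSS etc. (the page's rule)
    threats: tuple


def assess_category(cat: ThreatCategory, regulated_data: bool) -> tuple:
    """Score one threat-event category. For a system holding regulated data the
    page treats compromise as at least 'possible' and the confidentiality
    impact as 'severe', so those floors are applied before multiplying."""
    likelihood, impact = cat.likelihood, cat.impact
    if regulated_data and cat.name == "confidentiality":
        if LIKELIHOOD[likelihood] < LIKELIHOOD["possible"]:
            likelihood = "possible"
        impact = "severe"
    score = risk_score(likelihood, impact)
    return score, risk_level(score)


def assess_system(system: SystemProfile) -> tuple:
    """Per-category (score, level) plus the overall level, which the page
    defines as the HIGHEST level of any threat event category."""
    per_category = {c.name: assess_category(c, system.regulated_data)
                    for c in system.threats}
    _overall_score, overall_level = max(per_category.values())
    return per_category, overall_level


# Constructed sample, loosely following the page's "IT Admin" figure.
IT_ADMIN_WORKSTATION = SystemProfile(
    name="IT admin workstation", regulated_data=False,
    threats=(ThreatCategory("confidentiality", "unlikely", "major"),    # 8
             ThreatCategory("integrity", "unlikely", "moderate"),       # 6
             ThreatCategory("availability", "likely", "moderate")))     # 12

# Constructed sample: a laptop holding FERPA data, so the regulated-data rule
# lifts its confidentiality category regardless of the raw estimates.
FACULTY_LAPTOP = SystemProfile(
    name="faculty laptop", regulated_data=True,
    threats=(ThreatCategory("confidentiality", "unlikely", "minor"),
             ThreatCategory("integrity", "very unlikely", "minor"),
             ThreatCategory("availability", "possible", "minor")))

if __name__ == "__main__":
    for system in (IT_ADMIN_WORKSTATION, FACULTY_LAPTOP):
        per_category, overall = assess_system(system)
        print(system.name, per_category, "->", overall)
```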

Additional Examples

(Figure: System – Faculty Laptop)

(Figure: Applications – Student Administrative Application - MyUI)


Help dynamically mitigate risks with adaptive protection (preview)


Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Adaptive protection in Microsoft Purview uses machine learning to identify and mitigate the most critical risks with the most effective data loss prevention (DLP) protection controls dynamically, saving security teams valuable time while ensuring better data security. Adaptive protection helps increase risk mitigation by extending and managing preventative options associated with detected risky action to the capabilities provided by DLP policies.

Adaptive protection helps mitigate these potential risks by using:

  • Context-aware detection . Helps identify the most critical risks with ML-driven analysis of both content and user activities.
  • Dynamic controls . Helps enforce effective controls on high-risk users while others maintain productivity.
  • Automated mitigation . Helps to minimize the impact of potential data security incidents and reduce admin overhead.

Adaptive protection dynamically assigns appropriate DLP policies to users based on the risk levels defined and analyzed by the machine learning models in insider risk management. With this new capability, static DLP policies become adaptive based on user context, ensuring that the most effective policy, such as blocking data sharing, is applied only to high-risk users while low-risk users can maintain productivity. The policy controls constantly adjust, so when a user's risk level changes, an appropriate policy is dynamically applied to match the new risk level.

Insider risk management is currently available in tenants hosted in geographical regions and countries supported by Azure service dependencies. To verify that the insider risk management solution is supported for your organization, see Azure dependency availability by country/region .


If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub . Learn details about signing up and trial terms .

Risk levels and preventive controls

With adaptive protection, your administrators can configure the risk factors or activities for customizable risk levels based on your organization's needs. The risk levels for adaptive protection update continuously and automatically based on the users' risk factors and insights, so when users' data security risks increase or decrease, their risk levels are adjusted accordingly. Based on the risk levels, DLP policies automatically apply the right level of preventative controls as configured by admins (such as block , block with override , or warning ).

Depending on the insider risk management policy assigned in adaptive protection, different criteria (users, groups, indicators, thresholds, etc.) are used to determine applicable risk levels. Risk levels are based on user insights, not solely on the number of instances of specific user activities. Insights are a calculation of the aggregate number of activities and the severity level of these activities.

For example, User A's risk level isn't determined by User A performing a potentially risky activity more than three times. It's determined by the insight built from the aggregate of User A's activities, with risk scores assigned to that activity according to the thresholds configured in the selected policy.

Risk levels

Risk levels in adaptive protection define how risky a user's activity is and can be based on criteria such as how many exfiltration activities they performed or whether their activity generated a high severity insider risk alert. These risk levels have built-in risk level definitions, but these definitions can be customized as needed:

  • Elevated risk level : This is the highest risk level. It includes built-in definitions for users with high severity alerts, users with at least three sequence insights that each have a high severity alert for specific risk activities, or one or more confirmed high severity alerts.
  • Moderate risk level : The medium risk level includes built-in definitions for users with medium severity alerts or users with at least two data exfiltration activities with high severity scores.
  • Minor risk level : The lowest risk level includes built-in definitions for users with low severity alerts or users with at least one data exfiltration activity with a high severity score.

For a risk level to be assigned to a user, the number of insights and the severity assigned to the activity must match the definition for the risk level. An insight may consist of a single activity or of many activities that accrue to it. It's the number of insights that is evaluated against the risk level definition, not the number of activities an insight contains.

For example, suppose the conditions in the insider risk management policy assigned to adaptive protection is scoped for identifying downloads from SharePoint sites in your organization. If the policy detects that a user downloaded 10 files from a SharePoint site in a single day that are determined to be high severity, this would count as a single insight that consists of 10 activity events. In order for this activity to qualify for assigning an Elevated risk level to the user, two additional insights (with high severity) would be required for the user. The additional insights may or may not contain one or more activities.


Customizing risk levels

Custom risk levels allow you to create risk levels based on your organization's needs. You can customize criteria that the risk level is based on, and then define conditions to control when the risk level is assigned to users.

For example, adaptive protection settings and DLP policies can allow users in the minor or medium risk level to receive policy tips and education on best practices of handling sensitive data, influencing positive behavior changes over time to reduce organizational data risks. For users in the elevated risk level, administrators can use the strictest protection controls, such as blocking users from saving or sharing sensitive data, to minimize the impact of potential data incidents.

Risk level criteria and conditions

Risk level criteria and conditions customization can be based on the following areas:

  • Alerts generated or confirmed for a user : This option allows you to choose conditions based on the severity level for alerts that are generated or confirmed for a user for the selected insider risk management policy. Conditions for alerts aren't additive and the risk level is assigned to a user if one of the conditions is met.
  • Specific user activity : This option allows you to choose conditions for activity to detect, its severity, and the number of daily occurrences during the past activity detection window (optional). Conditions for user activity are additive and the risk level is assigned to a user only if all the conditions are met.

Past activity detection

This risk level setting determines how many days back adaptive protection examines to detect whether a user meets the conditions defined by any of the risk levels. The default setting is 7 days, but you can choose between 5 and 30 days of previous activity to apply risk level conditions. This setting only applies to risk levels that are based on a user's daily activity and excludes risk levels based on alerts.

The following example illustrates how the past activity detection setting and a risk level definition interact to determine whether a user's past activity is in scope:

  • Elevated risk level setting: User performs at least three sequences, each with a high severity risk score (67 to 100)
  • Past activity detection setting: 3 days
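The rules in the sections above (daily insights rather than raw activities, the built-in level definitions, additive activity conditions, non-additive alert conditions, and the past activity detection window) can be put together in a small simulation. The following is an added illustration and not Microsoft's code or any documented API: the event records, the policy shape, the users, and the Medium and Low score bands are constructed assumptions, and only the High band (67 to 100) comes from the page.

```python
"""Added illustration (not Microsoft's code) of how adaptive protection's
risk-level rules compose: raw events collapse into one daily insight per
activity type, the past-activity window bounds which insights count,
activity conditions are ANDed and alert conditions ORed, and a user gets
the highest level whose definition is satisfied."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

HIGH, MEDIUM, LOW = "High", "Medium", "Low"


def severity_from_score(score: int) -> str:
    """Map a 0-100 risk score to a severity band. High = 67-100 per the page;
    the Medium/Low cut-offs are assumptions for this example."""
    if score >= 67:
        return HIGH
    if score >= 34:
        return MEDIUM
    return LOW


@dataclass(frozen=True)
class Event:          # one raw activity record, e.g. a single file download
    user: str
    activity: str
    day: date
    score: int


@dataclass(frozen=True)
class Insight:        # one activity type, one user, one day, any number of events
    user: str
    activity: str
    day: date
    severity: str
    event_count: int


def build_daily_insights(events):
    """Collapse events into daily insights. The insight takes the severity of
    its highest-scoring event (an assumption; the page only says the aggregate
    is scored against the policy thresholds)."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.user, e.activity, e.day)].append(e.score)
    return [Insight(u, a, d, severity_from_score(max(scores)), len(scores))
            for (u, a, d), scores in buckets.items()]


@dataclass(frozen=True)
class ActivityCondition:   # additive: activities AND severity AND occurrences
    activities: frozenset
    severity: str
    occurrences: int       # counts insights (days), never the events inside them


@dataclass(frozen=True)
class AlertCondition:      # not additive: one matching alert is enough
    generated: Optional[str] = None
    confirmed: Optional[str] = None


@dataclass(frozen=True)
class Alert:
    user: str
    severity: str
    confirmed: bool


def activity_condition_met(cond, insights, user, today, window_days):
    start = today - timedelta(days=window_days - 1)   # window includes today
    hits = [i for i in insights
            if i.user == user and i.activity in cond.activities
            and i.severity == cond.severity and start <= i.day <= today]
    return len(hits) >= cond.occurrences


def alert_condition_met(cond, alerts, user):
    for a in alerts:
        if a.user != user:
            continue
        wanted = cond.confirmed if a.confirmed else cond.generated
        if wanted is not None and a.severity == wanted:
            return True
    return False


def assign_risk_level(levels, user, events, alerts, today, window_days=7):
    """levels: ordered highest to lowest; any one condition satisfies a level."""
    insights = build_daily_insights(events)
    for name, conditions in levels:
        for cond in conditions:
            if isinstance(cond, ActivityCondition):
                met = activity_condition_met(cond, insights, user, today, window_days)
            else:
                met = alert_condition_met(cond, alerts, user)
            if met:
                return name
    return None


# Example policy mirroring the built-in shape; the activity names stand in for
# the exfiltration indicators selected in a real policy (assumption).
EXFIL = frozenset({"SharePointDownload", "CopyToUSB"})
LEVELS = [
    ("Elevated", [AlertCondition(generated=HIGH), AlertCondition(confirmed=HIGH),
                  ActivityCondition(EXFIL, HIGH, 3)]),
    ("Moderate", [AlertCondition(generated=MEDIUM), ActivityCondition(EXFIL, HIGH, 2)]),
    ("Minor",    [AlertCondition(generated=LOW), ActivityCondition(EXFIL, HIGH, 1)]),
]

TODAY = date(2024, 3, 10)
# Constructed sample data: alice's 10 downloads on 9 March form ONE insight.
EVENTS = (
    [Event("alice", "SharePointDownload", date(2024, 3, 9), 70 + k) for k in range(10)]
    + [Event("alice", "SharePointDownload", date(2024, 3, 6), 80)]
    + [Event("alice", "SharePointDownload", date(2024, 2, 20), 95)]  # outside a 7-day window
    + [Event("dave", "CopyToUSB", date(2024, 3, 10), 20)]             # Low severity only
)
ALERTS = [Alert("bob", LOW, confirmed=False), Alert("carol", HIGH, confirmed=True)]


def example_results():
    return {
        "alice_7d": assign_risk_level(LEVELS, "alice", EVENTS, ALERTS, TODAY, 7),
        "alice_30d": assign_risk_level(LEVELS, "alice", EVENTS, ALERTS, TODAY, 30),
        "bob": assign_risk_level(LEVELS, "bob", EVENTS, ALERTS, TODAY),
        "carol": assign_risk_level(LEVELS, "carol", EVENTS, ALERTS, TODAY),
        "dave": assign_risk_level(LEVELS, "dave", EVENTS, ALERTS, TODAY),
    }


if __name__ == "__main__":
    for user, level in example_results().items():
        print(f"{user}: {level}")
```

With a 7-day window alice has two high-severity daily insights (11 events) and lands at Moderate; widening the window to 30 days pulls in the February insight and she becomes Elevated. A single confirmed high-severity alert puts carol at Elevated regardless of activity, and dave's low-scoring USB copy assigns nothing.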

Risk level timeframe

This risk level setting determines how long a risk level remains assigned to a user before it's automatically reset. The default setting is 7 days, but you can choose between 5 and 30 days before resetting the risk level for a user.

Risk levels also reset for a user when:

  • The associated alert for the user is dismissed
  • The associated case for the user is resolved
  • The risk level end date is manually expired

If a user is currently assigned a risk level and that user meets the criteria again for that risk level, then the risk level timeframe is extended for the defined number of days for the user.
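The reset and extension behaviour described above is easy to get wrong when building reports or automation around it, so here is a small tracker that encodes it. This is an added example, not Microsoft's code: restarting the clock from the day of the new match, and replacing the level when a different one is met, are this example's interpretations of the text, and the dates and users are constructed.

```python
"""Added illustration (not Microsoft's code) of the risk level timeframe:
an assigned level carries a reset date, meeting the same level again
extends it by the configured number of days, and dismissing the alert,
resolving the case or manually expiring the level clears it at once."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class RiskAssignment:
    level: str
    assigned_on: date
    resets_on: date        # the level is no longer assigned from this day on


RESET_REASONS = {"alert_dismissed", "case_resolved", "manually_expired"}


class RiskLevelTracker:
    def __init__(self, timeframe_days: int = 7):
        if not 5 <= timeframe_days <= 30:          # the range the page allows
            raise ValueError("risk level timeframe must be 5-30 days")
        self.timeframe = timedelta(days=timeframe_days)
        self.assignments: dict = {}

    def current_level(self, user: str, today: date) -> Optional[str]:
        a = self.assignments.get(user)
        if a is None:
            return None
        if today >= a.resets_on:                   # automatic reset
            del self.assignments[user]
            return None
        return a.level

    def days_until_reset(self, user: str, today: date) -> Optional[int]:
        if self.current_level(user, today) is None:
            return None
        return (self.assignments[user].resets_on - today).days

    def on_match(self, user: str, level: str, today: date) -> RiskAssignment:
        """The policy found that `user` meets the conditions for `level` today."""
        if self.current_level(user, today) == level:
            # Same level met again: extend by the full timeframe (clock restarts
            # from today; an interpretation of "extended for the defined number of days").
            self.assignments[user].resets_on = today + self.timeframe
        else:
            # New or different level: fresh assignment (assumption for a different level).
            self.assignments[user] = RiskAssignment(level, today, today + self.timeframe)
        return self.assignments[user]

    def reset(self, user: str, reason: str) -> None:
        if reason not in RESET_REASONS:
            raise ValueError(f"unknown reset reason: {reason}")
        self.assignments.pop(user, None)


def example_timeline():
    """Constructed walk-through; returns observations as ISO date strings."""
    t = RiskLevelTracker(timeframe_days=7)

    def d(n):
        return date(2024, 3, 1) + timedelta(days=n)

    t.on_match("alice", "Moderate", d(0))               # resets on 8 March
    first_reset = t.assignments["alice"].resets_on
    t.on_match("alice", "Moderate", d(4))               # same level again on 5 March
    extended_reset = t.assignments["alice"].resets_on   # now 12 March
    level_day_10 = t.current_level("alice", d(10))      # 11 March: still Moderate
    days_left = t.days_until_reset("alice", d(10))      # 1
    level_day_11 = t.current_level("alice", d(11))      # 12 March: reset
    t.on_match("bob", "Elevated", d(0))
    t.reset("bob", "alert_dismissed")                   # manual-style reset
    return {
        "first_reset": first_reset.isoformat(),
        "extended_reset": extended_reset.isoformat(),
        "alice_day_10": level_day_10,
        "alice_days_left_day_10": days_left,
        "alice_day_11": level_day_11,
        "bob_after_dismiss": t.current_level("bob", d(1)),
    }


if __name__ == "__main__":
    print(example_timeline())
```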

Permissions for adaptive protection

Depending on how you're using insider risk management built-in role groups and role groups for DLP, you may need to update permissions for administrators, analysts, and investigators in your organization.

The following table describes the permissions required for specific adaptive protection tasks.

The three categories of role groups correspond to the following tabs on the Adaptive Protection page: Risk levels for Adaptive Protection , Users assigned risk levels , DLP policies . If you're not assigned to the appropriate role group, the tab won't appear on the Adaptive Protection page.

Learn more about role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance

Configure adaptive protection

Depending on the needs of your organization, or on how far you've already configured insider risk management and DLP, you have two options to get started with adaptive protection:

  • Quick setup
  • Custom setup

The quick setup option is the fastest way to get started with adaptive protection. With this option, you don't need any pre-existing insider risk management or DLP policies, and you don't need to pre-configure any settings or features. If your organization doesn't have a current subscription or license that supports insider risk management or DLP, sign up for a Microsoft Purview risk and compliance solutions trial before starting the quick setup process.

You can get started by selecting Turn on Adaptive Protection from the adaptive protection cards on the compliance portal home page or DLP overview pages. You can also get started with the quick setup process by going to Insider risk management > Adaptive Protection > Dashboard > Quick setup .

If you're already a scoped admin for Microsoft Purview, you can't turn on quick setup.

Here's what is configured when you use the quick setup process for adaptive protection:

Once the quick setup process is started, it may take up to 72 hours before analytics are completed, the associated insider risk management and DLP policies are created, and you can expect to see adaptive protection risk levels and DLP actions applied to applicable user activities. Administrators receive a notification email once the quick setup process is completed.

The custom setup option allows you to customize the insider risk management policy, the risk levels, and the DLP policies configured for adaptive protection. This option also allows you to configure these items before actually enabling the adaptive protection connections between insider risk management and DLP. In most cases, this option should be used by organizations that already have insider risk management and/or DLP policies in place.

Complete the following steps to configure adaptive protection using the custom setup:

Step 1: Create insider risk management policy

Risk levels are assigned to users when a policy assigned in adaptive protection either detects user activity or generates alerts that match the risk level conditions you define in the next step. If you don't want to use an existing insider risk management policy (selected in Step 2), you must create a new insider risk management policy. Your insider risk management policy for adaptive protection should include:

  • Users whose activity you want to detect . This can be all users and groups in your organization or just a subset for specific risk mitigation scenarios or testing purposes.
  • Activities you consider risky and custom thresholds that influence an activity's risk score . Risky activities might include emailing people outside your organization or copying files to USB devices.

Select Create insider risk policy to launch the new policy wizard. The Data leaks policy template is automatically selected in the wizard, but you can select any policy template if needed.

Depending on the policy template selected, you may need to configure additional settings for the policy to properly detect potentially risky activities and to create applicable alerts.

Step 2: Configure risk level settings

Select the Risk levels for Adaptive Protection tab. Start by selecting the insider risk management policy you want to use for adaptive protection. This can either be the new policy you created in Step 1 or an existing policy or policies that you've already configured.

Next, accept the applicable built-in risk level conditions or create your own. Depending on the type of policy you've selected, the risk level conditions will reflect the applicable conditions associated with indicators and activities you've configured in the policy.

For example, if you've chosen a policy based on the Data leaks policy template, the built-in risk level condition choices apply to indicators and activities available in that policy. If you've selected a policy based on the Security policy violations policy template, the built-in risk level conditions are automatically scoped to indicators and activities available in that policy.

To customize a risk level for your policy, complete the following steps:

On the Risk levels for Adaptive Protection tab, select Edit for the risk level you'd like to customize ( Elevated , Moderate , or Minor ).

On the Custom risk level pane, select an option in the Risk level based on section:

  • Alert generated or confirmed for a user
  • Specific user activity

If you've selected the Alert generated or confirmed for a user option, you'll choose the severity levels for alerts that are generated or confirmed for a user that should use this risk level. You can keep both the Severity for generated alerts and the Severity for confirmed alerts conditions, or remove one of them if you only want to use one. If you need to add a condition back, select Add condition and select the condition. For each condition, choose the severity level that should apply ( High , Medium , or Low ). If any of the conditions are met, the risk level is assigned to the user.

If you've selected the Specific user activity option, choose the activity to detect, its severity, and number of daily occurrences during the past activity detection window. You must configure the Activities , Activity severity , and Activity occurrences during detection window conditions for this risk level.

For the Activities condition, the options you can choose from are automatically updated for the types of activities you've defined with the indicators configured in the associated policy. If needed, select the Assign this risk level to any user who has a future alert confirmed, even if conditions above aren't met checkbox. The risk level is assigned to a user only if all of the conditions are met.

For the Activity severity condition, specify the severity level for the activities included in the daily activity insight. The options are High , Medium , and Low , and are based on risk score ranges.

For the Activity occurrences during detection window condition, specify the number of times the selected activities must be detected within the configured Past activity detection period. This number counts daily activity insights, not the events within them. For example, if the policy detects that a user downloaded 20 files from SharePoint in one day, that counts as one daily activity insight consisting of 20 events.

Select Confirm to apply the custom risk level conditions or Cancel to discard your changes.

How risk level is assigned if a user is in scope for multiple policies

If a user is in scope for multiple policies and receives alerts of different severity levels from them, the user is by default assigned the risk level that corresponds to the highest alert severity received. For example, consider a risk level configuration that assigns Elevated when a user receives a high severity alert. If the user receives a low severity alert from policy 1, a medium severity alert from policy 2, and a high severity alert from policy 3, the user is assigned the Elevated risk level, the level for the highest alert severity received.

Risk level conditions must be present in the selected policies to be detected. For example, if you select the Copy to USB activity to assign a Moderate risk level, but that activity is selected as an indicator in only one of the three selected policies, only activity detected by that one policy can assign the Moderate risk level.
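The two rules in this section, highest alert severity wins and an activity only counts from a policy whose indicators include it, are shown together in the following added example. It is not Microsoft's code: the policy names, their indicator sets, and the alert-to-level and activity-to-level conditions are constructed for the illustration.

```python
"""Added illustration (not Microsoft's code) of how one level is chosen for
a user in scope for several insider risk policies: each policy contributes
only the alerts it raised and only the activities it is configured to
detect, and the highest level any policy reaches is assigned."""
from dataclasses import dataclass

LEVEL_RANK = {"Elevated": 3, "Moderate": 2, "Minor": 1}
# Example alert-based conditions: one alert of the given severity assigns the level.
ALERT_CONDITIONS = {"High": "Elevated", "Medium": "Moderate", "Low": "Minor"}
# Example activity-based condition: at least 1 high-severity Copy to USB
# daily insight assigns Moderate (constructed, as in the text's example).
ACTIVITY_CONDITIONS = {"CopyToUSB": (1, "Moderate")}


@dataclass(frozen=True)
class Policy:
    name: str
    indicators: frozenset   # activities this policy is configured to detect


def level_from_policy(policy, alerts_from_policy, high_severity_insights):
    """alerts_from_policy: severities of alerts this policy raised for the user.
    high_severity_insights: {activity: count of high-severity daily insights}
    observed for the user. A policy only 'sees' activities in its indicators."""
    candidates = [ALERT_CONDITIONS[s] for s in alerts_from_policy if s in ALERT_CONDITIONS]
    for activity, count in high_severity_insights.items():
        if activity not in policy.indicators:
            continue          # not selected in this policy: cannot assign a level
        if activity in ACTIVITY_CONDITIONS:
            needed, level = ACTIVITY_CONDITIONS[activity]
            if count >= needed:
                candidates.append(level)
    return max(candidates, key=lambda lvl: LEVEL_RANK[lvl], default=None)


def assign_across_policies(policies, alerts_by_policy, high_severity_insights):
    """Return (assigned level, per-policy breakdown); the highest level wins."""
    per_policy = {
        p.name: level_from_policy(p, alerts_by_policy.get(p.name, ()), high_severity_insights)
        for p in policies
    }
    reached = [lvl for lvl in per_policy.values() if lvl is not None]
    return max(reached, key=lambda lvl: LEVEL_RANK[lvl], default=None), per_policy


# Constructed policies; only "Departing users" has Copy to USB as an indicator.
POLICIES = [
    Policy("Data leaks", frozenset({"SharePointDownload", "EmailExternal"})),
    Policy("Departing users", frozenset({"SharePointDownload", "CopyToUSB"})),
    Policy("Security policy violations", frozenset({"DisableSecurityTool"})),
]


def example_alert_case():
    # Low, Medium and High alerts from three policies: Elevated wins.
    alerts = {"Data leaks": ("Low",),
              "Departing users": ("Medium",),
              "Security policy violations": ("High",)}
    return assign_across_policies(POLICIES, alerts, {})


def example_activity_case():
    # Two high-severity Copy to USB insights: only the one policy that
    # selects that indicator assigns Moderate; the others contribute nothing.
    return assign_across_policies(POLICIES, {}, {"CopyToUSB": 2})


if __name__ == "__main__":
    print(example_alert_case())
    print(example_activity_case())
```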

Step 3: Create or edit a DLP policy

Next, create (or edit) an existing DLP policy to restrict actions for users who match your risk level conditions in adaptive protection. Use the following guidelines for your DLP policy configuration:

  • You must include the User's risk level for Adaptive Protection is condition in your DLP policy. This DLP policy can include other conditions as needed.
  • Although you can include other locations in the DLP policy, adaptive protection currently supports only Exchange, Microsoft Teams, and devices.

Select Create DLP policy to launch the DLP policy wizard to create a new DLP policy. If you have an existing DLP policy that you'd like to configure for adaptive protection, go to Data loss prevention > Policies in the compliance portal and select the DLP policy you'd like to update for adaptive protection. For guidance on how to configure a new DLP policy or update an existing DLP policy for adaptive protection, see Learn about adaptive protection in data loss prevention: Manual configuration .

We recommend testing the DLP policy (with policy tips) so you can review DLP alerts and verify that the policy works as expected before enabling adaptive protection.

Step 4: Turn on adaptive protection

After you've completed all three of the previous steps, you're ready to enable adaptive protection. When you turn on adaptive protection:

  • The insider risk management policy starts looking for user activity matching your risk level conditions. If detected, the risk levels are assigned to users.
  • Users who are assigned risk levels appear on the Users in scope tab in adaptive protection.
  • The DLP policy applies protection actions for any user assigned to risk levels included in the DLP policy.
  • The DLP policy is added to the DLP policies tab in Adaptive Protection (preview) . You can view details about the DLP policy and edit policy conditions from the dashboard.

To enable adaptive protection, select the Adaptive Protection settings tab and toggle Enable Adaptive Protection to On . It may take up to 36 hours before you can expect to see adaptive protection risk levels and DLP actions applied to applicable user activities.


Manage adaptive protection

Once you've enabled adaptive protection and your insider risk management and DLP policies are configured, you'll have access to information about policy metrics, current in-scope users, and risk levels currently in-scope.

After you've completed either the Quick or Custom setup process, the Dashboard tab in Adaptive Protection (preview) displays widgets for summary information about DLP policies and user risk levels:

  • DLP policies : Displays the number of DLP policies configured for adaptive protection and the number of users currently in-scope for the DLP policies.
  • Users assigned risk levels : Displays the number of users for each risk level ( Elevated risk , Moderate risk , and Minor risk ).


Users assigned risk levels

Users that have been assigned a risk level in adaptive protection appear on the Users assigned risk levels tab. You can review the following information for each user:

Users : Lists the user name, unless the Show anonymized versions of usernames option is selected in insider risk management settings for your organization. If this option is selected, you'll see anonymized user names.

Note that anonymization of usernames (if turned on) isn't preserved for adaptive protection users whose alerts or activity appear outside insider risk management: to maintain referential integrity, actual usernames appear in related DLP alerts and in activity explorer.

Risk level : The current risk level assigned to the user.

Assigned to user : The number of days or months that have passed since the user was assigned a risk level.

Risk level resets : The number of days until the risk level is automatically reset for the user.

To manually reset the risk level for a user, select the user, and then select Expire . This user will no longer be assigned a risk level. Existing alerts or cases for this user won't be removed. If this user is included in the selected insider risk management policy, a risk level will be assigned again if a triggering event is detected.

Active alerts : The number of current insider risk management alerts for the user.

Cases confirmed as violation : The number of confirmed cases for the user.

Case : The name of the case.

If needed, you can filter users by Risk level .


To view detailed insider risk and adaptive protection information for a specific user, select the user to open the user details pane. The details pane contains three tabs, User profile , User activity , and Adaptive Protection summary . For information about the User profile and User activity tabs, see View user details .

The Adaptive Protection summary tab aggregates information in three sections:

  • Adaptive Protection : This section displays information about the current Risk level , Risk level assigned on , and Risk level reset on for the user.
  • DLP policies in scope (dynamic) : This section displays all the DLP policies currently in scope for the user and the start and end date for the policy. This is based on the risk level for the user and DLP policy configuration for risk levels. For example, if a user has activities that have been defined as Elevated risk levels for insider risk management policies, and two DLP policies are configured with the Elevated risk level condition, these two DLP policies will be displayed here for the user.
  • Insider risk policy for Adaptive Protection : This section displays any insider risk management policy where the user is currently in-scope.


DLP policies

The DLP policies page displays all DLP policies that are using the User's risk level for Adaptive Protection is condition. You can review the following information for each policy:

  • Policy name : The name of the DLP policy.
  • Policy state : The current state of the policy. Values are Active or Inactive .
  • Policy location : The locations included in the DLP policy. Currently, adaptive protection only supports Exchange, Teams, and Devices.
  • Risk levels included : The risk levels included in the DLP policy using the User's risk level for Adaptive Protection is condition. The options are Elevated , Moderate , or Minor risk levels.
  • Policy status : The current status of the DLP policy. The options are On or Test with notifications .
  • Created : The date the DLP policy was created.
  • Last modified : The date the DLP policy was last edited.


Tune your risk level settings

After reviewing users with risk levels, you may find that too many or too few users are assigned a risk level. You can use several methods to tune your policy configuration to decrease or increase the number of users that are assigned risk levels:

  • Increase or decrease the activity or alert severity required to assign a risk level. For example, if you're seeing too few users with risk levels, you can lower the required severity.
  • If the risk level is based on a specific user activity, increase or decrease the activity occurrences during the detection window. For example, if you're seeing too few users with risk levels, you can reduce the activity occurrences.
  • Change what the risk level is based on. For example, if you're seeing too many users with risk levels, to decrease the number of users, you could assign a risk level only if the alert is confirmed.
  • Modify policy thresholds . Since risk levels are assigned based on policy detections, you can also modify your policy, which will in turn change the requirements to assign a risk level. You can modify a policy by increasing or decreasing the policy thresholds that lead to high/medium/low severity activities and alerts.

Disable adaptive protection

There may be certain scenarios when you might need to disable adaptive protection temporarily. To disable adaptive protection, select the Adaptive Protection settings tab and toggle Enable Adaptive Protection to Off .

If adaptive protection is turned off after having been on and active, risk levels will stop being assigned to users and shared with DLP, and all existing risk levels for users will be reset. After turning adaptive protection off, it might take up to 6 hours to stop assigning risk levels to user activity and reset them all. The insider risk management and DLP policies aren't automatically deleted.



Value-based Payment

AAFP tools ease patient risk stratification, care planning

May 5, 2021, 4:33 p.m.  News Staff  — In 2001, the Institute of Medicine (now the National Academy of Medicine) declared that fundamental health care reform was necessary “to ensure that all Americans receive care that is safe, effective, patient-centered, timely, efficient and equitable.” Spurred by that and similar calls for high-quality care, value-based payment evolved as a methodology for balancing health care effectiveness with efficiency. 


The AAFP has for many years recognized the potential of VBP  as a way of assuring that patients receive the right care at the right time in the right setting and, in 2009, set forth a lengthy roster of principles and guidelines  that should be considered when designing and deploying VBP programs.

According to policy adopted by the 2016 Congress of Delegates , VBP’s focus on health outcomes dictates that practices maintain an infrastructure that supports population health management using risk-stratification care strategies, which starts with attributing patients to a primary care physician. “By identifying panels, physicians and their care teams are able to risk-stratify patients based on the individual care and support needs of each individual patient, thereby allowing for a current state assessment of the health of the population and a gap analysis of resource needs,” the policy states.

At the practice level, risk stratification is typically performed using an algorithm in the EHR, registry or population health system. Such tools are designed to identify patients who require outreach, have care gaps, or who are due for preventive screenings. Once identified, the care team can reach out to them with reminders and follow up via telephone, the patient portal, mailings or other means.

For practices that do not have access to these types of systems, the AAFP’s Risk-Stratified Care Management Scoring Algorithm  can be useful in stratifying patients into three risk levels based on utilization, chronic disease status, behavioral and mental health, and social determinants of health. The tool enables practices to generate a score and associated risk level to identify patients who may benefit from longitudinal care management services.  

After a patient’s score and initial risk level have been determined, the care team may wish to use the Risk-Stratified Care Management Rubric to further explore the patient’s risk status and identify care plan suggestions and opportunities for planned care, if appropriate.

Created by AAFP subject matter experts, the rubric offers a conceptual framework to guide the physician and care team through the process of stratifying patients into six risk-based levels based on health severity, social determinants and utilization of care services. In addition to aiding clinicians in identifying and assigning a patient's health risk level, the rubric can be used to offer care plan suggestions. It includes a diabetes example case that illustrates different risk levels and associated care plan suggestions.

Both of these risk-stratification resources are available free to members ― that’s a $50 value for each tool.

Copyright © 2024 American Academy of Family Physicians. All Rights Reserved.

  • Published: 19 February 2024

An integrative approach to medical laboratory equipment risk management

  • Neven Saleh (ORCID: orcid.org/0000-0002-6304-9819) 1, 2,
  • Omnia Gamal 3,
  • Mohamed A. A. Eldosoky 3 &
  • Abdel Rahman Shaaban 2

Scientific Reports volume 14, Article number: 4045 (2024)


  • Engineering
  • Health care
  • Risk factors

Medical Laboratory Equipment (MLE) is one of the most influential means of diagnosing a patient in healthcare facilities. The accuracy and dependability of clinical laboratory testing is essential for disease diagnosis. This study presents a risk-reduction plan for managing MLE. The methodology was initially based on the Failure Mode and Effects Analysis (FMEA) method. Because of the drawbacks of standard FMEA implementation, the Technique for Order Preference by Similarity to the Ideal Solution (TOPSIS) was adopted in addition to the Simple Additive Weighting (SAW) method. Each piece of MLE under investigation was given a risk priority number (RPN), which in turn determined its risk level. The generated RPN values can be used to improve equipment performance and prioritize maintenance work. Moreover, five machine learning classifiers were employed to classify the TOPSIS results for appropriate decision-making. The study was conducted across 15 hospitals in Egypt, using a real data set of 150 MLE units covering three different types of MLE. By applying the TOPSIS and SAW methods, new RPN values were obtained to rank MLE risk. The TOPSIS approach was adopted because of its stability in ranking MLE risk values compared to the conventional FMEA and SAW methods. Thus, a prioritized list of MLEs was identified for decisions on appropriate incoming maintenance and scrapping strategies, guided by the machine learning classifiers.

Introduction

Risk management has become an essential concept in hospitals to guarantee standard compliance, competency, reliability, and patient safety [1]. Risk management techniques have an essential role in enhancing the work environment. The initial step of the risk management approach is to identify potential hazards. Next, each hazard's likelihood and degree of severity are evaluated. A risk number is computed to evaluate the risk connected to each hazard; hazards are then ranked for reduction according to this number. This study aims to manage and mitigate risks involving medical laboratory equipment (MLE) that arise from inadequate use and poor management.

A common technique for evaluating risk is FMEA, which stands for Failure Mode and Effects Analysis. Risk assessment is carried out with this method by determining the likelihood, impact, and detectability of a failure. Potential MLE failure scenarios are assessed using a risk priority number (RPN). The RPN is an aggregate index formed by multiplying three indicators, each rated on a scale of 1 to 5: probability (P), severity (S), and detection (D). Based on the failure's likelihood, consequence level, and degree of detectability, an integrated risk score is proposed to compare failures [1, 2, 3].

Multi-criteria decision-making (MCDM) is the approach to choosing the most appropriate option among alternatives. Several MCDM methods have been developed in the literature. One of them is the Technique for Order Preference by Similarity to the Ideal Solution (TOPSIS) [4]. It is mainly used to select the superior alternative according to a set of conflicting criteria. TOPSIS has been used in several domains, such as energy [5], medicine [6, 7], industrial engineering systems [8], environmental and safety issues [9, 10], research on water resources [11, 12, 13], and various applications in chemical engineering [11, 12]. Simple Additive Weighting (SAW) is one of the earliest MCDM methods and has proven its consistency in various applications [4].

The study suggests using both the TOPSIS and the SAW methods to compensate for the drawbacks of the conventional FMEA, which may yield RPN values that vary with how P, S, and D are assigned; this can be traced to inconsistent assessment of failures among different experts. Furthermore, the FMEA does not take decision-making into account. Additionally, machine learning (ML) was applied to classify the output of the MCDM methods used. The study's contributions are therefore (i) overcoming the limitations of conventional FMEA by applying TOPSIS and SAW for MLE risk sorting; (ii) collecting a real dataset covering three types of MLE; (iii) proposing new factors for risk assessment; (iv) applying five ML classifiers to classify the MLE according to its real status; and (v) presenting a framework to assist biomedical engineers in making decisions on MLE risk management.

The remainder of the article is organized as follows. The Literature review section surveys related work. The methodology is explained and described in Materials and methods. The findings are presented in Results and discussed in Discussion. Besides summarizing the study, Conclusions offers recommendations for further work.

Literature review

In the healthcare sector, greater attention has been placed on risk management to guarantee regulatory compliance, efficacy, stability, and safety. Several strategies have been proposed for minimizing the risks associated with medical devices. This study is an extended version of the work presented in [1]; here, the authors provide further details and explanation of the proposed approach and present additional techniques to control the risk of each MLE under investigation.

An ordered weighted aggregation operator was suggested by Parand et al. [2] to investigate potential hazards related to medical equipment; an innovative application was used in the model's development to compute the RPN. In another study, Sally et al. [14] introduced dynamic risk and how it can be automatically controlled for different modalities of radiology devices. That study identified poor management as the main cause of this kind of risk and reduced the risks related to device mismanagement by utilizing cloud applications and FMEA techniques. Behnam Vahdani et al. [15] proposed a new formulation of the FMEA that combines the TOPSIS technique and a fuzzy belief structure into one paradigm to enhance the risk assessment process.

In developing nations, a dynamic system-based concept for cutting down medical laboratory turnaround times was introduced by Abeer et al. [16]. Another study applied the FMEA throughout the life cycle of a medical device to assess the associated risks; its aim was to highlight key elements of the different processes so that, by calculating the RPN, potential casualties and losses could be avoided [17]. In [18], the Deng entropy weighted risk priority number (DEWRPN) technique was first presented for applied FMEA. The model derives a new DEWRPN based on Dempster-Shafer evidence theory (DST).

Materials and methods

The study was conducted by applying three methods for risk assessment of MLE: the FMEA, TOPSIS, and SAW. Using the FMEA, every piece of MLE was ranked according to its RPN. In addition, a risk score ranking all MLEs under assessment was computed using the TOPSIS and SAW methods. Comparing the results of SAW and TOPSIS, the method that gives the more robust results is adopted for the next stage. Five ML classifiers are then employed to classify the output of the best MCDM method based on a specific threshold. The overall methodology is depicted in Fig. 1. The criteria proposed by the study and the methods used are described in the following sub-sections.

Figure 1: Overall methodology adopted for the risk management model applied to medical laboratory equipment.

Criteria identification

A set of criteria must be defined for measuring and evaluating the hazards connected to any process in order to identify the risk. Following this rule, we propose five criteria for determining the MLE's risk level: the annual count of complaints, the annual count of preventive maintenance (PM), the annual count of corrective maintenance (CM), the mean response time (MRT) for visits in hours, and the annual count of quality control (QC) [1]. To the best of our knowledge, in contrast to earlier studies, the QC count is a new criterion.

Methods implementation

In this study, a risk-reduction method for managing MLE is presented. The FMEA was used to calculate each MLE's RPN. Because of the shortcomings of the conventional FMEA, an MCDM approach is also used; TOPSIS was selected for this purpose, as it is widely employed in the healthcare domain [19,20,21]. Identifying the conflicting criteria and their respective weights is essential to ranking the alternatives in any MCDM technique. There are numerous techniques for determining criteria weights, including the CRITIC (Criterion Importance via Inter Criteria Correlation) and entropy methods [22]. The entropy method was employed because it suits the problem at hand: it measures the degree of uncertainty of each criterion separately and thereby indicates the degree of differentiation among the criteria [21].

FMEA method

The FMEA can be viewed as a bottom–up analysis method used to identify potential failures in a system or a service [23]. In other words, it is an inductive method that draws general conclusions by reasoning from particular circumstances. The FMEA was employed to identify MLE failures with high risk so that proper management action can be taken. In its implementation, a questionnaire was administered to five medical experts to carry out the steps of the FMEA as follows [1]:

1. Determine each MLE failure mode and its associated impact.

2. Evaluate each MLE failure mode's relative risk as well as its consequences (severity).

3. For every failure, identify every likely cause.

4. Assess the relative risk of each MLE failure (occurrence).

5. Describe the existing process controls for detecting the failure mode.

6. Assess the relative risk of all process controls (detection).

7. Calculate the RPN values as described in Eq. (1) and prioritize the list.

As shown in Tables 1, 2, and 3, a 1-to-5 Likert scale is used to score the probability, severity, and detectability indicators. A score of five denotes the most likely, most severe, and least detectable failure; conversely, a score of one denotes the least likely, least severe, and most detectable [1].

Entropy method

The entropy method is used for criteria weighting. It is based on measuring the information discrimination among criteria: a high divergence index reflects high dispersion of a criterion [22]. The entropy method is applied using the following procedure [1,4,24].

Step 1: The normalized decision matrix N is given in Eq. (2), where x_ij represents alternative i against criterion j.

Step 2: Use Eq. (3) to compute the entropy measure (E) of each criterion from its normalized values, where m represents the number of alternatives.

Step 3: Compute the relative weight of each criterion from its entropy measure (E) as in Eq. (4), where n represents the number of criteria.

TOPSIS method

Of all the MCDM strategies, the most widely used is the distance-based Technique for Order Preference by Similarity to the Ideal Solution (TOPSIS) [25]. The best option is determined by its distance from both the positive ideal and the negative ideal solutions. The following steps are used to implement the TOPSIS technique [1,4,26].

Step 1: Define the decision matrix X = [x_ij], in which each element x_ij represents alternative i against criterion j, and define which criteria are beneficial and which are non-beneficial. Under beneficial criteria the maximum value is best, whereas under non-beneficial criteria the minimum value is best.

Step 2: The normalized decision matrix is calculated through Eq. (5), which maps each element x_ij to a normalized value r_ij.

Step 3: Determine the weighted normalized decision matrix S = [v_ij], in which each normalized element r_ij is multiplied by the computed criterion weight (W), as indicated by Eq. (6).

Step 4: Calculate the optimal best and optimal worst values. Let S− represent the least desirable (negative ideal) solution and S+ the most preferred (positive ideal) solution; Eqs. (7) and (8) define both cases. V− is the minimum weighted normalized value of each beneficial criterion and the maximum weighted normalized value of each non-beneficial criterion. Conversely, V+ is the maximum weighted normalized value of each beneficial criterion and the minimum weighted normalized value of each non-beneficial criterion.

Step 5: Compute the Euclidean distance of each alternative from the optimal best and optimal worst solutions. The separation from the positive ideal solution, referred to as "ideal differentiation", is given by Eq. (9); conversely, the separation from the negative ideal solution, referred to as "negative ideal differentiation", is given by Eq. (10).

Step 6: Eq. (11) calculates the relative closeness (RC) of each alternative to the best solution, which is used for ranking. RC falls between 0 and 1, and the option with an RC closest to 1 is the best choice.

By applying the TOPSIS procedure, new values of probability, severity, and detectability are determined and, from them, new RPN values are calculated. Since RC ranges between 0 and 1, the best alternative is the one with the largest RC. If the TOPSIS method yields the best results, then to decide whether a device should be scrapped, the RC of each device is mapped onto a new scale called the transformed score value (TSV) [27], as described by Eq. (12), where "min" denotes the minimum RC and "max" the maximum RC.

Decisions are made against a selected threshold after the TSV is applied to the TOPSIS results: if a device's evaluated score is at least the threshold, it must be repaired or maintained; otherwise, it should be discarded. Five consultant engineers with an average experience of 15 ± 4.1 years served as the reference panel for choosing the threshold range, and 70% was set as the cutoff point.

SAW method

Simple Additive Weighting (SAW) is defined as a value function established by the weighted simple addition of scores that indicate objective achievement under each criterion [4]. It can offset variations among criteria. SAW is the traditional, simple, and widely used multi-criteria assessment method, also known as the weighted direct merging method. Its implementation entails two simple steps [4,21].

Step 1: Calculate the normalized value r_ij as shown in Eq. (13) for both beneficial and non-beneficial criteria. The parameters x_ij, i, and j are as defined in the TOPSIS method.

Step 2: Assign a preference index (L) to each alternative by summing each normalized value multiplied by its criterion weight, as presented in Eq. (14). The parameters w, r, i, j, and m are as defined in the TOPSIS method.

All alternatives are ranked according to their computed preference index: the best alternative has the highest preference index and the worst the lowest. If the SAW method yields the best results, Eq. (12) is applied to the SAW output with the L value in place of RC.
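The procedure described in the FMEA, Entropy, TOPSIS and SAW sub-sections above, as an added Python example on constructed data (it is not the authors' code and does not use the paper's dataset): it computes conventional RPNs from P, S, D ratings and flags the tied values that motivate the MCDM step, derives entropy weights for the five criteria, ranks devices by TOPSIS relative closeness and by the SAW preference index, and maps RC onto the TSV with the 70% cutoff. Because the page does not reproduce Eqs. (5), (12) and (13), the example assumes vector normalization for TOPSIS, x/max and min/x normalization for SAW, and TSV = 100·(RC − min)/(max − min); the device identifiers and all figures are constructed.

```python
# Added worked example on constructed data (not the paper's dataset): FMEA RPN
# ties, entropy weights, TOPSIS closeness, SAW preference index and TSV mapping.
from math import log, sqrt

# Columns: C1 complaints, C2 QC count, C3 PM count, C4 CM count, C5 MRT (h).
# QC and PM are beneficial (more is better); the other three are non-beneficial.
BENEFICIAL = [False, True, True, False, False]

# Constructed annual figures for four chemistry analyzers (hypothetical IDs).
DEVICES = {
    "CHEM-01": [2, 52, 4, 1, 1.0],
    "CHEM-02": [6, 40, 3, 3, 2.5],
    "CHEM-03": [6, 36, 3, 3, 2.0],
    "CHEM-04": [14, 12, 1, 8, 6.0],
}

# Constructed expert ratings (P, S, D) on the 1-5 Likert scale.
FMEA_RATINGS = {
    "CHEM-01": (1, 2, 1),
    "CHEM-02": (2, 3, 4),
    "CHEM-03": (4, 3, 2),
    "CHEM-04": (5, 5, 3),
}


def rpn(p, s, d):
    """Conventional FMEA risk priority number: the product of P, S and D."""
    return p * s * d

def rpn_ties(ratings):
    """{rpn: [devices]} for each RPN shared by 2+ devices (the duplicate-RPN issue)."""
    by_rpn = {}
    for dev, (p, s, d) in ratings.items():
        by_rpn.setdefault(rpn(p, s, d), []).append(dev)
    return {k: v for k, v in by_rpn.items() if len(v) > 1}

def entropy_weights(matrix):
    """Entropy method: p_ij = x_ij / sum_i x_ij, E_j = -(1/ln m) sum_i p ln p,
    w_j = (1 - E_j) / sum_j (1 - E_j). A zero p_ij contributes 0 to E_j."""
    m, n = len(matrix), len(matrix[0])
    k = 1.0 / log(m)
    divergence = []
    for j in range(n):
        col_sum = sum(row[j] for row in matrix)
        shares = [row[j] / col_sum for row in matrix]
        divergence.append(1.0 + k * sum(p * log(p) for p in shares if p > 0))
    total = sum(divergence)
    return [d / total for d in divergence]

def topsis(matrix, weights, beneficial):
    """Relative closeness RC in [0, 1] (1 = ideal). Vector normalization is
    assumed for Eq. (5), which the paper does not reproduce."""
    n = len(weights)
    norms = [sqrt(sum(row[j] ** 2 for row in matrix)) for j in range(n)]
    v = [[weights[j] * row[j] / norms[j] for j in range(n)] for row in matrix]
    cols = list(zip(*v))
    # V+ takes the best weighted value per criterion, V- the worst.
    v_best = [max(c) if beneficial[j] else min(c) for j, c in enumerate(cols)]
    v_worst = [min(c) if beneficial[j] else max(c) for j, c in enumerate(cols)]
    rc = []
    for row in v:
        s_plus = sqrt(sum((row[j] - v_best[j]) ** 2 for j in range(n)))
        s_minus = sqrt(sum((row[j] - v_worst[j]) ** 2 for j in range(n)))
        rc.append(s_minus / (s_plus + s_minus))
    return rc

def saw(matrix, weights, beneficial):
    """SAW preference index L: weighted sum of x/max (beneficial) or min/x (non-beneficial)."""
    n = len(weights)
    col_max = [max(row[j] for row in matrix) for j in range(n)]
    col_min = [min(row[j] for row in matrix) for j in range(n)]
    return [sum(weights[j] * (row[j] / col_max[j] if beneficial[j]
                              else col_min[j] / row[j]) for j in range(n))
            for row in matrix]

def tsv(scores):
    """Transformed score value: min-max rescaling of RC (or L) onto 0-100 %."""
    lo, hi = min(scores), max(scores)
    return [100.0 * (s - lo) / (hi - lo) for s in scores]

def decide(tsv_pct, threshold=70.0):
    """Methods-section rule: TSV at or above the 70 % cutoff -> repair/maintain,
    otherwise -> scrapping candidate (subject to risk reassessment)."""
    return "maintain" if tsv_pct >= threshold else "scrap"

def assess(devices=DEVICES, beneficial=BENEFICIAL):
    """Entropy weights -> TOPSIS and SAW scores -> TSV -> decision, per device."""
    matrix = [devices[d] for d in devices]
    w = entropy_weights(matrix)
    rc = topsis(matrix, w, beneficial)
    l = saw(matrix, w, beneficial)
    t = tsv(rc)
    return {d: {"RC": r, "L": s, "TSV": x, "decision": decide(x)}
            for d, r, s, x in zip(devices, rc, l, t)}

if __name__ == "__main__":
    print("FMEA RPN ties:", rpn_ties(FMEA_RATINGS))
    for dev, res in sorted(assess().items(), key=lambda kv: -kv[1]["RC"]):
        print(dev, res)
```

CHEM-02 and CHEM-03 receive the same conventional RPN (24) but distinct RC values, which is the tie-breaking effect the paper attributes to TOPSIS.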

Machine learning classifiers

Machine learning techniques, either supervised or unsupervised, are widely utilized to classify different forms of data. ML identifies patterns in the input data that can be used to make informed decisions, and it is an especially effective technique for predicting outcomes. Building a model that captures the relationships yielding the strongest out-of-sample predictions involves recognizing patterns or relationships in a sample of data: to find the strongest predictors, the model is run several times on subsamples of the data and then tested on other subsamples [28]. In practice, many classifiers are employed for various classification tasks, disease diagnosis being one example [28,29]. One advantage of supervised ML algorithms in classification is their ability to operate on non-parametric data regardless of the type of relationship among the variables [30]. The Support Vector Machine (SVM), Decision Tree (DT), Naïve Bayes (NB), Random Forest (RF), K-Nearest Neighbor (K-NN), and Artificial Neural Network (ANN) are the most common classifiers in this category [30]. The K-NN is a simple and fast algorithm that is particularly suited to multimodal classes. The NB algorithm is easy to implement for predicting discrete and continuous data; it also requires less training data and is not influenced by non-contributing features. The SVM can achieve reliable performance with small-scale data. A decision tree tends to find locally rather than globally optimal solutions; the random forest algorithm was introduced to overcome this shortcoming. The ANN mimics the human brain in data processing and analysis, with the interactions among neurons controlling the input–output relationship [31]. As far as the authors know, ML algorithms have rarely been applied to classify the risk level of MLE, so no comparative studies present specific ML classifiers for comparison. The study therefore adopted five distinct ML classifiers, K-NN, SVM, NB, RF, and ANN, to classify the output of the best MCDM model, based on the applicability of these classifiers.

Typically used in supervised machine learning, SVM is a classifier that constructs an appropriate hyperplane separating the distinct classes [29]. The classification principle of the K-NN is that related objects tend to lie near one another [29]. Random forest is an ensemble model of decision trees in which the dataset is split to minimize variability: each tree draws a random training sample, a subset of variables is then randomly chosen per tree, and finally the individual trees are combined into a random forest that classifies by voting [30]. NB is a simple probabilistic classifier that relies on the probabilities of the inputs under the assumption that they are independent [32]; despite its simplicity, it is widely applied in various areas. The ANN is composed of many highly connected units called neurons, arranged in a specific architecture to solve a problem. The network comprises three layers: input, hidden, and output. Every connection carries a weight that is assigned during training of the neurons [31].

To evaluate the performance of SVM, K-NN, RF, NB, and ANN, a set of evaluation metrics was applied, as presented in Eqs. (15)–(18): accuracy, recall, precision, and F1-score [33,34]. Here TP denotes true positives, TN true negatives, FP false positives, and FN false negatives.

Results

A set of MLEs was selected to test the methodology that integrates the FMEA, the TOPSIS, and the SAW. Data for 150 MLEs were gathered from real laboratory records of 15 different Egyptian hospitals, divided equally among 50 centrifuge devices, 50 hematology analyzers, and 50 chemistry analyzers. The data were collected between January 2020 and December 2020, spanning a full year. The small size of the dataset is due to a lack of documentation at some hospitals and to the fact that not all targeted hospitals responded to the data request.

FMEA results

Five professionals from five public hospitals in Egypt developed the FMEA model. The P, S, and D parameters are first assigned on a scale of 1 to 5 throughout the questionnaire. Subsequently, the average of each parameter for each of the five criteria yields the P, S, and D scores. A data sample comprising four chemistry analyzers is presented as an example of the FMEA implementation. Table 4 shows the P, S, and D grades according to the experts' ratings. On the other hand, the RPN and the average values of complaints (C1), QC (C2), PM (C3), CM (C4), and MRT hours (C5) are determined individually. Table 5 shows only the number of preventive maintenance actions as a sample; the other four parameters are calculated exactly as in Table 5. The highest RPN among the five parameters is taken as the equipment's RPN score. Table 6 illustrates the RPN calculations for the sample under investigation.

TOPSIS results

The TOPSIS technique was used to address the duplicate-RPN issue that arises with the FMEA. First, the entropy method yielded the weights of the employed criteria as described in the "Entropy method" section. The criteria are categorized as beneficial and non-beneficial. The beneficial criteria are the QC count and the PM count, with resultant weights of 0.143939791 and 0.224379498, respectively. The non-beneficial criteria are the CM count, the complaint count, and the MRT in hours, with weights of 0.268065177, 0.248527193, and 0.115088341, respectively. By applying the TOPSIS stages described in the "TOPSIS method" section, the new P, S, D, and RPN are computed. Table 7 presents the resultant RPN based on the displayed P, S, and D for the chemistry analyzer sample.

SAW results

The SAW method was also used to overcome the problem of repeated RPNs arising from the FMEA method. As with the TOPSIS method, new RPNs were calculated for each MLE using the entropy weights, and all alternatives were ranked by the calculated RPN. Table 8 shows the new RPNs obtained by applying the SAW method to the chemistry analyzers.

As noted in Table 8, the results of the SAW method were less satisfactory than those of the TOPSIS method. For this reason, only the TOPSIS results were carried forward to the next stage, in which ML classifiers are applied to classify the risk level of the MLEs.

Machine learning classifiers results

Machine learning classifiers were applied to the TOPSIS output to classify each MLE into three classes: stable, maintenance, and scrapping. Two scenarios were run for this purpose: using the TOPSIS output directly, and using the TSV values. Because of the small size of the data, fivefold cross-validation was carried out for both scenarios. In the first scenario, the five classifiers were applied to the TOPSIS output of the 150 MLEs without mapping it to TSV values, as shown in Table 9. It is worth mentioning that the TOPSIS results were labeled for training purposes by two experts from different hospitals. The feature vectors given to all classifiers comprise the five criteria (C1–C5) plus the RPN value in the first scenario and the TSV value in the second scenario.

In the second scenario, all ML classifiers were applied to devices whose TSV is less than or equal to 70%, and each classifier assigned the device to one of two classes: replacement and scrapping. WEKA, an open-source platform released under a public license for developing and applying machine learning algorithms, with visual tools for data processing and visualization, was used for implementation (version 3.8.6). The performance metrics for the second scenario are presented in Table 10. In the proposed algorithms, K was set to 3 for K-NN, a linear kernel function was used for SVM, and 6 trees were selected for training the RF. As shown in Tables 9 and 10, the RF algorithm yields the best classification results in both scenarios.

According to the classification results, each device under investigation is placed in one of three categories: stable device, replacement required, and scrapping or risk reassessment. For the dataset of 150 MLEs, the RF results for the second scenario revealed that 54 devices (36%) would be stable, 75 devices (50%) would be serviceable, and 21 devices (14%) would be scrapped (those with TSV ≥ 70%), as shown in Fig. 2. In summary, Table 11 provides an overview of the raw data of an MLE sample along with the categorization status obtained.

Figure 2: Classification results of total MLE after applying the TOPSIS and RF models.

Discussion

The study presented three methods for evaluating the risk number of MLE, a number that is used to determine the priority of maintenance and risk reduction. The three methods applied were the FMEA, the TOPSIS, and the SAW. The shortcomings of typical FMEA were alleviated using TOPSIS and SAW, which avoid repeated RPNs. However, TOPSIS demonstrated better performance than the SAW method, leading to its adoption. Consequently, the TOPSIS technique gives each MLE a distinct RPN, leading to greater consistency in outcomes. With the FMEA, identical RPN values are observed. For hematology analyzers, for instance, devices 11 and 15 are both ranked first and have the same RPN. Devices 5 and 7 in the chemistry analyzer category are ranked ninth and share the same RPN. Among the centrifuge analyzers, devices 9 and 27 are placed 34th and have identical RPNs, even though the number of complaints differs for all of them.

To prevent this issue, the TOPSIS technique was used. For example, for hematology analyzers, device 11 is ranked first, while device 15 is ranked 16th. For chemistry analyzers, devices 5 and 7 are ranked 15th and 23rd, respectively. Similarly, centrifuge analyzers 9 and 27 have different RPN values and consequently different rankings: 3 for device 9 and 41 for device 27. Besides that, applying ML classifiers is a robust solution for categorizing the MLE into discard and scrapping/risk reassessment classes. For this, two scenarios were run: one using the TSV values and the other using the TOPSIS result directly. According to the results, using the TSV values yielded robust performance. This solution was applied only to risky MLEs, as determined by the calculated TSV percentage. As a result, three categories of MLE are presented in the study. The RF classifier produced the best classification results, as shown in Table 10, which can be interpreted as evidence of the reliability of RF when training on small databases. RF is also appropriate for handling a mixture of categorical and numerical features [34], and it sometimes works out of the box (Supplementary information).

According to the results of the paradigm, 36% of the devices are stable, and 50% of them require service or risk reassessment. For model validation, two professionals with twelve years of combined experience were asked to assess a total of 86% of the devices as either stable or serviceable. Based on the given criteria for the investigated devices, they classified the devices into 68 stable devices (46%) and 61 serviceable devices (40%). Comparing the paradigm's results with the experts' results shows how accurately the paradigm classifies the MLEs. Furthermore, the paradigm enlarges the margin of serviceable MLEs by 10%, which improves the safety of the selected MLEs.

Since the problem addressed has received little attention in the literature, few articles could be used for benchmarking. Compared with prior studies, our study's objective is similar to that of Sally et al. [14], but it differs in methodology and in the type of medical equipment. Although our study is related to Vahdani et al. [15] in methodology, they employed fuzzy TOPSIS instead of standard TOPSIS, and their application was steel production, not medical devices.

Conclusions

The study concerns risk assessment in medical laboratory equipment management using two distinct methodologies: the MCDM approach, in the forms of the TOPSIS and the SAW, and the risk analysis tool, the FMEA. The drawbacks of the FMEA are resolved by TOPSIS and SAW, with TOPSIS performing best. A unique RPN is generated for each piece of equipment to identify its risk priority. The ranking of the MLE list is rational with respect to the equipment's raw data and guides the decision-maker toward the proper next action; for example, the maintenance and scrapping phases are investigated for further improved strategies. For this reason, machine learning classifiers were applied to distinguish risky devices as either reusable or disposable, and the RF classifier was approved as robust for solving this problem. The proposed criteria also reflected their significance in identifying the risk priority of the MLE. Some criteria are highlighted because they affect risk levels, such as complaint registration and quality control recording. Accordingly, quality control must be performed on the devices continuously, complaints must be responded to within 48 h, and PM should be carried out at least four times a year. Future work will encompass the use of Evaluation based on Distance from Average Solution (EDAS) as an alternative MCDM paradigm. Furthermore, additional criteria, such as mean time between failures, downtime, and failure rate, could be examined. More devices from different types of MLE should also be placed under investigation, and other machine learning classifiers could then be tested.

Data availability

All data generated or analyzed during this study are included in this published article [and its supplementary information files].

References

1. Saleh, N., Gamal, O., Eldosoky, M. A. & Shaaban, A. R. A technique of risk management for medical laboratory equipment. In The International Congress on Human-Computer Interaction, Optimization and Robotic Applications (HORA) (IEEE, 2022).

2. Parand, F. A., Tavakoli-Golpaygani, A. & Rezvani, F. Medical device risk assessment based on ordered weighted averaging aggregation operator. J. Biomed. Phys. Eng. 11(5), 621 (2021).

3. Liu, H. C., You, J. X., Fan, X. J. & Lin, Q. L. Failure mode and effects analysis using D numbers and grey relational projection method. Expert Syst. Appl. 41(10), 4670–4679 (2014).

4. Saleh, N., Gaber, M. N., Eldosoky, M. A. & Soliman, A. M. Vendor evaluation platform for acquisition of medical equipment based on multi-criteria decision-making approach. Sci. Rep. 13, 1–11 (2023).

5. Muhammad, R. et al. Application of interval valued fuzzy soft max-min decision making method. Int. J. Math. Res. 9(1), 11–19 (2020).

6. Bi, Y., Lai, D. & Yan, H. Synthetic evaluation of the effect of health promotion: impact of a UNICEF project in 40 poor western counties of China. Public Health 124(7), 376–391 (2010).

7. Kuo, R. J., Wu, Y. H. & Hsu, T. S. Integration of fuzzy set theory and TOPSIS into HFMEA to improve outpatient service for elderly patients in Taiwan. J. Chin. Med. Assoc. 75(7), 341–348 (2012).

8. Im, K. & Cho, H. A systematic approach for developing a new business model using morphological analysis and integrated fuzzy approach. Expert Syst. Appl. 40(11), 4463–4477 (2013).

9. Li, P., Qian, H., Wu, J. & Chen, J. Sensitivity analysis of TOPSIS method in water quality assessment: I. Sensitivity to the parameter weights. Environ. Monitor. Assess. 185, 2453–2461 (2013).

10. Krohling, R. A. & Campanharo, V. C. Fuzzy TOPSIS for group decision making: A case study for accidents with oil spill in the sea. Expert Syst. Appl. 38(4), 4190–4197 (2011).

11. Li, P., Wu, J. & Qian, H. Groundwater quality assessment based on rough sets attribute reduction and TOPSIS method in a semi-arid area, China. Environ. Monitor. Assess. 184, 4841–4854 (2012).

12. Behzadian, M., Otaghsara, S. K., Yazdani, M. & Ignatius, J. A state-of-the-art survey of TOPSIS applications. Expert Syst. Appl. 39(17), 13051–13069 (2012).

13. Kim, Y., Chung, E. S., Jun, S. M. & Kim, S. U. Prioritizing the best sites for treated wastewater instream use in an urban watershed using fuzzy TOPSIS. Resour. Conserv. Recyc. 73, 23–32 (2013).

14. Ghanem, S. M., Abdel Wahed, M. & Saleh, N. Automated risk control in medical imaging equipment management using cloud application. J. Healthc. Eng. 2018, 1–8 (2018).

15. Vahdani, B., Salimi, M. & Charkhchian, M. A new FMEA method by integrating fuzzy belief structure and TOPSIS to improve risk evaluation process. Int. J. Adv. Manuf. Technol. 77, 357–368 (2015).

16. Bastawi, A. M., Sayed, A. M. & Eldosoky, M. A. A dynamic system based model for reducing medical laboratory turnaround time in developing countries. J. Clin. Eng. 45(2), 123–127 (2020).

17. Zhao, X. & Bai, X. The application of FMEA method in the risk management of medical device during the lifecycle. In 2010 2nd International Conference on E-business and Information System Security (IEEE, 2010).

18. Deng, Y. Deng entropy. Chaos Solitons Fractals 91, 549–553 (2016).

19. Gaber, M. N., Saleh, N., Eldosoky, A. M. & Soliman, A. M. An automated evaluation system for medical equipment based on standardization. In 2020 12th International Conference on Electrical Engineering (ICEENG) (IEEE, 2020).

20. Hamza, N., Majid, M. A. & Hujainah, F. Sim-pfed: A simulation-based decision making model of patient flow for improving patient throughput time in emergency department. IEEE Access 9, 103419–103439 (2021).

21. Saleh, N. & Salaheldin, A. M. A benchmarking platform for selecting optimal retinal diseases diagnosis model based on a multi-criteria decision-making approach. J. Chin. Inst. Eng. 45(1), 27–34 (2022).

22. Vujičić, M. D., Papić, M. Z. & Blagojević, M. D. Comparative analysis of objective techniques for criteria weighing in two MCDM methods on example of an air conditioner selection. Tehnika 72(3), 422–429 (2017).

23. Zhang, X., Li, Y., Ran, Y. & Zhang, G. A hybrid multilevel FTA-FMEA method for a flexible manufacturing cell based on meta-action and TOPSIS. IEEE Access 7, 110306–110315 (2019).

24. Zheng, H. & Tang, Y. Deng entropy weighted risk priority number model for failure mode and effects analysis. Entropy 22(3), 1–15 (2020).

25. Adalı, E. A. & Tuş, A. Hospital site selection with distance-based multi-criteria decision-making methods. Int. J. Healthc. Manag. 14(2), 534–544 (2021).

26. Chakraborty, S. TOPSIS and modified TOPSIS: A comparative analysis. Decis. Anal. J. 2, 100021 (2022).

27. Osman, A. M., Al-Atabany, W. I., Saleh, N. S. & El-Deib, A. M. Decision support system for medical equipment failure analysis. In 2018 9th Cairo International Biomedical Engineering Conference (CIBEC) (IEEE, 2018).

28. Saleh, N., Yacoub, K. M. & Salaheldin, A. M. Machine learning-based paradigm for diagnosis of gestational diabetes. In 3rd IEEE International Conference on Electronic Engineering, Menoufia University (ICEEM) (IEEE, 2023).

29. Saleh, N., Abdel-Wahed, M. & Salaheldin, A. M. Computer-aided diagnosis system for retinal disorder classification using optical coherence tomography images. Biomed. Eng./Biomedizinische Technik 67(4), 283–294 (2022).

30. Van Liebergen, B. Machine learning: A revolution in risk management and compliance? J. Financ. Transf. 45, 60–67 (2017).

31. Sheth, V., Tripathi, U. & Sharma, A. A comparative analysis of machine learning algorithms for classification purpose. Procedia Comput. Sci. 215, 422–431 (2022).

32. Van der Heide, E. M. M. et al. Comparing regression, naive Bayes, and random forest methods in the prediction of individual survival to second lactation in Holstein cattle. J. Dairy Sci. 102(10), 9409–9421 (2019).

33. Saleh, N., Abdel Wahed, M. & Salaheldin, A. M. Transfer learning-based platform for detecting multi-classification retinal disorders using optical coherence tomography images. Int. J. Imaging Syst. Technol. 32(3), 740–752 (2022).

34. Olaniran, O. R. & Abdullah, M. A. Bayesian weighted random forest for classification of high-dimensional genomics data. Kuwait J. Sci. 50(4), 477–484 (2023).

Download references

Open access funding provided by The Science, Technology & Innovation Funding Authority (STDF) in cooperation with The Egyptian Knowledge Bank (EKB).

Author information

Authors and affiliations

Electrical Communication and Electronic Systems Engineering Department, Faculty of Engineering, October University for Modern Sciences and Arts (MSA), 6th of October City, Giza, Egypt

Neven Saleh

Systems and Biomedical Engineering Department, Higher Institute of Engineering, Shorouk Academy, Al Shorouk City, Cairo, Egypt

Neven Saleh & Abdel Rahman Shaaban

Biomedical Engineering Department, Faculty of Engineering, Helwan University, Cairo, Egypt

Omnia Gamal & Mohamed A. A. Eldosoky


Contributions

N.S. contributed to supervision, study plan, results analysis, implementation, Fig. 1 portrayal, and article writing and reviewing. O.G. contributed to the study plan, literature review, survey conduct, methodology implementation, and results analysis and interpretation. M.A.A.E. contributed to the study plan, supervision, and article reviewing. A.S. contributed to the study plan, methodology implementation, and results analysis.

Corresponding author

Correspondence to Neven Saleh .

Ethics declarations

Competing interests

The authors declare no competing interests.

Additional information

Publisher's note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Supplementary Information

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/ .


About this article

Cite this article

Saleh, N., Gamal, O., Eldosoky, M.A.A. et al. An integrative approach to medical laboratory equipment risk management. Sci Rep 14 , 4045 (2024). https://doi.org/10.1038/s41598-024-54334-z


Received : 28 November 2023

Accepted : 12 February 2024

Published : 19 February 2024

DOI : https://doi.org/10.1038/s41598-024-54334-z


  • Risk management
  • Machine learning
  • Medical laboratory
  • Multi-criteria decision-making


Assigning Authentication Risk Levels, the Problem with the Traditional Approach


All these different types of employees carry different levels of risk. As the individual responsible for managing all these employees as IT users, it’s up to you to determine those different levels of risk and ensure appropriate security is in place to keep your corporate assets and data protected.

But how do you know the appropriate level of risk for any given employee?

How Risk Level is Traditionally Assigned

Many Identity and Access Management (IAM) vendors suggest assigning entitlements and roles to users. Both entitlements and roles make identity and access management easier.

Entitlements are the privileges needed for an individual to do his or her job. These could include application or system accounts, groups, privileges, or specific business views. In essence, entitlements are the technology or “access” aspect of identity and access management.

Roles are the human or “identity” aspect of identity and access management. They are used to put a descriptive label on the responsibilities of an individual. They are often based on the department of an employee—roles for those in accounting or marketing or HR. An example of a role would be Marketing Manager APAC, or, to get even more defined, Sales Associate North America Weekends.

When identifying the risk associated with an individual, each entitlement and role is assigned a point value. An accounting role has a certain number of points, a Salesforce.com entitlement has a certain number of points, and so on.

An employee’s overall risk level is the sum of the points on his or her entitlements and roles. That total is then mapped onto a tier structure the organization has set, such as:

  • 0 - 100 points: LOW RISK
  • 101 - 200 points: MEDIUM RISK
  • 201 - 300 points: HIGH RISK

An organization could define more or fewer tiers and use narrower or wider point ranges, but the overall concept holds.

Drawbacks to the Traditional Method

The main drawback to the Traditional Method of assigning risk to users is that the point sums don’t capture the full picture and can be misleading.

Using the point system listed above, suppose Melanie, an entry-level HR analyst, holds roles and entitlements that together total 20 points, plus one more entitlement: access to the organization’s employment software, which lists individualized data for each employee, including salary and social security number. That entitlement carries a 75-point value.

Melanie’s total is 95 points, which puts her in the LOW tier, yet a single entitlement accounts for 79% of those points and is itself very high risk. The sum hides this: her actual risk level is higher than the total suggests. Even one high-risk entitlement can mean an employee should be treated as a high-risk employee.

Taking a Better Approach

When classifying risk, your organization must account for anomalies like the one above, where a single entitlement or role carries most of the risk. Rather than adding up an employee’s points, we advocate a more modern approach: assign the employee the highest risk level given to any of his or her roles or entitlements. Because the result is driven by the riskiest access the employee holds, rather than by how many low-risk items sit beside it, one high-risk entitlement is never diluted by the rest.
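The two scoring methods side by side, as an added example that is not part of the original post or of any vendor product. It applies the post’s point bands (0-100 LOW, 101-200 MEDIUM, 201-300 HIGH) and the Melanie scenario; how her 20 “ordinary” points are split across grants, the per-grant risk levels, and the second user (Omar, who shows the opposite distortion: many low-risk grants whose points add up to MEDIUM) are all constructed assumptions.

```python
"""Added example: user risk tiering by point sum versus highest grant level."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Sequence, Tuple


class Risk(IntEnum):
    """Ordered so that max() selects the most severe level."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Grant:
    """A role or entitlement held by a user.

    points: weight consumed by the traditional point-sum method.
    level:  risk level rated on the grant itself, consumed by the max-level method.
    """
    name: str
    points: int
    level: Risk


# Point bands from the post as (inclusive upper bound, tier).
# Anything above the last band is treated as the top tier.
SUM_TIERS: Sequence[Tuple[int, Risk]] = (
    (100, Risk.LOW),
    (200, Risk.MEDIUM),
    (300, Risk.HIGH),
)


def total_points(grants: Iterable[Grant]) -> int:
    return sum(g.points for g in grants)


def tier_by_sum(grants: Iterable[Grant], tiers=SUM_TIERS) -> Risk:
    """Traditional method: add every grant's points and look up the band."""
    total = total_points(grants)
    for upper, tier in tiers:
        if total <= upper:
            return tier
    return tiers[-1][1]


def tier_by_max(grants: Iterable[Grant]) -> Risk:
    """Max-level method: the user is as risky as the riskiest grant they hold."""
    levels = [g.level for g in grants]
    return max(levels) if levels else Risk.LOW


def dominant_share(grants: Sequence[Grant]) -> float:
    """Fraction of the point total carried by the single heaviest grant.
    A high value is the warning sign the post describes for Melanie."""
    total = total_points(grants)
    return max(g.points for g in grants) / total if total else 0.0


# Constructed users (assumptions, not data from the post).
MELANIE = (
    Grant("role:HR Analyst", 10, Risk.LOW),
    Grant("app:email", 5, Risk.LOW),
    Grant("app:ticketing", 5, Risk.LOW),
    Grant("app:employment system (salary, SSN)", 75, Risk.HIGH),
)
# 25 low-risk tools at 5 points each: the sum drifts into MEDIUM on volume alone.
OMAR = tuple(Grant(f"app:internal-tool-{i}", 5, Risk.LOW) for i in range(25))


def compare(grants: Sequence[Grant]) -> dict:
    """Both verdicts for one user, plus the concentration of points."""
    return {
        "points": total_points(grants),
        "by_sum": tier_by_sum(grants).name,
        "by_max": tier_by_max(grants).name,
        "dominant_share": round(dominant_share(grants), 2),
    }


if __name__ == "__main__":
    for who, grants in (("Melanie", MELANIE), ("Omar", OMAR)):
        print(who, compare(grants))
```

Melanie comes out LOW by sum and HIGH by max, with one grant carrying 79% of her points; Omar comes out MEDIUM by sum and LOW by max. The `dominant_share` figure is a cheap check to run over an existing point-sum deployment before switching methods: users whose total is dominated by one grant are the ones the sum is misclassifying.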

Our guidebook, Assigning Risk Levels & Choosing Authentication Policies , further explains this approach and how to select the best ways to secure your organization’s users. Download it now to learn more about assigning risk levels, as well as which authentication methods are best for which level of risk.


© 2024 Copyright Identity Automation. All Rights Reserved.

  • Privacy Policy
  • Terms of Use

assigning risk levels
