Glossary Term

Risk Assessment Matrix

The structured tool that translates risk principles into comparable scoring across decisions — severity, probability, detectability mapped to action thresholds, calibrated to the firm's specific processes.

Risk matrices are how Q9(R1) principles meet practical decisions. Done well, they make risk evaluation consistent and decisions defensible. Done poorly, they produce false comparability between unrelated events and disguise judgment as calculation.

Risk assessment matrix showing severity × probability scoring with acceptance thresholds and action requirements

What a risk assessment matrix is

A risk assessment matrix is a structured tool that turns risk principles into comparable scoring across decisions. The matrix combines risk factors — typically severity (how serious the consequence), probability or likelihood (how likely the event), and sometimes detectability (how likely the event would be caught if it occurred) — into a risk score that maps to action thresholds: acceptable, requires mitigation, requires immediate action.

The matrix is what makes risk-based decision-making operationally consistent. Without a defined matrix, every assessor produces their own judgment about whether something is high or low risk. With one, scoring is at least nominally comparable across assessments and across assessors. The benefit is consistency. The risk is false comparability if the matrix isn't well-designed or well-applied.

Risk matrices appear across the regulated quality system: change impact assessment, CAPA evaluation, deviation severity classification, supplier risk tiering, validation depth determination, audit scheduling, periodic review prioritisation. ICH Q9(R1) (2023) is the principal pharmaceutical-side reference for the underlying risk principles. ISO 14971:2019 is the device-side equivalent for product risk.

The matrix doesn't make the decision

A risk matrix produces a score. The decision (accept, mitigate, escalate) is made by people interpreting that score. Programs that treat the matrix as automating the decision tend to produce findings where the score said one thing but the actual situation needed another. The matrix supports judgment. It doesn't replace it.

Why matrix quality drives risk-based program credibility

Inspectors increasingly read risk matrices the way they read root cause analyses — looking for evidence the assessor actually thought about the risk, not just filled in the boxes. The 2023 ICH Q9(R1) revision sharpened expectations on exactly this point. Pure-numerical scoring without documented rationale, identical scores across distinct items, generic matrices that don't tie to firm reality — all increasingly cited as evidence that risk-based decision-making is paperwork rather than discipline.

There's a behavioural failure mode that's worth naming. Programs with weak matrix discipline tend to develop a pattern where the assessor scores to the conclusion they want rather than from the evidence. If a change request 'needs' to be minor for timeline reasons, the impact assessment scores it minor. If a supplier issue 'shouldn't' trigger major action, the risk evaluation scores it lower. The matrix becomes a justification tool rather than a decision tool. Inspectors find this pattern through inconsistency analysis — comparing scores across similar items.

The downstream consequence is real. Matrices that aren't calibrated to firm reality produce decisions that don't match the actual risk. Severity scales designed against generic descriptors ('catastrophic / major / moderate / minor / negligible') without operational anchors mean different assessors interpret them differently. Probability scales using generic frequencies ('rare / unlikely / possible / likely / almost certain') without firm-specific data mean scoring is closer to guessing than to evidence.

Inspector perspective: two things are usually checked first. Is the matrix itself calibrated to the firm — do severity descriptors mean something in this firm's context, or are they generic? Then consistency: are three similar items scored the same way? If similar items score very differently with no documented rationale for the divergence, the matrix is being used to justify rather than to decide.

Where risk matrix expectations come from

Risk matrix use is implicit in quality risk management requirements:

  • ICH Q9(R1) (Step 4 reached January 2023; regional implementation followed): the principal QRM framework. R1 specifically addresses subjectivity in scoring, bias awareness, and the need for documented rationale per score. Most direct reference on matrix discipline.
  • ICH Q9 Annex I: lists common QRM methods and tools including FMEA, FMECA, FTA, HACCP, HAZOP, PHA, and risk ranking and filtering. Risk matrices are the scoring component of most of these. (Annex II lists potential applications of QRM across the quality system.)
  • EU GMP Annex 20: adopts ICH Q9 into EU GMP.
  • EU GMP Chapter 1 §1.13: QRM as a quality system element; matrices are the practical tool.
  • EU GMP Annex 15 §1: risk-based validation; matrices drive validation depth determination.
  • 21 CFR Part 211: contains no explicit QRM clause. FDA issues ICH Q9 and Q9(R1) as guidance for industry, so risk-based justifications under Part 211 are read against Q9 principles.
  • 21 CFR §820.30(g): design validation "shall include software validation and risk analysis, where appropriate"; the regulation itself does not name ISO 14971. The 2024 QMSR final rule replaces Part 820's requirements with ISO 13485:2016 incorporated by reference, effective 2 February 2026.
  • ISO 14971:2019: medical device risk management standard. Includes risk evaluation matrix concepts.
  • ISO 13485 §7.1: planning of product realisation includes risk management; matrices are the practical tool.
  • EU MDR Annex I §3: risk management as a continuous iterative process throughout the lifecycle.
  • WHO TRS 981, Annex 2: WHO QRM guidance.
  • ICH Q12: post-approval changes use risk-based categories determined through matrix-based assessment.
  • FDA Computer Software Assurance guidance for production and quality system software (draft September 2022; finalised September 2025): risk-based CSA approach uses matrix-style classification for test scope determination.
  • GAMP 5 (Second Edition, 2022): GAMP category framework is a risk classification tool; matrices drive validation depth.

What a working risk matrix program contains

A defensible risk matrix program shares a common shape:

  • Methodology document as controlled record. Matrix design, scales, scoring rules, acceptance thresholds, and decision authority captured in a controlled SOP. Periodically reviewed; updated when expectations or firm reality change.
  • Calibrated severity scale. Severity descriptors mean something in the firm's context. 'Critical' anchored to patient harm potential or regulatory action; 'major' to batch loss or significant rework; 'minor' to operational impact. Not generic abstractions.
  • Calibrated probability scale. Probability descriptors anchored to actual firm-specific frequencies where data exists. 'Very likely' might mean more than once per year in this firm's data; 'unlikely' might mean once per decade. Where data doesn't exist, the scale acknowledges that and uses ranges with rationale.
  • Detectability scale where used. If 3-factor matrix, detectability anchored to actual firm detection capability — automated controls vs human-observed vs final-test-only.
  • Documented action thresholds. Defined score ranges map to action requirements: low = acceptable, no action; medium = mitigation required; high = immediate action with senior management involvement. Thresholds documented per matrix use case.
  • Decision authority per threshold. Who can accept low-risk decisions vs medium vs high. Documented and enforced through the workflow approval routing.
  • Per-score rationale captured. Under Q9(R1), each score carries documented reasoning — why severity 4 not 3? What evidence supports the probability score? Without rationale, scores are unfalsifiable and unreviewable.
  • Cross-functional input for significant assessments. Multi-disciplinary review reducing single-perspective bias.
  • Periodic methodology review. The matrix itself is reviewed periodically, typically annually, to confirm scales still match firm reality and that thresholds still drive appropriate action.
  • Risk reassessment on trigger. Risk scores aren't static. Events, new data, regulatory changes, organisational changes trigger reassessment. 'Static risk score' is a finding pattern.
  • Application across QMS workflows. Same methodology (or methodology family) applied to change impact, CAPA, deviation, supplier, validation. Consistency keeps scoring comparable.
  • Training on matrix use. Assessors trained on methodology, bias awareness under Q9(R1), and the specific scales in use.
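The shape described above is easier to see in code. The following is an added example, not Complere's implementation and not any firm's real scale: a 2-factor matrix with hypothetical severity and probability anchors, a lookup table instead of a simple severity times probability product, action thresholds, acceptance authority per threshold, and a refusal to accept a number entered without rationale. The anchors, frequency bands, authority names and the 20-character rationale floor are all assumptions made for the example.

```python
"""Worked 2-factor risk matrix: calibrated scales, lookup-table scoring,
action thresholds and acceptance authority. Added example; every anchor,
band and authority level here is hypothetical, not a firm's real scale."""
from dataclasses import dataclass

# Severity anchored to consequences that mean something operationally
# (hypothetical anchors, constructed for this example).
SEVERITY = {
    1: "negligible: no product or process impact",
    2: "minor: operational impact only; batch unaffected",
    3: "moderate: investigation or rework; batch still releasable",
    4: "major: batch loss or significant rework",
    5: "critical: potential patient harm or regulatory action",
}
# Probability anchored to (hypothetical) site frequency data, not adjectives.
PROBABILITY = {
    1: "rare: not seen in site data; less than once per ten years",
    2: "unlikely: once per five to ten years",
    3: "possible: once per one to five years",
    4: "likely: one to three times per year",
    5: "very likely: more than three times per year",
}
# Lookup table rather than a severity x probability product. Rows are
# severity 1..5, columns probability 1..5. The table can say that severity 5
# is never 'low' however rare, which a product score cannot express.
MATRIX = [
    ["low",    "low",    "low",    "low",    "low"],     # S1
    ["low",    "low",    "low",    "medium", "medium"],  # S2
    ["low",    "low",    "medium", "medium", "high"],    # S3
    ["low",    "medium", "medium", "high",   "high"],    # S4
    ["medium", "high",   "high",   "high",   "high"],    # S5
]
ACTION = {
    "low": "acceptable; document rationale and close",
    "medium": "mitigation required before closure",
    "high": "immediate action; senior management review",
}
AUTHORITY = {"low": "process owner", "medium": "QA", "high": "site head and QA"}
MIN_RATIONALE_CHARS = 20  # hypothetical floor; real review judges content, not length


@dataclass(frozen=True)
class Score:
    severity: int
    probability: int
    severity_rationale: str = ""
    probability_rationale: str = ""


class IncompleteAssessment(ValueError):
    """A number was entered without the reasoning Q9(R1) expects behind it."""


def evaluate(score: Score) -> dict:
    """Map a scored item to its risk level, required action and acceptance authority."""
    for name, value, scale in (("severity", score.severity, SEVERITY),
                               ("probability", score.probability, PROBABILITY)):
        if value not in scale:
            raise ValueError(f"{name} {value} is outside the calibrated 1-5 scale")
    for name, text in (("severity", score.severity_rationale),
                       ("probability", score.probability_rationale)):
        if len(text.strip()) < MIN_RATIONALE_CHARS:
            raise IncompleteAssessment(f"{name} score {getattr(score, name)} has no documented rationale")
    level = MATRIX[score.severity - 1][score.probability - 1]
    return {"level": level, "action": ACTION[level], "accept_authority": AUTHORITY[level]}


def product_level(severity: int, probability: int) -> str:
    """The naive alternative: S x P banded into low/medium/high. Kept only for contrast."""
    product = severity * probability
    return "low" if product <= 5 else "medium" if product <= 14 else "high"


def false_comparability_demo() -> dict:
    """Two items with the same S x P product (5) that the calibrated table separates."""
    rare_critical = Score(
        5, 1,
        "Sterility failure on a parenteral batch meets the firm's patient-harm anchor.",
        "No occurrence in twelve years of site data; two related near-miss deviations on record.",
    )
    frequent_trivial = Score(
        1, 5,
        "Cosmetic label smudge with no effect on product, identity or traceability.",
        "Seen on most packaging runs in the last two years of line data.",
    )
    return {
        "product_levels": (product_level(5, 1), product_level(1, 5)),
        "table_levels": (evaluate(rare_critical)["level"], evaluate(frequent_trivial)["level"]),
    }


if __name__ == "__main__":
    print(false_comparability_demo())
```

The contrast to look at is in false_comparability_demo: a rare critical event and a frequent trivial one both multiply to 5 and land in the same band under product scoring, while the calibrated table separates them. That is the false comparability the definition warns about, and it is why many programs use a table with a severity override rather than a multiplied score. The same product problem applies to FMEA's RPN, where S × O × D can be identical for very different failure modes.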

What strong risk matrix programs do

The patterns that hold up at inspection:

  • Methodology document controlled. Versioned, approved, periodically reviewed.
  • Calibrated to firm reality. Severity, probability, and detectability scales anchored to firm-specific context.
  • Documented action thresholds. Score-to-action mapping explicit.
  • Decision authority defined. Per threshold; enforced through workflow.
  • Per-score rationale captured. Under Q9(R1) — narrative supporting numerical score.
  • Cross-functional input for significant items. Multi-disciplinary review.
  • Periodic methodology review. Annual or trigger-based.
  • Risk reassessment on trigger. Events, new data, regulatory changes.
  • Application across QMS consistent. Same methodology family across workflows.
  • Training on matrix use. Methodology plus bias awareness.
  • Multi-matrix where appropriate. Different matrices for different decision types if the overall framework is documented.
  • Audit trail per assessment. Scoring history captured.

The 'identical scores' inconsistency

An inspector reviews ten change requests and finds the impact assessment scores are essentially identical — same severity, same probability, same conclusion — across changes that are obviously different. The pattern signals copy-paste rather than per-item assessment; ten distinct issues carrying the same risk score suggests the matrix isn't being applied at all. The fix is per-score rationale capture: with documented reasoning on each item, copy-paste is hard to do without it being obvious.
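The inconsistency analysis an inspector performs, described in the inspector-perspective paragraph earlier and in the 'identical scores' callout above, can be run as a check over exported assessment records before an inspection does it for you. This is an added example, not Complere code; the six change-control records, their categories, scores and rationale text are constructed for illustration, and the 60 percent uniformity threshold and the score spread of 2 are assumed cut-offs.

```python
"""Inconsistency analysis over risk assessment records.
Added example, not Complere code. Records, ids, categories and rationale text
are constructed; the thresholds are assumed cut-offs, not regulatory values."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: six change-control impact assessments.
RECORDS = [
    {"id": "CC-101", "category": "HPLC method parameter change", "severity": 2, "probability": 2,
     "rationale": "Flow-rate change within validated range; no impact to specification."},
    {"id": "CC-102", "category": "HPLC method parameter change", "severity": 2, "probability": 2,
     "rationale": "Flow-rate change within validated range; no impact to specification."},
    {"id": "CC-103", "category": "HPLC method parameter change", "severity": 4, "probability": 2,
     "rationale": "Column chemistry change; revalidation required, risk of OOS during transition."},
    {"id": "CC-104", "category": "Labelling artwork update", "severity": 2, "probability": 2,
     "rationale": "Flow-rate change within validated range; no impact to specification."},
    {"id": "CC-105", "category": "Sterile filter supplier change", "severity": 2, "probability": 2,
     "rationale": ""},
    {"id": "CC-106", "category": "Sterile filter supplier change", "severity": 5, "probability": 3,
     "rationale": "New supplier not yet qualified; integrity-test data available from one lot only."},
]


def _norm(text: str) -> str:
    return " ".join(text.split()).lower()


def missing_rationale(records: list) -> list:
    """Scores with no documented reasoning at all: unreviewable under Q9(R1)."""
    return [r["id"] for r in records if not r["rationale"].strip()]


def copied_rationale(records: list) -> list:
    """Identical rationale text on records of different change categories.
    Same category plus same text is plausible (same change type); the same
    text justifying unrelated change types is the copy-paste signal."""
    found = []
    for a, b in combinations(records, 2):
        if (a["rationale"].strip() and _norm(a["rationale"]) == _norm(b["rationale"])
                and a["category"] != b["category"]):
            found.append((a["id"], b["id"]))
    return found


def divergent_without_rationale(records: list, spread: int = 2) -> list:
    """Categories where similar items score far apart and some member gives no reason."""
    groups = defaultdict(list)
    for r in records:
        groups[r["category"]].append(r)
    flagged = []
    for category, members in groups.items():
        if len(members) < 2:
            continue
        sev = [m["severity"] for m in members]
        prob = [m["probability"] for m in members]
        if max(sev) - min(sev) >= spread or max(prob) - min(prob) >= spread:
            if any(not m["rationale"].strip() for m in members):
                flagged.append(category)
    return flagged


def score_uniformity(records: list) -> dict:
    """Share of records carrying the single most common (severity, probability)
    pair, and how many distinct categories that pair spans."""
    counts = Counter((r["severity"], r["probability"]) for r in records)
    (modal, n), = counts.most_common(1)
    categories = {r["category"] for r in records
                  if (r["severity"], r["probability"]) == modal}
    return {"score": modal, "share": n / len(records), "categories": len(categories)}


def analyse(records: list, uniform_threshold: float = 0.6) -> dict:
    """Run all four checks; the 'identical scores' pattern fires when one score
    dominates the population across more than one change category."""
    uniformity = score_uniformity(records)
    return {
        "missing_rationale": missing_rationale(records),
        "copied_rationale": copied_rationale(records),
        "divergent_without_rationale": divergent_without_rationale(records),
        "identical_scores_pattern": (uniformity["share"] >= uniform_threshold
                                     and uniformity["categories"] > 1),
        "uniformity": uniformity,
    }


if __name__ == "__main__":
    for check, result in analyse(RECORDS).items():
        print(f"{check}: {result}")
```

On the constructed records the check flags CC-105 for missing rationale, CC-104 for carrying the HPLC rationale on a labelling change, the sterile filter category for a severity spread of 3 with one unexplained score, and the population as a whole for the 2 × 2 score dominating across three unrelated change types. CC-101 to CC-103 are not flagged: the one divergent score there has its own rationale, which is exactly the documented divergence an inspector accepts.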

How Complere supports risk matrix design and application

Your risk methodology is your decision. You design the matrix that fits how your firm actually thinks about risk — your severity descriptors, your probability bands, detectability if you use it, the score-to-action thresholds, and who has the authority to accept what level of risk. Complere takes that design and applies it consistently everywhere risk gets evaluated, so you aren't forced to recreate it inside every workflow.

When your team performs a risk assessment — whether it's a standalone risk record, a change impact, a CAPA evaluation, a supplier tiering, or a deviation severity call — the same matrix applies. Your assessor enters the scores with supporting rationale, the system produces the overall score, and the action threshold is identified automatically. The rationale field is there by design so the Q9(R1) expectation on documented reasoning behind every number is satisfied at the point the score is entered, not reconstructed later.

Risk items can be reassessed when something changes — a new event, fresh data, a regulator update — and the full history of how the score moved over time stays on the record. Where a risk score drives a CAPA, change, or supplier action, the link between records is held in the system, so the matrix output actually drives downstream decisions rather than sitting on a page no one revisits.

What stays your work: the calibration itself (does "critical" actually mean patient harm in your context, do your probability bands match your firm's data), the periodic methodology review, the bias-awareness training your assessors need, and the cross-functional review on the high-stakes items. The platform makes the matrix easy to apply consistently; the quality of the matrix is your quality decision.

Frequently asked questions

Common questions about Risk Assessment Matrix sourced from regulatory references and inspection patterns.

What is a risk assessment matrix?

A structured tool that turns risk principles into comparable scoring. It typically combines severity (how bad if it happens), probability (how likely to happen), and sometimes detectability (how likely to be caught if it happens) into a risk score that maps to action thresholds: acceptable, requires mitigation, requires immediate action. It's used across the regulated quality system to apply consistent decision logic to changes, deviations, CAPAs, supplier evaluations, and other risk-based decisions.

What's the difference between 2-factor and 3-factor matrices?

2-factor matrices use severity × probability (sometimes called likelihood). 3-factor matrices add detectability — the probability the risk would be caught if it occurred. FMEA typically uses 3-factor (Risk Priority Number = S × O × D). HACCP often uses 2-factor. The choice depends on whether detectability is meaningful for the decision. For laboratory data integrity, detectability matters a lot. For some manufacturing process risks, less so. ICH Q9(R1) doesn't mandate 2 or 3; the firm decides based on what's meaningful.

What changed in ICH Q9(R1) about risk matrices specifically?

Q9(R1) (Step 4, January 2023) sharpened expectations on subjectivity awareness and bias mitigation. Pure-numerical scoring without documented rationale is increasingly cited as inadequate. R1 states that subjectivity can affect every stage of a risk assessment — two assessors using the same matrix on the same hazard often produce different scores — and that programs need to address this through calibration, training, consensus-based scoring, or documented rationale per score. Matrices haven't changed. Expectations on how they're used have.

How should a matrix be designed?

Calibrated to the firm's specific processes and products. Severity scales should reflect what 'high severity' actually means in the firm's context (patient harm, batch loss, regulatory action). Probability scales should reflect actual occurrence rates in the firm's data, not generic descriptors. Detectability (if used) should reflect actual detection capability. Generic off-the-shelf matrices that don't tie to firm reality are a common finding pattern. The matrix is a controlled document under document control with periodic review.

Where is the risk matrix applied?

Across the regulated quality system. Change impact assessment scores changes for classification. CAPA risk assessment decides whether action is needed and at what depth. Deviation severity classification uses risk principles. Supplier risk tiering determines qualification depth. Validation risk evaluation drives test scope (CSV / CSA). Audit planning uses risk to schedule frequency. Periodic review depth often follows risk. The same matrix (or matrices configured per use case) should apply consistently so scoring stays comparable across decisions.

What's risk acceptance, and who makes it?

The decision that a risk is acceptable (no further mitigation needed), tolerable with controls (compensating measures in place), or unacceptable (must be reduced or the activity stopped). Acceptance criteria are defined as part of the matrix design. Acceptance authority depends on risk level: low risks at operational level, medium at QA, high at senior management or governance body. The decision is documented with rationale, not just a signature.

What are the most common risk matrix findings in inspections?

Inconsistent scoring across similar items (same risk scored differently in different assessments). Copy-paste scoring without rationale (numbers identical across distinct items). Generic matrix not calibrated to the firm (FMEA scales straight from a template, not from firm experience). Risk acceptance without documented decision authority. Static risk scores not updated when new information emerges (events, new data, regulatory changes). Q9(R1) sharpened expectations on all of these.

Does the matrix need to be the same across all uses?

Not necessarily. Different decision types benefit from different matrices. A 5×5 severity × probability matrix may be right for change impact; an FMEA RPN approach for failure mode analysis; a 3×3 for routine deviation triage. What matters is that within a given use case the matrix is applied consistently, and that the overall risk methodology is documented and approved. Programs that use ad-hoc matrices per assessment without an overall framework tend to be cited for inconsistency.

Continue Exploring

Explore related topics, modules, and compliance resources for a deeper understanding of your quality system.

  • Risk Assessments Module
  • Risk Management
  • Validation Approach

See risk assessment matrix design in Complere

Walk through Complere's configurable risk methodology: matrix design, severity / probability / detectability scales, scoring rules, and action thresholds applied consistently across workflows.