First of all, there is no mandatory requirement in ISO 9001:2015 for a risk management matrix. However, a methodology can definitely help the organization to identify risks and opportunities and plan the necessary actions to effectively address them.
The risk and opportunity matrix could be a spreadsheet, a document, a database, but the most common and clear format is usually a table that may include:
- Description of the risk
- Type of risk (business, project, stage)
- Likelihood of occurrence
- Severity of the risk, that is, the impact that the occurrence of this risk has
- Countermeasures or actions carried out to prevent, reduce, or transfer the risk
- Risk status: whether it is a current risk or a past risk
This risk identification should be conducted with the relevant people of your organization and, if possible, the relevant parties such as contractors, stakeholders and suppliers. A SWOT analysis can help with this identification, but then you will need to evaluate the level of significance of those risks by applying certain criteria selected by the organization.
The following material will provide you with information about the risk and opportunity matrix: