How to Handle Probability And Severity Risk Assessment Matrix on Your Construction Projects
A probability and severity risk assessment matrix gives general contractors a structured way to rank subcontractor threats before they derail a project. Instead of guessing which risks matter most, you plot each one on a grid that scores likelihood against impact. The result is a clear picture of where to focus your limited time and budget.
Below are the steps, common pitfalls, and practical tips that turn a blank matrix into a decision-making tool your project team will actually use.
Why a Probability and Severity Risk Assessment Matrix Belongs in Every GC's Toolkit
Most GCs already evaluate subcontractors. The problem is consistency. One project manager flags a sub's EMR while another ignores it. A risk matrix standardizes the conversation so every evaluator measures threats against the same scale.
When you assign numerical scores to probability (how likely is this event?) and severity (how bad is the damage?), you replace opinion with math. A sub with a 4-out-of-5 probability of missing deadlines and a 5-out-of-5 severity on schedule impact scores a 20. That number travels across teams, projects, and regions without losing meaning.
Step-by-Step: Building Your Matrix
1. Define Probability Levels
Use five levels. Fewer creates false precision. More creates analysis paralysis.
| Score | Label | Meaning |
|---|---|---|
| 1 | Rare | Under 5% chance based on historical records |
| 2 | Unlikely | 5%-20% chance with isolated warning signs |
| 3 | Possible | 20%-50% chance with multiple indicators |
| 4 | Likely | 50%-80% chance with a clear pattern |
| 5 | Almost Certain | Over 80% chance with active issues |
2. Define Severity Levels
Tie severity to measurable project outcomes so scoring stays objective.
| Score | Label | Cost Impact | Schedule Impact |
|---|---|---|---|
| 1 | Negligible | Under $10K | No delay |
| 2 | Minor | $10K-$50K | Up to 1 week |
| 3 | Moderate | $50K-$200K | 2-4 weeks |
| 4 | Major | $200K-$1M | 1-3 months |
| 5 | Critical | Over $1M | Project viability threatened |
3. Score Each Risk Category
Evaluate every subcontractor across financial stability, safety record, insurance adequacy, operational capacity, and legal standing. Multiply probability by severity for each category.
4. Set Action Thresholds
- 1-5: Low risk. Proceed with standard terms.
- 6-12: Moderate risk. Add monitoring checkpoints.
- 13-19: High risk. Require senior review and additional bonding.
- 20-25: Critical risk. Do not award without executive sign-off and extraordinary mitigation.
5. Review and Recalibrate Quarterly
Risk is not static. A sub that scored 6 last quarter may score 14 today after losing a key superintendent or taking on three new projects. Build quarterly recalibration into your project controls calendar.
7 Common Matrix Mistakes GCs Make
- Using the same matrix for all trades. Electrical subs carry different risk profiles than concrete subs. Weight categories by trade.
- Letting one person score alone. Two independent scorers reduce bias. Average their results.
- Ignoring low-probability, high-severity events. A score of 5 (1 x 5) still represents a catastrophic outcome. Flag these separately.
- Failing to document scoring rationale. A number without a note is useless six months later when you need to explain a disqualification.
- Treating the matrix as a one-time exercise. Subcontractor risk changes with market conditions, workforce availability, and project load.
- Skipping calibration sessions. If your team's scores for the same sub vary by more than 3 points, your definitions need tightening.
- Not connecting scores to contract terms. A high-risk score should trigger specific contract provisions such as enhanced reporting, milestone payments, or retention increases.
Data Table: Risk Score Ranges by Trade Category
| Trade | Avg Financial Risk | Avg Safety Risk | Avg Insurance Risk | Avg Operational Risk | Avg Legal Risk |
|---|---|---|---|---|---|
| Electrical | 8 | 12 | 6 | 9 | 5 |
| Mechanical | 7 | 10 | 7 | 8 | 6 |
| Roofing | 9 | 15 | 8 | 10 | 7 |
| Concrete | 8 | 11 | 7 | 11 | 6 |
| Steel Erection | 10 | 16 | 9 | 9 | 8 |
| Plumbing | 6 | 8 | 6 | 7 | 5 |
| Excavation | 9 | 13 | 8 | 10 | 7 |
Source: SubcontractorAudit platform data, Q1 2026. Scores on a 25-point scale.
Frequently Asked Questions
What is a probability and severity risk assessment matrix? It is a grid that scores risks by multiplying how likely an event is (probability) by how damaging it would be (severity). The resulting number helps GCs prioritize which subcontractor risks need immediate attention and which can be monitored passively.
How often should GCs update their risk matrix scores? Quarterly for active subcontractors on current projects. Annually for subs in your approved vendor pool who are not currently under contract. Continuous monitoring platforms can update scores in real time when new data appears.
Can a sub with a high risk score still win a contract? Yes, but only with documented mitigation. That might include additional bonding, increased retention, milestone-based payment schedules, or dedicated oversight. The matrix does not make the decision. It informs the decision.
What data sources feed into matrix scoring? Financial statements, bonding capacity letters, OSHA citation databases, EMR reports, insurance certificates, reference checks from other GCs, and state licensing databases. Compliance platforms aggregate these automatically.
Should the GC or the sub fill out the risk assessment? Both. The sub provides the raw data through prequalification questionnaires. The GC scores that data independently. Self-reported risk scores from subs are unreliable.
How does a risk matrix differ from a compliance scorecard? A risk matrix is a scoring framework. A compliance scorecard is a platform that automates data collection, applies the matrix, monitors changes over time, and alerts you when scores shift. The matrix is the methodology. The scorecard is the technology that scales it.
Turn Your Matrix Into a Living System
A probability and severity risk assessment matrix printed and filed away protects nobody. The GCs who get the most value from this tool connect it to their prequalification workflow, their contract terms, and their project monitoring cadence.
Request a demo of SubcontractorAudit to see how automated compliance scorecards apply your risk matrix across every subcontractor in your portfolio, updating scores as new data flows in.
Founder & CEO
Founder and CEO of SubcontractorAudit. Building AI-powered compliance tools that help general contractors automate insurance tracking, pay application auditing, and lien waiver management.