What is risk matrix calibration?
Risk matrix calibration, or risk assessment matrix calibration, entails deciding on risk reference values against risk categories such as financial cost, delivery schedule and performance.
Risk categories are the classification of risks per a business’s activities and provide a defined overview of the underlying and potential risks faced by the company. The most commonly used risk category classifications include financial, schedule, performance, reputation, health, safety and environment.
What is a Risk Matrix?
A risk matrix (sometimes called a risk assessment matrix) is used during the risk management process’s risk assessment stage. It identifies and captures risk event likelihood (probability) and evaluates the potential impact (consequences) caused by those risk events.
Risk Evaluation
When the risk analysis is complete, it’s necessary to compare the estimated risks against the risk criteria of the organisation.
Risk criteria may include, for example, cost, health, safety, environmental standards, legal requirements, socioeconomic factors, and the concerns of stakeholders.
Risk evaluation supports decisions regarding the significance of a risk to the organisation and whether a specific risk should be accepted, controlled, or mitigated.
Risk Likelihood
Risk Likelihood is the probability of a risk event occurrence. The likelihood of risk has five qualitative ranges [Ref: The Institute of Risk Management]:
- Remote
- Unlikely
- Possible
- Probable
- Highly Probable
Risk Impact
The Risk Impact considers the consequence if the risk event occurred and has five levels [Ref: The Institute of Risk Management]:
- Insignificant
- Minor
- Moderate
- Major
- Extreme
The risk event is then assigned a risk value, obtained as the function of Likelihood and Impact.
Examples of Risk Matrix Calibration
Likelihood
Likelihood | Example Criteria |
Remote | Not known to have happened anywhere |
Unlikely | Has happened previously somewhere |
Possible | Has happened previously in the local country |
Probable | Has happened previously in the industry sector |
Highly Probable | Has happened previously in the business |
Impact
Financial
Impact | Example Criteria |
Insignificant | A financial loss of <$10k |
Minor | A financial loss of <$100k |
Moderate | A financial loss of <$1m |
Major | A financial loss of <$10m |
Extreme | A financial loss of <$100m |
Schedule
Impact | Example Criteria |
Insignificant | A schedule loss of 1 day |
Minor | A schedule loss of 4 days |
Moderate | A schedule loss of 1 week |
Major | A schedule loss of 1 month |
Extreme | A schedule loss of 1 year |
Reputation
Impact | Example Criteria |
Insignificant | Attention within the business only. Insignificant business impact. |
Minor | Local media attention. Minor business impact. |
Moderate | National media attention and possible public inquiry. Moderate business impact. |
Major | International media attention and public inquiry. Major business impact. |
Extreme | International media attention and public inquiry. Business closes down. |
Performance
Impact | Example Criteria |
Insignificant | Requires minor trade-offs to achieve the target. No impact on business. |
Minor | Performance below target but acceptable.No changes. No business impact. |
Moderate | Performance below target. Moderate changes are required. Limited business impact. |
Major | Performance is unacceptable. Major changes are required. Major business impact. |
Extreme | Performance is unacceptable. |
Health
Impact | Example Criteria |
Insignificant | No harm to people |
Minor | A few people suffer from diseases |
Moderate | Some people suffer from grave diseases |
Major | Possible deaths and/or many people suffering from grave diseases |
Extreme | Likely deaths |
Safety
Impact | Example Criteria |
Insignificant | Minor injury or no harm to people |
Minor | A few minor injuries |
Moderate | Some serious injuries |
Major | Possible deaths and serious injuries |
Extreme | Likely deaths |
Environmental
Impact | Example Criteria |
Insignificant | Minor release |
Minor | Small release |
Moderate | Significant release |
Major | Large release |
Extreme | Large uncontrolled release |
Final Thoughts
Before evaluating a risk event, the risk categories must be calibrated.
Each business and organisation is unique. Therefore, so are the risk reference values. For example, a loss of $100k could have a minor impact on one company but become the final closure factor for another.