What is risk matrix calibration?
Risk matrix calibration, or risk assessment matrix calibration, entails deciding on risk reference values against risk categories such as financial cost, delivery schedule and performance.
Risk categories classify risks according to a business's activities and provide a defined overview of the underlying and potential risks faced by the company. The most commonly used risk categories include financial, schedule, performance, reputation, health, safety and environment.
What is a Risk Matrix?
A risk matrix (sometimes called a risk assessment matrix) is used during the risk management process’s risk assessment stage. It identifies and captures risk event likelihood (probability) and evaluates the potential impact (consequences) caused by those risk events.
When the risk analysis is complete, it’s necessary to compare the estimated risks against the risk criteria of the organisation.
Risk criteria may include, for example, cost, health, safety, environmental standards, legal requirements, socioeconomic factors, and the concerns of stakeholders.
Risk evaluation supports decisions about how significant a risk is to the organisation and whether a specific risk should be accepted, controlled, or mitigated.
The Risk Likelihood is the probability that a risk event occurs. The likelihood of risk has five qualitative ranges [Ref: The Institute of Risk Management]:
- Remote
- Unlikely
- Possible
- Probable
- Highly Probable
The risk event is then assigned a risk value, obtained as a function of Likelihood and Impact.
Examples of Risk Matrix Calibration
|Likelihood|Reference value|
|---|---|
|Remote|Not known to have happened anywhere|
|Unlikely|It has happened previously somewhere|
|Possible|It has happened previously in the local country|
|Probable|It has happened previously in the industry sector|
|Highly Probable|This has happened previously in the business|

|Impact (financial)|Reference value|
|---|---|
|Insignificant|A financial loss of <$10k|
|Minor|A financial loss of <$100k|
|Moderate|A financial loss of <$1m|
|Major|A financial loss of <$10m|
|Extreme|A financial loss of <$100m|

|Impact (schedule)|Reference value|
|---|---|
|Insignificant|A schedule loss of 1 day|
|Minor|A schedule loss of 4 days|
|Moderate|A schedule loss of 1 week|
|Major|A schedule loss of 1 month|
|Extreme|A schedule loss of 1 year|

|Impact (reputation)|Reference value|
|---|---|
|Insignificant|Attention within the business only. Insignificant business impact.|
|Minor|Local media attention. Minor business impact.|
|Moderate|National media attention and possible public inquiry. Moderate business impact.|
|Major|International media attention and public inquiry. Major business impact.|
|Extreme|International media attention and public inquiry. Business closes down.|

|Impact (performance)|Reference value|
|---|---|
|Insignificant|Requires minor trade-offs to achieve the target. No impact on business.|
|Minor|Performance below target but acceptable. No changes. No business impact.|
|Moderate|Performance below target. Moderate changes are required. Limited business impact.|
|Major|Performance is unacceptable. Major changes are required. Major business impact.|
|Extreme|Performance is unacceptable.|

|Impact (health)|Reference value|
|---|---|
|Insignificant|No harm to people|
|Minor|A few people suffer from diseases|
|Moderate|Some people suffer from grave diseases|
|Major|Possible deaths, and many people suffer from grave diseases|

|Impact (safety)|Reference value|
|---|---|
|Insignificant|Minor injury or no harm to people|
|Minor|A few minor injuries|
|Moderate|Some serious injuries|
|Major|Possible deaths and serious injuries|

|Impact (environment)|Reference value|
|---|---|
|Extreme|Large uncontrolled release|
Before evaluating a risk event, the risk categories must be calibrated.
Each business and organisation is unique, and so are its risk reference values. For example, a loss of $100k could be a minor impact for one company but the final closure factor for another business.
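The effect of calibration on a single loss figure, as an added example that is not part of the original page. It uses the page's financial reference values. The second organisation's values, the clamping of out-of-range losses to Extreme, and the rank-product scoring are assumptions (the page only says the risk value is a function of Likelihood and Impact).

```python
from bisect import bisect_right

LIKELIHOOD = ("Remote", "Unlikely", "Possible", "Probable", "Highly Probable")
IMPACT = ("Insignificant", "Minor", "Moderate", "Major", "Extreme")

# Financial reference values from the page: exclusive upper bound (USD) per level.
PAGE_FINANCIAL = (10_000, 100_000, 1_000_000, 10_000_000, 100_000_000)
# Constructed calibration for a much smaller business (assumption, not from the page).
SMALL_BUSINESS_FINANCIAL = (500, 5_000, 25_000, 100_000, 500_000)


def validate(bounds):
    """Reject a calibration that cannot map losses onto five ordered levels."""
    if len(bounds) != len(IMPACT):
        raise ValueError("need one reference value per impact level")
    if bounds[0] <= 0 or any(a >= b for a, b in zip(bounds, bounds[1:])):
        raise ValueError("reference values must be positive and strictly increasing")
    return tuple(bounds)


def impact_level(loss, bounds):
    """Return the impact label for a loss under the given calibration."""
    if loss < 0:
        raise ValueError("loss cannot be negative")
    # Index of the first reference value strictly greater than the loss.
    idx = bisect_right(validate(bounds), loss)
    # Assumption: a loss at or above the top reference value is still Extreme.
    return IMPACT[min(idx, len(IMPACT) - 1)]


def risk_value(likelihood, impact):
    """Assumed scoring: product of the 1-based likelihood and impact ranks."""
    return (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)


def assess(likelihood, loss, bounds):
    """Calibrate the loss to an impact level, then score the risk event."""
    impact = impact_level(loss, bounds)
    return impact, risk_value(likelihood, impact)


if __name__ == "__main__":
    calibrations = {"page table": PAGE_FINANCIAL,
                    "small business": SMALL_BUSINESS_FINANCIAL}
    for name, bounds in calibrations.items():
        print(name, assess("Possible", 90_000, bounds))
```

The same $90k loss rates Minor under the page's table and Major under the constructed small-business calibration, so the risk value for an identical event doubles.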