A risk matrix is used within risk management to define the level of risk by considering the category of Likelihood against Impact severity. This simple tool increases the visibility of risk and supports decision making.
Risks are inevitable. From a start-up to a large multi-national enterprise, all are faced with risks to be controlled and mitigated.
Whether you’re beginning a new business or project or running an established organisation, two of the most critical questions are “what could go wrong?”, and “how can we be successful”.
It’s not a simple task assessing risk, let alone managing a suite of risks. If you don’t identify, evaluate, and manage risk, your people and your organisation are at stake. Successful organisations find the time and resources to identify risks and devise management strategies to control, mitigate, and even plan contingencies to lessen any Impact from a threat risk.
There are essential steps for a successful risk management process. The process begins with risk assessment. It then progresses forward until a definition of what control and mitigating actions are required to manage the risks.
Here are the steps and how each one of them adds to a successful risk management system.
Risk assessment is a series of stages to be taken for effective risk management.
Risk identification associated with an organisation’s operation is one of the first steps in risk management.
Some organisations develop checklists from previous experiences of past projects or changes to manage risks. However, you could be a part of a new start-up, or your organisation is unfamiliar with the concept of risk management, so other methods to use include:
- Industry benchmarking
- Scenario analysis
- Risk workshops
- Incident investigation
- Auditing and inspection
After the identification of the risks, the processes of risk analysis and evaluation begin.
SWOT (Strengths-Weaknesses-Opportunities-Threats) is a technique used to define the organisation’s internal Strengths (opportunities) and Weaknesses (threats) and include culture, structure, finance, and resources. External Opportunities and Threats consist of variables outside the organisation, such as political, economic, social, technological, environmental, and legal risks. Given the scope of this analysis, a PESTEL model can be used to support this stage.
Other methods include:
- Threat analysis
- Fault tree analysis
- FMEA (Failure Mode and Effect Analysis)
- Event tree analysis
When the risk analysis is complete, it’s necessary to compare the estimated risks against the risk criteria of the organisation.
Risk criteria may include, for example, cost, health, safety, environmental standards, legal requirements, socioeconomic factors, and the concerns of stakeholders.
Risk evaluation supports decisions regarding the significance of a risk to the organisation; and if a specific risk should be accepted, controlled, or mitigated.
The risk Likelihood is the probability of a risk occurring. Within GetRiskManager, the Likelihood of risk has five qualitative ranges [Ref. The Institute of Risk Management]:
- Highly Probable
The risk Impact considers the consequence if the risk occurred and within GetRiskManager has five levels [Ref. The Institute of Risk Management]:
The grid assigns a number to the risk; obtained by multiplying Likelihood with Impact.
GetRiskManager provides for three calculations:
- Likelihood x Impact (the default calculation)
- (Likelihood x Impact) + Impact
- (Likelihood x Impact) + (2 x Impact)
So, what about the Risk Matrix?
A Risk Matrix assists in risk evaluation by visualising the Likelihood and Impact of potential risks. It provides a visual representation of all the current risks associated with an organisation, activity, or project.
The GetRiskManager Risk Matrix
Below, is the risk matrix from GetRiskManager indicating all current risks.
The risk matrix consists of a coloured grid, with Likelihood on the X-axis and Impact on the Y-axis.
The circles indicate the number of risks in a zone.
The lower risks are in the bottom left of the matrix and are coloured blue. The top right contains the highest risk and is coloured red.
These four zones provide a clear vision of the risk situation and the future steps to be taken:
- Red Risks: These risks are very significant. Subsequently, are a high priority and need to be addressed immediately through control and mitigating actions that will move the risk into, as a minimum, the Yellow area.
- Yellow Risks: These risks are highly significant, but lower as compared to red risks. These should be addressed as a medium priority and actioned according to an agreed plan and schedule.
- Green Risks: These risks are moderate level risks. They are not highly significant; however, they could Impact if not controlled and mitigated. These should be addressed after the Yellow risks and actioned according to an agreed plan and schedule.
- Blue Risks: Lastly, these risks are low-level. That does not mean they are unimportant, just they should be the last to be addressed or could be monitored over a period and then reassessed.
Advantages of a Risk Matrix
- Visually aligns risk against the Likelihood and Impact
- Visually indicates the level of current risks
- Provides an overview of an organisation’s risks
A risk matrix is only a visual tool; it’s not the full solution for risk management.
As an organisation, you still need to manage risk by assessing and then controlling and mitigating through a range of actions. To help with the risk management process, you can use a tool such as GetRiskManager to protect your people and your organisation.