Risk Matrix: The Benefits & Challenges
09-06-2016
For very good reason, risk matrices have been widely promoted in risk management standards and reference books, and despite much criticism, they’ve been widely adopted by many organisations. In the right hands, they are a practical and easy-to-use tool, which can help most organisations in most circumstances to:
- Promote full-bodied discussion on the hazards and risks
- Provide some consistency to prioritizing risks
- Increase buy-in from workers
- Help keep participants in a facilitated risk workshop on track
- Focus decision makers on the highest priority risks
- Present complex risk data in a concise visual fashion (e.g. bubble charts).
They are not without flaws, however, and are definitely not an answer for all ills. In the hands of the inexperienced, the biased or individuals with an agenda, they can of course generate misleading ratings. Risk matrices have the following limitations:
- They can correctly and unambiguously compare only a small fraction of randomly selected pairs of hazards and can assign identical ratings to quantitatively different risks.
- They can mistakenly assign higher qualitative ratings to quantitatively smaller risks, to the point where, for risks that have negatively correlated frequencies and severities, they can lead to worse-than-random decisions.
- They can result in suboptimal resource allocation, as effective allocation of resources to risk treatments cannot be based on the categories provided by risk matrices.
- Categorizations of severity cannot be made objectively for uncertain consequences. Assessment of likelihood and consequence and resulting risk ratings require subjective interpretation, and different users may obtain opposite ratings of the same quantitative risks.
- They don’t include any assessment of timeframes (e.g. the risk of a terrorist attack in the next 2 weeks might be very different from the risk of a terrorist attack in the next 2 years).
- They can oversimplify the complexity or volatility of a risk, insomuch as some risks are relatively static over time while others can change for better or worse almost overnight.
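The first two limitations above can be reproduced with a small matrix. The following is an added example, not part of the original article: the 3x3 band edges, the rating thresholds and the four sample risks are all constructed assumptions, and the quantitative risk is taken as probability times loss.

```python
from bisect import bisect_right
from itertools import combinations

# Constructed 3x3 matrix: band edges and rating thresholds are assumptions.
LIKELIHOOD_EDGES = [0.10, 0.50]            # annual probability: <10% | 10-50% | >=50%
CONSEQUENCE_EDGES = [100_000, 1_000_000]   # loss in dollars: minor | moderate | major
RATINGS = ["Low", "Medium", "High"]

def rating_level(prob, loss):
    """Return 0/1/2 (Low/Medium/High) from the product of the two band numbers."""
    score = (bisect_right(LIKELIHOOD_EDGES, prob) + 1) * (bisect_right(CONSEQUENCE_EDGES, loss) + 1)
    return 0 if score <= 2 else 1 if score <= 4 else 2

def expected_loss(prob, loss):
    """Quantitative risk: probability times consequence."""
    return prob * loss

def compare(risks, tie_factor=10):
    """Find pairs where the matrix contradicts, or hides, the quantitative ordering."""
    reversals, masked = [], []
    for (na, pa, la), (nb, pb, lb) in combinations(risks, 2):
        ra, rb = rating_level(pa, la), rating_level(pb, lb)
        ea, eb = expected_loss(pa, la), expected_loss(pb, lb)
        if ra != rb:
            # hi is the risk with the higher matrix rating
            hi, lo = ((na, ea), (nb, eb)) if ra > rb else ((nb, eb), (na, ea))
            if hi[1] < lo[1]:
                reversals.append((hi[0], lo[0]))
        elif max(ea, eb) >= tie_factor * min(ea, eb):
            masked.append((na, nb))
    return reversals, masked

# Constructed sample risks: (name, annual probability, loss if it occurs)
RISKS = [
    ("A", 0.11, 1_000_000),
    ("B", 0.09, 5_000_000),
    ("C", 0.50, 110_000),
    ("D", 0.95, 50_000_000),
]

if __name__ == "__main__":
    for name, p, loss in RISKS:
        print(f"{name}: {RATINGS[rating_level(p, loss)]:6} expected loss ${expected_loss(p, loss):,.0f}")
    reversals, masked = compare(RISKS)
    print("rated higher but quantitatively smaller:", reversals)
    print("same rating, expected loss differs 10x or more:", masked)
```

Risk B sits just under a likelihood band edge, so it is rated Medium even though its expected loss is several times that of A and C, which are both rated High.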
Overcoming the limitations
The last point above is the most significant of all. If you use a risk matrix in conjunction with at least the following tools, it can be highly effective in supporting quality decision-making:
- A clearly defined risk statement
- Robust likelihood and consequence definitions
- A hierarchy of controls to prioritise risk treatments
- Expected monetary value (EMV) or equivalent cost/benefit of risk treatments
In addition, it is important to have a process for considering all risks and risk treatments collectively. Each treatment is likely to mitigate several risks, albeit to differing degrees, so optimal allocation of resources is likely to be a complex decision-making process. The last two tools on the above list are not really specific to risk matrices, as they are about prioritising risk treatments. A hierarchy of controls enables an optimized approach for selecting the relative effectiveness of controls but does not consider cost/benefit, which is a separate although linked process.
The really critical issues for successfully using risk matrices to assess risks, however, are the first two items in this list. If sufficient rigor has been put into defining the risk statement and the likelihood/consequence definitions, then meaningful risk ratings can be quickly and consistently obtained from a risk matrix. If these 2 items have been adequately defined, then you are likely to get similar if not identical risk ratings from knowledgeable people conducting independent assessments.
Many risk matrices have inadequate likelihood and consequence definitions and, even more commonly, users attempt to use them to assess poorly defined risks. Without these two things in place, a risk matrix will provide meaningless information, if any.