Risk matrix

From apppm
Revision as of 04:02, 25 September 2016 by ARCR (Talk | contribs)

Jump to: navigation, search


To successfully execute its projects, especially in surrounding unstable environment, the companies, need to be aware about significant uncertainties, which will undoubtedly face projects during different stages of its life cycle regardless its complexity and time completion.

The uncertainties imply risks of (generally adverse) events those effect on the outcome or/and objectives of projects. In order to understand the variety of risks that a project face Risk Management activities in a project need to be performed. Effective project management need to identify what types of risk may influence particular stage of project. Furthermore, the management have to analyze and prioritize risks in terms of most severity and perform decision making in order to treat the risk and finally treat relevant risks in a structured way in order to avoid or at least mitigate any harm that may cause this certain risk.

However, how to decide and prioritize which risk is more dangerous and need to be treat first?

The one of the useful risk assessment tool supports project management to decide which risk need to be consider at first called “Risk Matrix” or also known as “Probability and Impact Matrix”.

Risk Matrix (Probability and Impact Matrix) is a broadly used risk assessment tool to define the different levels of risk as the product of the harm probability categories and harm severity categories. [1]

It is a common graphical tool used to simply and quickly visualize and categorize already identified risks, source of risks or risk treatments based on its probability and impact on a project. [1]

The aim of current article is to give an overview and summary of Risk Matrix. At the beginning, the article will provide briefly introduction to the risk management with its important elements. and the core idea of the risk matrices. Furthermore the article will defined the applications of presented tool as well as a practical usage within Project Management activities. Finally, the strengths and limitations of presented tool will determined and outlined.


Contents

Introduction and main idea

Figure 1: Risk Management process [1]. Primary focus in this article is on risk assessment.

Any projects during its different lifecycle stage are facing a variety of risks, defined as state of uncertainty where some possible outcomes have an negative effects on objectives, significant loss or other adverse or unwelcome circumstance.

Effective project manager need to be aware about potential types of risks in order to response and prevent unexpected event. This can be achieved by risk assessment process (shown in figure 1) which “aims to improve decision making process by identifying, assessing and mitigating relevant risks in a structured way” [2] The detailed description of Risk Assessment process is beyond the scope of this article, but for the deeper insight please follow the link Risk Assessment where the all relevant information can be found). Each of these activities is very comprehensive and takes a huge amount of resources, money and time consumption. Thus, in order to balance cost, time and resource of particular project, the management have to prioritize risks instead of trying to address each and every risk that particular project might face.

The one of the very useful risk assessment tool supports project management to decide which risk need to be consider at first called “Risk Matrix” or also known as “Probability and Impact Matrix”.

Risk Matrix (Probability and Impact Matrix) is a broadly used risk assessment tool to define the different levels of risk as the product of the harm probability categories and harm severity categories.

The main aim of risk matrix is to classify and prioritize hazard of adverse events based on the level of risk in order to facilitate management to make decision whether certain risks can be admit or whether not. [3]

According to ISO 31000 [4]the definition of risk outlined as combination of two basis criteria:

  1. The consequences or the severity of the impact of an adverse event caused by the risk.
  1. The probability or likelihood that this event may occur

In its turn the level of risk or risk value is defined as multiplication of these two criteria

"Level of Risk=Probability x Consequence”[3]

The combination of these parameters created risk matrix as two-dimension grid with consequence/impact on one axis (commonly X-axis) and probability or likelihood on the other (Y-axis) as shown on figure 2.

Figure 2: Risk Matrix. [3] A 5 x 5 risk matrix in principle to 25 distinguishable risk categories.

The severity or consequences scale describes the range of different types of impact of the adverse events that, if it occurs, will have an effect on the objectives and/or values such as physical health, social status, emotional well-being or financial wealth [5]

The consequence scale are commonly extended from the lowest potential impact to the highest as illustrated in figure 02 and can comprise any number of criteria with nominal or textual description such as ““No impact”, “Minor”, “Medium”, or “C1”, “C2”, “C3” and etc.

The example of possible consequences criteria can defined as follows:

1. No impact: Limited hazard that will cause a near insignificant amount of harm to the overall progress of the project.

2. Minor impact: A minor hazard which lead to less significant extent of harm which in its turn not cause of a difference to the overall progress of the project are classified as minor risk.

3. Medium impact: Moderate hazard which do not imply a huge harm, though yet a considerable harm portrayed as medium.

4. Major impact: Critical risks with significantly large impact that may lead to a huge amount of loss or harm identified as major.

5. Extensive impact : The most adverse hazard that lead to a catastrophic consequences such as high amount of lives losses or harm that totally destroyed a project (for example tsunami) is outlined as extensive impact.

The other dimension of risk matrix is the likelihood scale describes the range of probability of the occurrence of a risk. As the consequence scale, the probability scale is also extended from the lowest potential likelihood to the highest as portrayed in figure 02 and comprised variety numbers of criteria with nominal or textual description such as ““High unlikely”, “Unlikely”, “Possible”, or “P1”, “P2”, “P3” and etc.

The example of possible probability criteria can outlines as follows:

1. Highly unlikely: Unlikely risks, which have a rare level occurrence such as less than 10%.

2. Unlikely: Seldom risk contains low probability of occurrence however cannot yet excluded entirely.

3. Possible: Hazard, which have occasional (50/50) likelihood of occurrence harm

4. Likely: Risks that lies among 60-80% chances of occurrence can be grouped as likely.

5. Very likely: A definite hazard that has highest frequency (generally more than 80 %) of reveal during certain project stages. [6]

The definition of both criteria consequence and probability scales could vary in different organization and project areas, thus it is worth mentioning that mentioned above descriptors is recommended as a guide only. Finally, based on combination of probability and impact the level of risk can easily counted and ranked by placing adverse event into risk matrix according to assigned consequence and probability as shown on figure 3

Figure 3: Allocation of risk based on the level of risk value

As example the undesired event R25 displayed on the figure 3 has the highest risk value equal to “25”, or the risk R22 and R10 have the identical risk value ”10”.


Application and use

Application

Generally, the risk matrices have two main applications:

  • decision making regarding the acceptance of risk
  • prioritization which risk needs to be addressed first.

Decision making regarding the acceptance of risk

Figure 4: Three color levels of risk in terms of risk acceptance within riskmatrix[7]

In terms of risk acceptance, at least three levels of risk have to be isolated as illustrated in figure 04:

Display these interpretations to the body of grid, the color matrix can be outline as shown in figure 5

Figure 5: Example of a risk matrix with color risk levels . [7]

Prioritization which risk needs to be addressed first.

In cases where the risk matrix is used for ranking, a larger number of risk levels may be necessary in order to obtain sufficient resolution to rank events or hazards in order of priority as shown in figure 06

Figure 6: Example of ranking risk. [7]

Consequences Categories C1 No impact C2 Minor impact C3 Medium impact C4 Major impact C5 Extensive impact Probability categories P5 Very likely 5 10 15 20 25 P4 Likely 4 8 12 16 20 P3 Possible 3 6 9 12 15 P2 Unlikely 2 4 6 8 10 P1 Highly unlikely 1 2 3 4 5

However, the risk matrix have one important implications during the ranking of events those have a very low probability, but an extensive severity and in contrary the events with highest probability and lowest impact. The user and designer of a risk matrix have to be aware about major risk aversion or major hazard aversion. Major risk aversion means that events with the lowest probability – highest severity should always assigned with higher priority than events with the highest probability and lowest severity, even the risk value for both events is the same. Those implication based on the nature of risk that originally includes aversion to the probability rather than consequence severity. [3]

Usage of Risk matrix

It is it is worth to mentioning the main aim of risk matrix: classification and prioritization the list with already identified risks in order to make decision whether the certain risks can be tolerated. Frequently, in some cases it may be enough merely to rank risks against each other to identify relative prioritisation Cite error: Closing </ref> missing for <ref> tag also includes an invaluable summary of the advantages and disadvantages of risk matrices, together with recommendations for their usage.

Strengths:

- relatively easy to use;

- provides a rapid ranking of risks into different significance levels.


Limitations:

- a matrix should be designed to be appropriate for the circumstances so it may be difficult to have a common system applying across the range of circumstances relevant to an organization;

- it is difficult to define the scales unambiguously;

- use is very subjective and there tend to be significant variation between raters;

- risk can not be aggregated (i.e. one cannot define that a particular number of low risks or a low risk identified a particular number of ties is equivalent to a medium risk);

- it is difficult to combine or compare the level of risk for the different categories of consequences(impact)

Results will depend of the level of detail of the analysis, i.e. the more detailed the analysis the higher the number of scenarios, each with a lower probability. This will underestimate the actual level of risk. The way in which scenarios are grouped together in describing risk should be consistent and defined at the start of the study. [1]

Annotated bibliography

For further reading on the subject or related subjects, the reader is encouraged to check out the following:

  • Nijs Jan Duijm (2015), Recommendation on the use and design of risk matrix, Safety Science 76, DTU, Denmark .[3]
    • “The article explore the weakness of risk matrices and provide recommendation for the use and design of risk matrix
  • ALARP [8]
    • “The wiki-article describes a term often used in the milieu of safety-critical and safety-involved systems.
  • Risk Management [9]
    • The wiki-article describes the concept of the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities
  • Risk Management - Risk assessment techniques, Dansk Standart DS/EN ISO 31010, 2010

[1]

    • The international standard (ISO) 31010 contains guidance on selection and application of systematic techniques for risk assessment. .

Videos

A short video to visualyse the usage and benefits of Risk Matrix as explained in the article.


Video 1:Risk assessment matrix

References

  1. 1.0 1.1 1.2 1.3 1.4 [Risk Management - Risk assessment techniques] Dansk Standart DS/EN ISO 31010, 2010
  2. [How to Do Projects”] “JoanaGeraldi, Chrisitan Thuesen, JosefOehmen, Textbook DTU 2016
  3. 3.0 3.1 3.2 3.3 3.4 [Recommendation on the use and design of risk matrices'] Nijs Jan Duijm, Safety Science 76, p.21-31, DTU, 2015
  4. [Risk Management – Principles and Guidelines] Dansk Standart DS/EN ISO 31000, 2009
  5. [Risk Definition'] https://en.wikipedia.org/wiki/Risk
  6. [A Critical Tool for Assessing Project Risk] http://www.brighthubpm.com/risk-management/88566-tool-for-assessing-project-risk/#imgn_0
  7. 7.0 7.1 7.2
  8. Cite error: Invalid <ref> tag; no text was provided for refs named alarp
  9. Cite error: Invalid <ref> tag; no text was provided for refs named RM
Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox