Risk Matrix

A risk matrix is an effective and broadly used risk assessment tool. It is quite quick to create, and it is an easy way to identify problems. In some cases, it is also used to rank the risks to understand which one needs to be addressed first. Therefore, this tool has mainly two application:

• Decision making regarding the acceptance of risk
• Prioritize which risk needs to be addressed first.

The matrix has two dimensions, the severity that indicates the extent of damages of the risk and the probability that shows how likely is that risk to happen. A combination of them will allow to collocate a risk inside the matrix. As it can be seen in the figure, three different areas can be isolated:

Acceptable risk

It can be seen that there is a low probability and a low severity and that indicates that the risk of an event is not high enough, or it is controlled. Usually no actions are required in this area.

ALARP (As Low As Reasonably Practicable) risk

This area it’s often indicated in yellow. As long as the event is placed in that zone, the risk can be accepted.k

Non acceptable risk

This red zone is characterized by both high severity and probability. In this case, there is the need of much more control to bring severity or probability down.

Benefit

The main benefits of this tool are that it is easy to apply and in most of the cases it does not require an extensive knowledge in risk management to use it. Furthermore, risk matrices can promote conversation in risk topics that sometimes can be avoided by managers because they may only focus in profits and revenues.

Limitations

The biggest constraint of risk matrices is that it is mainly based on qualitative discussions and thus, it lacks on quantitative and objective data.

Risk Management Process (RMP)

Implementing a risk management process is crucial for an organization. It does not require large investment or high level of knowledge to be effective. The RMP can be implemented follow five steps that are briefly explained.

1. Identify potential risks
   In this first process, potential risks and their characteristics are identified. They can be hazard risks, operational risks, financial risks or strategic risks and thus, this phase can involve internal expertise but also external consultants or researcher. Furthermore, it is important to keep this process update because the risk environment is always changing.
2. Measure frequency and severity
   This step analyses the likelihood of a risk occurring and the impact of it, if it occurs. That process is used to prioritize the risk and therefore, to choose where to spend money and time on. The risk assessment can be done for instance using a risk matrix and it must be kept updated.
3. Examine alternative solutions
   Once an organization has all the potential risk, some solutions need to be evaluated. Usually there are this options:
   1. Accept the risk: the risk is simply accepted because the probability that it happens as well as its severity are low. Accepting the risk does not require any further action.
   2. Avoid the risk: the activity that cause this risk must be stopped because it is too dangerous and perhaps an alternative can be found.
   3. Risk control: in this case a prevention of that risk is involved to reduce its impact if it occurs.
   4. Risk transfer: the risk is transferred to a third part. For instance, a particular activity can be outsourced, or insurance can be purchased.
4. Decide which solution to use and implement it
   Once all the solutions are listed, the organization will choose one of them and will set up a plan to implement it.
5. Monitor result
   It is important to track and monitor risks because risk management is a process and not a project and thus, it needs to be constantly revisited on an ongoing base.