One of the best tools for assessing and reducing risk is a risk management matrix. Today’s blog provides an example of such a matrix and explains how and why to use one.
The Nebulous Task of Assessing Risk
We’ve been talking about risk a lot lately in the blog because, if you don’t understand what your organization’s risks are, you can’t put together a functional business continuity or IT disaster recovery plan. Understanding risk across the board is highly important in BCM.
Grasping and assessing the risks facing an organization is a task requiring imagination, knowledge, and judgment. The nebulous nature of the task can make it seem overwhelming.
However, a tool exists that can break this potentially intimidating task up into small, manageable segments.
That tool is the risk management matrix.
A Sample Risk Management Matrix
As with many tools, risk management matrices come in a variety of types, from basic models to complex ones for use on large-scale, highly complex jobs by experienced practitioners.
The matrix below is simpler than the one we use with our consulting clients, but it provides a starting point.
Basically, the matrix is a grader that you use to assess each of the risks facing the organization. Comparing the risk to the matrix will help you determine a risk rating for that item. The matrix also has a scale suggesting the best way of handling each risk item, depending on its rating.
Here’s the sample matrix:
Risk Matrix Instructions:
- For each risk item, identify the Severity of the impact to the organization if the risk occurred (None/Acceptable, Tolerable, Serious, Critical).
- For each risk item, identify the Probability of occurrence of the risk (Low, Medium, High).
- Find the box at the intersection of the risk item’s Severity and Probability of occurrence. This contains its risk rating.
- Based on the risk rating, the following actions are recommended for the item:
  - Low (1-2) – No action necessary. Include actions as part of BC plans or identify low-cost mitigation strategies
  - Medium (3-5) – Identify low-cost mitigation strategies
  - High (6-8) – Identify risk mitigation, risk removal/avoidance, or risk transfer strategies
  - Critical (9+) – Identify risk mitigation or risk removal/avoidance strategies
| Probability of occurrence | | Risk occurrence has no to minimal business or customer impact | Risk occurrence has noticeable or moderate business or customer impact | Risk occurrence has significant business or customer impact | Risk occurrence causes operations outages for your organization or customers |
|---|---|---|---|---|---|
| Low | Very unlikely to occur | 1 | 4 | 7 | 10 |
| High | Likely to occur | 2 | 6 | 9 | 12 |

| Low | Medium | High | Critical |
|---|---|---|---|
| 1 – 2 | 3 – 5 | 6 – 8 | 9+ |
A risk matrix like this encourages organizations to be rational in how they evaluate and mitigate risks. It channels them into looking at the only two criteria that matter in this area: how likely the risk is to occur and the impact if it did.
The Four Risk Mitigation Strategies
The matrix alludes to the four primary risk mitigation strategies. As a reminder, those strategies are:
- Risk Acceptance. A conscious decision to live with the risk. This strategy is a common option when the cost of other risk management choices outweighs the cost of the risk itself.
- Risk Avoidance. Taking steps to avoid all exposure to the risk. This is usually the most expensive of all risk mitigation options.
- Risk Limitation. The most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It employs a combination of risk acceptance and risk avoidance.
- Risk Transference. This strategy entails handing risk off to a willing third party. The most frequently used and easiest method of risk transference is insurance. Another example is the transference of specific tasks (and the risks associated with them) to third parties, as when organizations hire vendors to handle customer service or payroll services.
The decision of which strategy to use for each risk item should be governed by that item’s risk rating as established by the matrix.
Tips to Help in Using the Matrix
We’ve talked about the risk management matrix and the four risk mitigation strategies. Here are a few more tips to help you make effective use of a risk management matrix:
- Think outside the box. Bad luck does not limit itself to the most obvious scenarios and neither should you. Yes, heavy snowstorms pose risks for companies based in the Upper Midwest. But organizations there have been struck by many other kinds of misfortune as well. Try to anticipate the whole breadth of likely or serious events that might impact your organization.
- Don’t be taken in by recency bias. Suppose you are aware of a certain negative event that happened recently, either to your organization or another company. There’s a natural tendency to let this dominate your thinking, closing you off to considering other risks. Recent occurrences are not necessarily indicative of future risks.
- In drawing up a list of potential risks, it helps to keep in mind the three types of business continuity threat (human, natural, and technological) and the four types of BC disruption (loss of facility or region, loss of human resources, loss of technology, and loss of supplier). Also remember that risks can be internal or external.
- Risk assessment is an area where independent consultants can be especially valuable, owing to their experience of a broad range of organizations, industries, and past disasters.
Using Rationality to Boost Resilience
Risk assessment is one of the most important aspects of business continuity management, but assessing risks is an inherently nebulous process. Using a risk management matrix ensures that, for every risk your organization faces, you look closely at the two aspects that matter most: how likely the risk is to occur and the degree of impact it would have if it did. This provides a rational basis for choosing a mitigation strategy for each risk, thus maximizing the value of your investments and boosting the resilience of your organization overall.