Do we need a risk matrix? – part 2
In the December 2018 newsletter I asked a simple question – do we need a risk matrix?
In that blog I used the example of a water corporation that had assessed the risk of an unplanned release (loss of containment) of water from a dam as Major (consequence) and Rare (likelihood), which meant that, under their corporate risk matrix, the risk was rated High.
My questions in that blog were: is it really a High risk, and what are the psychological implications of informing management that there is a High risk?
So, is there an alternative? I believe there is; however, it turns everything we have been taught about risk management on its head. My belief is that the use of risk matrices is resulting in inappropriate outcomes of risk assessments, which leads to potentially inappropriate decisions being made in relation to the management of the risk. In my suggested alternative there is no risk matrix!
So, the question then becomes: how do we determine whether a risk is acceptable or not if there is no risk matrix? We will get to that – but first I need to revisit the concept of “risk appetite”.
In a previous article, How Hungry are you to Understand Risk Appetite, I discussed the different methodologies used to determine whether a risk requires further action. I identified in that article that some of the current methodologies used for this purpose were less than optimal (read rubbish).
I also highlighted that the most widely used methodology to identify whether a risk required further action was a matrix similar to that below:
I also offered an alternative, to highlight that there may be a different level of acceptance for different impact categories within the organisation, as shown below:
Both of these require decisions based on the level of risk as derived from the risk matrix once likelihood and consequence have been determined.
Cue the discussion in the previous blog about how the level of risk can change simply by using a different matrix.
So, how can we make this less dependent on an arbitrary risk level and more objective? The answer lies in the consequence rating of the risk.
The basis of my theory is that the higher the consequence of an identified risk, the lower the level of likelihood we should strive to reach and maintain – it’s as simple as that.
So, instead of using tables such as those above, we could use a variation which provides the same result every time, because there is no matrix.
My alternative is shown below:
What this methodology does is focus less on the perceived level of risk and more on what is most important: doing everything possible to ensure that those potential events (risks) with the highest consequences are being managed effectively through the organisation’s control framework.
It also highlights how fundamental it is that likelihood be based on control effectiveness rather than on time, frequency or probability (as detailed in Risk Tip #1 – Likelihood).
To me, this is absolutely fundamental in moving from “doing” risk management to managing risk.
So, if we go back to our original risk, unplanned release (loss of containment) of water from a dam, the “appetite” for this risk would be as follows:
What we have now is a way of expressing a “risk appetite” that is less about an arbitrary risk level and is focused on ensuring that the organisation’s highest consequence risks are being controlled.
Used in conjunction with the Operational Risk Report format detailed in Risk Tip #12 (as shown below), we are no longer assuming controls are effective – we are obtaining assurance.
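To make the matrix-dependence point above concrete, here is an added worked example (my own illustration, not the author’s tables or the water corporation’s matrix). It rates the same Major/Rare assessment under two hypothetical corporate matrices and gets two different answers, then applies the consequence-driven alternative: a likelihood target per consequence level, with the assessed likelihood derived from a control effectiveness rating rather than from frequency. The consequence and likelihood scales, both matrices, the likelihood targets and the control-effectiveness mapping are all constructed assumptions for the illustration.

```python
"""Risk rating with and without a matrix (added illustration, not the author's tool).

Two hypothetical corporate risk matrices give different ratings for the same
Major/Rare assessment, while a consequence-driven likelihood target gives one
answer that does not depend on any matrix. All scales, grids and targets are
constructed assumptions.
"""
from enum import IntEnum


class Consequence(IntEnum):
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CATASTROPHIC = 5


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


# Hypothetical matrix A: an explicit grid, rows = consequence,
# columns = likelihood (Rare .. Almost certain). Weighted towards
# consequence, so Major/Rare comes out as High.
MATRIX_A = {
    Consequence.INSIGNIFICANT: ["Low", "Low", "Low", "Medium", "Medium"],
    Consequence.MINOR:         ["Low", "Low", "Medium", "Medium", "High"],
    Consequence.MODERATE:      ["Low", "Medium", "Medium", "High", "High"],
    Consequence.MAJOR:         ["High", "High", "High", "Extreme", "Extreme"],
    Consequence.CATASTROPHIC:  ["High", "Extreme", "Extreme", "Extreme", "Extreme"],
}


def rate_matrix_a(c: Consequence, l: Likelihood) -> str:
    """Look the rating up in the hypothetical grid."""
    return MATRIX_A[c][int(l) - 1]


def rate_matrix_b(c: Consequence, l: Likelihood) -> str:
    """Hypothetical matrix B: score = consequence x likelihood, then banded."""
    score = int(c) * int(l)
    if score >= 15:
        return "Extreme"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


# The alternative: no matrix. For each consequence level, the highest
# likelihood the organisation will tolerate (hypothetical targets).
LIKELIHOOD_TARGET = {
    Consequence.CATASTROPHIC: Likelihood.RARE,
    Consequence.MAJOR: Likelihood.RARE,
    Consequence.MODERATE: Likelihood.UNLIKELY,
    Consequence.MINOR: Likelihood.POSSIBLE,
    Consequence.INSIGNIFICANT: Likelihood.LIKELY,
}

# Likelihood derived from control effectiveness rather than frequency
# (hypothetical mapping of an assurance rating onto the likelihood scale).
LIKELIHOOD_FROM_CONTROLS = {
    "effective": Likelihood.RARE,
    "partially effective": Likelihood.POSSIBLE,
    "ineffective": Likelihood.LIKELY,
    "not assessed": Likelihood.ALMOST_CERTAIN,  # no assurance: assume the worst
}


def assess(c: Consequence, control_effectiveness: str) -> dict:
    """Rate one risk three ways: matrix A, matrix B, and the matrix-free target check."""
    likelihood = LIKELIHOOD_FROM_CONTROLS[control_effectiveness]
    target = LIKELIHOOD_TARGET[c]
    return {
        "likelihood": likelihood,
        "target": target,
        "within_appetite": likelihood <= target,   # independent of any matrix
        "matrix_a": rate_matrix_a(c, likelihood),
        "matrix_b": rate_matrix_b(c, likelihood),
    }


if __name__ == "__main__":
    # The dam example: Major consequence, controls assessed as effective.
    print(assess(Consequence.MAJOR, "effective"))
    # The same risk once a control review finds the controls only partially effective.
    print(assess(Consequence.MAJOR, "partially effective"))
```

Under these assumptions the first print shows matrix A rating the dam risk High and matrix B rating it Low for the identical Major/Rare input, which is the arbitrariness the post objects to, while `within_appetite` is True under either. In the second print the control review moves the likelihood to Possible, the Major target of Rare is breached, and the risk requires action regardless of which matrix the organisation happens to use.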