Developing the Consequence Matrix: it’s all about the Key Performance Indicators
Everything we do has a consequence no matter how small or how significant that consequence may be. Similarly, the consequences that arise from incidents that occur in the workplace, can range from the insignificant through to the catastrophic.
So the question is; how do we estimate the consequences of the risks that may arise within our organisations?
The most common approach to the consequence matrix is using “descriptors” as a way of determining how each risk may impact on the organisation. Typical examples of these descriptors are:
- significant impact on the environment;
- catastrophic impact on an organisation’s ability to achieve its objectives;
- irrevocable damage to the reputation of the organisation; and
- high level, frequent litigation.
But, how do you actually quantify what significant or catastrophic looks like in any of these descriptors or what frequent looks like under the same descriptors?
When we are conducting a risk workshop in order to determine the consequence should the risk eventuate there are no absolutes, the best we can hope for is a consensus. Such a consensus becomes much more difficult when consequences are described as previously mentioned. One person may argue that the consequences of a risk, if it were to eventuate, would be severe, whereas another attendee at the workshop may consider the consequences to be moderate. If these are our only parameters then how likely is it that we are going to reach that consensus.
So, what we need is something a little bit more definitive and I call it continuum of performance.
If we look in our organisation, we have a number of key performance indicators (KPIs) and we want to achieve certain levels against those KPIs. It’s one thing to anticipate a consequence and measure its chances of happening, which could be high, medium or low; but it’s a completely different matrix when you place those consequences against your KPIs to understand the actual impact on your organisation’s performance.
As an illustration, a severe consequence against the reputation category may be: Severe negative impact on the reputation of the organisation. But what does this mean? Perhaps a better way to capture the potential consequences is shown below:
As you can see, defining the consequence criteria in this manner rather than through vague references to “significant risk”, “numerous incidents” or “substantial impact” provides greater granularity and will assist in achieving the consensus previously mentioned.
This will become a really powerful tool for you to actually estimate and make judgements around the potential impacts of events as they occur or as they threaten to occur.
If you want to learn more about risk management and consequences, sign up for a Paladin Risk Management course and start today to get better control of the consequences that lie ahead.
At Paladin Risk Management Services, we work closely with our clients to tailor solutions that give you the capability to prepare for the challenges of tomorrow and concentrate on the successes of today.