The Risk Matrix: Jenmark John F. Jacolbe Gapor Taha
Risk matrix: a matrix that is used during risk assessment to define
the level of risk by considering the category of probability or
likelihood against the category of consequence severity. This is a
simple mechanism to increase visibility of risks and assist management
decision making.
Benefits of a Risk Matrix
• Simple to use
• Common approach
• Compare and Analyze risk across all operations
• Prioritize risk for tolerance or further action
Risk Assessment
• What are the hazards?
• Who is doing what, where & when? (WWW) AND who else might be affected by what is done?
In a risk assessment matrix risks are placed on the matrix based on two
criteria:
• Likelihood: the probability of a risk
• Consequences: the severity of the impact or the extent of damage caused
by the risk.
Likelihood of Occurrence
Based on the likelihood of the occurrence of a risk the risks can be classified under one of
the five categories:
5- Definite: A risk that is almost certain to show up during project execution. If you’re
looking at percentages, a risk that is more than 80% likely to cause problems will fall
under this category.
4- Likely: Risks that have a 60-80% chance of occurrence can be grouped as likely.
3- Occasional: Risks which have a near 50/50 probability of occurrence.
2- Seldom: Risks that have a low probability of occurrence but still cannot be ruled out
completely.
1- Unlikely: Rare and exceptional risks which have a less than 10% chance of occurrence.
Consequences
The consequences of a risk can again be ranked and classified into one of the five categories, based on
how severe the damage can be.
5- Insignificant: Risks that will cause a near negligible amount of damage to the overall progress of
the project.
4- Marginal: Risks that will result in some damage, but where the extent of damage is not too
significant and is not likely to make much of a difference to the overall progress of the project.
3- Moderate: Risks which do not pose a great threat, yet can cause sizable damage, can be classified
as moderate.
2- Critical: Risks with significantly large consequences which can lead to a great amount of loss are
classified as critical.
1- Catastrophic: These are the risks which can make the project completely unproductive and
unfruitful, and must be a top priority during risk management.
Step 3. Build it all into a Risk Matrix
• The Risk Matrix: a tool used in the Risk Assessment process; it allows the severity
of the risk of an event occurring to be determined.
• Graphically displays the total of each of the hazards/harms that contribute to
the risk
– Severity = X
– Probability = Y
– Risk Score = X × Y
When defining risk management, some organizations find it convenient to
categorize risks into the following three regions:
• The broadly acceptable region (Generally Acceptable - GA)
• The ALARP (As Low As Reasonably Practicable) region; and
• The intolerable region (Generally Unacceptable - GU)
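The scoring and the three regions above, worked through as an added example (not part of the original slides). It assumes the consequence rank is inverted (X = 6 - rank) so that Catastrophic, numbered 1 above, carries the highest weight, and it assumes region boundaries of 4 and 15, which the slides do not give; the register entries are constructed.

```python
LIKELIHOOD = {1: "Unlikely", 2: "Seldom", 3: "Occasional", 4: "Likely", 5: "Definite"}
# Page numbering: consequence rank 5 = Insignificant ... 1 = Catastrophic.
CONSEQUENCE = {5: "Insignificant", 4: "Marginal", 3: "Moderate", 2: "Critical", 1: "Catastrophic"}
GA_MAX, GU_MIN = 4, 15  # assumed region boundaries, not given on the page


def severity_weight(consequence_rank):
    """Assumption: X = 6 - rank, so Catastrophic weighs 5 and Insignificant 1."""
    if consequence_rank not in CONSEQUENCE:
        raise ValueError(f"unknown consequence rank: {consequence_rank}")
    return 6 - consequence_rank


def risk_score(likelihood, consequence_rank):
    """Risk Score = X * Y (severity weight times likelihood rank)."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood rank: {likelihood}")
    return severity_weight(consequence_rank) * likelihood


def region(score):
    """Map a score to GA, ALARP or GU using the assumed boundaries."""
    if score <= GA_MAX:
        return "GA"
    return "GU" if score >= GU_MIN else "ALARP"


def build_matrix():
    """Rows: likelihood 5..1. Columns: Insignificant..Catastrophic."""
    return [[region(risk_score(p, c)) for c in (5, 4, 3, 2, 1)] for p in (5, 4, 3, 2, 1)]


def prioritize(register):
    """Return (name, score, region) tuples, highest score first."""
    scored = [(n, risk_score(p, c), region(risk_score(p, c))) for n, p, c in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample register: (name, likelihood rank, consequence rank).
REGISTER = [
    ("Laptop theft, disk encrypted", 3, 4),
    ("Data-centre flood", 1, 1),
    ("Unpatched internet-facing VPN", 4, 2),
    ("Typo on intranet page", 2, 5),
]

if __name__ == "__main__":
    for row in build_matrix():
        print(" ".join(f"{cell:5}" for cell in row))
    for name, score, reg in prioritize(REGISTER):
        print(f"{score:2} {reg:5} {name}")
```

Multiplying the raw ranks instead would score the Unlikely/Catastrophic entry as 1 × 1 = 1, the lowest possible value, which is why the weight is inverted before the product is taken.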
Step 4. Test your Risk Matrix
Step 5. Risk Evaluation
• Acceptance: taking the risk in order to pursue an opportunity. This means making
an informed decision to retain the risk.
Risk Treatments
Further action may be required if the risk level is not acceptable:
1. Elimination: avoiding the risk by deciding not to start or continue with the activity
that gives rise to the risk.
2. Reduction: implement new controls to change the likelihood or the consequence.
3. Transfer/Sharing: sharing the risk with another party or parties (including
contracts and risk financing or insurance). In many cases you can share the financial
or legal risk, but the reputation risk is not easily transferred.