ERM Matrix

The risk assessment matrix will help your organization identify and prioritize different risks, by estimating the probability of the risk occurring and how severe the impact would be if it were to happen.

A risk assessment matrix is a common tool used by organizations of all sizes for three major reasons:

  • To measure the size and scope of risk
  • To determine if they have the appropriate resources to minimize the risk
  • To triage and prioritize the list of risks in a legible, easy-to-read matrix

The risk assessment matrix can help identify risks across the whole company, at the enterprise, business-process, and individual-process levels.

The risk assessment process in 4 steps

The risk assessment process may seem intimidating. But I’d like to offer a simplified view without a bunch of mathematical computations.

The process:

  • Identify the risk universe
  • Determine the risk criteria
  • Assess the risks
  • Prioritize the risks

Step 1: Identifying the risk universe

The goal of this first step is to capture the full scope of the risks the organization currently faces.

To start off, you’ll want to make sure you cast as wide a net as possible. The most effective way to do this is with free-flow brainstorming sessions. These brainstorming sessions will generate a list of ideas that will serve as the foundation of the risk assessment matrix.

Now, let’s get the creative juices flowing!

From my own personal experience, I like to start with high-level risk categories that align to business functions, and then drill down to specific processes within those functions. This helps me narrow the focus down after a broad brainstorming session.

Additionally, your risk universe will contain concerns specific to your industry, along with concerns unique to your company.

Here’s one way that I would organize my risks:

  • Strategic: Increased competition
  • Operational: Lack of available resources
  • Financial: Cost of capital
  • Market: Social media presence
  • Technology: Data security

Step 2: Determining the risk criteria

Before assessing each risk, you’ll want to develop a common set of factors to help evaluate your organization’s risk universe.

A typical risk assessment matrix uses two main criteria:

  • Likelihood (the level of possibility)
  • Consequence (the level of impact)

However, some organizations may add other factors such as vulnerability and speed of onset. This is a critical step, as these criteria will drive the discussions throughout the rest of the process.

Beware of underestimating the importance of reaching consensus on the criteria. After all, you can’t manage what you can’t measure.

Step 3: Assessing the risks

This next step is where things start to get fun. (Well, as fun as a risk assessment matrix can be.) We’re going to assess the risks based on the criteria we laid out in the previous steps.

Where the identification step was qualitative in nature, this step adds a quantitative analysis of the most important risks.

Most organizations use a common, three-part “High, Medium, and Low” scale at this stage, but a more granular scale, such as “1–5,” may suit your organization better.

Step 4: Prioritizing the risks

In the last step, we’re going to compare the different levels of risk (from step three) against the risk criteria (from step two). In other words, prioritizing risk accounts for the impact, likelihood, and importance of each risk, and outputs a plan.

If these last two steps sound subjective, that’s because they are. Expert judgment is involved in risk assessment and prioritization techniques to identify potential impacts, define inputs, and interpret the data.
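To make steps 2 through 4 concrete, here is an added example (not from the original post) that scores the five sample risks from step 1 on a 1–5 likelihood and consequence scale, keeps speed of onset as an optional tie-breaker, maps the product onto High/Medium/Low, and lays the results out as a 5×5 matrix. The scores, the rating thresholds (15 and 8) and the tie-break order are my own assumptions for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # the granular "1-5" scale the post suggests


@dataclass(frozen=True)
class Risk:
    category: str
    name: str
    likelihood: int          # 1 = rare ... 5 = almost certain
    consequence: int         # 1 = negligible ... 5 = severe
    speed_of_onset: int = 3  # optional extra factor: 1 = slow ... 5 = immediate

    def __post_init__(self):
        # Reject scores outside the agreed scale; consensus on criteria is step 2.
        for value in (self.likelihood, self.consequence, self.speed_of_onset):
            if value not in SCALE:
                raise ValueError(f"{self.name}: scores must be in {list(SCALE)}")


def score(risk: Risk) -> int:
    """Inherent risk score: likelihood x consequence, range 1..25."""
    return risk.likelihood * risk.consequence


def rating(value: int) -> str:
    """Assumed bands for the 1..25 product (thresholds are illustrative)."""
    return "High" if value >= 15 else "Medium" if value >= 8 else "Low"


def prioritize(risks):
    """Rank by score, then impact, then speed of onset (fast-onset risks win ties)."""
    return sorted(risks, key=lambda r: (score(r), r.consequence, r.speed_of_onset), reverse=True)


def build_matrix(risks):
    """5x5 grid keyed (consequence, likelihood) -> names, i.e. the heat-map cells."""
    grid = {(c, l): [] for c in SCALE for l in SCALE}
    for r in risks:
        grid[(r.consequence, r.likelihood)].append(r.name)
    return grid


def render(grid) -> str:
    """Text rendering: severe consequences on top, likelihood increasing to the right."""
    lines = ["Consequence \\ Likelihood | " + " | ".join(str(l) for l in SCALE)]
    for c in reversed(SCALE):
        cells = [", ".join(grid[(c, l)]) or "-" for l in SCALE]
        lines.append(f"{c:<25}| " + " | ".join(cells))
    return "\n".join(lines)


# Constructed scores for the post's five example risks (illustrative values only).
RISK_UNIVERSE = [
    Risk("Strategic", "Increased competition", likelihood=4, consequence=3),
    Risk("Operational", "Lack of available resources", 3, 4, speed_of_onset=2),
    Risk("Financial", "Cost of capital", 2, 3),
    Risk("Market", "Social media presence", 3, 2),
    Risk("Technology", "Data security", 3, 5, speed_of_onset=5),
]

if __name__ == "__main__":
    for r in prioritize(RISK_UNIVERSE):
        print(f"{rating(score(r)):6} {score(r):2}  {r.category}: {r.name}")
    print(render(build_matrix(RISK_UNIVERSE)))
```

Two risks with the same product (here 12) are separated by consequence first, so the prioritized list is not just the raw score order.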
