Pulling together a risk management plan for your company is no easy feat. Firstly, you need to properly identify the full gamete of risks that could impact your business. Then gathering and compiling all the necessary information requires time and resources. But arguably the most important step of all is calculating the level of risk by creating a Risk Assessment Matrix. This is what the business takes out from the assessment and puts into action. It requires a high level of expertise and advanced analytical skills if you want the findings to be accurate and credible.
Risk assessment is a systematic approach to measuring, ranking, comparing and prioritising risk in a consistent way, across your company. According to ISO 31000:2009, the risk is “expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence” [Clause 2.1]. As such, risk is measured as a function of the likelihood that cause(s) trigger an occurrence and impact of the consequence using a full-proof system; the Risk Assessment Matrix.
This post will delve specifically into how you can create a Risk Assessment Matrix using a 5-point rating scale that you can customise to your organisation.
Calculating the Likelihood of Risk
The likelihood of a certain occurrence can be given a rating based on qualitative terms or quantitative terms, like probability or frequency of an occurrence over a specified time frame. For example, you can describe the probability of an event occurring over the course of the project or asset, or the frequency of it happening annually based on historical occurrence. Here is an example of a rating scale with examples of qualitative and quantitative definitions. Keep in mind that assessment criteria – such as probability or frequency – should be tailored to fit the nature of the risk you are assessing and potential causes you have identified. This can be calculated on a spectrum of 1 to 5. 1 = Rare (i.e. <once in 100+ years / <10% chance) 2 = Unlikely (i.e. once in 50-100 years / 10-35% chance) 3 = Possible (i.e. once in 25-50 years / 35-65% chance) 4 = Likely (i.e. once in 2-25 years / 65-90% chance) 5 = Frequent/almost certain (i.e. >once in 2 years / >90% chance)
Calculating the Impact of Risk if it occurred
Just like likelihood, the impact or consequence of a certain occurrence can also be given a rating based on qualitative or quantitative terms. Depending on the nature of risk, impact assessment can be tied to a variety of consequences. These too can be calculated on a scale of 1 to 5 based on their severity of impact to finances, health & safety, security, regulatory, operations, reputation and human resources. 1 = Insignificant 2 = Minor 3 = Moderate 4 = Major 5 = Catastrophic A best practice is to assess impact using a combination of considerations and assign a rating where impact is greatest.
Likelihood by Impact = the Risk Assessment Matrix
After effectively evaluating the likelihood and Impact, you are now ready to present the level of risk in the form of a Risk Assessment Matrix with actionable items assigned to each risk. An example of a Risk Assessment Matrix could look something like this.
Once you recognise the level of the risks your business is exposed to, you can prioritise the risks based on their significance and urgency and mitigate them so that your business is protected against financial, reputational and legal losses.