This Article is intended to clear confusion caused by some Risk Management Professionals who either do not know what a Risk Matrix is or are seeking to advance their not so New Ideas by deliberately distorting what a Risk Matrix is and its Purpose. Some of the views criticising a Risk Matrix remind me of when I was a 19 Year old Boy, having moved away from home to stay alone. I went to buy new Pots and almost every day I burnt the food I cooked. I decided to take the Pots back to where I bought them and I requested that they give me new Pots as the ones they gave me were Poor Quality. The Shop Representative smiled and exchanged the Pots and with a smile said “Son there is nothing wrong with the Pots, you must learn how to cook”. As I write this Article, I am reminded of this Incident, when Professional Risk Managers hide their incompetence or lack of knowledge by blaming effective Tools and/or distorting what a Risk Matrix is and what its Purpose is.
One will never look Handsome by Accusing another Person of being Ugly – That’s a valuable lesson I learnt from my mom when I was a Small Boy. As we Build Risk Management Knowledge we will never Build it by distorting facts, otherwise Managing Risk will forever be seen by many as a Compliance Driven Tick Box Exercise.
Decision Making is typically described as an ongoing process of making choices by identifying the purpose of a decision, gathering information to inform Decision Making, and assessing alternative scenarios in order to make the best decision under the circumstances and/or context.
Decision Making Process
- Identify the Problem You Want To Resolve or Opportunity You Want To Exploit
- Collect Information To Inform Decision Making
- Identify Alternative Scenarios that can Solve The Problem and/or Optimize The Opportunity
- Weigh The Evidence To Decide Which Scenario You Will Go With
- Implementation of The Decision Made and Continuous Evaluation of the Effectiveness of Decisions Made
Risk Informed Decision Support Matrix
A Risk Matrix is typically a 3 Dimensional Risk Management Dashboard that is normally used to illustrate an Organisation’s Top 6 to 10 Risks (Risk Assessment Output) and how these Risks Should Be Prioritised from a Resource Allocation Point of View and Senior Management Review Point of View. It uses the RAG Rating Approach to Illustrate The Output of a Risk Assessment and is One of the Inputs into the Decision Making Process of an Organisation.
To Create a Risk Matrix, The Risk Assessment Context Should Be Clearly Defined and understood, as well as the Probability of Occurrence of The Risk Scenario and The Potential Impact The Risk Scenario will have on the Achievement of an Organisation’s Vision and Objectives Should It Materialise.
Attributes of a Risk Matrix
It should be noted that a Risk Matrix is not a Risk Assessment, nor is it a RAG Rating Diagram, even though these two variables do inform the Information Composition of a Risk Matrix. A Risk Matrix is not a One Size Fits All Matrix but should be customised for each and every Context (see example Queensland Government Enterprise Architecture ICT Risk Matrix Above) that it relates to. It should be seen as a Decision Support Tool that at a minimum assists Organisations to make the following Decisions:
- Which Objectives will be Impacted by Risks Identified?
- Which Risks should we prioritise within a given time period in terms of Resources and Budget Allocation?
- Which Risks Should be monitored and reviewed at an Activity Level, Functional Level, Department Level, Corporate Level, Board Level and other Stakeholders such as Investors and Governments?
- Which Risks to embrace and not to embrace, i.e. which Risks are On – Strategy or Off – Strategy (e.g. Investments in Politically Volatile Countries, In Insurance which Risk to Retain, Core – Insure, Re-Insure or to decline, credit making decisions in Banking)
- Who will lead the implementation of Risk Optimisation / Exploitation Action Plans?
At a Minimum A Risk Decision Support Matrix should give Decision Makers a Bird’s Eye View of the following Risk Information:
- An Organisation’s Top 6 – 10 Risks Profile informed by an in-depth Quantitative (e.g. Actuarial Analysis, Financial Analysis, Historical Trends Analysis, Big Data Analytics and/or any other fit for purpose Scientific Analysis) and Qualitative (e.g. Strategic Thinker or Decision Maker Hunch) Analysis of Risks. Top 6 – 10 Risks are a result of a Risk Aggregation and Risk Consolidation Process.
- Likelihood or Probability of Occurrence of a Risk Scenario within a defined time period (e.g. 1 Year, 5 Years or 10 Years) should be clearly defined.
- Objectives that the Risk Matrix relates to (e.g. Operational – ICT Risks, Strategic – Economic Risks) should be clearly defined.
- Impact the Risk Scenario, should it materialise, will have on the Achievement of Objectives should be clearly articulated (e.g. on Financial Performance Objectives, Compliance Objectives, Safety Objectives, Service Delivery Objectives, ESG Objectives, Operational Performance Objectives etc).
A Risk Decision Support Matrix is not a Risk Assessment Process or Risk Assessment Methodology but a Visual Risk Dashboard which assists with Decision Making. All Risk Management Variables and KPIs cannot be in a Risk Decision Support Matrix and it was never intended to be as such. At a minimum it:
- Visually aligns Risk against the objectives that will be impacted
- Visually aligns Significant Risks identified with Probability of Occurrence and Impact within a specified time period
- Visually Communicates an Organisation’s Risk Profile for a specified time period
- Visually illustrates Significant Organisation Risks, Likelihood of Occurrence, Impact on Objectives Should the Risk Occur, Risk Optimisation and Review Responsibilities
- Visually illustrates an Organisation’s Risk Appetite and Tolerance Levels
- Visually Provides Context to an Organisation’s Risk Profile.
“When I was 19 I Burnt Food When Cooking, Now I am Over 40 Years, and I still Burn Food When I am Cooking. I have Accepted That The Problem is not the Pots, But That I am a Bad Cook” – Mabutho HLUBI
3 thoughts on “How To Use A Risk Decision Matrix To Support Decision Making”
Thank you for the insight. More often than not people tend to assume a risk decision matrix is a risk assessment.
This is definitely very helpful
Hi, just looking through the insights posted. In the fast moving world of today the process you highlight above is almost reactionary. It might be better to have a first step which is “identify where you need to be!”. Once this is clear, together with company purpose, you can then identify where you have vulnerabilities. “Problems” are not risks, as you know. You then need to assess what is accelerating or amplifying these identified events so that you can estimate the timeline and window of opportunity. No point starting to solve the problem if the problem has gone away before your solution is in place. So rather than use a matrix you might use a fishbone, as the centre line is a timeline and enables prioritisation of actions. Just some thoughts.