The risk matrix has served its purpose but falls well short of the data-driven business requirements of today. Enter the Risk & Value Framework.
For more than a decade, the risk matrix has been the go-to decision-making tool for assessing risk, and for good reason. The risk matrix is practical, easy to use and flexible enough to apply to various risk types and situations, including:
- Assessing risks of a particular asset or event
- Deciding which investments or projects have the highest importance
- Choosing which risk controls to implement
Figure 1 Example of a Risk Matrix
The purpose of the risk matrix is to simplify the assessment process and provide an alignment of impacts across several relevant categories of risk, while still providing meaningful results. Technology and data processing tools now allow for more complex assessments using simple interfaces – this plays a major role in supporting the increasing need for improved risk-based decision making.
Shortfalls of the risk matrix
Granularity and/or resolution
Risk is not discrete and does not fall into set levels or buckets; it is continuous. Thus, the first shortfall of the risk matrix is that similar risks cannot be separated because they fall in the same level of the matrix, even though there are known differences. This reduced granularity can result in sub-optimal decisions and missed opportunities for improvement, because subtle differences in likelihood or consequence will likely result in the same ‘risk box’ selection.
If you were to prioritize two similar risks with all else being equal, it would make sense to address the slightly higher risk before the lower risk – even though the assigned risk level is the same according to the matrix.
Consider a reduction in the likelihood of an event by 50%, from once in 50 years to once in 100 years, i.e. doubling the life of an asset. This is a huge improvement and may mitigate a significant amount of risk, especially if this is then applied at scale. According to some risk matrixes, the likelihood before and after would be ‘rare’, showing no improvement in risk exposure.
Businesses with large volumes of risk data need to be able to resolve very similar risks to make the best decisions possible, especially when constrained on expenditure or resources. This is even more evident when dealing with large fleets of similar assets and risks.
Multiple risks transparency
The next shortfall of the typical risk matrix is the ability to handle and interpret events that cause multiple similar consequences.
Consider an equipment failure that causes a large amount of smoke in a building. The result may be that 50 people require medical treatment for smoke inhalation. If a single medical treatment injury is assessed as a ‘moderate’ safety consequence, at what point does the sum of these injuries constitute the equivalent of a ‘critical’ or ‘catastrophic’ consequence? E.g. 10, 50, 100 persons?
Without the ability to summate or determine a total risk for an event, low impact but high-volume consequences could leave your organization exposed.
Assessing risk based purely on outcome risk levels is only one-half of the equation for making effective decisions. The usual risk matrix methodology prioritizes the highest risk levels first, with little regard for the cost to achieve the mitigation. Because organizations have limited resources, determining the best way to utilize these resources is key to remaining competitive in the marketplace. The missing component is cost (monetary or otherwise), and without a cost component, we are unable to answer the following question.
If I can mitigate one of two ‘moderate’ safety risks with the same likelihood, which one should I mitigate?
Once you identify that mitigation of the first risk costs 50% less in dollars, time and resources, the decision becomes clearer. The answer to this critical question is missing from most risk matrixes and risk frameworks.
To make effective decisions around risk mitigation and exposure, an organization must be able to compare and trade off the value from different risk types (e.g. stakeholder risk vs. environmental risk). In a budgetary or resource-constrained environment, this is especially important. An organization must understand which consequences are more important relative to others. A risk matrix partially does this by grouping the consequences into ‘negligible’ or ‘moderate’ groupings. However, this does not answer the question:
If I can spend $1000 and mitigate either a ‘moderate’ stakeholder risk or a ‘moderate’ environmental risk with the same likelihood, which one should I do?
The matrix type framework is not flexible enough for most organizations to achieve exact alignment of risk types.
X by Y grid and descriptions
When thinking about consequences, the risk ‘levels’ must be meaningful to be consistently applied. This is why safety risks are often thought about in terms of ‘first aid’, ‘medical treatment’, ‘disabling’ or ‘fatal’ injuries. These can be measured and conceptually linked to an event as the most likely outcome. The ‘negligible’ and ‘moderate’ descriptions aren’t meaningful enough.
In the safety risk example above, there are four consequence levels. What if an environmental risk type is introduced into the matrix, and it only has three consequence levels (e.g. ‘<100L spill’, ‘100L-500L spill’ and ‘>500L spill’)? Because the number of meaningful levels can be different between risk types, they cannot fit into an X by Y matrix without distortion.
The solution: ‘The Risk & Value Framework’
Identify what is important to your organization (measures)
The first step in creating a risk and value framework is to identify the things that your organization values or considers to be important. An existing risk management framework or risk matrix is a good place to start. Risk types (e.g. safety, environment, stakeholder, legal and compliance etc.) are common values that can be measured and are found in most value frameworks.
Benefits such as financial returns, increases in employee efficiency and so on are also important and should be included. Another common inclusion in a risk and value framework is strategic targets, KPIs or other measures. Everything identified in this step is known as a ‘measure’.
Identify the common levels and calculations
Each ‘measure’ obviously needs to be measured! The next step is to determine the discrete levels for each measure (e.g. for safety, they could be ‘first aid’, ‘medical treatment’, ‘disabling’ or ‘fatal’ injuries). Then add calculations for KPIs or values like ‘employee efficiency’ where an exact value can be obtained. For example:
Employee efficiency = Number of employees affected x hourly rate x hours saved per employee
Once the value measures and their calculations have been identified, they need to be aligned to a common scale. This is to allow a non-biased tradeoff between any of the measures in the framework. Typically, this common scale is dollars or a dollar equivalent unit. Every level and calculation of every value measure needs to be quantified. For most risk types, this is calculated as the direct cost or benefit to the organization.
For example, the cost to the organization for a safety medical treatment injury (MTI) would be:
$10,000 penalty cost + $1,000 legal cost + $1,500 compensation cost = TOTAL $12,500
Now that we have a rational and consistent way to assign a value to every risk, benefit, cost and other measure that an organization values, the value framework can be used to assess every investment the same way.
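The following sketch is an added example, not part of the original article or of any vendor tool. It puts the article's own figures on the common dollar scale: the $12,500 medical treatment injury, the 50-person smoke event and the once-in-50 to once-in-100-years improvement. It assumes that annual exposure is frequency multiplied by the summed consequence value; the likelihood bands, the first-aid value and the mitigation costs are constructed for illustration.

```python
from dataclasses import dataclass

# Dollar value per consequence level. The medical-treatment figure is the
# article's worked total; the first-aid figure is a constructed placeholder.
LEVEL_COST = {"first_aid": 500.0, "medical_treatment": 12_500.0}

# Constructed matrix likelihood bands (events per year, lower bound inclusive).
BANDS = [(1 / 10, "likely"), (1 / 30, "unlikely"), (0.0, "rare")]

def matrix_band(freq_per_year):
    """Likelihood label a risk matrix would assign to an annual frequency."""
    return next(label for floor, label in BANDS if freq_per_year >= floor)

def annual_exposure(freq_per_year, consequences):
    """Expected dollars per year (assumed model: frequency x summed value).
    consequences maps a level name to the number of occurrences per event."""
    per_event = sum(LEVEL_COST[level] * n for level, n in consequences.items())
    return freq_per_year * per_event

@dataclass
class Mitigation:
    name: str
    cost: float            # dollars to implement (constructed)
    freq_before: float     # events per year before mitigation
    freq_after: float      # events per year after mitigation
    consequences: dict     # level name -> count per event

    def risk_reduction(self):
        return (annual_exposure(self.freq_before, self.consequences)
                - annual_exposure(self.freq_after, self.consequences))

    def value_per_dollar(self):
        return self.risk_reduction() / self.cost

def prioritize(options):
    """Rank mitigations by annual risk reduction bought per dollar spent."""
    return sorted(options, key=Mitigation.value_per_dollar, reverse=True)

# Constructed sample: the smoke event (50 treatments) and a smaller mixed event.
smoke = Mitigation("smoke event", 20_000, 1 / 50, 1 / 100, {"medical_treatment": 50})
minor = Mitigation("minor event", 10_000, 1 / 50, 1 / 100,
                   {"medical_treatment": 1, "first_aid": 4})

if __name__ == "__main__":
    for m in prioritize([minor, smoke]):
        print(m.name, matrix_band(m.freq_before), matrix_band(m.freq_after),
              round(m.risk_reduction(), 2), round(m.value_per_dollar(), 4))
```

Both options sit in the same ‘rare’ band before and after mitigation, yet on the dollar scale the smoke event mitigation removes far more exposure per dollar spent and ranks first.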
The risk and value matrix is a great tool for rapid risk qualification, but it cannot be used effectively to make true risk and value-based decisions. More information is required.
Organisations today need to:
- Differentiate large volumes of risk, risks with extremely small likelihoods, and risks across different categories with different weightings
- Evaluate and totalize multiple risks
- Incorporate costs into risk-based decision-making processes
- Trade off one risk type for another achieving a better overall economic outcome
- Have a framework that accomplishes all of the above with consistent application and transparency
Creating a risk and value framework meets these requirements and allows organizations to make effective value-based and risk-informed decisions.