A key takeaway for attendees at the free interactive webinars I am running with my colleague Dr Andrew Pratley on quantifornication was that when it comes to the field of risk assessment, scrapping the risk matrix is not the first step you should take.
There are many, many risk practitioners who are calling for the scrapping of the risk matrix. When I run the RMIA’s Enterprise Risk Management course I ask participants why the risk matrix came into being. The answer is to navigate a path between two people arguing about whether a risk is too high to take or not. The risk matrix defines risk levels based on assessed levels of likelihood and consequence and pre-defined risk criteria. If you are accurate in your assessment of likelihood and consequence, and your risk criteria are appropriate for your appetite for risk, it is a good tool for decision-making.
So what is the problem?
The problem is that the assessments of likelihood and consequence are simply wrong or misleading. They are either plucked out of thin air or are not presented with information about the underlying probability distributions.
So don’t scrap the risk matrix just yet. People are used to it, it facilitates great conversations that need to be had, and it can be used as the starting point for getting accurate with risk analysis. Andrew and I are simply suggesting that you take one of your higher risks on your risk heat map and start asking the right questions about the underlying problem. Is it likelihood that we really don’t understand, or consequence, or both? Do we have a lack of understanding of the reliability and effectiveness of controls?
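As an added illustration of the two points above (it is not from the original post or the webinar material): a constructed 5×5 matrix, one risk placed on it as a point estimate, and then the same risk re-run with a spread around each estimate, so you can see how much of the probability mass actually lands in other cells. The band edges, level thresholds, sigma values and the sample risk are all assumptions chosen for the example.

```python
import math
import random
from collections import Counter

# Constructed 5x5 matrix: band 1..5 for annual event frequency and for loss.
# Upper edges of bands 1..4 (anything above the last edge is band 5).
FREQ_EDGES = [0.01, 0.1, 1.0, 10.0]               # events per year
LOSS_EDGES = [1_000, 10_000, 100_000, 1_000_000]  # loss per event (currency units)
LEVELS = ["Low", "Medium", "High", "Extreme"]

def band(value, edges):
    """Map a value onto its 1..5 matrix band using the upper edges."""
    for i, edge in enumerate(edges, start=1):
        if value <= edge:
            return i
    return len(edges) + 1

def risk_level(likelihood_band, consequence_band):
    """Risk criteria: product of bands, cut at 4/9/15 (constructed thresholds)."""
    score = likelihood_band * consequence_band
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 15:
        return "High"
    return "Extreme"

def point_estimate_level(freq, loss):
    """The usual matrix placement: one number for likelihood, one for consequence."""
    return risk_level(band(freq, FREQ_EDGES), band(loss, LOSS_EDGES))

def level_mix(freq_median, loss_median, freq_sigma, loss_sigma, n=20_000, seed=1):
    """Same risk, but each input is a lognormal spread around the point estimate.
    Returns the fraction of simulated outcomes landing in each matrix level."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n):
        freq = rng.lognormvariate(math.log(freq_median), freq_sigma)
        loss = rng.lognormvariate(math.log(loss_median), loss_sigma)
        counts[risk_level(band(freq, FREQ_EDGES), band(loss, LOSS_EDGES))] += 1
    return {lvl: counts[lvl] / n for lvl in LEVELS}

if __name__ == "__main__":
    # Constructed risk: "about one event every two years, costing about 50,000".
    print("Point estimate:", point_estimate_level(0.5, 50_000))
    # A sigma of 1.0 is roughly a factor-of-e uncertainty either side of the median.
    for lvl, share in level_mix(0.5, 50_000, freq_sigma=1.0, loss_sigma=1.0).items():
        print(f"{lvl:8s} {share:6.1%}")
```

With the assumed inputs the point estimate sits in a single "Medium" cell, while the simulated version puts a large share of outcomes in "High" or above, which is exactly the conversation the matrix alone does not prompt.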
When you identify one or more problems you can start a journey to getting accurate with risk analysis using the three-question framework Andrew and I introduced you to in our blog From Guestimate to Estimate – As simple as 1,2, 3.
Stay safe and adapt – with better measurement!