Risks and opportunities by using a risk matrix

Risk Management


Ayse Nordal,

Planning and risk management, Undervisningsbygg Oslo KF

  1. Background

Many organizations choose to visualize and rank their risks and opportunities by using a risk matrix. Several use a 3-scale rating for impact and likelihood. When we ask these organizations the pros and cons of their choice, they tend to answer that the 3*3-matrix is simple and easy to grasp.  Further, the existing standards and guidelines do not have any requirements in that area.

It’s true that COSO, Enterprise Risk Management (2017)[1] suggests in Principle 10 that an organization can choose its techniques depending on the size, geographic footprint, and complexity of the entity. Similarly, ISO 31000 Risk Management Guidelines says that the details and complexity of the analysis will depend on the purpose of the analysis, the availability, and dependability of data as well as organizations’ resources[2].

However, it is important that the organizations are aware of the consequences of choosing a 3*3 matrix. These will be discussed below.

  1. Does the matrix reflect the risk appetite of the organization?

Organizations generally combine a 3*3-risk matrix with risk neutrality. Under these assumptions the matrix will look like the following:

The existing standards and guidelines recommend that the colour coding of the matrix reflects the risk appetite. According to COSO-ERM (2017)”(…), Risk-averse entities may code more squares in red compared to risk aggressive entities…”[3]

If the organization adjusts the colors in accordance with risk-aversion or risk-willingness, the matrix may look like the following:

  1. Is it possible to combine these matrices with an ALARP analysis?

Both ISO 31000 and COSO ERM (2017) recommend that an organization evaluates the costs and benefits of the existing alternatives when they introduce measures to handle their risks and opportunities.

ALARP (as long as reasonably practicable) analysis is a good instrument in that context. The analysis allows the organization to reduce the residual risk in a given area as far as reasonably practicable. As an example, let’s assume that our IT-department wishes to reduce the risk of “insufficient password protection”. Let’s assume that all employees are given an introductory course on password security when they start at the company. There is also an online course. Further, the subject is periodically discussed in company meetings. If the IT-department wishes to order a penetration test in addition, they should evaluate the expected benefits of this measure, i.e. the increased password security against the costs of performing this test.

The risk matrix should show not only the low risks that we accept and the high risks that we handle but also those risks that we tolerate because the expected benefit of the monitoring-measure/handling-measure is lower than the expected cost of introducing this measure. The yellow area in our matrix will indicate the situations where we should perform such analysis.

  1. Conclusion

It is important that the organization is conscious of their choice when they employ a risk matrix. Does a simple matrix represent a hinder for further evaluations?

[1] COSO, Enterprise Risk Management Integrating with Strategy and Performance June 2017

[2] ISO 31000 2018

[3] COSO, June 2017, Principle 11 page 77

Se også; Risikomodell for Start-ups

A Simple Scenario-based Qualitative Model for Assessing Start-up Risk
Vi er så heldig å kunne dele vår kursleder i risikostyring Ayse Nordal sin risiko modell for Star-ups.Ta kontakt om du ønsker å få den tilsendt: info@qrn.no. Denne er publisert og tilgjengelig på Scitepress Library, se digital object identifier og referanse til proceedings.

Author: Y Ayse Nordal

Collapse ButtonQuick Abstract
ISO 31000:2018 Risk Management Guidelines and COSO:2017 Enterprise Risk Management framework have two important and common characteristics. Firstly, they connect risks with business objectives. Secondly, they define risks as potential events that represent both positive and negative deviations from the expected. When a start-up company assesses its risks….  Se www.qrn.no/blog

Y. Ayse B. Nordal
fotokred: qrn/Annlaug

Ayse Nordal – kursleder i Risikostyring/Risk Management

Ayse Nordal er til daglig seniorrådgiver for strategisk planlegging og risikostyring ved Undervisningsbygg, Oslo  kommune. Ayse har B Sc. og M Sc. i økonomi og statistikk (teknisk universitet) og lisensiat i anvendt sosialøkonomi og makroøkonomi (NHH). Hennes spesialområder er strategisk planlegging, internkontroll og risikostyring, og er sertifisert akkreditert risikoleder (Risk Manager).

KRN Academy RM  m/ grunnkurs og lederkurs med mulighet for sertifisering EOQ Risk Manager