IS IT POSSIBLE TO GIVE DUE ATTENTION TO RISK APPETITE AND ALARP IF WE USE 3*3 RISK MATRIX WHEN WE ASSESS OUR RISKS?
Planning and risk management, Undervisningsbygg Oslo KF
Many organizations choose to visualize and rank their risks and opportunities by using a risk matrix. Several use a 3-scale rating for impact and likelihood. When we ask these organizations the pros and cons of their choice, they tend to answer that the 3*3-matrix is simple and easy to grasp. Further, the existing standards and guidelines do not have any requirements in that area.
It’s true that COSO, Enterprise Risk Management (2017) suggests in Principle 10 that an organization can choose its techniques depending on the size, geographic footprint, and complexity of the entity. Similarly, the ISO 31000 Risk Management Guidelines say that the detail and complexity of the analysis will depend on the purpose of the analysis, the availability and dependability of data, and the organization’s resources.
However, it is important that the organizations are aware of the consequences of choosing a 3*3 matrix. These will be discussed below.
- Does the matrix reflect the risk appetite of the organization?
Organizations generally combine a 3*3-risk matrix with risk neutrality. Under these assumptions the matrix will look like the following:
The existing standards and guidelines recommend that the colour coding of the matrix reflects the risk appetite. According to COSO-ERM (2017): “(…) Risk-averse entities may code more squares in red compared to risk aggressive entities …”
If the organization adjusts the colours in accordance with its risk aversion or risk willingness, the matrix may look like the following:
- Is it possible to combine these matrices with an ALARP analysis?
Both ISO 31000 and COSO ERM (2017) recommend that an organization evaluates the costs and benefits of the available alternatives when it introduces measures to handle its risks and opportunities.
ALARP (as low as reasonably practicable) analysis is a good instrument in that context. The analysis allows the organization to reduce the residual risk in a given area as far as is reasonably practicable. As an example, let’s assume that our IT department wishes to reduce the risk of “insufficient password protection”. All employees are given an introductory course on password security when they start at the company, there is also an online course, and the subject is periodically discussed in company meetings. If the IT department wishes to order a penetration test in addition, it should weigh the expected benefit of this measure, i.e. the increase in password security, against the cost of performing the test.
The risk matrix should show not only the low risks that we accept and the high risks that we handle, but also the risks that we tolerate because the expected benefit of the monitoring or handling measure is lower than the expected cost of introducing it. The yellow area in our matrix indicates the situations where such an analysis should be performed.
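As an added example that is not part of the article, the following Python encodes a 3*3 matrix whose colour coding shifts with risk appetite (risk-neutral, risk-averse, risk-aggressive) and applies the ALARP cost-benefit test only in the yellow zone. The thresholds, the colour of each cell and the cost and benefit figures are constructed assumptions, not values taken from COSO or ISO 31000.

```python
# Added example, not from the article: colour coding of a 3*3 risk matrix that
# shifts with risk appetite, plus the ALARP test applied in the yellow zone.
# Thresholds and cell colours are constructed assumptions, not COSO/ISO values.

SCALE = (1, 2, 3)  # impact and likelihood: 1 = low, 2 = medium, 3 = high


def colour(impact: int, likelihood: int, appetite: str = "neutral") -> str:
    """Return 'green', 'yellow' or 'red' for one cell of the matrix."""
    score = impact * likelihood  # risk-neutral scoring: 1, 2, 3, 4, 6 or 9
    if appetite == "neutral":
        return "green" if score <= 2 else "yellow" if score <= 4 else "red"
    if appetite == "averse":
        # More squares red: any high impact, and medium-or-worse combinations.
        if impact == 3 or score >= 4:
            return "red"
        return "green" if score == 1 else "yellow"
    if appetite == "aggressive":
        # Fewer squares red: only the high-impact, high-likelihood cell.
        if score == 9:
            return "red"
        return "green" if score <= 3 else "yellow"
    raise ValueError(f"unknown risk appetite: {appetite!r}")


def red_count(appetite: str) -> int:
    """Number of red cells; risk-averse coding yields more than risk-aggressive."""
    return sum(colour(i, lk, appetite) == "red" for i in SCALE for lk in SCALE)


def alarp_decision(impact: int, likelihood: int, measure_cost: float,
                   expected_benefit: float, appetite: str = "neutral") -> str:
    """Accept green risks, handle red ones; in the yellow zone, tolerate the
    risk unless the measure's expected benefit exceeds its expected cost."""
    cell = colour(impact, likelihood, appetite)
    if cell == "green":
        return "accept"
    if cell == "red":
        return "handle"
    return "handle" if expected_benefit > measure_cost else "tolerate"


def render(appetite: str = "neutral") -> str:
    """Text matrix: rows impact high to low, columns likelihood low to high."""
    rows = [" ".join(f"{colour(i, lk, appetite):>6}" for lk in SCALE)
            for i in reversed(SCALE)]
    return "\n".join(rows)


if __name__ == "__main__":
    for appetite in ("neutral", "averse", "aggressive"):
        print(f"\n{appetite}: {red_count(appetite)} red cells\n{render(appetite)}")
    # Password example: pen test in the yellow zone, constructed cost 80 vs benefit 50
    print(alarp_decision(2, 2, measure_cost=80, expected_benefit=50))
```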
It is important that the organization is conscious of its choice when it employs a risk matrix. Does a simple matrix represent a hindrance to further evaluations?
COSO, Enterprise Risk Management: Integrating with Strategy and Performance, June 2017
ISO 31000:2018, Risk management – Guidelines
COSO, June 2017, Principle 11, page 77