Risk Assessment: Creating a Risk Matrix


Risk is the big topic of conversation in the compliance industry. Businesses are moving at a faster rate and operations continue to increase in complexity, and yet the need for compliance is stronger than ever. So we need to implement a systematic and objective means to maintain compliance, and keep up with the pace of business.

In just 5 minutes, you'll learn why Risk Assessment is the new benchmark, and how to create a simple Risk Matrix for use in your compliance efforts.

  2. Risk is the new Benchmark
     • Businesses are moving at a faster rate
     • Compliance needs to be maintained
       – need a systematic, quantitative measure
     • Risk is becoming the new benchmark for compliance
       – Objective, Repeatable
       – Helps to make better, more informed decisions
  3. Step 1. Defining Risk
     • Not easy! Companies spend time and money building a risk taxonomy
     • Risk comes from Hazards and Harms
       – Hazards = A situation that poses a level of threat to life, health, property or environment (an undesired event)
       – Harms = resulting damages from the Hazard
       – Risk = The potential that a chosen action or activity will lead to an undesirable event
       – Control = A method of evaluating potential losses and taking action to reduce or eliminate the potential for an undesired event
  4. Step 2. Quantifying Hazards and Harms
     • We need a scale
       – Severity and Frequency
       – Define the level of Risk on a pre-defined Scale:

     Severity      Description
     Catastrophic  Likely to result in death
     Critical      Potential for severe injury
     Moderate      Potential for moderate injury
     Minor         Potential for minor injury
     Negligible    No significant risk of injury

     Frequency     Description
     Frequent      Hazard likely to occur
     Probable      Hazard will be experienced
     Occasional    Some manifestations of the hazard are likely to occur
     Remote        Manifestations of the hazard are possible, but unlikely
     Improbable    Manifestations of the hazard are very unlikely
  5. Step 3. Build it all into a Risk Matrix
     • The Risk Matrix: a tool used in the Risk Assessment process; it allows the severity of the risk of an event occurring to be determined.
     • Graphically displays the total of each of the hazards/harms that contribute to the risk
       – Severity = X
       – Probability = Y
       – Risk Score = XY
     [Figure: matrix with axes Y and X, cells labeled RISK (XY)]
  6. Hold On – There are some “gray areas”
     • Risks are not always “black and white”
     • When defining risk management, some organizations find it convenient to categorize risks into the following three regions:
       – The broadly acceptable region (Generally Acceptable - GA)
       – The ALARP (As Low As Reasonably Practicable) region; and
       – The intolerable region (Generally Unacceptable - GU)
     [Figure: matrix with axes Probability and Severity, divided into GU, GA and ALARP zones; callouts: “But how many zones?” and “How to determine ALARP?”]
  7. Step 4. Test your Risk Matrix
     • You must vet the matrix
       – Risk score is a mathematical measure
       – Use “real world” examples to ensure validity of the matrix
       – Example: False symmetry in risk matrix – needs to be validated with real world situations

     5 10 15 20 25
     4  8 12 16 20
     3  6  9 12 15
     2  4  6  8 10
     1  2  3  4  5

     (axes: PROBABILITY, SEVERITY; callouts: 10, 10)
  8. A Vetted Risk Matrix is just a Tool
     • Risk Matrix is designed as a tool, not a solution
       – Risk is only quantifying the result
       – Organizations need to work on interpreting the decision
     • Risk Teams review events to make decisions, using the Risk Matrix as a tool for the decision-making process
  9. How to Apply The Risk Matrix - Example
     • Use Risk Assessment to filter adverse events
       – What is the risk of the event, versus when it came into the system
       – Prioritize events by their RISK not their due date
     • Resolve low-priority events at the source where they are found
       – Minor Complaints/Nonconformances/Audit findings
       – Events with little impact can be immediately resolved
     • Risk Mitigation: Applies risk assessment to verification and effectiveness in Corrective Action
       – Are we reducing the risk to the right level?
       – Are we truly mitigating risk of recurrence?
     [Figure callout: “Where’s the Risk here?”]
  10. Conclusion
     • Risk Assessment is a great tool for making informed decisions
     • Understand your Hazards and Harms within the organization
     • Build a scale that makes sense to your organization
     • Plot the scale on a graph to form a Risk Matrix
     • Determine where the acceptable and unacceptable risks lie
     • Then, vet that matrix with real-world historical examples
     • Use the Risk Matrix as a tool within a Risk team to filter adverse events by their Risk
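
Steps 2 to 4 in Python, as an added example that is not part of the original slides: it scores the slide scales with X × Y, lists the cells that tie on score despite different severity (the false symmetry from Step 4), and vets the matrix against past rulings. The 1-5 numbering of the scales, the GA/GU cut-offs and the HISTORY cases are assumptions constructed for illustration.

```python
from collections import defaultdict

# Scales from the slides; the 1-5 numbering is an assumption matching the 5x5 grid.
SEVERITY = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Critical": 4, "Catastrophic": 5}
FREQUENCY = {"Improbable": 1, "Remote": 2, "Occasional": 3, "Probable": 4, "Frequent": 5}

# Assumed zone cut-offs (the slides leave them open): score <= 4 is GA, >= 15 is GU.
GA_MAX, GU_MIN = 4, 15


def score(severity, frequency):
    """Risk score = X * Y, as on the slides."""
    return SEVERITY[severity] * FREQUENCY[frequency]


def zone(severity, frequency):
    """Map a cell to GA, ALARP or GU using the assumed cut-offs."""
    s = score(severity, frequency)
    if s <= GA_MAX:
        return "GA"
    return "GU" if s >= GU_MIN else "ALARP"


def false_symmetry():
    """Group cells that share a score but differ in severity."""
    by_score = defaultdict(list)
    for sev in SEVERITY:
        for freq in FREQUENCY:
            by_score[score(sev, freq)].append((sev, freq))
    return {s: cells for s, cells in by_score.items()
            if len({sev for sev, _ in cells}) > 1}


def vet(cases):
    """Return historical cases whose computed zone differs from the team's ruling."""
    return [(sev, freq, expected, zone(sev, freq))
            for sev, freq, expected in cases
            if zone(sev, freq) != expected]


# Constructed historical cases: (severity, frequency, zone the risk team decided).
HISTORY = [
    ("Catastrophic", "Remote", "GU"),
    ("Minor", "Frequent", "ALARP"),
    ("Negligible", "Occasional", "GA"),
    ("Critical", "Probable", "GU"),
]

if __name__ == "__main__":
    for s, cells in sorted(false_symmetry().items()):
        print(s, cells)
    for row in vet(HISTORY):
        print("mismatch (severity, frequency, ruled, computed):", row)
```

With these assumed cut-offs the Catastrophic/Remote case fails vetting: it scores 10, the same as Minor/Frequent, so a pure X × Y matrix cannot place the two in different zones.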
