How to use a Risk Matrix in a Bowtie Diagram
As a risk management professional, you may have more in common with Neil Armstrong than you think…
Little known fact – NASA began employing some of the first risk matrices as part of their risk management strategy for the Apollo space program!
Why? Well, space travel is a pretty hazardous industry, and a risk matrix is an effective way to assess the likelihood and severity of risks in space. But for now, let’s come back down to earth. How can you truly understand 'the risk' when it comes to risk management in your own organisation?
In this article, we’re going to cover 5 essential elements of a risk matrix and how to use one. So let’s dive in.
What is risk?
Risk can be simply defined as the combination of the likelihood of an incident occurring and the severity of its consequences.
In order to determine how severe a consequence is, you must assess how effective your barriers are in preventing or mitigating that risk.
Now, if that all sounded like a lot of jargon to you, and you’re not familiar with consequences and barriers, definitely check out our video introducing bowtie terminology and diagrams first.
So we know what ‘risk’ is, what about a risk matrix?
A risk matrix is a tool used to evaluate and prioritise risks based on their probability of occurrence and the severity of their potential impact. It’s a way to measure risk through both a qualitative and quantitative lens.
Risk management professionals use a risk matrix to support decision-making by determining if more should be done to prevent or mitigate risks. You can even implement a risk matrix into your bowtie diagrams, as a way to visualise your risk before and after your barriers come into play.
But don’t worry, unlike NASA, this isn’t rocket science and we’re going to break down the 5 main elements of a risk matrix and how to use one.
Likelihood and severity
A risk matrix is a grid, where one axis represents likelihood, and the other represents severity. The cell where a likelihood and a severity intersect is what gives a risk its risk rating. A typical risk matrix is 5x5, but can be made bigger or smaller based on an organisation’s needs.
First, establish the likelihood of an incident occurring and - assuming we’re working with a standard risk matrix - give it a score from one to five.
Once you’ve established this, determine the severity of the consequences, which will be given a score of ‘A’ to ‘E’. Combining the letter and the number is what gives you a risk rating. A1 is very low risk; E5 is extremely high.
But it goes a little deeper, with each likelihood and severity also being given a label and a definition, beyond numbers and letters.
For example, likelihood may be given the following descriptors: 'Very Low,' 'Low,' 'Medium,' 'High,' and 'Very High'; while severity may be given 'Negligible,' 'Minor,' 'Moderate,' 'Major,' and 'Catastrophic.'
A good quality risk matrix will include detailed descriptions of each of these labels. These labels and their accompanying descriptions aid in minimising confusion about each level of risk and how to categorise them, ensuring consistency.
Risk categories
A risk matrix isn’t a one-size-fits-all solution, and most organisations use more than one risk matrix to categorise their risks. There are a few ways in which you can categorise risks, but allow me to introduce you to the PEAR model.
PEAR stands for People, Environment, Assets, and Reputation - four major areas of an organisation’s operations - and helps make it easier to address specific areas of concern.
Here’s what it includes:
So there we go, a super easy way to categorise your risks!
Qualitative vs quantitative
Decide whether each risk should be assessed qualitatively or quantitatively. The greater the risk you’re dealing with, or the greater the complexity of the task, the more important it is to have quantitative data to back up your decision. Things like the cost, number of times something has occurred, and similar figures can be used to back up your decision.
Some risk management professionals argue that qualitative risks can be subjective. Aim for objectivity by coming to a decision with a diverse and knowledgeable team. Where there is any uncertainty, be conservative and aim for more evidence before coming to a decision.
This is not about trying to get your score to the colour you want; be honest with yourself and ask ‘what more can we do to reduce risk?’
Even if your risks come out green, you should always be following good practice to a ‘T’ and ensuring you’re meeting industry regulations.
Initial vs residual
Initial and residual risk work together to form a complete picture of your risk.
Initial Risk measures the severity of consequences without any barriers, reflecting the worst case scenario. Understanding this helps in preparing for the most severe outcomes and emphasises the importance of effective barriers.
Residual Risk takes into account the effectiveness of existing barriers, showing the mitigated risk level with effective barriers in place. This helps in assessing the current risk management strategies and their effectiveness.
When implementing a risk matrix into your bowtie diagrams, each consequence should be given both an initial and residual risk rating for a complete picture.
Your initial risk rating will likely be significantly more severe than your residual risk rating, if you have effective barriers in place.
Risk levels
The different levels of risk are about more than just pretty colours. And they are very pretty colours…
The iconic red, amber and green of a typical risk matrix represent the severity and likelihood of each risk. The most basic of risk matrices have just three colours, but many have five or more.
Remember, the purpose of a risk matrix is to support decision-making. The key for each risk level is determining and understanding your thresholds. Each colour will likely have a designated action. For example, if the risk falls in the red category, more work must be done to minimise the risk and any planned operations cannot proceed until you’ve done so.
Different organisations may have different outcomes for each risk level, but amber could mean it must be signed off by senior managers, and green may mean that the operation is fine to proceed.
IMPORTANT POINT
Incorporating a risk matrix into your bowtie diagrams is one small step for you, but a giant leap for your overall risk management strategy. When attributing risk ratings to your consequences, you should order the consequences on your bowtie diagram by most severe initial risk, top to bottom.
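As a worked illustration of the steps above (an added example, not part of the original article or any Salus tooling), the following Python sketch rates each consequence with an initial and a residual rating, maps each cell to a colour and action, and orders the consequences by most severe initial risk. The colour thresholds, the score used to rank cells (severity index multiplied by likelihood), the review check and the sample consequences are all assumptions; substitute your organisation's own matrix.

```python
from dataclasses import dataclass

SEVERITY = "ABCDE"  # the article's scale: A = least severe, E = most severe
# Assumed thresholds on severity index x likelihood, with the article's example actions.
BANDS = [(15, "red", "do not proceed until the risk is reduced"),
         (6, "amber", "senior manager sign-off"),
         (1, "green", "fine to proceed")]

def parse_rating(rating: str) -> tuple[int, int]:
    """'E5' -> (5, 5): severity index 1-5 and likelihood 1-5."""
    r = rating.strip().upper()
    if len(r) != 2 or r[0] not in SEVERITY or r[1] not in "12345":
        raise ValueError(f"invalid risk rating: {rating!r}")
    return SEVERITY.index(r[0]) + 1, int(r[1])

def band(rating: str) -> tuple[str, str]:
    """Return (colour, action) for a matrix cell."""
    sev, lik = parse_rating(rating)
    return next((c, a) for floor, c, a in BANDS if sev * lik >= floor)

@dataclass
class Consequence:
    name: str
    initial: str   # rating with no barriers in place
    residual: str  # rating with existing barriers in place

def needs_review(c: Consequence) -> bool:
    """Assumed sanity check: barriers should not make either axis worse."""
    (si, li), (sr, lr) = parse_rating(c.initial), parse_rating(c.residual)
    return sr > si or lr > li

def bowtie_order(consequences):
    """Most severe initial risk first (top of the diagram); ties go to higher severity."""
    def key(c):
        sev, lik = parse_rating(c.initial)
        return (sev * lik, sev)
    return sorted(consequences, key=key, reverse=True)

# Constructed sample consequences for one top event.
SAMPLE = [Consequence("Negative press coverage", "B2", "A1"),
          Consequence("Spill to watercourse", "D3", "B2"),
          Consequence("Operator injury", "E4", "C2"),
          Consequence("Equipment damage", "C5", "C4")]

if __name__ == "__main__":
    for c in bowtie_order(SAMPLE):
        print(f"{c.name:24} initial {c.initial} {band(c.initial)[0]:5} -> "
              f"residual {c.residual} {band(c.residual)[0]:5} ({band(c.residual)[1]})")
```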
Risk matrices can be complex, even for a seasoned risk management professional. That’s why we recommend tackling a risk matrix as a team. Diverse perspectives will ensure accurate and high-quality outputs.
Note that a risk matrix may be updated organisation-wide or within a certain department every few years. When changes are made, ensure you keep up to date with what these changes mean and how you should adapt your use of the risk matrix.
By using a risk matrix, you can effectively manage and prioritise risks, enabling proactive risk management strategies to minimise potential negative impacts on your project or organisation.
Have any questions? Get in touch with us at support@salus-suite.com.