risk assessment: creating a risk matrix
DESCRIPTION
Risk is the big topic of conversation in the compliance industry. Businesses are moving at a faster rate and operations continue to increase in complexity, and yet the need for compliance is stronger than ever. So we need to implement a systematic and objective means to maintain compliance, and keep up with the pace of business. In just 5 minutes, you'll learn why Risk Assessment is the new benchmark, and how to create a simple Risk Matrix for use in your compliance efforts.TRANSCRIPT
CONFIDENTIAL: This document contains information that is confidential and proprietary to EtQ, Inc. Disclosure, copying, distribution or use without the express permission of EtQ is prohibited. Copyright 2013 EtQ, Inc. All rights reserved.
5 minutes on…Risk Assessment: Creating a Risk MatrixTim Lozier, EtQ, Inc.
Risk is the new Benchmark
• Business are moving at a faster rate• Compliance needs to be maintained – need a
systematic, quantitative measure• Risk is becoming the new benchmark for compliance
– Objective, Repeatable– Helps to make better, more informed decisions
Step 1. Defining Risk
• Not easy! Companies spend time and money building a risk taxonomy
• Risk comes from Hazards and Harms– Hazards = A situation that poses a level of threat to life, health,
property or environment (an undesired event)– Harms = resulting damages from the Hazard– Risk = The potential that a chosen action or activity will lead to an
undesirable event– Control = A method of evaluating potential losses and taking
action to reduce or eliminate the potential for an undesired event
Step 2. Quantifying Hazards and Harms• We need a scale – Severity and Frequency
– Define the level of Risk on a pre-defined Scale:Severity Description
Catastrophic Likely to result in death
Critical Potential for severe injury
Moderate Potential for moderate injury
Minor Potential for minor injury
Negligible No significant risk of injury
Frequency Description
Frequent Hazard likely to occur
Probable Hazard will be experienced
Occasional Some manifestations of the hazard are likely to occur
Remote Manifestations of the hazard are possible, but unlikely
Improbable Manifestations of the hazard are very unlikely
Step 3. Build it all into a Risk Matrix
• The Risk Matrix: tool used in the Risk Assessment process, it allows the severity of the risk of an event occurring to be determined.
• Graphically displays the total of each of the hazards/harms that contribute to the risk– Severity = X– Probability = Y– Risk Score = XY
Y
X
RISK(XY)
Hold On – There are some “gray areas”• Risks are not always “black and white”• When defining risk management, some organizations
find it convenient to categorize risks into the following three regions:
• The broadly acceptable region (Generally Acceptable - GA)• The ALARP (As Low As Reasonably Practicable) region; and• The intolerable region (Generally Unacceptable - GU)
GU
GA
ALARP
But how many zones?How to determine ALARP?
Pro
babi
lity
Severity
Step 4. Test your Risk Matrix• You must vet the matrix
– Risk score is a mathematical measure– Use “real world” examples to ensure validity of the matrix– Example: False symmetry in risk matrix – needs to be validated
with real world situations
5 10 15 20 254 8 12 16 203 6 9 12 152 4 6 8 101 2 3 4 5
PR
OB
AB
ILIT
Y
SEVERITY
10
10
A Vetted Risk Matrix is just a Tool• Risk Matrix is designed as a tool, not a solution
– Risk is only quantifying the result– Organizations need to work on interpreting the decision
• Risk Teams review events to make decisions, using the Risk Matrix as a tool for the decision-making process
How to Apply The Risk Matrix - Example• Use Risk Assessment to filter adverse events
– What is the risk of the event, versus when it came into the system– Prioritize events by their RISK not their due date
• Resolve low-priority events at the source where they are found– Minor Complaints/Nonconformances/Audit findings– Events with little impact can be immediately resolved
• Risk Mitigation: Applies risk assessment to verification and effectiveness in Corrective Action– Are we reducing the risk to the right level?– Are we truly mitigating risk of recurrence?
Where’s the Risk here?
Conclusion• Risk Assessment is great tool for making informed decisions• Understand your Hazards and Harms within the organization• Build a scale that makes sense to your organization• Plot the scale on a graph to form a Risk Matrix• Determine where the acceptable and unacceptable risk lie• Then, vet that matrix with real-world historical examples• Use the Risk Matrix as a tool within a Risk team to filter adverse
events by their Risk
For more than 5 minutes…
EtQ’s Blog on Risk Matrixblog.etq.com
Webcasts on EtQ’s Risk Based systemwww.etq.com/webinar