
Risky business: the risk matrix


In my previous two posts, I explored better ways of capturing your key assets, threats, and vulnerabilities. Now, we will take these ingredients and plot them on a risk matrix.

First, download Lootok’s risk matrix.

The risk matrix

The risk matrix provides a way to think about the probability and consequences of risks. Typically, risk is measured using two variables, impact and probability, which make up the two axes of the matrix.

Both of these variables should be specifically defined before using the risk matrix to plot your risks. The first variable, impact, is a measure of how harmed or disrupted your business would be if the risk occurred. Impacts can occur across different areas, such as finance, regulation, or reputation. Within each impact area, a risk can cause a low or high impact.

For example, a risk could cause a high financial impact to the business because it yields a loss of $1 million per day. These measures should be carefully defined by your risk team before plotting starts.

The second variable, probability, is a measure of how likely it is that this risk will impact the business. This can be defined in terms of days, months, years, or whatever unit is relevant. For example, a low-probability risk may occur only once in a lifetime, whereas a high-probability risk could occur several times in a year. Like the impact variable, the probability variable should be clearly defined before plotting your risks on the matrix. To define probability, you can use historical data, threat intelligence sources, public data, or other sources of information.

Now, using the definitions you came up with for impact and probability, determine the potential impact and probability of each risk scenario and place it in the appropriate spot on the risk matrix. You can use sticky notes to place each risk on the matrix.

The output of the risk matrix can help answer three questions:

  1. What should managers focus on?
  2. What can be done to reduce the probability of a disruption?
  3. What can be done to reduce the impact of a disruption?

We recommend two ways for managers to interpret the risk matrix data. The first is to list and prioritize events (such as earthquake, hurricane, strike, and sabotage) that can lead to disruption. The second is to list and prioritize disruptions (for example, reduced production capacity, shortage of a critical part, or a severed transportation link) and analyze their causes and consequences. The first is more useful when thinking about reducing the probability of a disruption, since the relevant actions involve treating the source of the problem. The second is more useful when considering how to recover from a disruption, since at that point the cause may be less relevant than the consequences and their severity.

To determine which to use, you will need to consider your existing recovery capabilities and resiliency, and determine the availability of resources to address risks.

The risk matrix has four quadrants. Each quadrant represents a specific category of risk and indicates potential strategies or approaches to managing it. Risk is highest when both the likelihood and the impact are high; for these risks, you'll want to invest resources and training in mitigation. At the other extreme, rare, low-consequence events represent the lowest level of risk. Resources are typically not invested in mitigating these risks, but they should be monitored to ensure they do not grow over time.
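To make the plotting step and the two interpretation views concrete, here is a small script that does the same work as the sticky notes: it fixes the impact and probability bands up front, assigns each risk scenario to a quadrant, and produces both the by-event and the by-disruption prioritized lists. This is an added example, not Lootok's template or code. The thresholds (a "high" impact at or above $100,000 of loss per day, a "high" probability at or above one expected occurrence per year), the postures attached to the two mixed quadrants, the rule that impact outranks probability when ordering, and the scenario data are all constructed assumptions for illustration.

```python
"""Risk matrix scoring: an added illustration, not Lootok's template.

Assumptions (constructed for this example):
  * a 2x2 matrix with "low"/"high" bands on each axis;
  * impact is measured as USD loss per day, probability as expected
    occurrences per year, with the thresholds below;
  * in the priority order, impact outranks probability.
"""
from collections import defaultdict
from dataclasses import dataclass

# Band thresholds. A real risk team agrees these before plotting starts.
IMPACT_HIGH_USD_PER_DAY = 100_000   # loss per day at or above this is "high"
PROB_HIGH_PER_YEAR = 1.0            # expected occurrences per year at or above this is "high"

# Quadrant (impact, probability) -> posture. The high/high and low/low
# postures follow the post; the two mixed quadrants are assumed labels.
QUADRANT_POSTURE = {
    ("high", "high"): "mitigate: invest resources and training",
    ("high", "low"):  "prepare recovery: the impact drives the plan",
    ("low", "high"):  "reduce frequency: treat the source of the event",
    ("low", "low"):   "monitor: revisit if the risk grows over time",
}

# Ordinal rank used for sorting, highest risk first (impact breaks ties).
QUADRANT_RANK = {("high", "high"): 4, ("high", "low"): 3,
                 ("low", "high"): 2, ("low", "low"): 1}


@dataclass(frozen=True)
class Scenario:
    event: str                  # the cause: earthquake, strike, sabotage ...
    disruption: str             # the consequence: severed transport link ...
    loss_usd_per_day: float
    occurrences_per_year: float


def impact_band(loss_usd_per_day):
    return "high" if loss_usd_per_day >= IMPACT_HIGH_USD_PER_DAY else "low"


def probability_band(occurrences_per_year):
    return "high" if occurrences_per_year >= PROB_HIGH_PER_YEAR else "low"


def quadrant(s):
    """Where the sticky note goes: (impact band, probability band)."""
    return (impact_band(s.loss_usd_per_day),
            probability_band(s.occurrences_per_year))


def _worst(pairs):
    """Map key -> highest-ranked quadrant seen for that key."""
    worst = {}
    for key, q in pairs:
        if key not in worst or QUADRANT_RANK[q] > QUADRANT_RANK[worst[key]]:
            worst[key] = q
    return worst


def prioritise_by_event(scenarios):
    """View 1: rank events (causes). Useful for reducing probability."""
    worst = _worst((s.event, quadrant(s)) for s in scenarios)
    return sorted(worst.items(), key=lambda kv: -QUADRANT_RANK[kv[1]])


def prioritise_by_disruption(scenarios):
    """View 2: rank disruptions (consequences) and keep their causes.
    Useful when planning recovery, where the cause matters less."""
    causes = defaultdict(list)
    for s in scenarios:
        causes[s.disruption].append(s.event)
    worst = _worst((s.disruption, quadrant(s)) for s in scenarios)
    ordered = sorted(worst.items(), key=lambda kv: -QUADRANT_RANK[kv[1]])
    return [(d, q, causes[d]) for d, q in ordered]


# Constructed sample data; the numbers are illustrative, not real figures.
SAMPLE_SCENARIOS = [
    Scenario("earthquake", "reduced production capacity", 500_000, 0.02),
    Scenario("hurricane", "severed transportation link", 200_000, 2.0),
    Scenario("strike", "reduced production capacity", 150_000, 0.5),
    Scenario("sabotage", "shortage of a critical part", 20_000, 3.0),
    Scenario("power flicker", "reduced production capacity", 5_000, 12.0),
    Scenario("minor vendor delay", "shortage of a critical part", 2_000, 0.1),
]

if __name__ == "__main__":
    print("By event (treat the source):")
    for event, q in prioritise_by_event(SAMPLE_SCENARIOS):
        print(f"  {event:20} {q}  {QUADRANT_POSTURE[q]}")
    print("By disruption (plan the recovery):")
    for disruption, q, ev in prioritise_by_disruption(SAMPLE_SCENARIOS):
        print(f"  {disruption:30} {q}  caused by {', '.join(ev)}")
```

Note that the same scenario lands differently in the two views: "reduced production capacity" is driven by an earthquake and a strike that are both high impact but rare, so it ranks second as a disruption, while the hurricane that severs the transportation link is the only high/high event and tops both lists. Changing the thresholds at the top of the file is the equivalent of redefining the bands before plotting, which is why the post insists on fixing them first.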

This completes my five posts on risk assessments. You can download the activities for all five posts here. Please let me know what you think of the materials, and if they were helpful.

Looking for more guidance about risk assessments, or other ways to improve your BC practice? We can help. Contact info@lootok.com to speak with a Lootok expert.

Go to post 1: Risky business: What is risk?
Go to post 2: Risky business: Who cares about risk?
Go to post 3: Risky business: Value Map™
Go to post 4: Risky business: Attackers and Defenders™