Every organization is exposed to multiple risks on a daily basis. Knowing how to identify and manage threats is a differentiating value and a guarantee of sustainability for any company. In the following article, you will find best practices for designing and implementing an appropriate risk matrix.
According to ISO 31000 (adopted in Spain by the Spanish Association for Standardization, UNE, as UNE-ISO 31000), the purpose of risk management is to create and protect the value of an organization, improve performance, promote innovation and contribute to the achievement of objectives.
To achieve this purpose, you need a tool that makes the organization's level of risk visible: the risk matrix. The matrix has two axes, probability and impact. Each risk is plotted in the grid, and the zone it occupies indicates at a glance how it should be treated, which makes decisions on risk treatment much easier.
The first thing to be clear about is what we mean by risk.
Following the nomenclature of "Risk Management, An Approach Guide for the Entrepreneur", published by the National Cybersecurity Institute (INCIBE), we understand risk to be the probability that a threat exploits a vulnerability of an asset, generating an impact that affects the fulfillment of business objectives. A threat, in turn, is an unfavorable circumstance that may occur and that, when it does, has negative consequences on the assets: unavailability, incorrect operation or loss of value.
Starting from these definitions, and after carrying out the process of identifying, analyzing and evaluating risks, at Grupo Oesía we have recently designed a matrix that lets us see graphically which risks we face and what level of risk each one represents. From that work we have learned some lessons that I would like to share with you.
1. Top management support
The impetus from top management is essential for the smooth running of the process. The development of the risk matrix is a long and exciting journey, so having the guidance and support of senior management will define the degree of success of the project.
At this point we must be proactive; that is, we must not wait until we are stuck in the process, but anticipate and foresee possible obstacles before they arise, relying on senior management to seek solutions when necessary.
2. Scope definition
It is essential for the organization to define whether it wants to reach a macro, micro or intermediate level of risk information.
If a micro level of detail is chosen in a large and heterogeneous company, we run the risk of not being able to manage the resulting volume of information. It is advisable to identify risks at the level of each management area of the organization, starting at the base levels and moving upwards. In this way, a higher-level manager can help us contextualize and refine the information received from the departments under his or her responsibility, which will have reported their risks to us first.
3. Knowing the risk appetite
A risk matrix typically shows three or four colored zones (risk levels), where the green zone indicates acceptable risks and the red zone indicates those that should be acted upon immediately.
However, each organization will have a different level of risk tolerance, known as its risk appetite. The same risk in two different companies, plotted in the same cell of the matrix, may be tolerable for one and intolerable for the other, as can be seen in the matrices shown below. Therefore, the first thing we need to know is the organization's risk appetite.
4. Integral vision
We must have a global vision. Risk management must be transversal and cover both financial and non-financial risks (strategic, operational, regulatory, reputational, etc.). It is also advisable to benchmark our risks against our sector, both nationally and internationally, which will undoubtedly help us understand our context.
5. Common Nomenclature
The same risk language must be spoken throughout the organization. It is important to have a glossary defined and shared by all participants in the process. In other words, it must be clearly described what is considered a risk and what is not, as well as all the information fields that are parameterized, such as the different probability and impact levels, the origin of the risk, the risk zones of the matrix, etc.
6. Well-defined roles and responsibilities
Risk owners should be clearly identified, as well as the oversight bodies and who is accountable, when and to whom. Roles should not be names of individuals, but the names of the positions they hold in the organization.
7. Risk owner vs. risk treatment manager
The risk owner is the person who has the responsibility and authority for managing a risk. However, the owner of a risk may need another department of the organization to carry out a specific treatment action. The person in that department who carries it out is the one responsible for risk treatment. It is important to differentiate and identify both roles.
8. Calibration
Assessing the impact and probability of a risk occurring can rest on subjective information, especially when there are many risk owners, each with a different sensitivity when rating them. Some risks therefore need to be viewed from the global perspective of the organization, and their level of impact or probability adjusted (calibrated) before being reflected in the risk matrix. For example, a risk that is very high for one department could be of medium level for the organization as a whole.
9. Grouping and catalog
In the risk identification process, we will encounter risks that are practically the same or very similar. In such cases, it is better to group them together, and just as it is necessary to have a common nomenclature, as mentioned above, it would be equally essential to have a risk catalog. Ideally, once the information has been collected, an organization’s own risk catalog should be created with a maximum of two or three levels of grouping.
10. Helping to be helped
For this process to really work, it will not be enough to train each participant and send them a risk collection questionnaire to be returned to us. Sit down with each of them and help them through the process, taking as much time as necessary, especially if this is the first time this process is being done in the organization.
Finally, it should be remembered that the development of a risk matrix will be a living, dynamic and sometimes difficult process. We will have to be patient and resilient. The end result is well worth the effort.
Daniel Garrido, SRI and CSR director, Grupo Oesía