HOW DO YOU DEFINE YOUR COMPANY'S RISK MATRIX?
Risk management in organisations is becoming increasingly natural and necessary. When setting up a documented risk management system, the question arises as to which risk analysis methodology is best suited to your business, and in particular which matrix to use. This article offers some food for thought, some questions to ask and some good practices.

The quality of risk management is fundamental to an organisation's performance and efficiency, so choosing the right risk matrix will ensure that your company's risks are properly managed. There are a number of risk management standards, such as ISO 31000.
You can start from an existing matrix (the SUVA matrix, for example) or define your own customised risk matrix for your organisation.
The dimensions of the matrix:
There are many possible dimensions for risk matrices. Matrices are generally 5 x 5, but 6 x 6 matrices are also used. There are also non-symmetrical matrices, for example 6 x 4.
The larger the matrix, the finer your risk analysis will be. Larger matrices (e.g. 10 x 10) will require a more precise assessment, and possibly finer sub-criteria.
Defining risk zones or levels:
This is the number of colours in the matrix. The number of risk zones is generally 3 or 4: high (often red), medium (often orange), low (often green). The more risk zones you define, the more refined your risk prioritisation will be. An important point is the definition of the highest risk zone, because it defines the risk non-acceptance zone.
Be careful when quantifying thresholds!
It is essential that the probability and impact assessment scales are quantified, i.e. that you have an objective scale with clearly quantified thresholds. This makes the risk assessment as objective as possible, keeps it from varying from one person to another, and makes it traceable over time (so that you can find out why you set that value at that time).
A single matrix or several matrices?
The advantage of using a single matrix for all the risks in your organisation is that you can easily compare them with each other and get an overall picture. However, in some cases, the use of specific matrices by business line (for example, for safety at work) enables specific analyses to be carried out.
We can help you set up or improve your risk management system, integrate your internal control system with your safety management system, or improve the governance of your internal control system.
In particular, SIRIS+ is the governance-risk-compliance (GRC) software for companies of all sizes (small businesses, SMEs and large corporations) that want to manage their management system (risks, processes, improvements, internal audits, regulatory compliance) digitally and in an integrated way, from A to Z.
In SIRIS+ you can set up your matrices as you wish.