'How risk matrices and severity ratings mislead decision makers and why we should focus on risk tolerance instead'

The purpose of the risk matrix, also known as risk map or risk heat map, is to provide a visual representation of the risks that face an organisation. This two-dimensional representation of the risks, usually displaying likelihood along the x-axis and impact along the y-axis, also designates risk levels to squares within the grid.

These levels are commonly represented as colours, red being for those risks perceived as the most in need of attention, with scores determined by multiplying the likelihood with potential impact. Although the grids can take various different forms, the chart below is typical.

The process of identifying and prioritising the risks nearest the top right-hand corner, and then taking steps to reduce them, often forms the basis of a risk management strategy. The trouble is, argues Dean Hughes in his dissertation, it can produce fictitious results that mislead decision makers.

Grenfell Tower - a case in point

Hughes bases his research on his own professional experience spanning a decade plus, among other things, a review of 500 risk assessments from 50 risk registers at organisations with whom he has worked as an ERM specialist at VinciWorks. He also studied readily available risk registers from the UK public sector.

By way of example, he uses the Grenfell Tower disaster to illustrate his argument. Updated just a month before the devastating fire and using the type of methodology described above, the London Risk Register rated buildings like Grenfell Tower as medium risk. That puts them in the third highest category, requiring that they be 'monitored to ensure that they are being appropriately managed and consideration given to their being managed under generic emergency planning arrangements.' Hardly a call to action.

Since the tragedy, of course, that risk-matrix approach has been thrown out the window with similar public buildings all around the country being re-examined, cladding removed and other modifications made to ensure that risks are minimised proactively. The key point here - and this goes to the heart of the dissertation's argument - is that disaster may be deemed very unlikely, but the risk is still unacceptable. And anyhow 'black swan' events can and do happen.

A risk tolerance approach

His paper then presents two alternative methodologies with a focus on risk tolerance, which he says can support organisations to prioritise risk treatment more reliably and allocate resources more effectively. He recommends two approaches: Binary Tolerance; and T-score.

Binary Tolerance

The Binary Tolerance approach may be well suited to smaller, less complex organisations with fewer risk management resources.

To quote the dissertation: "By introducing a qualitative and binary field, 'Tolerance = Acceptable OR Unacceptable', there is evidence from the 50 risk registers analysed for this paper that that low scoring risks are often deemed "unacceptable" and require risk treatment, and high scoring risks are often deemed "acceptable" and do not require risk treatment."

This will sometimes be because of the dynamic nature of certain types of risk - for example ethical risks as shown by the # Me Too movement or pressures from external audits by clients.

"Whatever the reason for this change in tolerance, the risk matrix cannot capture the individual tolerance levels for each risk and may therefore give a false sense of security to decision makers when looking at the low-scoring risks."

T-score

The Binary Tolerance approach may not suit organisations where there are a large number of risks outside of tolerance, as it does not support prioritisation within the list of "unacceptable risks".

To overcome this, one can introduce additional risk assessment criteria in addition to the existing "Inherent" and "Residual" assessments. This new assessment is called "Target", but unlike the severity target which is a combination of likelihood and impact, this target is set individually to both likelihood and impact. Not only can one see which risks are "unacceptable" and require further treatment; but also, by how much and therefore prioritise the risks and their risk treatment. This is calculated by subtracting the "Residual" from the "Target", which gives us the T-score for each of the likelihood and impact.

Target Likelihood - Residual Likelihood = T-Score Likelihood

Target Impact - Residual Impact = T-Score Impact

Looking at the example risk assessment, one can see the T-Score approach below shows us that the risk of Cyber Attack has a residual likelihood above tolerance (T+1) and an impact below tolerance (T-1).

This indicates further actions to implement/improve controls for the impact. It also means that controls to reduce the likelihood could perhaps be lightened as the risk is within tolerance already.

Clarity aids decision making

As the paper emphasises, it is important that risk reports presented to senior management should be simple to use and so assist key decisions about priorities and the allocation of resources.

The famous "risk equation" that multiplies risk likelihood and impact has fundamental flaws that can produce false negatives and positives and should therefore not be used for risk ranking. By contrast, the Binary Tolerance and T-score approaches clearly highlight the gaps in managing the risks that organisations face, says the report. This should make it clear to Boards and leadership teams what decisions need to be made and what options they have.

This is the third in a series of twelve high-quality dissertations written by students taking part in the City Leadership. Any Airmic members wanting more information about the course should contact julia.graham@airmic.com