MANAGING BEST PRACTICES: Setting risk response priorities
One purpose of a risk assessment is to establish priorities â€” what risks must we deal with now, and what risks should we address as time permits?
A risk assessment matrix is a tool that can be used to help quantify a risk assessment and establish priorities. Table I is an example of a risk assessment matrix specified by the Department of Defenseâ€™s Standard Practice for System Safety. See http://akss.dau.mil/docs/ 882d.pdf.
The matrix shown in Table I breaks down probability and severity into manageable categories. Each cell â€” such as â€œfrequent and catastrophicâ€ â€” in the matrix is provided a number. These numbers characterize the overall risk for an identified hazard. The numbers may be combined to further categorize risk. For example, numbers 1-5 may be called â€œhighâ€ risk; 6-9 â€œseriousâ€ risk; 10-17 â€œmediumâ€ risk; and, 18-20 â€œlow risk.â€
The groups of numbers within the table can also be shaded with colors to further visualize risk. Generally, high risk is red; serious risk is yellow; medium risk is orange; and, low risk is green.
Matrix designThe first step in developing a risk assessment matrix is to have a team agree on its design and intended use. For example, Table I has 20 cells to score risk. Would 40 cells be better? Probably not, as too many cells complicate the process. A team, however, must decide on the matrixâ€™s functionality and ease of use.
The team must agree on definitions for words or terms used in the matrix. Tables II and III are examples of matrix summary definitions.
ResponseA major purpose of a risk assessment matrix is to determine response based upon where a hazard is ranked. Table IV provides an example of how this may be done.
IntegrationA risk assessment matrix is generally not a stand-alone tool. The matrix usually supplements other hazard and risk assessment tools such as Hazard and Operability Study (HAZOP), Failure Mode and Effects Analysis (FEMA), and Fault Tree Analysis.
Hazard and risk assessment tools should be integrated because no tool alone may be fully effective in determining adequate response to risk, particularly when a risk may be complex and involve numerous variables.
Qualitative vs. quantitativeAll risks are initially determined by perception. Skilled professional judgment may narrow the perception but subjectivity is still at play. The risk assessment matrix takes something that begins mostly as a qualitative process and makes it more quantitative. Management of risk is made more comfortable when numbers are applied.
But herein lies a problem. In attempts to make a risk assessment matrix more quantitative, some designers add 50 or more cells (beyond 24 is probably too many). They have lengthy definitions for words and terms used with the matrix, or they employ complex equations and other actions to remove cells to devise â€œiso-risk contourâ€ lines, etc. These actions may not improve the matrix and may give a false sense of security.
An effective risk assessment matrix should be easy to understand, have clear objectives and purpose, and not require extensive technical risk assessment knowledge or skills to use. The primary objective for a risk assessment matrix is to effectively prioritize response to risks. When this is done properly it is easier to discuss â€” and visualize â€” risks with employees or managers and get buy-in on how quickly or deliberately risks should be controlled.