Determining an organization's approach to risk matters, so a quick explanation of the core concepts is no luxury, quite the contrary. Every organization wants to achieve its goals, and to do so it must undertake things; inherently and inextricably linked to doing business is that this involves taking risks. The important concepts are risks, risk matrices, probability and impact, the risk register, risk appetite and risk capacity.
(In this contribution I write my own opinion, not that of any organization.)
Risk Matrices
One must therefore ask how much risk one is willing to take. For this purpose there is the concept of risk appetite in ISO 31000, which can be defined as the amount of risk an organization is willing to take in order to meet its objectives. That is fine in theory, but how does one determine it? I assume here that the risks have already been identified. The first tool is then the "risk matrix"; a simplified example is shown below:
In this matrix one places the various risks according to their probability and impact, see below.
Based on the completed matrix one then decides which risks to address and which to accept. The more risks of high probability and impact an organization accepts, the greater its risk appetite.
Sometimes, however, circumstances require one to address the risks in the red area. Then one must take measures that move these risks into the yellow and/or green areas. For this purpose there is the "risk register", see below.
Probability and impact
Before the matrix exercise, one formulates the risk statements: the operational or strategic threats to the organization, each with its causes and consequences.
Probability is then estimated with the causes in mind and impact with the consequences in mind. In practice this is largely expert judgement, informed by past events and the prevailing environmental factors.
For probability one can reason in terms of frequency: how often per year does a cause occur? For impact one usually thinks of the maximum financial or reputational damage the organization would suffer if the consequences materialized. Each risk statement then receives the label Low, Medium or High for both parameters, after which it can be placed on the matrix, for example with a post-it note.
Risk Register
Once the matrix has been filled in, one must prioritize. One walks through the colors from red to green. If several risks fall into one color, they must be ranked within that color, for example by the urgency one can justify for each of them.
The risks are then listed in that order and measures are assigned to them. There are two types of measures: preventive and reactive.
Preventive measures act on the causes and help prevent a cause from occurring. Reactive measures act on the consequences: they prevent a particular consequence from materializing or limit the harm it does once the cause has occurred.
These measures are entered in the risk register, each with a trigger, a sponsor, a budget and a deadline.
What remains is to carry out the projects defined for the measures.
Risk Statement | Priority | Measure | Responsible | Deadline
Risk appetite and risk capacity
Risk appetite is a limit below which the total residual risk of, for example, a project must remain. This appetite is set per project by top management, and the sum of the appetites of all projects, processes and services of the organization must together remain below the organization's risk capacity.
Risk capacity can be understood intuitively as the level of risk at which the organization is in trouble if the "worst case scenario" becomes reality. Top management must also set this figure.
Defining risk capacity means looking ahead and establishing reserves for when things go wrong. This can be done, for example, with a captive (an insurance company owned by the organization itself).
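As an added worked example (written for this page, not part of the original post), the following Python puts the matrix, the prioritization, the register and the appetite and capacity checks from the sections above into code. Everything specific is an assumption: the 3x3 zoning (product of the Low/Medium/High ordinals), the rule that each preventive measure lowers probability one step and each reactive measure lowers impact one step, and the constructed risk statements, names, budgets and dates.

```python
from dataclasses import dataclass, field
from datetime import date

# Ordinal scale behind the Low/Medium/High labels used for both parameters.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def zone(probability: str, impact: str) -> str:
    """Colour of the matrix cell for a (probability, impact) pair.
    Assumed zoning of the simplified 3x3 matrix: product of the ordinals."""
    score = LEVELS[probability] * LEVELS[impact]
    if score >= 6:
        return "red"
    if score >= 3:
        return "yellow"
    return "green"


ZONE_RANK = {"red": 0, "yellow": 1, "green": 2}   # red is handled first


@dataclass
class Measure:
    description: str
    kind: str            # "preventive" acts on the cause, "reactive" on the consequence
    responsible: str
    deadline: date
    budget: int          # EUR, constructed figures


@dataclass
class Risk:
    statement: str
    probability: str     # Low / Medium / High, estimated from the causes
    impact: str          # Low / Medium / High, estimated from the consequences
    urgency: int = 0     # tie-breaker for risks that share a colour
    measures: list = field(default_factory=list)

    def inherent_zone(self) -> str:
        return zone(self.probability, self.impact)

    def residual_levels(self) -> tuple:
        """Assumed effect of measures: each preventive measure lowers the
        probability one step, each reactive measure lowers the impact one step."""
        p, i = LEVELS[self.probability], LEVELS[self.impact]
        for m in self.measures:
            if m.kind == "preventive":
                p = max(1, p - 1)
            elif m.kind == "reactive":
                i = max(1, i - 1)
        return p, i

    def residual_score(self) -> int:
        p, i = self.residual_levels()
        return p * i


def prioritize(risks: list) -> list:
    """Walk the colours from red to green; within a colour, rank by urgency."""
    return sorted(risks, key=lambda r: (ZONE_RANK[r.inherent_zone()], -r.urgency))


def build_register(risks: list) -> list:
    """Rows of the register in the column order used above:
    Risk Statement | Priority | Measure | Responsible | Deadline."""
    rows = []
    for prio, r in enumerate(prioritize(risks), start=1):
        for m in r.measures or [None]:
            rows.append({
                "Risk Statement": r.statement,
                "Priority": prio,
                "Measure": m.description if m else "(none yet)",
                "Responsible": m.responsible if m else "",
                "Deadline": m.deadline.isoformat() if m else "",
            })
    return rows


def inherent_total(risks: list) -> int:
    return sum(LEVELS[r.probability] * LEVELS[r.impact] for r in risks)


def residual_total(risks: list) -> int:
    return sum(r.residual_score() for r in risks)


def within_appetite(risks: list, appetite: int) -> bool:
    """Project-level check: total residual risk must remain below the appetite."""
    return residual_total(risks) < appetite


def within_capacity(appetites: list, capacity: int) -> bool:
    """Organization-level check: the sum of all project appetites must remain
    below the risk capacity."""
    return sum(appetites) < capacity


# Constructed sample risk statements for one project (hypothetical names and figures).
SAMPLE_RISKS = [
    Risk("Ransomware encrypts the file servers", "High", "High", urgency=3, measures=[
        Measure("Patch management and EDR on all servers", "preventive", "IT ops", date(2025, 3, 31), 40_000),
        Measure("Offline, regularly restored backups", "reactive", "IT ops", date(2025, 2, 28), 15_000),
    ]),
    Risk("Phishing leads to credential theft", "High", "Medium", urgency=2, measures=[
        Measure("Phishing-resistant MFA for all accounts", "preventive", "Security", date(2025, 4, 30), 25_000),
    ]),
    Risk("Key supplier goes bankrupt", "Medium", "High", urgency=1, measures=[
        Measure("Contract a second source", "reactive", "Procurement", date(2025, 6, 30), 10_000),
    ]),
    Risk("Flooding of the office building", "Low", "High"),
    Risk("Theft of a laptop", "Medium", "Low"),
]
```

With these constructed inputs the three red risks are ranked by urgency ahead of the yellow and green ones, the inherent total of 26 falls to a residual total of 17 once the measures are applied, and a project appetite of 20 is then met while 17 is not. The ordinal arithmetic is only as good as the Low/Medium/High estimates that feed it, which is the caveat behind any risk matrix.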