A risk management risk matrix can trick you into leaving high consequences uncontrolled and convince you it is fine to do nothing to reduce the impacts of failure. Your belief that a bad event cannot happen has no standing in Law. The likelihood of an adverse event is unimportant; the Law will gauge your risk abatement efforts only by the resultant severity. Did you do ‘reasonably practicable’ risk control?
Keywords: risk management, risk matrix, risk mitigation, risk control
One of the biggest dangers you face when you do risk management is that you will use a risk matrix and believe it. A standard risk matrix is developed using mathematically correct principles, hardly any of which you should use to manage risk in the real business world. If you use a risk matrix to justify your choices to do nothing because the risk is so low, you are doing crazy risk management with a risk matrix.
When you manage your personal risk you do not use a risk matrix. You only cross a road when you are confident you will not be hurt during the passage. You do not first look up a risk matrix to determine if the consequence and likelihood multiply together low enough to make crossing the road a journey you are willing to take. You do not want to be hurt at all. It is the consequential harm you want to prevent and you will wait at the side of the road until the traffic conditions are clearly safe for the crossing. Managing risk in a business or the workplace also should not be based solely on using a risk matrix. The logic in a risk matrix is crazy if you use it literally for decision making at work or in your own life.
Figure 1 is a 16×13 risk matrix developed from the advice in ISO 31000:2009 Risk management – Principles and guidelines. It is just a 5×5 risk matrix expanded to 16×13 by adding more columns and rows to show the minor values between the major units. I would prefer that real log10 scales be used in a risk matrix; that would at least be mathematically correct. It would actually make the matrix useful for seeing the amount of risk move as you select mitigation options.
Figure 1 reflects risk for a small business. The acceptable risk boundary is set at a total business-wide loss of $3,000 per year from one adverse event. This means the small business will accept a Total Defect and Failure Cost (TDAF Cost) to the operation of up to $3,000 per event per year and do nothing to prevent the risk happening. Mathematically that is the same as if you lost $300 ten times a year, or you lost $30,000 once every ten years—the annual average is $3,000. Risks identified to be above the TDAF Cost boundary are addressed to bring the remaining risk down to below the boundary value. If you controlled risk in the real business world like that you would often be legally wrong.
After the North Sea Piper Alpha oil platform disaster in 1988, legislation and regulations started applying the ALARP (as low as reasonably practicable) judgement on what is legally acceptable risk. The acceptable risk boundary on a risk matrix counts for nothing in Law. What you thought was sufficiently low risk by your risk management risk matrix does not count. What counts is whether you made the risk as low as reasonably practicable. What was ‘Reasonably Practicable’ in the given situation and context is the measure used in Law. That is not the same as what you think is acceptable risk according to the risks you are willing to carry.
The legal view that has developed over the years is that risk should be SFAIRP (“So Far As Is Reasonably Practicable (SFAIRP)”, National Transport Commission, Melbourne, Australia, 2007). “In essence, it requires weighing the risk against the resources needed to eliminate or reduce the risk. It does not require every possible measure to be implemented to eliminate or reduce risk, but it places the onus on the person holding the duty to demonstrate (or be in a position to demonstrate) that the cost of additional measures to control the risk (over and above those risk controls already in place) would be grossly disproportionate to the benefit of the risk reduction associated with the implementation of the additional risk control.” It requires going to the fullest extent to cut risk that is technically and financially justifiable in the circumstances, no matter how unlikely you think an event is to happen. The consequence of a risk is what matters most; the likelihood of the risk is a far, far smaller consideration.
You would be wise to realize any risk management risk matrix used in a business is purely a financial tool to help make business decisions. It is not to be used alone to justify the acceptance of a business risk, and definitely not for a workplace safety risk.
Even as a financial tool a risk matrix can get you making crazy business decisions. If you use the risk boundary on a risk matrix to make accept-or-reject business risk choices you will lose a lot of money, maybe even go out of business. For our small business that accepts a $3,000/yr. loss event with a shrug, it does not also mean they do nothing for a $30,000 event that happens on average once every 10 years. Can this business afford a $30,000 loss event at any time? Can it afford a $300,000 loss event that on average happens once in a hundred years, and it happens to them today? Around the world hundred-year events happen all the time. If you used the mathematical value of risk for a hundred-year event you would do nothing to prevent it because it would be such a low likelihood. But mathematical risk is not important—it is the consequence of the risk should the event happen that must be your prime consideration in choosing risk abatements. Applying the mathematical average risk makes for crazy risk taking. What consequential size of a single adverse event can your business afford to pay from its own pocket and still survive to continue trading? That is a better view to have of risk than a purely mathematical consideration.
If this small business can only handle one $30,000 consequential TDAF Cost event and still continue trading, then it must not have a $30,001 event at any time, and it must not enter into situations where a $300,000 disaster is even a very rare outcome. Risks either above the ‘event risk boundary’ or the ‘event consequence boundary’ in Figure 1 are unacceptable and should be mitigated to below both boundaries. This small business needs to carry insurance for any adverse event that costs more than $30,000 should it happen. For its safety risks it must drive them all to SFAIRP, which on the matrix in Figure 1 will be far closer to the left-hand bottom corner than the ‘event risk boundary’ indicates.
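The two-boundary screen described above, written out as an added example (it is not from the original article). The $3,000/yr and $30,000 boundaries are the article's figures; the function names, verdict labels and the last register entry are constructed for illustration, and the screen covers financial risk only, since the article requires safety risks to be driven to SFAIRP regardless.

```python
from fractions import Fraction
import math

# Boundaries from the article's small-business example (Figure 1).
EVENT_RISK_BOUNDARY = 3_000          # accepted annualized loss, $ per year
EVENT_CONSEQUENCE_BOUNDARY = 30_000  # largest single loss the business survives, $


def screen(consequence, events_per_year):
    """Screen one financial risk against both boundaries.

    events_per_year is a Fraction so rare events compare exactly.
    """
    annualized = consequence * events_per_year
    over_risk = annualized > EVENT_RISK_BOUNDARY
    over_consequence = consequence > EVENT_CONSEQUENCE_BOUNDARY
    if over_consequence:
        verdict = "over_consequence"   # mitigate or insure, however rare
    elif over_risk:
        verdict = "over_risk"          # bring the annualized loss down
    else:
        verdict = "within_both"
    return {
        "annualized": annualized,
        # What a likelihood-times-consequence screen alone would conclude.
        "matrix_only_accepts": not over_risk,
        "verdict": verdict,
        # On log10 axes, equal annualized risk lies on one straight diagonal.
        "log10_position": (math.log10(consequence), math.log10(events_per_year)),
    }


# Register entries: the first four use the article's figures, the last is constructed.
REGISTER = [
    ("$300 ten times a year", 300, Fraction(10)),
    ("$30,000 once in ten years", 30_000, Fraction(1, 10)),
    ("$30,001 once in ten years", 30_001, Fraction(1, 10)),
    ("$300,000 once in a hundred years", 300_000, Fraction(1, 100)),
    ("$5,000 twice a year (constructed)", 5_000, Fraction(2)),
]


def screen_register(register=REGISTER):
    """Return {name: screen result} for every entry in the register."""
    return {name: screen(c, f) for name, c, f in register}


if __name__ == "__main__":
    for name, r in screen_register().items():
        print(f"{name:36} ${float(r['annualized']):>9,.2f}/yr  {r['verdict']}")
```

The hundred-year $300,000 event has the same $3,000 annual average as the other two cases, so a matrix-only screen accepts it, while the consequence boundary rejects it.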
When can you use only a risk management risk matrix for making decisions? Probably never is the safe answer. A risk matrix is only a mathematical device to help you visualize risk. It is not the answer to controlling risk. Use a risk matrix to show you the potential remaining severity after implementing your choices. Do not use a risk matrix to make the choices for you. Doing that will one day get you into deep trouble, because you’ve done crazy risk management with a risk matrix.