- The risk probability matrix, also known as a risk heat map, helps visualize risks based on their probability of occurrence and potential impact. This matrix has two components, namely the risk probability, which shows the likelihood that a risk materializes, and the risk impact, which shows the importance and severity of the risk if it does. It is a simple mechanism for increasing the visibility of risks and supporting management decision making.
- As shown in the following table, this is a 4 by 4 matrix on a scale of 1 to 4, where a mark of 1 or 2 denotes low risk probability or impact, 3 denotes medium, and 4 denotes high.
- By multiplying the risk probability mark by the risk impact mark, we obtain the risk evaluation mark, which shows whether the risk is low, medium or high:
Risk Evaluation mark = Risk Probability mark x Risk Impact mark
- In order to use this method and calculate the risk evaluation mark, we need to determine the following risk components:
- The level of risk probability of occurrence
- The level of potential impact of risk occurrence
- “Probability or likelihood of occurrence” is the probability that a given threat will trigger (exploit) a specific vulnerability.
- Policy makers and users of the risk assessment process should consider each potential risk and vulnerability combination and rate them by the likelihood (or probability) of occurrence.
- Risk probability of occurrence is defined by the following table for threats and vulnerabilities. It shows levels of risk probability of occurrence, starting from very low probability (Unlikely) with the lowest mark (1) and going up to very high probability (Almost certain) with the highest mark (4).
- If a threat triggers a specific vulnerability, there are many potential outcomes, so the impact has to be assessed separately from the probability.
- Determining the potential impact of risk occurrence involves evaluating the consequences that risks could have on a project, organization or the country as a whole. This assessment helps in prioritizing risks and planning appropriate responses.
- Measuring the impact of a risk occurring in the organization can be performed using different methods.
- These measuring methods need further investigation, internal research within the country and external research with similar organizations and border authorities worldwide.
- The following table presents the various risk impact levels with their corresponding marks, used for measuring the impact of a risk triggering a specific vulnerability on a scale from 1 to 4 (the same scale as the probability marks, so that the product ranges from 1 to 16). As shown in the table, each risk impact can have 4 levels, where 1 or 2 represent negligible or low impact, while 3 or 4 represent significant or severe impact to the organization. Furthermore, the table shows the corresponding levels of each risk impact and how these can affect the country and society.
- To determine the level of risk, the risk probability mark and the risk impact mark need to be identified.
- Then these risk marks are used to calculate the levels of risk estimation.
- After that, the risk impact-probability matrix is used to assist in determining risk levels, based on the calculated risk estimation. The risk matrix shows the corresponding level of risk, by highlighting the label using a specific colour coding. Each label represents the corresponding risk estimation mark on a scale of 1 to 16. The following table illustrates the labels with their corresponding estimation marking.
- The risk estimation marking with the corresponding risk labels is decided by the corresponding organizations and the policy makers, which is based on the risk appetite of the organization.
- The risk appetite of an organization refers to the amount and type of risk that an organization is willing to take in order to achieve its objectives. It is a critical aspect of risk management and strategic planning, helping to align the organization’s strategies, resources, and risk management practices. Key components of risk appetite can be the following:
- Risk Tolerance: Defines the acceptable level of variation in performance relative to the achievement of objectives. This is often quantified and can vary by risk type.
- Risk Capacity: The maximum amount of risk an organization can absorb, considering its financial strength, resources, and overall resilience.
- Risk Attitude: The overall approach of the organization towards risk, influenced by its culture, values, and the mindset of its leadership.
- Strategic Goals: The specific objectives the organization aims to achieve, which help shape the nature and extent of risks it is willing to take.
- Stakeholder Expectations: The level of risk that stakeholders, including policymakers, border authorities, securities and regulators, are willing to accept.
- Risk analysis, which includes the estimations of risk impact-probability as these described above, determines the level of risk and establishes the exposure of the corresponding organization to risk and uncertainty.
- Next, is the risk evaluation process which is used to determine the significance and urgency of the risk actions, to set priorities.
- The result of the risk analysis can be used to produce a risk profile that gives a rating of significance to each risk and provides a tool for prioritizing risk treatment efforts (AIRMIC, 2010).
- This risk assessment process allows the risks to be mapped to specific risk strategies, which correspond to specific measures and controls in order to mitigate the risk or vulnerability.
- The range of available risk response treatments include avoidance, reduction, monitoring and acceptance or checking.
- The following table shows the risk evaluation matrix with the corresponding risk strategies and risk management action plan. The measures and controls allocated to each risk strategy should be chosen according to the risk appetite of the corresponding organization. For example, if the risk evaluation mark of a specific risk is greater than or equal to 6, which corresponds to “High” or “Medium” risk, then its mitigation is compulsory through allocated measures, controls and actions. Otherwise, if the risk mark is less than 5, which corresponds to “Low” or “Insignificant” risk, the identification of risk mitigation measures is optional and not as urgent as in the other two cases. More specifically, if the risk mark is between 3 and 5, which maps to a “Low” risk, then it is compulsory for the risk to be monitored and controlled; it is at the discretion of the policymakers and the management unit whether measures for risk mitigation are also applied. Finally, if the risk mark is less than 3, the risk is considered “Insignificant” and can be accepted and checked periodically. Note that the product of two marks in the range 1 to 4 can only take the values 1, 2, 3, 4, 6, 8, 9, 12 and 16, so a mark of 5 never actually occurs and the three bands above cover every cell of the matrix.
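The evaluation formula, the 1 to 16 matrix and the treatment bands described above, carried through as a small evaluator. This is an added example, not code from the original page or from any of the cited sources. The marks, thresholds and treatments follow the text; the boundary between “Medium” and “High” is not defined on the page, so the `HIGH_FROM` value is an assumption that an organization would set from its own risk appetite, and the sample risk register in the usage section is constructed for illustration.

```python
"""Risk probability x impact evaluation, following the text above.

Added example; not part of the original page. Marks, bands and the
treatment per band follow the text. The split between "Medium" and
"High" is not defined on the page, so HIGH_FROM is an assumption.
"""
from dataclasses import dataclass
from itertools import product

SCALE = range(1, 5)          # probability and impact marks are 1..4
HIGH_FROM = 12               # assumption: marks >= 12 are "High", 6..9 are "Medium"

# Treatment per band, as stated in the text
TREATMENT = {
    "Insignificant": "accept; check periodically",
    "Low": "monitor and control; mitigation measures optional",
    "Medium": "mitigate: allocated measures, controls and actions are compulsory",
    "High": "mitigate: allocated measures, controls and actions are compulsory",
}


@dataclass(frozen=True)
class Evaluation:
    probability: int
    impact: int
    mark: int          # probability * impact, in 1..16
    label: str
    treatment: str


def band(mark: int, high_from: int = HIGH_FROM) -> str:
    """Map a risk evaluation mark to its label using the text's thresholds."""
    if mark < 3:
        return "Insignificant"
    if mark <= 5:                 # 3..5 per the text; 5 itself can never occur
        return "Low"
    if mark < high_from:          # >= 6 is Medium or High: mitigation compulsory
        return "Medium"
    return "High"


def evaluate(probability: int, impact: int, high_from: int = HIGH_FROM) -> Evaluation:
    """Risk Evaluation mark = Risk Probability mark x Risk Impact mark."""
    if not (isinstance(probability, int) and isinstance(impact, int)):
        raise ValueError("probability and impact marks must be integers")
    if probability not in SCALE or impact not in SCALE:
        raise ValueError("probability and impact marks must be in 1..4")
    mark = probability * impact
    label = band(mark, high_from)
    return Evaluation(probability, impact, mark, label, TREATMENT[label])


def achievable_marks() -> list[int]:
    """All products of two marks in 1..4; shows which marks can really occur."""
    return sorted({p * i for p, i in product(SCALE, SCALE)})


def heat_map(high_from: int = HIGH_FROM) -> str:
    """Render the 4x4 matrix: rows = probability (4 at top), columns = impact."""
    lines = ["P\\I " + "".join(f"{i:>16}" for i in SCALE)]
    for p in reversed(SCALE):
        cells = [evaluate(p, i, high_from) for i in SCALE]
        lines.append(f"{p:>3} " + "".join(f"{c.mark:>3} {c.label:<12}" for c in cells))
    return "\n".join(lines)


def prioritise(register: list[tuple[str, int, int]],
               high_from: int = HIGH_FROM) -> list[tuple[str, Evaluation]]:
    """Risk profile: rate each (name, probability, impact) and order by mark."""
    rated = [(name, evaluate(p, i, high_from)) for name, p, i in register]
    return sorted(rated, key=lambda item: item[1].mark, reverse=True)


if __name__ == "__main__":
    # Constructed sample register; the entries are hypothetical.
    register = [
        ("Phishing against border staff", 4, 3),
        ("Unpatched document scanner firmware", 2, 4),
        ("Lost visitor badge", 3, 1),
        ("Office printer paper shortage", 2, 1),
    ]
    print(heat_map())
    for name, ev in prioritise(register):
        print(f"{ev.mark:>2} {ev.label:<13} {name}: {ev.treatment}")
```

`achievable_marks()` returns `[1, 2, 3, 4, 6, 8, 9, 12, 16]`, which is why the text's bands (below 3, 3 to 5, 6 and above) leave no cell of the matrix unassigned even though 5 is never produced; `prioritise()` produces the ordered risk profile that the risk evaluation step uses to set treatment priorities.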
Resources
AIRMIC, Alarm, IRM (2010). A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000. United Kingdom: AIRMIC / Alarm (The Public Risk Management Association) / IRM.
Argyridou E, et al. (2023, July). Cyber Hygiene Methodology for Raising Cybersecurity and Data Privacy Awareness in Health Care Organizations. J Med Internet Res. DOI: 10.2196/41294.
ISO (2018). ISO 31000:2018 Risk management – Guidelines. International Organization for Standardization.