How to design a risk assessment matrix. We have 5 grades for impact: Extreme, Major, Moderate, Minor, and Insignificant. These are 5 domains we use for the assessment: Financial, Operational, Reputational, Regulatory and Strategical. The question is what measures and factors should be considered for the assessment for each of the categories above? It should be measurable and as precise as possible. We would rather avoid vague measures.
Gartner has a good set of tools for building out a risk management framework, which would include the risk assessment matrix (aka 5x5).
In the meantime, some measures that come to mind are:
Financial - dollar loss (could be profit, income, capital, etc depending on your business)
Operational - downtime in hours or days to critical services or operations
Reputational - The duration, severity, sentiment of negative news coverage
Regulatory - Fines, reportable breaches, loss of licence, enforceable undertakings, criminal proceedings can all be mapped to different levels of impact
Strategic - The impact in months or years of a risk event on the company's ability to achieve its strategy (for example, a large remediation program might mean a key strategic project is delayed by 6 months).
You do not want to build the risk assessment tool in isolation. You should consider the risk appetite of the board and top management and define a risk appetite statement while you define the thresholds for each impact level to ensure your risk assessments are fit for purpose and aligned to the expectations of the Board.
Also keep in mind the above is not a definitive list of things to consider for your risk matrix. You should consider the scope and activities of your business and get input from a range of sources when developing your initial risk matrix.
You can create a risk heat map and start factoring each risk to assess the likelihood and impact of an occurrence.
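The two answers above describe per-domain measures (dollar loss, downtime hours, days of negative coverage, categorical regulatory outcomes, months of strategic delay), thresholds for each impact level, and a likelihood-by-impact heat map. The following is an added worked example, not code from either answer or from any vendor tool: it encodes such thresholds as lookup tables, grades each domain, takes the worst grade as the overall impact, and places each risk in a 5x5 heat-map cell. Every threshold value, the `Rare`..`Almost certain` likelihood scale, the `Low`/`Medium`/`High` banding of the score and the sample risks are constructed assumptions; a real organisation would derive the numbers from its own risk appetite statement.

```python
"""Worked 5x5 risk assessment matrix (added example, constructed thresholds)."""
from dataclasses import dataclass

IMPACT_GRADES = ["Insignificant", "Minor", "Moderate", "Major", "Extreme"]
# Likelihood scale is an assumption; the original question only defines impact grades.
LIKELIHOOD_GRADES = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]

# Constructed threshold tables, one per numeric domain. Each entry is
# (lower bound, grade); a measured value >= bound earns that grade, and the
# highest bound reached wins. Units are noted per domain.
DOMAIN_THRESHOLDS = {
    "Financial": [(0, "Insignificant"), (10_000, "Minor"), (100_000, "Moderate"),
                  (1_000_000, "Major"), (10_000_000, "Extreme")],   # dollar loss
    "Operational": [(0, "Insignificant"), (1, "Minor"), (8, "Moderate"),
                    (24, "Major"), (72, "Extreme")],                 # hours of downtime
    "Reputational": [(0, "Insignificant"), (1, "Minor"), (7, "Moderate"),
                     (30, "Major"), (90, "Extreme")],                # days of negative coverage
    "Strategic": [(0, "Insignificant"), (1, "Minor"), (3, "Moderate"),
                  (6, "Major"), (12, "Extreme")],                    # months of strategic delay
}

# Regulatory impact is categorical, so it maps event types rather than numbers.
# The mapping of event type to grade is an assumption.
REGULATORY_EVENTS = {
    "none": "Insignificant",
    "reportable_breach": "Minor",
    "fine": "Moderate",
    "enforceable_undertaking": "Major",
    "loss_of_licence": "Extreme",
    "criminal_proceedings": "Extreme",
}


def grade_numeric(domain: str, value: float) -> str:
    """Map a measured value in a numeric domain to an impact grade."""
    thresholds = DOMAIN_THRESHOLDS[domain]
    grade = thresholds[0][1]          # values below every bound get the lowest grade
    for bound, candidate in thresholds:
        if value >= bound:
            grade = candidate
    return grade


def grade_regulatory(event: str) -> str:
    return REGULATORY_EVENTS[event]


def overall_impact(grades) -> str:
    """Conservative aggregation: the worst grade across domains is the overall impact."""
    return max(grades, key=IMPACT_GRADES.index)


def rating(score: int) -> str:
    """Band a likelihood x impact score (1..25) into a colour band (constructed cut-offs)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    likelihood: str
    financial_loss: float = 0.0
    downtime_hours: float = 0.0
    coverage_days: float = 0.0
    strategic_delay_months: float = 0.0
    regulatory_event: str = "none"


def assess(risk: Risk) -> dict:
    """Grade every domain, derive the overall impact and the heat-map score."""
    grades = {
        "Financial": grade_numeric("Financial", risk.financial_loss),
        "Operational": grade_numeric("Operational", risk.downtime_hours),
        "Reputational": grade_numeric("Reputational", risk.coverage_days),
        "Regulatory": grade_regulatory(risk.regulatory_event),
        "Strategic": grade_numeric("Strategic", risk.strategic_delay_months),
    }
    impact = overall_impact(grades.values())
    score = (LIKELIHOOD_GRADES.index(risk.likelihood) + 1) * (IMPACT_GRADES.index(impact) + 1)
    return {"domains": grades, "impact": impact, "score": score, "rating": rating(score)}


def heat_map(risks) -> dict:
    """Group risk names into (likelihood, impact) cells of the 5x5 matrix."""
    cells = {}
    for risk in risks:
        result = assess(risk)
        cells.setdefault((risk.likelihood, result["impact"]), []).append(risk.name)
    return cells


# Constructed sample risks for illustration only.
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", "Likely", financial_loss=250_000,
         downtime_hours=30, coverage_days=2, regulatory_event="fine"),
    Risk("Expired TLS certificate on internal tool", "Rare", financial_loss=5_000),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(r.name, assess(r))
    print(heat_map(SAMPLE_RISKS))
```

The worst-of-domains rule in `overall_impact` is deliberately conservative; some frameworks instead weight domains or take the financial grade as primary, and that choice is exactly what the risk appetite statement mentioned above should settle before the thresholds are fixed.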