Risk is the big topic of conversation in the compliance industry. Businesses are moving at a faster rate and operations continue to increase in complexity, and yet the need for compliance is stronger than ever. So we need to implement a systematic and objective means to maintain compliance, and keep up with the pace of business.
In just 5 minutes, you'll learn why Risk Assessment is the new benchmark, and how to create a simple Risk Matrix for use in your compliance efforts.
1. CONFIDENTIAL: This document contains information that is confidential and proprietary to EtQ, Inc. Disclosure, copying, distribution
or use without the express permission of EtQ is prohibited. Copyright 2013 EtQ, Inc. All rights reserved.
5 minutes on…
Risk Assessment: Creating a Risk
Matrix
Tim Lozier, EtQ, Inc.
2. Risk is the new Benchmark
• Business are moving at a faster rate
• Compliance needs to be maintained – need a
systematic, quantitative measure
• Risk is becoming the new benchmark for compliance
– Objective, Repeatable
– Helps to make better, more informed decisions
3. Step 1. Defining Risk
• Not easy! Companies spend time and money building a
risk taxonomy
• Risk comes from Hazards and Harms
– Hazards = A situation that poses a level of threat to life, health,
property or environment (an undesired event)
– Harms = resulting damages from the Hazard
– Risk = The potential that a chosen action or activity will lead to an
undesirable event
– Control = A method of evaluating potential losses and taking
action to reduce or eliminate the potential for an undesired event
4. Step 2. Quantifying Hazards and Harms
• We need a scale – Severity and Frequency
– Define the level of Risk on a pre-defined Scale:
Severity Description
Catastrophic Likely to result in death
Critical Potential for severe injury
Moderate Potential for moderate injury
Minor Potential for minor injury
Negligible No significant risk of injury
Frequency Description
Frequent Hazard likely to occur
Probable Hazard will be experienced
Occasional Some manifestations of the hazard are likely to occur
Remote Manifestations of the hazard are possible, but unlikely
Improbable Manifestations of the hazard are very unlikely
5. Step 3. Build it all into a Risk Matrix
• The Risk Matrix: tool used in the Risk Assessment process, it
allows the severity of the risk of an event occurring to be
determined.
• Graphically displays the total of each of the
hazards/harms that contribute to the risk
– Severity = X
– Probability = Y
– Risk Score = XY
Y
X
RISK
(XY)
6. Hold On – There are some “gray areas”
• Risks are not always “black and white”
• When defining risk management, some organizations
find it convenient to categorize risks into the following
three regions:
• The broadly acceptable region (Generally Acceptable - GA)
• The ALARP (As Low As Reasonably Practicable) region; and
• The intolerable region (Generally Unacceptable - GU)
GU
GA
ALARP
But how many zones?
How to determine ALARP?
Probability
Severity
7. Step 4. Test your Risk Matrix
• You must vet the matrix
– Risk score is a mathematical measure
– Use “real world” examples to ensure validity of the matrix
– Example: False symmetry in risk matrix – needs to be validated
with real world situations
5 10 15 20 25
4 8 12 16 20
3 6 9 12 15
2 4 6 8 10
1 2 3 4 5
PROBABILITY
SEVERITY
10
10
8. A Vetted Risk Matrix is just a Tool
• Risk Matrix is designed as a tool, not a solution
– Risk is only quantifying the result
– Organizations need to work on interpreting the decision
• Risk Teams review events to make decisions, using the
Risk Matrix as a tool for the decision-making process
9. How to Apply The Risk Matrix - Example
• Use Risk Assessment to filter adverse events
– What is the risk of the event, versus when it came into the
system
– Prioritize events by their RISK not their due date
• Resolve low-priority events at the source where they
are found
– Minor Complaints/Nonconformances/Audit findings
– Events with little impact can be immediately resolved
• Risk Mitigation: Applies risk assessment to verification
and effectiveness in Corrective Action
– Are we reducing the risk to the right level?
– Are we truly mitigating risk of recurrence?
Where’s
the Risk
here?
10. Conclusion
• Risk Assessment is great tool for making informed decisions
• Understand your Hazards and Harms within the organization
• Build a scale that makes sense to your organization
• Plot the scale on a graph to form a Risk Matrix
• Determine where the acceptable and unacceptable risk lie
• Then, vet that matrix with real-world historical examples
• Use the Risk Matrix as a tool within a Risk team to filter adverse
events by their Risk
11. For more than 5 minutes…
EtQ’s Blog on Risk Matrix
blog.etq.com
Webcasts on EtQ’s Risk
Based system
www.etq.com/webinar
www.etq.com
info@etq.com
516.293.0946