Risk Matrices – How to

Design them Correctly

Peter Carr
Risk, Reliability and Asset Integrity Manager
August 25, 2015
Lunch and Learn, ECII Office
OneWay Moment

Sometimes safety is about quickly getting away

from an unsafe situation. That’s why it pays to
know your exits.
Chances are you’re aware of the exits from your
home or your workplace. But what about the
stores where you shop, the public buildings you
enter, the venues you take your family to, or the
hotels where you stay?
Get in the habit of always locating the
emergency exit wherever you are. If you know
exactly where to go, you’ll get there a lot
quicker.
 What’s a risk matrix?

A risk matrix is a table

Risk • It has several categories of
category consequence on one axis
• And several categories of
likelihood on the other axis
• It maps a consequence-
likelihood pair to a risk level
• Risk levels are usually shown
with colors
• In this case, red denotes highest
risk, green lowest risk and
yellow intermediate risk

Risk is“effect of uncertainty on objectives”

Risk level (or simply risk) is “magnitude of a risk or combination of risks, expressed in terms of the
combination of consequences and their likelihood”
Risk (quantitative) = consequence times likelihood (usually)
INTECSEA 3
 How do we use a risk matrix? Use risk matrix to look
up risk level (red in
this case)

Assess
likelihood
category Apply
corporate
rules for
Describe risk treatment of
scenario risk of the
level indicated
(What can by the matrix
go wrong?)

Assess
consequence
category
INTECSEA 4
Assessing the consequence and likelihood categories (1 of 2)

A risk matrix is normally accompanied by “valuation scales” defining the consequence and likelihood
categories. Here’s an example for definition of consequence categories, taken from MIL-STD-882E,
used by the US Department of Defense for assessing risks in the development, test, production, use
and disposal of defense systems:

INTECSEA 6
Assessing the consequence and likelihood categories (2 of 2)

Here’s an example for likelihood categories, taken from MIL-STD-882E (we can’t fit the whole table
on the slide):

INTECSEA 7
Risk matrix scales can be cardinal or ordinal

We can find examples of both types of scale in MIL-STD-882E. We can do

calculations with cardinal scales but not with ordinal.
Monetary Loss – Cardinal Environmental Impact – Ordinal

Consequence categories: Consequence categories:

1 Greater than $10m 1 Irreversible significant
2 $1m to $10m 2 Reversible significant
3 $100k to $1m 3 Reversible moderate
4 Less than $100k 4 Minimal

Probability of occurrence categories: Likelihood categories:

A. Greater than 0.1 A. Frequent
B. 0.01 to 0.1 B. Probable
C. 10-3 to 10-2 C. Occasional
D. 10-6 to 10-3 D. Remote
E. Less than 10-6 E. Improbable

INTECSEA 8
 How NOT to construct a risk matrix (1 of 2)

This a matrix widely used in

healthcare in the UK. The
probability and consequence
categories are labeled with
numbers from 1 to 5 (ordinal
scales).

Each cell has been given a risk

score obtained by multiplying
the probability and consequence
categories. The coloring has then
been set according to the risk
score, e.g. red for cells with score
greater than or equal to 15.
Multiplying ordinal scales is a
common and wrong practice.
INTECSEA 9
 How NOT to construct a risk matrix (2 of 2)

For claims against the healthcare

authority, the risk matrix scales are
cardinal, so we can calculate risks.
Assume risk = consequence x
probability (usual measure).

Compare the three cells circled in

brown. Each has maximum risk of
100, yet two cells are green and one
cell is yellow!

Compare the two cells circled in

white. Risks can be as high as
100,000 in both cells, yet one is red
and the other orange!

Multiplying category numbers to

estimate risk was misleading!
INTECSEA 10
 Recommended construction procedure (Step 1 of 3)

Set up Probability-Impact Graph

using cardinal scales with range
and subdivisions appropriate to
the type of risk and the project.

This procedure is applicable only

when scales are cardinal.

Draw some contours of equal

risk (“isorisk contours”) to divide
the domain into several risk
levels of interest. These contours
mark the thresholds between the
different risk levels of interest.

INTECSEA 11
 Recommended construction procedure (Step 2 of 3)

Color the cells according to their

relationship to the risk contours
(ignoring for the moment the
cells intersected by the risk
contours).

Here, cells above the first

(highest contour) have been
colored red, the cells between the
first and second contours have
been colored yellow, and so on.

The cells intersected by the risk

contours are of ambiguous risk
level and need special
consideration.
INTECSEA 12
Why cells that straddle risk thresholds are of ambiguous risk level

Cells entirely above this risk threshold

are colored red and cells entirely below Whenever a cell
it are colored yellow
straddles a risk
threshold, some
This part of the risks in the cell
brown cell that is will be above the
above the contour
contains risks as
threshold and
high as in the red some below,
zone therefore the cell
has ambiguous
risk level.
This part of the
brown cell contains We can adopt
risks as low as in the conservative
yellow zone
coloring for these
To be conservative, the brown cells should be ambiguous cells.
recolored as red, to ensure that any error of
risk classification is on the safe side
INTECSEA 13
 Recommended construction procedure (Step 3 of 3)

We have to decide how to color

the cells of ambiguous risk level.

To be conservative, apply the

color of the risk level
immediately above each
ambiguous cell. So any error of
risk classification will be on the
safe side.

INTECSEA 14
 The finished matrix

Our finished matrix is color

consistent, with any error in risk
classification being on the safe
side.

As an optional final step, we can

hide the isorisk contours used in
constructing the matrix.

INTECSEA 15
Check on NASA’s risk matrix

NASA risk matrix Our check construction using NASA’s

? denotes possible inconsistent coloring scales for risk of hardware loss

? -

-
?
-

( )
INTECSEA 16
Check on ExxonMobil risk matrix

With risk thresholds at $1m, $100k and $10k, we can nearly reproduce the EM matrix. Two cells in
EM’s matrix are found to be inconsistently colored with respect to the underlying scales. And 11 out of 20
cells straddle risk thresholds and are of ambiguous risk level – too many colors for a small matrix?

EM risk matrix Our check construction using EM’s

? denotes possible inconsistent coloring scales for financial risks

INTECSEA 17
 Redesign of UK healthcare risk matrix considered earlier

This is speculative since we have no idea what risk thresholds the organization may
have had in mind. Our construction (below right) assumes risk thresholds at £10,000,
£1,000 and £100. Several cells in the original matrix (below left) appear to have
inconsistent color. Also, columns 4 and 5 could be merged according to our
construction since they have identical coloring.

? ?

)
?

(
?

- - - - -
·

INTECSEA 18
Demo of risk matrix construction software

Points to note:

Changing the cardinal scales or the risk thresholds of interest may change the required
risk matrix coloring.

Most companies have a “standard” risk matrix and use it in conjunction with disparate
scales. It is highly unlikely that the same coloring will be consistent with all these
scales.

INTECSEA 19
Risk matrix construction software – screen capture

INTECSEA 20