Using risk scales and matrices for your organisation
Use your organisation’s approved risk scales and matrices — if they’re in development or do not exist, use our examples to help in their development and approval.
Quantitative methods for assessing risks
If your organisation has approved quantitative methods for assessing risks, use those. Otherwise, qualitative scales and matrices are good ways to have stakeholders analyse the risks to an information system.
Definitions are must-haves for qualitative scales and matrices
When using qualitative scales and matrices, you need to define the categories. For example, the categories high, medium and low on their own do not give enough information for the:
- stakeholders to accurately assign a rating
- reader of a risk report to understand how and why a risk was given a specific rating.
Approval from senior management
If your organisation does not already have approved scales and matrices for rating risks, then it’s very important that senior management be involved in their:
- approval — by signing off on them.
This way, senior management can tailor the scales and matrices to reflect your organisation’s unique risk appetite and governance structures.
When developing or tailoring an impact scale, senior management must carefully consider the different types of impacts that could weaken your organisation’s operations and prevent it from achieving its strategic objectives.
Senior management should consider impacts in the following areas:
- financial effects
- legal aspects
- health and safety
- service delivery
- any other area that is specific to your organisation’s context.
Define the impacts at each point of the scale
Once the categories have been identified, senior management must define the impacts at each point on the scale.
A useful strategy for this is to write down the maximum credible impact and the lowest impact of concern. This way, both extremes of the scale are defined: severe (5) and minimal (1).
For workshop participants to rate risks in a consistent manner across your organisation’s different risk assessments, the definitions must be clear, concise and not open to interpretation.
Senior management should make sure that your organisation’s likelihood scale is as clear as possible.
It should reflect your organisation’s standard life cycle for its information systems. For example, if your organisation typically refreshes its information systems after 5 years of operation, the scale should consider likelihood over that period of time.
Define likelihood at each point of the scale
The scale must be set so that the lowest likelihood rating, combined with the highest defined impact, still produces a risk within your organisation's appetite. Otherwise, every activity with an impact rated severe (5) would be beyond your organisation's risk appetite, even with a likelihood rating of 1 (almost never occurring).
Senior management must have a risk matrix in place to work through its initial and final risk ratings. Using a 5 × 5 risk matrix is a common format.
Risk escalation and reporting
Senior management must also identify and document who needs to be informed and has the authority to accept risk at each level of importance to your organisation.
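As an added illustration of the 5 × 5 matrix, the likelihood-1/impact-5 consistency rule and the documented acceptance authority described above (example code, not part of this page or any organisation's approved scales), the following Python rates a risk from its two scores, records who may accept each band, and checks the matrix for the two governance gaps the text warns about. The scale wording, scoring thresholds, band names and role titles are constructed assumptions.

```python
# Constructed 5-point scales (assumed wording, not an approved organisational scale).
LIKELIHOOD = {1: "almost never", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "minimal", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Rating bands from lowest to highest; the appetite limit names the highest band
# that anyone in the organisation is permitted to accept (assumed: "high").
BANDS = ["low", "medium", "high", "extreme"]


def rate(likelihood: int, impact: int) -> str:
    """Map a likelihood and impact score to a rating band.

    Uses a likelihood * impact product with constructed thresholds; a real
    matrix would use the cells senior management signed off on."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must both be between 1 and 5")
    score = likelihood * impact
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


# Who may accept a risk at each band (constructed governance mapping).
ACCEPTANCE_AUTHORITY = {
    "low": "system owner",
    "medium": "business unit manager",
    "high": "chief information security officer",
    "extreme": "no one: beyond appetite, the risk must be treated",
}


def check_matrix(appetite_limit: str = "high") -> list:
    """Return a list of problems with the matrix; an empty list means consistent.

    Check 1: the lowest likelihood paired with the highest impact must still be
    acceptable, otherwise every severe-impact activity is beyond appetite.
    Check 2: every band must name who has authority to accept risk at that level."""
    problems = []
    rare_but_severe = rate(1, 5)
    if BANDS.index(rare_but_severe) > BANDS.index(appetite_limit):
        problems.append(f"likelihood 1 / impact 5 rates '{rare_but_severe}', beyond appetite")
    for band in BANDS:
        if band not in ACCEPTANCE_AUTHORITY:
            problems.append(f"no acceptance authority documented for band '{band}'")
    return problems
```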