I've worked in risk management for over 35 years, and a few common threads run through those years. We all agree (most of us, at least) that risk management is crucial to any organization.

High-reliability organizations (HROs) are a well-studied group of organizations. They include things like nuclear aircraft carriers, chemical facilities, and air traffic control: activities that flirt, theoretically at least, with catastrophe on a daily basis. For our purposes, we'll look more broadly at the generic term of high-risk industries.

Some of the things that I notice almost everywhere I consult are:

Risk matrices are ubiquitous, particularly in high-risk industries such as oil and gas, construction, aviation, etc., where lives, infrastructure, and money are in the balance.

The correct use of risk matrices is often widely misunderstood, particularly regarding inputs such as threat assessments and risk definition.

Designing an effective risk matrix takes care, attention, and expertise.

My approach uses the CASE method to improve the effective use of risk matrices. However, well-designed likelihood and consequence criteria, coherent ratings, comprehensive inputs, and risk identification are all critical.

## The Importance of Risk Matrices in High-Risk Industries

Oil and gas companies are an excellent example of high-risk industries. They face significant risks throughout their operations, from initial capital to safely operating a facility for delivery of 20 or 30-year supply contracts. Managing these risks poorly can have catastrophic financial and human consequences for the organization, employees, and the environment.

Risk matrices are ubiquitous in high-risk industries despite much criticism from various corners. When used properly as part of a risk management system, they provide a structured and logical framework for assessing and managing risks. The implementation of risk matrices has been demonstrated across various industries worldwide, making them a core tool in risk management.

## The Components of an Effective Risk Matrix

Let's start with the basics. A risk matrix is a two-dimensional matrix that plots the likelihood and consequence of identified risks. The matrix is divided into cells, each assigned a rating based on the level of risk.

The main components of an effective risk matrix include:

Likelihood and Consequence Criteria: The matrix's foundation, these criteria need to be well-designed and tailored to the organization's context. Likelihood criteria refer to the probability of a risk occurring, while consequence criteria represent the potential impact of the risk.

Risk Rating: Each cell in the matrix is assigned a risk rating (e.g., low, medium, high), reflecting the risk's overall severity. A well-designed matrix ensures that the ratings assigned to each cell are coherent and well-considered, providing a consistent and logical framework for risk assessment.

Inputs: Effective risk matrices rely on comprehensive and accurate inputs. These may include quantitative data, threat assessments, hazard assessments, and other relevant information that can inform the likelihood and consequence criteria.

Risk Identification: A critical component of risk management, clear and concise risk identification is essential for an effective risk matrix. The CASE method (Consequence, Asset, Source, Event) is helpful for creating concise yet informative risk descriptions.

## Implementing Risk Matrices in Oil and Gas Companies

The way I help organizations maximize the effectiveness of risk matrices is via the following process:

Gather Inputs: We collect and analyze relevant quantitative data, incident reports, threat assessments, hazard registers, and other relevant information to inform the likelihood and consequence criteria.

Develop Likelihood and Consequence Criteria: Tailor the criteria to the organization's specific context, considering the unique sector risks. Ensure that the criteria are realistic, transparent, and easily understood by all stakeholders. I start by defining the asset types and risk categories (e.g., people, financial, reputation), then seek agreement on the definition of an existential consequence in each category. For example, how much financial loss or how many fatalities could the organization stand before it ceased to exist?

Establish Risk Ratings: I sit down with my team to consider the internal consistency and logic of the risk ratings assigned to each cell in the matrix. These ratings must be internally coherent to provide a consistent and logical framework for risk assessment.

Implement the Risk Matrix: Once developed, the risk matrix must be signed off by the risk team and the CEO or senior leadership team.

It is then a matter of getting the word out by updating the risk management system and training people on how to use it.

The key challenge is to design a risk matrix that works for all aspects of that particular organization. For example, the financial consequence criteria should refer to a percentage of budget/revenue/profit rather than an absolute amount. A $1 million loss is catastrophic for a $200,000 project but insignificant in the context of a $2 billion asset register.

Another aspect of designing that risk matrix is that it should stand the test of time. Yes, it needs to be regularly reviewed and updated when the context changes, but no more than necessary. If the risk matrix and criteria change every year, evaluating risk performance and prioritizing risk treatments becomes difficult, if not impossible.
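
The relative financial criteria and the rating-coherence check described in this section, as an added Python example that is not the author's or SRMBOK's own material. The percentage bands, the 5x5 ratings, and all function names are assumptions chosen for illustration; an organization would substitute its own agreed criteria.

```python
# Added illustration: band thresholds and cell ratings below are assumed values.
LEVELS = ["Low", "Medium", "High", "Extreme"]

# Financial consequence bands as a fraction of the baseline (project budget,
# revenue or asset value), not an absolute amount: (exclusive upper bound, band).
CONSEQUENCE_BANDS = [(0.01, 1), (0.05, 2), (0.20, 3), (0.50, 4), (float("inf"), 5)]

# MATRIX[likelihood - 1][consequence - 1]; both scales run 1 (lowest) to 5.
MATRIX = [
    ["Low",    "Low",    "Medium", "Medium",  "High"],
    ["Low",    "Medium", "Medium", "High",    "High"],
    ["Low",    "Medium", "High",   "High",    "Extreme"],
    ["Medium", "Medium", "High",   "Extreme", "Extreme"],
    ["Medium", "High",   "High",   "Extreme", "Extreme"],
]

def consequence_band(loss, baseline):
    """Map a loss to a consequence band relative to the baseline it is measured against."""
    if baseline <= 0:
        raise ValueError("baseline must be positive")
    ratio = loss / baseline
    for upper, band in CONSEQUENCE_BANDS:
        if ratio < upper:
            return band

def incoherent_cells(matrix):
    """Return (likelihood, consequence) cells rated lower than a neighbour
    with lower likelihood or lower consequence."""
    rank = {name: i for i, name in enumerate(LEVELS)}
    problems = []
    for l, row in enumerate(matrix):
        for c, rating in enumerate(row):
            left = rank[row[c - 1]] if c > 0 else -1
            above = rank[matrix[l - 1][c]] if l > 0 else -1
            if rank[rating] < max(left, above):
                problems.append((l + 1, c + 1))
    return problems

def rate(likelihood, loss, baseline, matrix=MATRIX):
    """Rate a financial risk; refuse to use a matrix whose ratings are incoherent."""
    bad = incoherent_cells(matrix)
    if bad:
        raise ValueError(f"incoherent ratings at cells {bad}")
    return matrix[likelihood - 1][consequence_band(loss, baseline) - 1]

if __name__ == "__main__":
    # The article's example: the same $1 million loss against two baselines.
    print(rate(3, 1_000_000, 200_000))        # $200,000 project
    print(rate(3, 1_000_000, 2_000_000_000))  # $2 billion asset register
```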

## Benefits and Limitations of Risk Matrices in High-Risk Industries

Understanding risk matrices' potential benefits and limitations is essential for maximizing their efficacy in sectors such as the oil and gas industry. This gets to the heart of why even use a risk matrix. Certainly, they should never be the only tool, but the question is, why have them in the toolbox in the first place?

### a) Benefits:

i) Improved Risk Awareness: Risk matrices can help systematically identify and assess risks. Organizations that enhance their understanding of potential hazards and vulnerabilities can make more informed decisions.

ii) Prioritization of Resources: Risk matrices facilitate the prioritization of resources by highlighting the most critical risks in a manner that is immediately obvious. This allows organizations to bring the conversation to focus on the highest-priority risks.

iii) Enhanced Communication: The visual and structured nature of risk matrices enables clear communication of risks and their associated consequences, promoting a shared understanding among stakeholders.

iv) Facilitated Compliance: By providing a structured framework for risk assessment, risk matrices can help organizations demonstrably meet regulatory requirements and industry standards, thereby reducing the risk of non-compliance and associated penalties.

### b) Limitations

The second area where most organizations fail when using risk matrices is not understanding and communicating the limitations of risk matrices. In case you were wondering, the first issue is using a poorly designed matrix with lousy inputs.

One widely cited paper on risk matrices even falls into this trap. The paper evaluates several risk matrices that are poorly designed and were used in the absence of well-defined risks. The paper then concludes that risk matrices are fundamentally flawed. As you have probably gathered, it is not risk matrices that are flawed but the way they are designed and used.

Before we go into the key limitations of risk matrices, it is essential to highlight that they have a limited and specific role in risk management. In the following graphic, you can see the ISO 31000 risk process on the left. The diagram to the right is an expanded view of what happens at each step. Risk matrices have their use when compiling the risk rating.

In this model, that is a very small part of the risk management process.

However, it is essential to understand that every tool has limitations. In the case of risk matrices, these include:

Subjectivity: While risk matrices can incorporate quantitative data, they often rely on subjective judgments, which can introduce biases and inconsistencies.

Over-simplification: Categorizing risks into a limited number of cells can sometimes oversimplify complex risks, potentially leading to inadequate risk management strategies.

False Sense of Confidence: Using risk matrices can create a false sense of security if organizations overly rely on them without considering other risk management approaches or tools.

Static Nature: Risk matrices can become outdated if not regularly reviewed and updated, limiting their effectiveness in addressing evolving risks and changing circumstances.

You can find a more comprehensive list of the limitations of risk matrices in this article.

## Conclusion

Risk matrices have proven effective in helping organizations manage risks in various sectors, including high-risk industries such as nuclear power, military, oil & gas, etc. Organizations that use them need to maximize the efficacy of risk matrices by carefully designing the likelihood and consequence criteria, ensuring the coherence of risk ratings, gathering comprehensive inputs, and using the CASE method for risk identification.

Any tool that can help navigate the complex risk landscape of the early 21st century deserves a place in your risk management system. It should be used regularly but also used wisely and appropriately.

If you'd like to design and use a risk matrix, I have a couple of Excel templates you can download from the SRMBOK website. If you're keen to automate and speed up those steps, you might like to sign up for a free trial of SECTARA, the software that a few friends and I use for this process.
