Risk matrices are probably one of the most widespread tools for risk evaluation. They are mainly used to determine the size of a risk and whether or not the risk is sufficiently controlled. There is still confusion about how they are supposed to be used. This article will explain their use in the context of the bowtie diagram.
There are two dimensions to a risk matrix. It looks at how severe and likely an unwanted event is. These two dimensions create a matrix. The combination of probability and severity will give any event a place on a risk matrix (there are some events that are more difficult, but we’ll come to that later).
Most risk matrices have at least three areas.
- The low probability, low severity area (usually green) that indicates the risk of an event is not high enough, or that it is sufficiently controlled. No action is usually taken with this. If we talk about risk matrices in a bowtie however, usually bowties are done for major hazards, so most events are high risk and don’t fall into this category.
- The high probability, high severity (ususally red) which indicates an event needs a lot or more control measures to bring the probability or severity down. Bowties will have a lot of events that fall into this category.
- The medium category (usually yellow) is in between these two areas. Any event that falls in this area is usually judged to be an area that needs to be monitored, but is controlled as low as reasonably practicable (or ALARP, a concept that is beyond the scope of this article, but you can go here and read about it). Essentially it means if we keep the risk at that level, we accept it.
It’s important to understand that a risk matrix by itself makes for a poor decision making tool. It is best suited for ranking events. There is not enough granularity in a risk matrix to use it for anything other than saying that some events are really bad, and others are less so. Decisions need to be based on an underlying analysis (like a bowtie diagram) that will tell you what will cause the unwanted event and what an organisation is already doing to control it. This information will make an informed decision possible.
Another misconception is that a risk matrix is a quantitative tool. In theory, it can be, but in practice, it is not. The risk matrix is made up of two ordinal rating scales, with mostly qualitative descriptions along its axes. This makes it very difficult to assign any real numbers to a matrix and thus to do calculations with it. It can only give a qualitative score that indicates in which category an event falls. It won't allow for any sophisticated calculations.
There are different ways of looking at severity. Something can be very severe from the perspective of human life, or from the perspective of damage to a facility. Usually four perspectives are used (although more or less is also possible) that form the accronym PEAR. This stands for People, Environment, Assets and Reputation. Any event can be judged against these four categories. For instance: a car crash will have an impact on people, but also on assets. An oil spill might have an impact on the environment and reputation, and also some asset and people impact.
These different perspectives do make it very difficult to compare two events with each other. If we have two events, one that scores high on people, and another that scores high on environment, which one is more severe? This is why aggregating risk matrix scores is difficult, if not impossible to do. The best way to compare the severity of events is to make a qualitative judgement.
Up until now, only probability has been discussed. But there are different possibilities. If we drive to work, and there’s a probability of 0,05 that we’ll crash, we expect for every car that in 100 workdays, there are 5 crashes. The probability will be the same every time we drive to work.
Instead of focusing on a single event, we can also say: how often can I drive to work before I crash? The frequency of a crash will be 1 in 20. This is essentially the same, just written down differently.
The last category looks at the past and scores higher if the event has occurred more. The main difference is that probability and frequency tell us something about the future, while historical scales will only tell us something about the past. If something has not occured yet, a historical scale will not allow you to make a prediction about how often it might happen in the future. This is why most risk matrices now use probability or frequency scales.
Low probability, high severity
There is a problem with events that have a very low frequency, but a catastrophic severity. If the risk matrix categories are not set up correctly, these types of events tend to ‘fall off’ the grid and get less attention than they deserve. This is especially a problem with historical frequency scales, where an event will get the lowest possible score just because it has never occurred. A possible solution is to make the worst severity category the highest priority category, regardless of the probability.
Strategies for giving scores
Ranking an event on a risk matrix can be done in three ways:
- Worst case scenario. This is done by taking the worst that could happen. For instance in the case of a car crash, there will be multiple fatalities and it might be likely to occur. Essentially when looking at the worst case scenario, all Barriers are ignored and only the Hazard, Top event and Consequences are considered. These types of incidents might occur in reality, but they will most likely be the exception, not the rule.
- Current situation. The second strategy tries to evaluate the severity and probability of the average event. So the average severity for a car crash might be a single fatality, and it’s unlikely to happen. This strategy takes into account all the barriers that are currently implemented.
- Future situation. The last strategy tries to make an estimate of how the risk might go down after improvements to barriers, or implementation of new barriers. It aims to estimate the future average of incidents.
Even though the risk matrix has a lot of drawbacks, it has endured the criticism and is still one of the standard tools used in most risk assessments. If the risk matrix is used in the correct way, it can add some understanding, although probably the greatest challenge today is for people to understand its limitations.