The Risk Management Matrix - A Primer

Last week we discussed the basics of the Risk Management Process, and I promised an exploration into the Risk Management Matrix. Well, TA-DAH:

Sorry for the X-Large Size, it was the only option in Blogger to make it readable. When will they let you drag corners to adjust size?

In case you are wondering, this is what a basic Risk Management Matrix looks like. There are varying degrees of Risk, from Green to Yellow to Red. When talking about Risks that are negative (some people would say there are positive Risks, others call them Opportunities) then you want to move the risk as close to Green as possible through the different Risk Management Approaches of dealing with Risk (mentioned last week: Accept, Avoid, Mitigate,  or Transfer). We'll go into more detail as we explore the Risk Management Matrix.

The version I've selected is perhaps the most common and basic. It breaks down the Risk into Impact and then Probability. Most organizations will devise their own standards, but here is a recommended starting point:

Impact:

Catastrophic - Typically identified as death, or high financial impact to the point of bankruptcy, loss of project, or significant impact to outside stakeholders / environment

Critical - Potential for significant injury or significant material / finance losses to the project

Moderate - Potential for injury requiring medical attention and / or loss to material / finanaces of company / project
Marginal - Potential for injury (most likely not significant, requiring onsite first aid) and some material / finances loss

Negligible - Potential for minor injury and minor loss of material / finances

Probability:

Almost Certain - This will happen, you will have to deal with it (95%+ chance)

Likely - This has a high probability to happen, but might not (60% - 94.9% chance)

Possible - This has a medium probability to happen (40% - 59.9% chance)

Unlikely - This has a low chance of happening (15% - 39.9% chance)

Rare - Almost certainly won't happen (0% - 14.9% chance)

Requisite Level of Risk is based on the combination of Impact / Probability:

Minimum - Dark Green
Low - Green

Medium - Yellow

High - Orange

Extreme - Red

Typically during the Risk Management Process, the intention is to move project risks to the left of the Matrix via the different Risk Management Approaches. In most cases companies will not allow a Risk to remain Orange / Red, and shouldn't remain Yellow if at all possible. If it is not possible to move all the risks into a Green area (or at least Yellow) then a decision has to be made on whether or not to proceed (most often not!).

In the next post, we'll discuss how to use the Risk Management Register to list the risks of a project, identify the courses of action necessary to move from Red to Green, and distribute the register to the various team members for comments / updates.

In the meantime, at the beginning of the post we identified that you would want to move items toward the Green if they were negative risks. What about positive risks (or opportunities)? What changes would you recommend to make the Risk Matrix into an Opportunity Matrix?