The risk matrix is a commonly used risk tool across industries ranging from quality management to finance. And while all sorts of companies like to talk about their risk-based solutions, the truth is it’s not just as simple as using these tools straight out of the box. Risk is a complex concept, and tools like a risk matrix are only useful if they are informed by data that’s highly specific to each organization.
So how do you create a risk matrix, and how do you properly use it? First you have to start by understanding the basics of how a risk matrix works, using collaboration to build a robust model so you can successfully apply it to your quality processes.1. Risk Matrix Basics
A basic definition of risk is likelihood (frequency) multiplied by impact (severity). Combining these two dimensions gives you a sense of the overall risk of a given hazard.
For example, my dog recently had surgery, and she doesn’t know why she can’t jump on and off my bed as she normally does. There’s only a low to moderate likelihood she would bust her stitches open, but the impact would be significant: longer recovery, additional vet care and possibly infection. So she’s stuck on her dog bed for now.
A risk matrix breaks likelihood and impact into numerical scales, plotting them on separate axes to create a chart or matrix showing each combination. On opposite corners you have acceptable and unacceptable risk, but the middle area is what often gives companies trouble.
2. Collaborate with Others
How do you decide what to do with hazards that fall in the middle? Where is the line between acceptable and unacceptable risk? That’s where working with others to vet the risk matrix comes in.
Collaboration is essential when it comes to creating a risk matrix. A collaborative Quality Management System (QMS) makes this process easier, allowing you to share data and manage the review process in a controlled manner.
To create a risk matrix that others can apply in different situations, company leadership needs to agree on:
- What defines the different levels of severity and frequency.
- Which outcomes are acceptable and unacceptable.
- What numerical value in the middle region defines the line between moving forward (acceptable risk) and stopping to retool the process or implement a new control (unacceptable risk).
3. Vet the Risk Matrix
Unless you’re running actual situations through your risk matrix, these discussions are purely hypothetical. Before you finalize the risk matrix, you need to vet it using historical data to see if you get the desired outcome.
For instance, let’s take a hazard that led to a lost-time injury, a risk your management team has deemed unacceptable. When you load the severity and likelihood of the hazard into the risk matrix, does the quotient of those two numbers fall into the acceptable or unacceptable zone? If it comes up as acceptable, you still have work to do.
Working in this way, you can reverse engineer your risk matrix so that it will deliver the desired outcome, providing a clear numerical value that tells users when the risk is too high to proceed.
4. Apply the Risk Matrix
A risk matrix is one of just many risk tools available to quality and safety managers, and it won’t necessarily be applicable in all situations. For instance, it would be difficult to use a risk matrix for rare, catastrophic events where you don’t have much historical data (that’s where the bowtie risk model comes in).
Areas where companies have most successfully applied a risk matrix include:
- Searching and filtering: Risk-based filtering of items such as nonconforming materials, customer complaints, safety incidents and corrective actions helps you find the needle in the haystack that needs attention now.
- Job Safety Analysis (JSA): You can use the risk matrix to break down the risk at every step in a procedure, as well as obtain a cumulative score for the job as a whole.
- Final verification: Performing a final risk-based verification step before closing out items like corrective action requests helps ensure that action taken was truly effective.
- Compliance tracking: Companies often have literally thousands of requirements to comply with, and going through them in sequential order isn’t necessarily useful for managing compliance risks. Using the risk matrix to inform a gap analysis helps you prioritize high-risk gaps that need controls first.
At the end of the day, a risk matrix is only as useful as the data behind it. Take the time to build it correctly, and it’s a tool that can help you standardize decision-making and reduce risk across the board.