Читать книгу The Failure of Risk Management - Douglas W. Hubbard - Страница 29

The most common risk assessment method is some form of a risk matrix. A total of 41 percent of respondents in the HDR/KPMG survey say they use a risk matrix—14 percent use a risk matrix based on one of the major standards (e.g., NIST, ISO, COSO, etc.) and 27 percent use an internally developed risk matrix. Internally developed risk matrices are most common in firms with revenue over $10 billion, where 39 percent say that is the method they use.

Risk matrices are among the simplest of the risk assessment methods and this is one reason they are popular. Sometimes referred to as heat map or risk map, they also provide the type of visual display often considered necessary for communication to upper management. See exhibit 2.3 for an example of a risk map for both verbal categories and numerical scores.

As the exhibit shows, a risk matrix has two dimensions, usually labeled as likelihood on one axis and an impact on the other. Typically, likelihood and impact are then evaluated on a scale with verbal labels. For example, different levels of likelihood might be called likely, unlikely, extremely unlikely, and so on. Impact might be moderate or critical. Sometimes, the scales are numbered, most commonly on a scale of 1 to 5, where 1 is the lowest value for likelihood or impact and 5 is the highest. Sometimes these scores are multiplied together to get a “risk score” between 1 and 25. The risk matrix is often further divided into zones where total risk, as a function of likelihood and impact, is classified as high-medium-low or red-yellow-green.

EXHIBIT 2.3 Does This Work? One Version of a Risk Map Using Either Numerical or Verbal Scales

There are many variations of risk matrices in many fields. They may differ in the verbal labels used, the point scale, whether the point scales are themselves defined quantitatively, and so on. Chapter 8 will have a lot more on this.