How to identify risk with a control matrix
written by Juan Pablo Calle, On November 06, 2019
There is a wide variety of methods for identifying risks, basically divided into deductive and inductive methods. Some methodologies are very specific and focus on the identification of certain types of risks, such as those of the manufacturing industry.
In the industrial environment, the methods are mainly based on the study of the facilities and on much more structured processes from the logical-deductive standpoint. They usually follow a logical procedure of deduction of faults, errors, processes and facilities, which in the end will determine a certain type of solutions for each of these events. These methods include:
- What if.
- Hazard and operability (HAZOP).
- Fault tree analysis (FTA)
- Event tree analysis (ETA)
- Failure mode and effective analysis (FMEA).
There are also other methods that, although designed to identify risks, can be widely used in specific environments across the different processes of an organization or a project. Below, we will discuss one of them: the control matrix method.
This methodology was created by the American Jerry Fitzgerald in 1981. It is very useful in the identification of threats and threatened components in the object of analysis.
A risk matrix identifies the activities of a company, classifies the type of risk according to its intensity and the different factors that can cause it. Similarly, the matrix makes it possible to measure the effectiveness of appropriate risk management.
The risk situation of an entity is diagnosed based on the information documented in the matrix. Therefore, this method should cover the different business fronts of a company in order to compare the projects, areas, products and processes.
In this regard, Rubí Mejía Quijano, in his book Administración de riesgos un enfoque empresarial (Risk Management: A Business Approach), says:
"The main advantage of the control matrix is the ease of identifying risks, determining existing controls and proposing new ones. Its main disadvantage is the amount of information and the tables that must be developed, as they can complicate, delay or make their application difficult. This disadvantage has been overcome with the use of computerized tools".
In this regard, the control matrix makes it possible not only to identify risks, but also to propose strategies aimed at developing a management model that is relevant to each entity.
How to design a risk matrix
For the design of the matrix, the so-called Delphi method is used, which basically consists of consulting a specific subject with a group of experts or specialists on the environment and operations of the organization or project. Thus, the components, threatened resources and possible threats to the object of analysis are identified and reflected in the matrix.
The matrix is built by placing the threatened resources (components) at the top of the rows and the threats at the top of the columns. Components are the resources to be protected and the threats are the negative events that may cause loss or affect the components.
See Table 1
Once the risks are identified, their probability of occurrence is established, along with a valuation thereof. After that, therating and assessment processes begin.