Risk assessment can be performed using a traditional Risk matrix. However, the quality of assessment and prioritization can be significantly improved by enhancing the risk attributes used for risk quantification and categorization.
It is proposed that for risk assessment we adopt the guidance provided by the COSO ERM Integrated Framework for risk assessments, as documented in Risk Management in Practice.
Within the COSO ERM framework, the purpose of risk assessment is to assess how big the risks are, both individually and collectively, in order to focus management’s attention on the most important threats and opportunities, and to lay the groundwork for risk response. Risk assessment is all about measuring and prioritizing risks so that risk levels are managed within defined tolerance thresholds without being overcontrolled or forgoing desirable opportunities.
It is proposed that we perform Risk Assessment in a 2-step approach, as documented below:
1. Use the enhanced Risk Matrix (template attached) to quantify & categorize risks based on 4 basic factors (which are described later in this paper).
2. Use the Risk Heat map to generate a visual representation of identified risks, and apply Risk Inclusion/Exclusion criteria to filter out low-priority risks from the Risk Heat map.
The Risk Heat map charts risks in the traditional manner, with Likelihood and Consequence on the X- and Y-axes of a matrix, and then enhances the visual depiction by also encoding the Vulnerability and Speed of Onset of each risk in the chart.
The Risk Heat map can be refined further by applying rules for inclusion/exclusion of risks that match specific criteria. The criteria can be defined during the Risk planning phase and applied consistently across all projects and initiatives. This approach filters out the less-important risks and presents a picture focused on the more-important ones, thus improving the ability of the chart to support a Senior Management or Executive review, especially when the risk universe consists of a large number of risks.
Risk Matrix – sample image
Risk Heat Map – sample image
Risk Assessment Factors
COSO ERM Integrated Framework uses the following 4 attributes to quantify each identified risk:
1. Consequence or Impact: Refers to the extent to which a risk event might affect the enterprise. Impact assessment criteria may include financial, reputational, regulatory, health, safety, security, environmental, employee, customer, and operational impacts.
2. Likelihood or Probability: Represents the possibility that a given event will occur. Likelihood can be expressed using qualitative terms (frequent, likely, possible, unlikely, rare), as a percent probability, or as a frequency.
3. Vulnerability: Refers to the susceptibility of the entity to a risk event in terms of criteria related to the entity’s preparedness, agility, and adaptability. Vulnerability is related to consequence and likelihood. The more vulnerable the entity is to the risk, the higher the consequence will be should the event occur. If risk responses including controls are not in place and operating as designed, then the likelihood of an event increases.
4. Speed of Onset or Velocity: Refers to the time it takes for a risk event to manifest itself, or in other words, the time that elapses between the occurrence of an event and the point at which the company first feels its effects.
Risk Assessment Criteria – Rating ranges (Samples only)
The following Risk assessment criteria have been used in the attached template as the guidance for mapping the various risks. These criteria can be modified based on project/organization context, but it is recommended that the criteria are defined at an organization level, so as to enable comparisons across a portfolio of projects.
The template for the enhanced Risk Matrix is attached here. pmExcell Risk Matrix template
The template for Risk Heat Map is attached here. pmExcell Risk Heat Map template
The Consequence x Likelihood product (CxL) shall be used to identify the positioning of the risk identifier image on the Risk Heat map.
The Risk heat map is split into squares that are characterized by the intersecting values of Consequence & Likelihood. The Heat map colors are identified by ranges of CxL values, as depicted here.
Vulnerability of risk is indicated by the shape. As Vulnerability increases, so does the number of sides of the shape used in this depiction. However, these images can be replaced by any other image set.
Speed of Onset – Guide: Speed of Onset is depicted by the size of the images used. As the Speed of Onset (and hence the threat of the risk) increases, so does the size of the image.
Using this Heat map technique, it is possible for a reviewer to quickly identify the risks that offer the greatest threats to the project, using the following simple rules:
• The higher the CxL value (or the deeper the color), the greater the risk severity;
• The greater the number of sides of the image used, the greater the vulnerability of the project or organization; AND
• The larger the image, the quicker the risk will impact the project or organization.
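As an added illustration of the two-step approach described above (not code from the paper or its attached templates), the following script scores a small risk register on the four COSO ERM attributes, derives each risk's Heat map marker (cell from Consequence x Likelihood, colour from the CxL band, shape from Vulnerability, size from Speed of Onset) and applies an inclusion/exclusion rule before presenting the filtered, severity-ordered list. The rating scales, the CxL colour bands, the inclusion rule and the sample risks are all constructed assumptions standing in for the ranges defined in the attached templates.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    consequence: int     # 1..5 (assumed scale)
    likelihood: int      # 1..5 (assumed scale)
    vulnerability: int   # 1..4 (assumed scale)
    speed_of_onset: int  # 1..3 (assumed: 1 = slow, 3 = immediate)

# Assumed colour bands over the CxL product (1..25), highest floor first.
BANDS = [(16, "red"), (9, "amber"), (4, "yellow"), (1, "green")]
# Vulnerability is drawn as a shape that gains sides as vulnerability rises.
SHAPES = {1: "triangle", 2: "square", 3: "pentagon", 4: "hexagon"}
# Speed of onset is drawn as image size.
SIZES = {1: "small", 2: "medium", 3: "large"}

def cxl(r: Risk) -> int:
    """Consequence x Likelihood product that positions the risk on the map."""
    return r.consequence * r.likelihood

def band(score: int) -> str:
    """Heat map colour for a CxL score (assumed thresholds)."""
    return next(colour for floor, colour in BANDS if score >= floor)

def marker(r: Risk) -> dict:
    """Heat map cell (Likelihood on X, Consequence on Y) plus glyph attributes."""
    return {"x": r.likelihood, "y": r.consequence, "colour": band(cxl(r)),
            "shape": SHAPES[r.vulnerability], "size": SIZES[r.speed_of_onset]}

def include(r: Risk, min_cxl: int = 9) -> bool:
    """Assumed inclusion/exclusion rule: keep a risk if its CxL reaches the
    review threshold, or if it is immediate-onset with at least moderate
    severity, so fast-moving risks are not filtered off the executive view."""
    return cxl(r) >= min_cxl or (r.speed_of_onset == 3 and cxl(r) >= 4)

def heat_map(risks):
    """Filtered markers, most severe (then fastest, then most vulnerable) first."""
    kept = sorted((r for r in risks if include(r)),
                  key=lambda r: (cxl(r), r.speed_of_onset, r.vulnerability),
                  reverse=True)
    return [(r.name, marker(r)) for r in kept]

# Constructed sample risk register (not taken from the paper).
SAMPLE = [
    Risk("Ransomware via phishing", 5, 4, 3, 3),
    Risk("Key staff turnover", 3, 3, 2, 1),
    Risk("Minor configuration drift", 2, 2, 1, 1),
    Risk("DDoS on public website", 3, 2, 2, 3),
]
```

Calling `heat_map(SAMPLE)` keeps three of the four risks: the DDoS item survives only because of the immediate-onset clause, while the configuration-drift item is excluded from the executive view.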
Risk Management in Practice, Dr. Curtis, P. and Carey, M., Deloitte & Touche LLP. Research commissioned by COSO (Committee of Sponsoring Organizations of the Treadway Commission).