After identifying the threats you face and ranking them for likelihood and impact, you are ready to deal with risk assessment. What is needed is to present both aspects of risk—the likelihood of the threat occurring and the resulting impact—at once. You can do this by indexing them against each other in a matrix. Begin by listing the threats generated from your threat assessment.
Threat list with likelihood and impact rankings
This example lists the threats that were encountered at one duty station and the level of impact and probability that staff assigned to each. This is only an example. The rankings are not the “right” answers for all situations and will vary according to time and place.
Displaying your analysis in a list format can be useful, but it is still difficult to prioritize risk among the various threats in this format. Now look at the example risk matrix presented in the exercise below. The same descriptors from the list above are presented along the two axes of the matrix. The five descriptors for impact are shown along the vertical axis and the five descriptors for likelihood across the horizontal axis. This lets us record both the degree of likelihood and probable impact within a single framework for a more complete understanding of overall risk. These threats should now be placed on the matrix based on their rankings for both likelihood and impact.
Use the sample risk matrix below to plot each threat listed above in its appropriate place in the grid. Write in the letter and a few key words to identify each threat (A-J) on the matrix below. The correct answer is shown at the end of this module; this is not an assessment but an exercise to aid in your learning of the risk matrix. Note: These threats are illustrative and do not necessarily represent any particular area or operation.
Risk Matrix Exercise
Please note: You will need a pen and paper/notebook to copy these exercises and fill in your own answers.
Determination of risk level using the risk matrix
When risk analysts use the risk matrix, they usually look to the upper-right area to identify their highest priorities. This is because these threats represent the greatest combined value of impact and likelihood and, therefore, have the greatest overall risk. These threats are usually considered very high or high risk. Greatest priority should be given to finding ways to prevent or mitigate them. Which threats would you prioritize next? Opinions among professional security officers differ on this. Some look to the top-left, saying that a very high-impact but low-likelihood threat should be dealt with next as the result would be catastrophic should they occur. Others look at the bottom right section, saying that high-likelihood but low-impact threats, if not dealt with, will eventually have a cumulative effect that could be as bad as a single dramatic incident. What is clear, however, is that these areas represent the next area of focus—medium risk threats—and should be dealt with after considering the very high and high-risk threats.
The guideline below can be used . Once again the point of such a system or tool is to begin using a standardized language and approach so that different threats can be compared and ranked for prioritization in your overall risk management task.
Risk Level for Identified Threats
Now compare the risk matrix that you completed previously to this guideline. What is the risk level for each threat on the matrix? Write in the appropriate risk-level descriptor from the above guideline after each threat (A-J).
Suggested Answers To These Exercises
Possible choice of impact descriptors for each threat listed along with assumptions or reasons (right column) which may differ from yours.
Correct placement of threats on the Risk Matrix
Risk Level for Identified Threats – Answer Key