- Posted by Konrad Buczynski
- On 01/07/2019
- Assessment, matrix, Risk, SECTARA
What Is a Risk Assessment Matrix?
A risk assessment matrix is the basis for measuring potential risks, based on two intersecting factors: the likelihood (or probability) of a risk event occurring, and the consequence (or impact) to the entity if it did.
A risk assessment matrix completes the risk assessment template and is used to derive both current and mitigated risk levels.
Why Use a Risk Assessment Matrix?
As discussed in a previous post, the following data is expected to be documented within the risk assessment template:
- context (external, internal and security risk);
- assets and their criticality;
- an account of the effectiveness of risk controls that currently protect assets from threats;
- an assessment of individual risks (using the risk assessment matrix), which derives current risk ratings;
- evaluation of whether these risk ratings are tolerable by the entity;
- recommendation of mitigation measures if they are not;
- re-assessment of individual risks (using the risk assessment matrix), which derives residual risk ratings; and
- the risk owner, and timings for implementation of the controls.
The risk assessment matrix is thus a critical component of the risk assessment, because without it identified risks cannot be assessed or evaluated.
The matrix below shows two axes: the vertical axis represents the Likelihood, and the horizontal axis shows the Consequence.
Risk Assessment Matrix
While this matrix, which is derived from the Security Risk Management Body of Knowledge (SRMBoK), presents measures of likelihood in both qualitative and quantitative terms, it is not always necessary to do so. In truth, the quantitative measures here can more realistically be described as semi-quantitative.
Within the security industry, where incident reporting figures are not always available, it is most common to apply a qualitative descriptor and approach within the risk assessment matrix; it is not necessary to include both qualitative and quantitative measures, as has been done here.
The likelihood labels used here, Rare, Unlikely, Possible, Likely and Almost Certain, are also qualitative. They are very commonly used by practitioners and thus represent a mainstream approach.
The consequence criteria included within an assessment are not always as detailed as those presented in the matrix above, but considering the impact of a risk across multiple areas of the business is the better practice.
In this way, security acts as a catalyst for other functional area managers to consider the potential impacts on their assets, and alerts them to the need for action.
Again, the consequence labels used here, Insignificant, Negligible, Moderate, Extensive and Significant, are common, but a range of others are also commonly used by assessors.
Using the Matrix
In applying the risk assessment matrix, assessors decide, in their expert view, the likelihood that a defined risk will occur, then cross-reference this (in this matrix) with the worst-case consequence that may result. The cell where these values intersect on the coloured/numbered area of the matrix gives the risk level.
It follows that the values and colours in this area of the matrix are key. When designing risk assessment matrices, assessors must ensure that this aspect of the matrix is very carefully considered.
Many assessors complete this instinctively, which can devalue the rigour of, and regard for, an assessment. That said, many risk assessment stakeholders are not necessarily attuned to this, meaning that inaccurate risk results may go unnoticed.
There are scientific methods to design a risk assessment matrix, and https://riskmatrix.co/ is one tool that we have applied in the past.
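As an added illustration (not code from this post, from SECTARA or from riskmatrix.co), the lookup described above in Python, using the likelihood and consequence labels from the post; the cell ratings and the sample risk are constructed for illustration and do not reproduce the SRMBoK matrix. It also includes a simple consistency check on the cell values, reflecting the point that the design of that area of the matrix matters.

```python
# Added example (not from the original post): a 5x5 risk assessment matrix using the
# likelihood and consequence labels from the post. Cell ratings are constructed for
# illustration and do not reproduce the SRMBoK matrix shown in the post.

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
CONSEQUENCE = ["Insignificant", "Negligible", "Moderate", "Extensive", "Significant"]
LEVELS = ["Low", "Medium", "High", "Extreme"]

# Constructed cell values: rows follow LIKELIHOOD (vertical axis), columns follow
# CONSEQUENCE (horizontal axis); each entry is an index into LEVELS.
MATRIX = [
    [0, 0, 0, 1, 1],  # Rare
    [0, 0, 1, 1, 2],  # Unlikely
    [0, 1, 1, 2, 2],  # Possible
    [1, 1, 2, 2, 3],  # Likely
    [1, 2, 2, 3, 3],  # Almost Certain
]

def validate_matrix(matrix):
    """Design check on the cell values: the rating must never decrease as either
    likelihood or consequence increases, otherwise a more likely or more damaging
    risk could score lower than a lesser one."""
    for i, row in enumerate(matrix):
        for j, cell in enumerate(row):
            if j > 0 and cell < row[j - 1]:
                return False
            if i > 0 and cell < matrix[i - 1][j]:
                return False
    return True

def rate_risk(likelihood, consequence, matrix=MATRIX):
    """Cross-reference the assessor's likelihood with the worst-case consequence
    and return the risk level at the intersection."""
    return LEVELS[matrix[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]]

def assess(risk, current, mitigated, matrix=MATRIX):
    """Return the current and residual ratings for one risk. `current` and `mitigated`
    are (likelihood, consequence) pairs, the second reflecting recommended controls."""
    return {"risk": risk,
            "current": rate_risk(*current, matrix),
            "residual": rate_risk(*mitigated, matrix)}

if __name__ == "__main__":
    assert validate_matrix(MATRIX)
    # Constructed sample risk, assessed before and after mitigation
    print(assess("Unauthorised access to server room",
                 ("Likely", "Extensive"), ("Unlikely", "Extensive")))
```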
How SECTARA Uses the Risk Assessment Matrix
Industry Risk has incorporated such approaches within our SECTARA security risk assessment platform. Indeed, our desire to ensure best practice in all aspects of security risk management is what drove us to develop it.
SECTARA requires users to apply the risk assessment matrix in both the assessment and the re-assessment of security risks.